There are some key focus areas that have been brought to the fore by the pandemic, especially communication surveillance given recent announcements by the FCA on the subject of monitoring home working users as effectively as those in the office environment.
Others continue to be a priority focus, including, AML/KYC, regulatory horizon scanning and regulatory reporting.
These are the big subjects that you often see splashed across the press/LinkedIn. They are all very important, but they often take up all the space and eclipse others. Sometimes the smaller pieces get lost amongst these items.
Take policy management.
On the face of it, who needs a policy management system? Surely, a waste or luxury for all those valuable change budget $/£/€? After all, it can’t be that hard, right? You just write a document, get it reviewed and approved, store it somewhere centrally and send it out to your staff then periodically update it when regulations or processes change. Easy.
Word hell when it comes to policy management
Let’s take a look at word processing packages like MS Word. It has an extraordinary amount of functions that, on the face of it, appear to allow you to produce a policy document; capture versions, share with others, collect comments and overall provide some structure via an universal template.
Unfortunately, it doesn’t really play out that way. Instead, you’re probably more familiar with the following scenario:
You email a policy created in Word to colleagues to review
- You then receive multiple versions of the Word document by email from reviewers all with suggested changes you should make; some in tracked changes, some in the body of the text, some in different fonts and colours, some even return their response in paper with handwritten changes!
- Even if some reply with a ‘reviewer’ version of the document, all nicely marked up, you still now have 5-8 separate documents to merge into your master version
- Late reviewers reply to versions that are now several versions behind
- You are now juggling so many versions and you’re not sure exactly which is the latest
- The final approval of the document comes in the format of emails, telephone calls, PostIt notes, printed paper copies with ‘approved’ written on the document pouch
- In the midst of all of this, some fundamental changes come in and you have to start re-writing it all again
- Finally finished, someone in the front office tells you that they don’t read policy documents as they are too long, boring and they don’t even know where they are stored (someone actually told me this once)!
The regulatory landscape is changing continuously as regulators worldwide pour out more and more changes. These changes can also have an impact across multiple policies and so the above scenario becomes even more complex and frustrated. It is not unheard of for organisations to take 6-9 months to get policies through their internal processes.
Is this acceptable? Probably to some extent in the 1980s, but in the 21st century, it is not .
We need an agile and effective policy management system. Or do we?
Who needs an agile and effective policy management system?
We discussed the pitfalls of relying on desktop applications like Word and email to manage policy updates and communication. Now we explore the alternative. How about centralised storage, version control, a single source of the truth for review, comment and approval? What about workflow and ocument mapping? These alone should improve any poor policy management process by a lot.
What are the true benefits from such a system?
The true benefit of a good policy management system is to establish a firm foundation for setting compliance standards for the business. These standards set out expected behaviours of staff throughout the organisation.
In order for this to be successful, the information that is input and subsequently output, is vital.
Think of it as if you were to build a house. Pouring the concrete foundations of a house isn’t much to be excited about, however, without this, there’s no chance of creating a functional, comfortable and safe home.
Policy management is a fundamental part of the ‘Regulatory Landscape’ process. Broadly, this is regulator contact, horizon scanning, obligations, policy management, controls, various reporting needs. And, importantly, the surfacing of policy information to users.
Policy is fundamentally driven by regulation and what you are obliged to do as a company. As we all know, the regulatory burden will continue to grow. Do you really want to leave your policy review in the hands of a compliance team (let alone other, equally busy teams like risk, technology and operations) to ‘remember’ to identify something that has changed? Surely, this isn’t the reason you hired highly experienced and expensive compliance resources?
You initially hired compliance staff to provide valuable insight, partnering with your business to meet company objectives. Not to rely on their collective memory to manually piece together various planned changes by a multitude of regulators that could impact any number of policies.
The RegTech world provides many solutions to challenges found throughout the management of the ‘regulatory landscape’. Many of these solutions offer ‘hooks’, via APIs, to push and pull information from one application to another; connecting policy management processes to regulatory horizon scanning and obligations assessments. As changes are assessed and implemented, impacted policies and procedures can automatically flag up. Relevant individuals and teams that have ownership of specific policies can more easily engage and collaborate as changes are reviewed, approved and new versions are published to staff. No more need for all of those Word documents flying around on email! There is one single place to manage every stage of the policy life-cycle. One place to record all changes and approvals. One portal to ensure staff have access to only the latest version of any particular policy. One, dynamic, integrated, solution to provide assurance to senior management that the relationships between published policy and the firm’s regulatory obligations are understood and continually monitored.
Back to the housing analogy, even this isn’t really the exciting bit as now all you have is the basic structure to the property although perhaps now it’s also waterproof!
The exciting bit (where to position the TV, place the smart speakers or hang the family portrait) comes when we can link to ‘controls’ and start surfacing policy information.
The policy journey only works if you consider it end to end
First up, controls.
Policy should help define the controls in your business. These controls allow you to undertake self assessments on a regular basis. Failure of controls, especially bad ones, can lead to regulator intervention. At best it leads to a flurry of internal activity to put things right. Often, but not always, it is a failure of a control or the lack of one.
Connecting your policy management system to your controls (risk management) system should allow you to have new controls flagged for implementation more speedily. Again, it takes the reliance out of the hands of individuals who need to remember to connect the dots when they are often very busy with day to day processing.
Secondly, surfacing the data contained in policies to staff. I am going to say that no-one looks at a policy document when it is sent out. Given that the standard for video communications to staff is approximately 1.5-2 min before you lose them, I’m going to go out on a limb and say most are not going to read a 20+ page document on policy (they can be dry subjects), unless it is part of your annual mandatory training requirement.
Evolving from folders to chatbots
I remember the day when policy documents came round the office in a folder and you had to initial that you had read them. If you were truly unlucky, there would be 3 or 4 of them in one folder and there went an entire afternoon.
Fortunately, the tech world has again found a solution – virtual assistants or chatbots. Even the most basic entry level chatbot can achieve a 90% success rate on answering questions to basic policy documents and that is before you get sophisticated and start tying them directly into underlying systems or applying artificial intelligence into the process.
These ‘assistants’ can sit on desktops becoming easily available to staff for when they need answers. They can pull up sections of the policy based on the questions or even provide direct links into the policy, should you suddenly find you need to read the whole thing.
Chatbots have a much wider use but they can help pull strands of information together of which policy is fundamental.
Policy management is often the forgotten little gem in the RegTech space and maybe it still is. Often you will find that policy management has a thread throughout your organisation and any delays or inaction as a result of internal or external changes, may result in serious adverse consequences. Internal policy sets out the standards and expected behaviours of staff. Unless these documents are maintained and accurately reflect the expectations of all stakeholders, the business is at risk of failure.
A systemised approach to policy management
Without a systemised approach to policy management the administrative burden on compliance, risk and controls teams is too vast for most organisations to manage using only Word, email and SharePoint sites. The business can become frustrated and bogged down as they are continually asked to review and provide input to proposed policy and procedural changes. Their efforts to simplify and streamline their own processes are interrupted by the slow and clumsy methods of managing and documenting changes that are still deployed by compliance departments today.
The user journey only works if you consider it end to end. Horizon scanning or risk management systems might be the burning issue that you have to resolve today, however you need to keep a good eye on the overall strategy and that end-to-end process. The time is now for this often-forgotten process to have its day and to be prioritised as we all now realise that internal policy underlies core decision making and actions taken throughout an organisation. Policy not only ‘sets the tone’, it impacts the decisions and actions taken that affect critical processes throughout the organisation, from revenue generating activities to setting laptop password standards. Without a policy there’s no guidance for marketing and promotions. Without foundations for a home, there is nowhere to place the TV!