“Policies and procedures” are one of the most important kinds of enterprise risk management (ERM) controls, yet many companies seeking to implement ERM programs act as if the two concepts are separate and unrelated. Too often, it seems as if a company's compliance department, responsible for daily policies and procedures, and its staff documenting company-wide ERM controls, are on two different teams engaged in a tug-of-war, competing for attention and resources.

As noted in my last blog, ERM Rodeo – Roping Risk with Effective Controls, one of the ultimate goals of an ERM program is to establish a suite of techniques to reduce or mitigate potential losses. As part of their ERM efforts, companies typically create a list or library of internal controls, matched to identified risks, in a spreadsheet or IT system. “Controls” consist of all the measures taken by a company to manage risk, in light of the entity's business objectives. They can include such things as management approval hierarchies, IT security efforts, business continuity or backup plans, and outsourcing strategies.

“Policies and procedures” are a key subset of controls. They help manage potential losses from financial, underwriting, regulatory, or claims activities. Historically, companies have catalogued compliance standards and behavioral guidelines into policy manuals or handbooks. For each policy setting forth general goals and guidelines for behavior, there is usually a corresponding written procedure that documents the actual day-to-day, nitty-gritty steps of how to comply with such policies.

Read More Risk Management Insights From Denise Tessier

In theory, policies and procedures should be an integral part of a company's ERM efforts. In practice, however, the typical insurer has lists or libraries of policies and procedures, and a separate database of risks and controls. Risk and compliance professionals, managers, and staff who have to work with or comply with both can feel that they are in the middle of—or being pulled by—two forces. On one side, there is day-to-day departmental compliance. On the other side, there is the ERM program. This dichotomy can arise for several reasons:

  • Managers and staff responsible for enterprise risk management, whether or not as part of a formal ERM unit, may actually be different, by organizational design, from the conventional compliance team charged with specific operational, legal, and financial initiatives. This creates two unique “silos” of control-related efforts that may not have the same workflows, priorities, or reporting structures.
  • Companies getting up to speed on ERM may quickly develop a library of generic industry-standard risks and controls, just to get their framework started, without first thoroughly reviewing all of their own historical policies and procedures. The ERM control library may not reflect much of the content or language of the existing policies and procedures universe.
  • Certain historical policies and procedures themselves may be outdated, without ownership or roles assigned, may be housed in multiple places, and may no longer serve as effective or appropriate risk mitigators—never making it into the ERM control library.

As a result, separate compliance and ERM workflows may be established to address the same or similar risks. Two completely different sets of attestation and sign-off protocols may exist for routine compliance versus ERM purposes. Managers and staff responsible for complying with and/or attesting to the operation of controls and the success of procedures may be confused as to what to follow and how to attest to each, and may be frustrated by duplication of review efforts.

Costs may double. Audit efforts may multiply. Compliance procedures may not clearly map to loss events, issues or incidents tracked in the ERM process, and specific policy or workflow failures can be hard to identify. Laws, rules, and regulations may not be adequately or consistently followed, and changes in laws may not be properly assessed or implemented. Risk cannot be sufficiently evaluated and overall risk mitigation efforts collapse.

It is important to remember that everyone involved in ERM and compliance efforts is, in fact, on the same side. Instead of pitting themselves against each other, they should all be pulling together to combat company risk and potential losses. In the sport of tug-of-war, winning teams need individuals to pull their own weight in unison and harmony with their colleagues.

In the field of risk, ERM and compliance individuals also need to align themselves in a common framework, with common goals and a coordinated approach. They should work together to develop one integrated, cohesive set of risks, controls, policies and procedures. ERM controls and day-to-day policies and procedures should be synergistic.

A Sturdy Rope: An Aligned Risk and Compliance Framework

Every tug-of-war team must possess a sturdy rope as a necessary foundation. In ERM, it is essential that all ERM program and compliance participants operate under a single risk and control policy development protocol, or framework—a continuum on which all players are aligned.

For example, if there is a risk noted in an ERM risk library, there should be one or more controls to help manage it. If there is a control in an ERM control library, are there written, updated, active policies and/or procedures elsewhere in the company that more fully detail that control? Conversely, if there is a historical policy/procedure in place, what corporate risk does it address? Is that policy or procedure noted as part of a “control” in the ERM library? Ideally, when a new risk is identified in the ERM process, and a control suggested, a related department-specific compliance policy and procedure should be simultaneously identified or drafted, in line with any applicable laws, rules, or regulations. Any gaps should be filled, and documentation created or edited as necessary.

There are software tools being developed today that can help structure and streamline this process, designed to easily map or cross-reference ERM library risks and controls with other compliance policies and procedures. But even a manual process for cross-checking both is helpful. The expense and effort to complete a matching process early in the development of an ERM program will be repaid over time.

Assembling a Strong, Integrated Team

Tug-of-war is a sport where many pullers of all shapes and sizes work together using common techniques to achieve a single goal. There are no “stars,” and all must give their best efforts. The same is true for compliance and risk personnel. No one person in the company can provide the time or skill, or has sufficient perspective, to identify all risks and controls, and draft and manage all procedures.

All staff need to rely on each other to fulfill their respective roles as policy drafters, managers, risk owners, and control monitors, and take responsibility to eliminate any slack in the risk management chain. Regular communication amongst risk and compliance professionals, management, and line of business staff is critical. All activities and efforts should be as transparent and coordinated as possible in order to create necessary documentation that is clear, consistent, and easy to follow. Inclusive e-mails, multi-team meetings, cross-functional projects, common management/reporting and shared performance goals all foster team spirit amongst risk and compliance stakeholders.

Proper Training and Education

Training and education are essential for success in most endeavors, whether in sport or in business. With tug-of-war, serious injury can result if the participants are not physically and mentally prepared for a meet.

In risk management, insufficient compliance training can lead to fines, fees, penalties, and other economic damages, as well as loss of reputation. In some areas, development of core policies, and training on risk and compliance issues, is poor, narrow, and uncoordinated. Compliance training may be given to staff on code-of-conduct-type policies, human resource laws, or customer service issues, but such training may not have any relation to the company's most significant risks of financial loss. Employees may be trained on broad ERM principles, but then not have follow-up training on the specific day-to-day compliance procedures that are necessary to implement ERM effectively.

However, if all risk and compliance functions and processes are well-integrated, and related documentation is consistent, compliance education and training efforts can evolve to a new level, structured more around the actual risks faced by the entity as a whole. Training and education resources can be targeted to those risks measured and quantified in the ERM process as the most serious or crucial to the insurer. Feedback from the ERM program on incidents and losses can be turned into a learning opportunity in the daily compliance process. Resources will be better aligned to needs for peak performance.

Pull Together, Remain Flexible

When the tug-of-war judge gives the command, “Pull!” team members use their whole bodies as leverage, but should not stiffen themselves in any way, as a too-rigid stance uses up energy that will be required later. ERM and compliance team members also need to work hard to manage their respective areas, but remain flexible. They should always be open to new ideas, new perceptions of risk, and input from other areas of the company. Neither ERM control libraries nor general compliance policies and procedures should be set in stone.

In the long run, documenting either ERM controls or compliance protocols should be a fluid process, adapting all information to changes in the company's business, legal, and financial environment. Changes in ERM control documentation may also necessitate a change in a companion policy and procedure, and vice versa.

Continual Progress

To gain ground in a tug-of-war, the team makes “lifts,” or short bursts of energetic heaves, but must not relax after the lift lest it risk losing ground. Likewise, it is important for the ERM and compliance teams, once making progress towards integrated documentation of controls and procedures, not to relax the effort.

Drafting new operational procedures should always be done in light of ERM program documentation needs. The “matching” process of controls and risks must continue, and should not be considered just a one-time “project.” Otherwise, it may be too easy for day-to-day departmental compliance policies and procedures to sprout independently, like weeds, without connection to the larger ERM platform. This increases the danger that policies are not enforced, and brings back all of the risks noted above.

In sum, with all risk management efforts, success is not defined by how well each process works. The question is, “How well do they all work together?” Policy and procedure management is a critical component of ERM controls, and all participants in the risk and compliance process should be treated as valuable and necessary members of the same team.

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.