“Policies and procedures” are one of the most important kinds of enterprise risk management (ERM) controls, yet many companies seeking to implement ERM programs act as if the two concepts are separate and unrelated. Too often, it seems as if a company's compliance department, responsible for daily policies and procedures, and its staff documenting company-wide ERM controls, are on two different teams engaged in a tug-of-war, competing for attention and resources.

As noted in my last blog, ERM Rodeo – Roping Risk with Effective Controls, one of the ultimate goals of an ERM program is to establish a suite of techniques to reduce or mitigate potential losses. As part of their ERM efforts, companies typically create a list or library of internal controls, matched to identified risks, in a spreadsheet or IT system. “Controls” consist of all the measures taken by a company to manage risk, in light of the entity's business objectives. They can include such things as management approval hierarchies, IT security efforts, business continuity or backup plans, and outsourcing strategies.

“Policies and procedures” are a key subset of controls. They help manage potential losses from financial, underwriting, regulatory, or claims activities. Historically, companies have catalogued compliance standards and behavioral guidelines into policy manuals or handbooks. For each policy setting forth general and goals guidelines for behavior, there is usually a corresponding written procedure that documents the actual day-to-day, nitty-gritty steps of how to comply with such policies.

In theory, policies and procedures should be an integral part of a company's ERM efforts. In practice, however, the typical insurer has lists or libraries of policies and procedures, and a separate database of risks and controls. Risk and compliance professionals, managers, and staff who have to work or comply with both can feel that they are in the middle of—or being pulled by—two forces. On one side, there is day-to-day departmental compliance. On the other side, there is the ERM program. This dichotomy can arise for several reasons:

Managers and staff responsible for enterprise risk management, whether or not as part of a formal ERM unit, may actually be different, by organizational design, from the conventional compliance team charged with specific operational, legal, and financial initiatives. This creates two unique “silos” of control-related efforts that may not have the same workflows, priorities, or reporting structures.
Companies getting up to speed on ERM may quickly develop a library of generic industry-standard risks and controls, just to get their framework started, without first thoroughly reviewing all of their own historical policies and procedures. The ERM control library may not reflect much of the content or language of the existing policies and procedures universe.
Certain historical policies and procedures themselves may be outdated, without ownership or roles assigned, may be housed in multiple places, and may no longer serve as effective or appropriate risk mitigators—never making it into the ERM control library.

As a result, separate compliance and ERM workflows may be established to address the same or similar risks. Two completely different sets of attestation and sign-off protocols may exist for routine compliance versus ERM purposes. Managers and staff responsible for complying with and/or attesting to the operation of controls and success of procedures may be confused as to what to follow, how to attest to each, and may be frustrated by duplication of review efforts.

Costs may double. Audit efforts may multiply. Compliance procedures may not clearly map to loss events, issues or incidents tracked in the ERM process, and specific policy or workflow failures can be hard to identify. Laws, rules, and regulations may not be adequately or consistently followed, and changes in laws may not be properly assessed or implemented. Risk cannot be sufficiently evaluated and overall risk mitigation efforts collapse.

It is important to remember that everyone involved in ERM and compliance efforts are, in fact, on the same side. Instead of pitting themselves against each other, they should all be pulling together to combat company risk and potential losses. In the sport of tug-of-war, winning teams need individuals to pull their own weight in unison and harmony with their colleagues.

In the field of risk, ERM and compliance individuals also need to align themselves in a common framework, with common goals, and a coordinated approach. They should work together to develop one integrated, cohesive set of risks, controls, policies and procedures. ERM controls, and day-to-day policies and procedures, should be synergetic.

A Sturdy Rope: An Aligned risk and Compliance Framework

Every tug-of-war team must possess a sturdy rope as a necessary foundation. In ERM, it is essential that all ERM program and compliance participants operate under a single risk and control policy development protocol, or framework—a continuum on which all players are aligned.

For example, if there is a risk noted in an ERM risk library, there should be one or more controls to help manage it. If there is a control in an ERM control library, are there written, updated, active policies and/or procedures elsewhere in the company that more fully detail that control? Conversely, if there is a historical policy/procedure in place, what corporate risk does it address? Is that policy or procedure noted as part of a “control” in the ERM library? Ideally, when a new risk is identified in the ERM process, and a control suggested, a related department-specific compliance policy and procedure should be simultaneously identified or drafted, in line with any applicable laws, rules, or regulations. Any gaps should be filled, and documentation created or edited as necessary.

There are software tools being developed today that can help structure and streamline this process, designed to easily map or cross-reference ERM library risks and controls with other compliance policies and procedures. But even a manual process for cross-checking both is helpful. The expense and effort to complete a matching process early in the development of an ERM program will be repaid over time.

Assembling a Strong, Integrated Team

Tug-of war is a sport where many pullers of all shapes and sizes work together using common techniques to achieve a single goal. There are no “stars,” and all must give their best efforts. The same is true for compliance and risk personnel. No one person in the company can provide the time or skill, or has sufficient perspective, to identify all risks and controls, and draft and manage all procedures.

All staff need to rely on each other to fulfill their respective roles as policy drafters, managers, risk owners, and control monitors, and take responsibility to eliminate any slack in the risk management chain. Regular communication amongst risk and compliance professionals, management, and line of business staff is critical. All activities and efforts should be as transparent and coordinated as possible in order to create necessary documentation that is clear, consistent, and easy to follow. Inclusive e-mails, multi-team meetings, cross-functional projects, common management/reporting and shared performance goals all foster team spirit amongst risk and compliance stakeholders.

Proper Training and Education

Training and education is essential for success in most endeavors, whether in sport or in business. With tug-of-war, serious injury can result if the participants are not physically and mentally prepared for a meet.

In risk management, insufficient compliance training can lead to fines, fees, penalties, and other economic damages, as well as loss of reputation. In some areas, development of core policies, and training on risk and compliance issues, is poor, narrow, and uncoordinated. Compliance training may be given to staff on code of conduct-type policies, human resource laws, or customer services issues, but such training may not have any relation to the company's most significant risks of financial loss. Employees may be trained on wide ERM principles, but then not have follow up training on specific day-to-day compliance procedures that are necessary to implement ERM effectively.

However, if all risk and compliance functions and processes are well-integrated, and related documentation is consistent, compliance education and training efforts can evolve to a new level, structured more around the actual risks faced by the entity as a whole. Training and education resources can be targeted to those risks measured and quantified in the ERM process as the most serious or crucial to the insurer. Feedback from the ERM program on incidents and losses can be turned into a learning opportunity in the daily compliance process. Resources will be better aligned to needs for peak performance.

Pull Together, Remain Flexible

When the tug-of-war judge gives the command, “Pull!” team members use their whole bodies as leverage, but should not stiffen themselves in any way, as a too-rigid stance uses up energy that will be required later. ERM and compliance team members also need to work hard to manage their respective areas, but remain flexible. They should always be open to new ideas, new perceptions of risk, and input from other areas of the company. Neither ERM control libraries nor general compliance policies and procedures should be set in stone.

In the long run, documenting either ERM controls or compliance protocols should be a fluid processes, adapting all information to changes in the company's business, legal, and financial environment. Changes in ERM control documentation may also necessitate a change in a companion policy and procedure, and vice-versa.

Continual Progress

To gain ground in a tug-of-war, the team makes “lifts,” or short bursts of energetic heaves, but must not relax after the lift lest it risk losing ground. Likewise, it is important for the ERM and compliance teams, once making progress towards integrated documentation of controls and procedures, not to relax the effort.

Drafting new operational procedures should always be done in light of ERM program documentation needs. The “matching” process of controls and risk must continue, and should not be considered as just a one-time “project.” Otherwise, it may be too easy for day-to-day departmental compliance policies and procedures to sprout independently, like weeds, without connection to the larger ERM platform. This increases the danger that policies are not enforced, and brings back all of the risks noted above.

In sum, with all risk management efforts, success is not defined by how well each process works. The question is, “How well do they all work together?” Policy and procedure management is a critical component of ERM controls, and all participants in the risk and compliance process should be treated as valuable and necessary members of the same team.

Special Reports /

The ERM Tug-of-War: Controls vs. Policies and Procedures

Related Stories

Recommended For You