Policies are not one-size-fits-all documents. To be effective governance documents, they need to be tailored to the product, service, or area of operations impacted.
Despite this need for customization, there are some universal building blocks that should be included in every policy. Those 10 elements include:
- Focus area and policy statement. Policies should have a clear statement as to what they are about, what specific product, service, or operation they cover, and why they exist. Think about the statement as the elevator pitch for the policy document.
- Specific goals. If the board has established a policy to carry out a specific objective, this should be made clear in the policy document to aid management in implementing the objective and keep everyone rowing in the same direction.
- Oversight, authority, and responsibility. Most directors are not involved in the day-to-day management of the institution. For this reason, policies should designate the manager or officer who will have the board’s authority to carry out the objectives and be responsible for reporting progress, pitfalls, and other important information to the board.
- Back-up authority. Managers or officers will sometimes be unavailable because they are implementing another big project like a core conversion or are simply out on leave. Good policies recognize this human aspect of management and assign a back-up in case the primary authority is unavailable. This saves the institution valuable time, especially during instances of disasters or other unforeseen circumstances.
- Changes and exceptions. Sometimes discretion is necessary to carry out the objectives of a policy. For example, if the policy is meant to expand access to credit to more individuals, it may also have some exceptions built in. It is important that the policy explicitly states when this discretion is appropriate, who is allowed to exercise their judgment, and the types of reports that must be provided to the board for oversight purposes.
- Impacted business units. Make it easy for your staffers to know which policies apply to their area of operation. The more they have to search and investigate whether a policy applies to them or their peers, the more likely they are to miss an important document. It is a good practice to identify the impacted business unit, such as Bank Secrecy Act/Anti-Money Laundering (BSA/AML), somewhere at the top of the document so that the right staffers and departments know to observe the policy.
- Approval frequency. Stale policies lose their impact, so it is important for the board and management to decide the appropriate frequency for policy review and re-approval. Sometimes the frequency will be established by regulation, but more often than not, the decision of how frequently to get a policy in front of the board belongs to the institution. A best practice is to review significant policies at least every year, but more often if there are triggering events, and every 18 months if the policy is for less critical or unchanging operations.
- Approval body. Not all policies require board approval. There are regulations and supervisory expectations that sometimes dictate the board must approve a policy, but other times institutions have discretion in deciding whether some or all policies will go to the board for approval. Some policies are operational in nature (e.g., human resources oriented) or carry little risk and strategic impact. For those reasons, it is important to establish the policies that must be approved by the board and those that can simply be reviewed and approved by senior management.
- Recordkeeping requirements. In compliance and audit, the saying “if it is not documented, it didn’t happen” is grounded in the need to retain important documents to make them available for examinations, audits, litigation, and oversight. Policies should observe this important motto and establish the required record retention principles.
- Accountability. Accountability is the bedrock of any effective policy. Failing to name an officer or committee as the responsible party for implementing a policy leads to policies being written, approved, and quickly forgotten. To give the policy a higher likelihood of success, list the person who will be accountable for implementing and enforcing the policy and keeping the board apprised.
Accountability is both an armor and a sword. Think of your BSA policy. It likely names the BSA officer. This person is both responsible for the implementation of the policy and a party that regulators can go after should the institution choose to ignore the regulatory framework. This gives the BSA officer clear motivation to ensure the policy is observed and any issues are presented to the board for resolution.