One of the pain points of larger organizations that are externally regulated often lies into the volume of policies and procedures they have in place. Some managers may call it necessary evil, but work alongside employees that are targeted by those documents and you will quickly realize that often, less is more.
To understand the best way to address statutory compliance, we must first understand the meaning and purpose of an internal control. If you “Google” it, you will come across a variety of definitions that are more or less complex. To keep it simple, think of an internal control as a specific point in a process where evidence is captured to demonstrate that a validation was performed to ensure the integrity of the information or the process itself. For example, the signature of the approver on a document or computed totals on reconciled numbers.
In the context of regulations, the expectation is that the business must make the demonstration that it meets its regulatory obligations; that is the job of the inspector. Most of this evidence comes from your internal controls. But why are we not meeting those expectations if we have all these procedures? Here are some insights into the situations that may compromise your compliance profile.
Generally, the internal controls the organization has implemented are documented in its policies and procedures. One of the main issues is that different people often add to those document as regulations are introduced and updated. However, we seldom remove anything. As a result, the content of those documents may become clogged with information, tedious to read … let alone to understand … that is if the employee takes the time to read them (as opposed to cheat them).
One of the dangers of those documents is to set false expectations when it comes to external compliance. The policies and procedures tell the story of your internal controls and how you ensure they are followed. Is your business telling the right story?
The inspector will examine two aspects of your controls, as presented in those documents:
- Are you doing what you say you are doing?
- Are you doing everything we say you should do?
From experience, I can honestly say that the most successful and sustainable way to ensure your policies and procedures are adequate is to work backwards.
Start by identifying what is expected from your external regulator. This is what you need to comply with. Remember that there are no bonus points for “super-compliance”. You are compliant or you are not. It is black or white. Money spent into achieving super compliance may be better invested elsewhere.
Next associate the internal controls that are in place to meet those compliance requirements and identify the evidence in place that will demonstrate it. These are the key elements your employees must understand, apply and demonstrate in their daily operations. Make sure they do.
Lastly, go back to your policies and procedure and read them through. Anything relevant to those controls stays; the rest should be requestioned as for relevance and pertinence.
Softwords offers the experience and expertise to work with you and your employees to raise your compliance profile and ensure the right information is presented and understood by the employees and collaborators.
Author: Manon Chouinard, Principal Partner – Business