Having read many monstrosities called 'Compliance Manuals', I am absolutely convinced that they often add little value to organisations, and often lead to a poorer outcome of compliance than in those organisations that have give this issue much more thought.
I recently spoke, as a panelist, at the 2020 Anti-bribery and Corruption Forum organised by BPP. The Chair of the panel Chris Usher, asked
"What the challenges were when considering and designing Policies, Procedures and Controls within an organisation?". I started by making clear the differences between these three elements, and why the age old 'compliance manual' has had its day.
These three lexicons are often used interchangeably, and perhaps are regularly misused, misunderstood and confused. This creates barriers for us as organisations when we are trying to implement good governance, effective risk management and achieve the outcome of compliance.
Generally speaking a Policy is a statement of position, and it may make reference to a particular requirement [in most circumstances within organisations these relate to legislative or other regulatory requirements]. So, your organisation may have a number of policies surrounding various aspects of its business and these policies should clearly and concisely state the position stance that your organisation takes on these obligations.
However, a Policy can and perhaps should also relate to wider more moral, ethical or conduct-related aspects, beyond purely legislative and regulatory requirements.
Policies should be short, concise, easy to digest and understand and most importantly, should link directly to your organisation's values and principles.
This approach offers staff a more practical method by which they can live the values that your organisation has adopted and helps them when endeavouring to ensure 'compliance' with your regulatory obligations.
In my view, if your policies are more than two pages of A4, you have not produced something of value, they will not be understood by your staff and they should be reviewed.
These are very different to policies and although they will have often direct relationships with your policies, they are principally coming from two objectives:
Firstly, they are the methods by which your organisation intends and is endeavouring to meet their Policies, and
Secondly, they come from and with the intent of mitigating your risks identified through your risk assessment process.
Procedures should and probably will be by nature more detailed and may make reference to various other documents, such as checklists or forms [electronic or manual], or to particular Controls within your organisation.
A Procedure, in order to be effective, may also make reference to many Processes [sometimes Processes can be synonymous with Systems]. Processes are the step by step detail that should be followed. These should be sufficiently explanatory that any member of staff could conduct and follow the Process.
A Procedure may contain or make reference to multiple Processes and may house many points of control (a Control).
A Control, however, is a specific juncture within a Procedure, Process or System where there is a gate-keeping mechanism. A stop-check. There is an expectation [from most regulators] that organisations embed Controls. These are often, although not always, at key regulatory connection points, where an erroneous action could result in a breach. They can, however, also be found at points of criticality, where there is no point of return once completed…a bank transfer for example.
Most companies do not distinguish clearly enough between Policy and Procedure. It is not readily clear sometimes, without digesting all of the often copious documentation, what a company’s various policies are and therefore what its key guiding principles might be.
This is important, because these should be the driving statements of the business, and staff should understand and be clear on them and helps in ensuring a common approach, and is especially important in meeting key regulatory obligations.
In addition, the key Controls in any designed Process [System] should be clearly identified. This assists in supporting the overall risk management framework, along with the monitoring strategies implemented to ensure their effectiveness.
These monitoring strategies should include a Compliance Monitoring Programme, which will form part of any Compliance and Control Monitoring Framework (CCMF).
One of the purposes of a CCMF is to assess the effectiveness and suitability and effectiveness of the Procedures, Processes and Controls of your organisation in meeting the two objectives noted above.
Compliance Manuals conflate policies, procedures and controls in to one gargantuane document. Unread, unused and often almost immediately inaccurate literary wad. If we think that one of the principle aims of procedures is to respond to the risks we have identified and assessed, and that these change frequently, our manual will be out of date almost instantly.
A failure or insufficiency in any of these three, or a conflation of them in to one cumbersome document will likely mean that your organisation will not be living its core values, meeting its key regulatory obligations and may therefore be failing in its outcome of compliance.