Podcast 135: Writing procedures needed for regulatory compliance

In this episode, we talk about writing procedures that are needed for regulatory compliance.

By this we mean organisations that might be investigated by a regulatory body.

We describe the different approaches to creating the content.


Welcome to the Cherryleaf Podcast
In this episode I want to talk about writing procedures that are needed for regulatory compliance.
By this I mean organisations that might be investigated by a regulatory body.

Some organisations are regulated; and they have the possibility of regulators or auditors coming in and checking if they comply with the rules.
External audits and compliance reviews are something an organisation should take them seriously.
Firstly, external audits are often required by law or regulations, and non-compliance can result in penalties or legal action against the organisation. Organisations need to make sure they are meeting legal and regulatory requirements.
They also help an organization identify any inaccuracies, errors, and potential fraud in their data. This can help the organisation become aware of issues, which hopefully can then be corrected or prevented.
Sometimes there’s an accreditation that goes along with the audit or compliance. This might help an organization maintain or improve its reputation. It can demonstrate to investors and customers that the organization operates to a certain standard.
And the review can also examine the processes of a company. You might get feedback on the areas where an organization can improve its processes, reduce costs, or increase efficiencies. This can lead to better use of resources and improved performance.
And related to that, it can help an organisation manage risk. That is, identifying and mitigating risks, in areas such as cybersecurity or financial compliance. This can help the organization avoid or minimize potential losses.
If the organisation doesn’t comply, there is the risk that the regulatory body might fine them, close them down, or even charge people with a criminal offence.
For example, some organisations have to comply with anti-money laundering checks and Know Your Customer checks. Know Your Customer, or KYC, checks are guidelines and regulations mostly in the financial services sector that require professionals to verify the identity, suitability, and risks involved with maintaining a business relationship with that customer.
These are typically a mandatory process of identifying and verifying the client’s identity when they open an account. They also verify existing customers periodically over time.
An AML investigation is the formal analysis of any suspicious, or what’s called red-flag activities, to determine if customers or businesses are using a bank or another financial institution for money laundering purposes. These are checks to make sure that the business is legitimate, that any money they’re investing is for themselves, and not for other people where that money might have come about by illegal means.
Another set of regulations that international banks will have to deal with are what are called OFAC screening. OFAC stands for the Office of Foreign Assets Control, which is an office within the United States’ Treasury Department. OFAC screening is about checking whether companies and individuals are violating federal sanctions against transactions involving certain foreign nations or vertical specially designated nationals. It involves checking identities against what’s called the denied parties list. This list is maintained by OFAC. As sanction violations can have national security implications, OFAC enforcement investigations present significant risks for any company or individuals that is investigated by OFAC.

Other organisations might be indirectly regulated, as a result of them having mechanisms in place to follow the law.
For example, how they keep information about their customers secure.
To do that, many comply with standards such as ISO 27001. This is an international standard for managing information security.
If they follow that standard, then information should be confidential. In effect, only authorised persons have the right to access information.
There should be integrity. Only authorised persons can change the information.
And information should be accessible to authorised persons whenever it’s needed.
And not only do they want to comply with ISO 27001 standard, they also want to become certified in that standard. As part of the certification, organisations have to prove that they have the relevant procedures and documentation in place.

Some of the clients that we do work with operate in these types of environments. They worry that regulators might come in at short notice, and ask them to prove that they have the checks and policies and procedures in place. And that those policies and procedures are compliant. And that those policies and procedures are being followed in a compliant and consistent way.
They might also want to do all the customer verification and unusual transaction checks in an efficient way.
This means they have a need for good documentation. They need a detailed set of policies and procedures that address the organization’s specific risks and vulnerabilities. For example, these should include detailed guidance on customer due diligence, transaction monitoring, suspicious activity reporting, and employee training and awareness.
So how do you tackle a problem like this?

The answer to that depends on where you’re starting from.
You need to ask, do you have the policies and procedures and checks and balances in place that are complete, accurate, legally-compliant, and up to date? You might call these utility-type questions.
If you do have policies and procedures that are written, then there’s a second type question that you need to ask. Is the information clear and findable? It is consistent? is it actionable? You could call these usability-type questions.

Let’s look at what to do if you do NOT have the policies and procedures and checks and balances in place that are complete, accurate, legally-compliant, and up to date.
Before you start writing, there are a few things you should do.
Firstly, you should carry out a risk assessment of your organization’s activities to determine the likelihood and potential impact of the potential problem: the potential for money laundering in the case of AML and KYC, and the potential for data breaches in the case of data security.
This assessment will help you identify areas that require more attention and help prioritise your efforts.
Secondly, you should review all relevant laws and regulations related to your industry sector, and ensure that your policies and procedures align with these requirements. You might need external advice to do this – experts in law, the regulations or the relevant standard.
Then you should be in a position to start to develop your policies and procedures:
So step one in this stage will be to get the information written down. It might be in people’s heads, in experts’ heads, and it needs to be documented. You might need to have meetings to agree what the policies, processes, and procedures should be. To agree who should do what. To agree what should be done, and in what order.
For one company, we conducted a series of interviews with their subject matter experts and captured the knowledge that was in their heads. We wrote for them a series of policy and procedures which they then reviewed. And then there were a series of drafts until the policies and procedures were signed off and published.
The advantage of this approach is that it doesn’t require as much time as some of the alternatives from the subject matter experts. They share their knowledge, and they review the documents. The downside is that there is no new writing expertise acquired by the subject matter experts. So there is a risk that future documents are not to the same standard or not as or not consistent if they are done in-house. So there might be a need also to have some sort of training to transfer the skills across so that the organisation can do the next set of documents in house, if they want.
An alternative approach is to get the subject matter experts to write down the policies and procedures themselves. It is unlikely to be perfect. The English may not be clear. But it does mean that you have something documented that you could show the regulators.
You could help the subject matter experts by giving them training in how to write policies and procedures in a clear way. And we have clients where we provide training to do that. You could also provide them with examples of what a good procedure looks like, which they could copy. You might also be able to create templates for them to use.

There might be a stage before the procedures are written. A Stage Zero. That is to define an information design model. That could be to define what content goes into a policy document, what content goes into a process diagram, what content goes into compliance procedures, what content goes into operational procedures, what content goes into guidelines, and what content goes into how-to guides for the particular applications that are used within the organisation.
The information model can also define how you connect the procedures that staff use with the compliance procedures the regulators want to see that you are following. That may involve defining some labelling or metadata that goes into the documents.
It might also involve understanding the users and what they need. And in this situation there is more than one type of user. There are the regulators and there are the staff.
Related to this stage is how the information connects to each other, and how it can be kept consistent. With regards to consistency, that might involve creating a terminology guide so that certain buzzwords are described in the same way across all of the documentation. It could also involve a voice and tone guide. It could also involve a playbook on how to write new procedures. For those, it may be that these are developed as the project goes along and are essentially completed after the main documents have been signed off.
You might also consider what authoring and publishing tools that you use. Microsoft Word is the de facto choice for many, but there are alternatives. They might be better in having coherent, consistent, auditable, and usable content.

The second stage could be to improve policies and procedures that are accurate and complete but aren’t very usable.
The information isn’t clear and findable. It isn’t consistent. It isn’t actionable.
You can tell if information is clear and understandable and findable by asking or observing your users. Are they making mistakes? Are they complying with the policies? Is it taking them too long to complete tasks? Do they tell you that they don’t understand the information that you’ve provided? Do the procedures match with reality of how things actually have to be done? Do the documents give them enough information, the information they need, or is it so complicated that no one can understand them?
In some situations, you can see it for yourself. You can ask people to follow the instructions, observe them, and see if the instructions actually enable them to complete the task correctly. You can see if you understand the content, assuming you didn’t write it yourself.
In addition to that, you can get our input. We can provide expert advice on whether the information is clear; if it follows generally-accepted information design and communication principles.
To improve the clarity of the content, you can provide training to your staff so that they can rewrite the policies and procedures in a better way. That would work if they have the time to update and improve the content.
You could create a projects team dedicated to rewriting and improving the content. If that resource is available.
You can also bring in outside resource such as Cherryleaf. We can work on some or all of the policies and procedures and write them in a better way. The advantage of this approach is it minimises the workload on your staff.
This approach can also involve a training course so that there can be skills transfer to staff. It can also involve creating the terminology guide and voice and tone guide that we mentioned earlier.

We’re now at the stage of having clear and accurate procedures.
Your work doesn’t end there.
They need to be followed by staff. This can involve training employees on the new policies and procedures. It can involve implementing effective monitoring and reporting systems. Hopefully, these exist already, as they are the way that you identify and address any potential, what we might call, “bad” activities.
They need to be kept up-to-date. In other words, they remain effective and relevant in the face of changing risks and regulatory requirements.
So there needs to be a way that you review and update them on a regular basis. You might engage a company such as Cherryleaf on a retainer do that, or create a reviewing committee.
You might also want to carry out regular independent audits of your programmes. This is to identify areas for improvement and ensure that your organization is fully compliant with all relevant laws and regulations.

So those are the main options that you have if you are in a situation where you need policies and procedures that might be reviewed by regulators. There’s the challenge of having multiple audiences. The need for policies and procedures becomes much more important because the risk to the organisation of not having good policies and procedures becomes so much greater.
But it is a solvable problem. By following these steps, you can create a comprehensive plan that will help you protect your organization from the risks.
However, each organisation will have its own unique approach.
Overall, the development of an effective programme requires a commitment to ongoing training, awareness, and compliance from all levels of the organization.
That’s probably enough for you to get on with, at the moment. If you have any questions or comments, you’re more than welcome to contact us. You can e-mail us via info@cherryleaf.com. Thank you for listening.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.