1. The document discusses six leading practices for effective policy management in financial services firms: establishing a policy office and defining clear roles and responsibilities; spending time on semantics and taxonomy; centralizing policy documentation; measuring the policy program; training employees on policies; and requiring employees to sign, attest to, and acknowledge policies.
2. Key stakeholders in policy management include employees, executive management, boards, clients, auditors, and regulators. Effective policy management can improve risk mitigation while meeting these stakeholders' needs.
3. Regular review and updating of policies is important, especially for high-risk policies which should be reviewed at least annually. Metrics like percentage of out-of-date policies can help manage the quality and
Managing Information Risk in Financial Services - Andrew Smart
Managing Information Risk in Financial Services Webinar Feb 26th 2014
presented by Colin Lobley
http://manigent.com/uk.linkedin.com/pub/colin-lobley/2/7/563
Many of the fines issued by the FCA over the past few years can be attributed to poor information management. The threats from external cyber-attack and malicious insiders are escalating, with your corporate and client information being the primary target of the cyber criminals. The legal requirement on UK businesses will evolve with the proposed EU data protection regulation likely to come into force next year. It is therefore critical to implement robust information risk management.
An industrial approach to risk and control self-assessments - Grant Thornton LLP
Derive more value from your risk and control self-assessment process, and integrate your organization’s overall operational risk management process to comply with Dodd Frank and other legislation. We specialize in working with clients to help identify, remediate and resolve assessment gaps so they efficiently meet or exceed regulatory requirements.
Risk intelligence in the energy and resources industry - Franco Ferrario
DELOITTE TECHNOLOGIES
Risk Intelligence in the Energy & Resources Industry
Enterprise Risk Management Benchmark Survey Report
Upload by Franco Ferrario CIO Temporary Manager
Facilitated Risk Analysis Process - Tareq Hanaysha
One of the most popular methods of performing a risk analysis is the Facilitated Risk Analysis Process (FRAP). FRAP allows any organization to implement risk management techniques in a highly cost-effective way and to develop an efficient, disciplined process that ensures information-related risks to business operations are considered and documented.
Enterprise risk management is an underutilized management practice that allows community-based financial institutions to become more efficient, smarter, and better able to compete in an increasingly complex environment.
WolfPAC Solutions Group Director Michael Cohn creates a strong case on why community-based financial institutions should implement an enterprise risk management program to reduce costs and successfully achieve business goals in an increasingly competitive and regulated environment.
Presentation Makes the Case for Enterprise Risk Management - PYA, P.C.
PYA Principal David McMillan recently co-presented “Enterprise Risk Management” at the Massachusetts Continuing Legal Education 15th Annual Hospital & Health Law Conference.
Enterprise Project and Portfolio Management: Managing the Revolution - UMT
Most large organizations routinely need to balance the need for centralized control and local autonomy. Different lines of business may have unique objectives, and it’s often difficult to envision implementing standardized processes. Dispersed companies tend to slowly gravitate away from homogenous practices and this leads to fragmented policies and the use of disparate systems. In more extreme circumstances, merger and acquisition activity may attempt to quickly assimilate entirely distinct organizations. However, implementing the Comprehensive EPM methodologies and frameworks in a systematic manner will yield predictable results that include savings, improved transparency and better alignment with company strategies.
On average organizations spend $10M+ responding to third-party security breaches each year. Third-Party Risk Management (TPRM) is the process of analyzing and controlling risks presented to your organization by outsourcing to third-party service providers (TPSP). TPSP relationships can introduce strategic, financial, operational, regulatory, and reputational risks.
For example, some TPSPs are involved in the storage, processing, and/or transmission of cardholder data (CHD), while others are involved in securing cardholder data, or securing the cardholder data environment (CDE).
Digital relationships with third-party providers increase opportunities for growth, but they also increase opportunities for cyberattacks — a recent study found that 61% of U.S. companies said they had experienced a data breach caused by one of their third-party providers (up 12% since 2016).
Learn more about:
• TPSP lifecycle,
• The effects of due diligence,
• The five critical control objectives, and
• How to build an effective risk assessment questionnaire.
To learn more, visit: https://bit.ly/3vQ4DjC
Ben Chamberlain, UMT360: PPM + Financial Intelligence = Greater ROI - UMT
Ben Chamberlain, UMT360 gave this presentation at Microsoft and UMT event Project Portfolio Management Exchange at Microsoft San Francisco office on January 14, 2014.
PYA Principal Shannon Sumner co-presented “Enterprise Risk Management” at the HCCA Board Audit Committee Compliance Conference, February 27-28, 2017, in Scottsdale, Arizona.
The presentation covered:
The role of the governing Board of an organization in enterprise risk management (ERM)
Effective ERM in today’s healthcare setting
When ERM fails: “The perfect storm”
Tricks of the Transformation Trade: Disruptive Disintermediation, Agility Age... - UMT
A vast majority of U.S. multinational firms – 93% in fact, according to a recent survey – are at some stage of undergoing or preparing for business transformation initiatives. This is being driven by an unprecedented confluence of changes in customer behavior, disruptive technology and domestic competition, among other key triggers. It’s constantly “transform or wither” in today’s volatile global business, and agility is the executive imperative of the day, albeit an elusive one. An organization’s long-term success or failure depends on its capacity to consistently identify opportunities and risks and renew itself faster than rivals do. Business leaders need to be more efficient and effective at updating and implementing strategies than ever before. If wielded correctly, an important weapon in their agility war chest is a new style of enterprise program management office (PMO) that is more comprehensive than in the past.
This is a lecture I have for female managers from third world countries. It is part of a larger course financed by SIDA - the Swedish foreign aid development agency
ERM Evolving From Risk Assessment to Strategic RiskManageme.docx - russelldayna
ERM: Evolving From Risk Assessment to Strategic Risk Management
hfma.org/Content.aspx
Changes in the healthcare system are bringing new risks, which hospitals and health systems need to manage effectively to remain competitive.
The U.S. healthcare ecosystem represents a $5 trillion market and is projected to grow to a $5.5 trillion market by 2025. The exponential growth comes from several thematic drivers, including the shift from volume to value and the rise of the consumer, both of which are turning the industry on its head as new payment models and greater expansion of consumer options are being introduced to the marketplace. Other drivers include evolving mobile strategies, new entrants, an aging population, and continued uncertainty in political and regulatory environments. With medical device cybersecurity vulnerabilities being reported at record levels, it is evident that new risks are constantly threatening the quality of patient care and providers’ long-term prosperity.
As the healthcare market expands and evolves, the inherent risks also are increasing, as shown in the sidebar.
Moving Beyond Risk Identification
Traditionally, the healthcare industry has excelled in risk identification and assessment. The industry has been less proficient at prioritizing and managing risk, however, and it has a vital need to tackle these areas. To do so, healthcare providers must invest more in building enterprise risk management (ERM) capabilities.
As a defensive strategy, a focus on avoiding risk may seem to hold promise, but no hospital or health system can avoid risk entirely. By giving an organization insight into how to take the right risks at the right time, an effective ERM program can help the organization more successfully execute its strategic imperatives.
Getting Beyond Basic Effectiveness
Despite the growing importance of programs today, and the raised awareness of their importance, many healthcare providers have been slow to adopt a more sophisticated approach. As shown in the exhibit below, the current state for most providers falls between “basic” and “evolving” maturities for ERM programs.
Levels of ERM Maturity (exhibit)
http://www.hfma.org/Content.aspx?id=60137
Organizations classified as basic recognize the implications of risk to achieving the organization’s objectives and are just beginning to have important discussions on the topics of risk. Often defined as hazards and considered only in the context of their adverse consequences, risks managed at a basic maturity level are identified on an annual basis; risk mitigation and controls are seldom factored in, and reporting is infrequent, most often biannual at best. Organizations at basic maturity also may have disparate risk management processes that aren’t managed in a coordinated manner (e.g., compliance, IT/cyber security, operations, and legal/insurance) and that exist outside normal management processes or cadences. Moreover, the internal ERM risk assessment is s.
DISUSSION-1RE Chapter 15 Embedding ERM into Strategic Planning.docx - madlynplamondon
DISCUSSION-1
RE: Chapter 15: Embedding ERM into Strategic Planning at the City of Edmonton
The two strategic processes
The two strategic processes which are tightly connected to ERM in the current scenario of Edmonton City ERM implementation are:
Results based budgeting and Performance measurement.
Results based budgeting (RBB):
ERM helps organizations to allocate resources based on the requirements for completing the tasks and producing the desired output. The RBB assists in determining the funding allocation requirements which are mandatory to fulfill the strategic objectives of the organization. This budget formulation is performed based on predefined objectives such as priority, resource availability and expected results, etc. Here the expected results represent the desired outputs which the organization expects in order to meet its strategic goals. In simple words, results-based budgeting is about emphasizing performance and accountability.
Performance measurement:
Continuous performance measurement helps organizations to drive progress in risk mitigation and provides insights into where additional attention is required. Key performance indicators (KPIs) can be used to measure the effectiveness of risk management activities. Performance measurement in ERM sends the list of desired outcomes to RBB and receives a list of prioritized programs and costs to ensure ERM works at its full potential (Fraser, J., Simkins, B. J., & Narvaez, K., 2015).
Two criteria must be balanced in a successful ERM model
The two criteria are model power and user-friendliness. A powerful model can provide a large amount of information and lets the organization compare the results and risks, the effectiveness of the current program and the impact of future initiatives. A user-friendly program makes it easy to add information and new features and is easy for the user to understand with simple steps. User-friendliness also includes that, if needed, some unnecessary steps could be removed without losing model robustness (Fraser, J., Simkins, B. J., & Narvaez, K., 2015).
Thank you
References
Fraser, J., Simkins, B. J., & Narvaez, K. (2015). Implementing enterprise risk management: Case studies and best practices. Hoboken: Wiley.
DISCUSSION-2
1. What the other strategic processes are closely tied to ERM?
The strategic processes may have a success strategy which is linked to the command of risk and organization understanding. The selection of strategy is a high-stakes exercise. Approx. 80% of the underperformers may, against the industry, have lost their way over the prior 10 years because of blunders that are strategic, according to the business and strategy magazine. It may blame the failure on operations errors and the external event or compliance fault.
2. What three kinds of risks are identified within the city of Edmonton?
There may be three risks which may involve avoidance or risk termination, tolerance or acceptance of ...
Ahead of the marcus evans National Healthcare CFO Summit Fall 2019, read here an interview with Joni Noel discussing how healthcare CFOs can ensure their health system is compliant with the new lease accounting standard under ASC 842 or GASB 87
Chapter 101. Describe the concepts and models of plann.docx - cravennichole326
Chapter 10
1. Describe the concepts and models of planning and decision making in the context of the healthcare supply chain.
2. Discuss the importance of situational factors (trends, environmental issues, technology, regulatory compliance, etc…) in the planning process and how leadership principles, metrics and improvement tenets can be used to positively impact the organizational culture of healthcare supply chain operations.
3. Relate, discuss and provide areas of integration between planning and decision making amid continuous operations of the healthcare supply chain to include the use of metrics and improvement strategies.
4. Distinguish the differences between planning and contingency planning.
5. Merge principles of leadership, planning and decision making to develop a personal plan for operating in a fast paced healthcare supply chain environment.
6. Evaluate the benefits for organizational operations with a solid planning process and standing operating procedures as part of the healthcare supply chain culture to include outside sales representatives.
Chapter 10: Building a Culture of Healthcare Supply Chain Excellence: Leading, Planning, Managing, Deciding, and Learning
Learning Objectives
Describe the concepts and models of planning and decision making in the context of the healthcare supply chain.
Discuss the importance of situational factors (trends, environmental issues, technology, regulatory compliance, etc…) in the planning process and how leadership principles, metrics and improvement tenets can be used to positively impact the organizational culture of healthcare supply chain operations.
Relate, discuss and provide areas of integration between planning and decision making amid continuous operations of the healthcare supply chain to include the use of metrics and improvement strategies.
Distinguish the differences between planning and contingency planning.
Merge principles of leadership, planning and decision making to develop a personal plan for operating in a fast paced healthcare supply chain environment.
Evaluate the benefits for organizational operations with a solid planning process and standing operating procedures as part of the healthcare supply chain culture to include outside sales representatives.
Introduction
Planning and decision making are essential to efficient, effective and efficacious healthcare supply chain operations and strategies.
Leaders and managers must structure and facilitate plans that integrate well with the healthcare organization’s strategic plan and must make consistent decisions in alignment with those plans.
Creating standing operating procedures for routine and consistent operations of the supply chain allows leaders and managers to spread the operational culture at all levels of the supply chain enterprise.
This chapter provides an overview of planning, improvement strategies, metrics, regulatory compliance and decision making.
These constructs should be reviewed and ...
Explanation of policies, guidelines, procedures and standards. Article focuses on the elements of a good policy and other considerations to ensure successful implementation for the organization.
CCAR & DFAST: How to incorporate stress testing into banking operations + str... - Grant Thornton LLP
Banks are integrating elements of regulatory stress testing into their everyday business processes and strategic planning exercises, and optimizing enterprise risk management in the process. What does enterprise wide stress testing mean for a financial institution? What are the impacts and implications to a financial institution?
Discussion- 11. How does efficient frontier analysis (EFA) dif.docx - madlynplamondon
Discussion- 1
1. How does efficient frontier analysis (EFA) differ from other forms of complex risk assessment techniques?
The issue of the selection of the risk management methods to support investment decision-making is one of the key issues discussed in the management of portfolios. The factor contributing to the development and dissemination of the risk management methods is the fact that the development of this theory, the risk of portfolios of financial institutions began to measure widely using the Markowitz portfolio selection model. Currently, this problem has been solved, since his designation used linear programming. It cannot be missed with these two facts. The indication of such a relationship, as well as its characteristics are the main purpose of the publication, in which there was not only used the study literature. The efficient frontier can be defined as the image of a set of portfolios that provide the maximum return for each level of risk or minimal risk for any level of return. In addition, this measure brings important details in the development area of portfolios’ management of financial instruments, on the grounds that it considers the possibility of the investor’s bankruptcy and may be regarded as a dynamic measurement of the risk (Bali T.G).
2. What limitations might an analyst encounter with EFA?
The financial equivalent of racing cars, they're one of the most touted, yet most misunderstood and misused, tools in the field of financial planning. Understanding the nature of an efficient frontier model and the assumptions on which it relies. As with a sophisticated racing car, a powerful tool in the wrong hands can be a very dangerous thing. For example, it's logical to believe that stocks will outperform bonds in the future. Efficient frontier models rely on historical data and relationships to generate the "perfect" portfolio. In my experience, many investors who use efficient frontier models are unaware of their pitfalls. These models are being marketed as solutions to the problem of portfolio construction, but they come without instructions.
3. How can efficient frontier analysis results be communicated and utilized with a nonmathematical decision maker?
Communication is not a crank to be turned mindlessly, but a decision problem of its own. As we will see, there are many alternatives to consider. The analyst’s choices constitute the design of a communication plan. In ideal cases, the client is infinitely patient, unshakably invested in the problem, fully committed to finding the highest quality solutions, flexible about the process, and unwavering in confidence in the analyst’s work. In such cases, tight outlines or rambling jumbles may lead to the same outcome. Good quantitative analysis alone does not usually produce good decisions, because rarely does the analyst control all the resources required to decide and act. Decision makers and other players who influence the decision must assimilate the results of th ...
September 2013 The RMA Journal 28
OPERATIONAL RISK
Here are six steps to ensuring that your firm’s approach to policy management is improving risk mitigation while meeting stakeholder needs.
by Greg Montana, Daniel Paula, and Jane Krecicki
Since the financial crisis of 2007-09, much has been written about the importance of a strong risk management function capable of challenging front-line business units within financial services firms. Since the crisis, many of these firms have focused on expanding and improving their internal risk management functions, and many have made significant progress.
Risk management is in the spotlight, as indicated by U.S. Comptroller of the Currency Thomas Curry, who stated that operational risk is now the most important determinant of a financial institution’s robustness and stability, replacing credit risk as the major safety and soundness challenge for national banks.1
It is axiomatic that enterprise policy management should be a vital part of an effective risk management program, and there is strong evidence that banks and other financial institutions have focused on this aspect in efforts to improve their risk programs. Nonetheless, for policy management to have a sustainable impact, risk managers should follow a set of leading practices and make sure to give those practices ongoing attention and maintenance.
This article will discuss the art of risk mitigation through sustainable policy management practices. It will identify key stakeholders and their interests and propose leading practices for the financial services industry as it deals with the aftermath of the financial crisis.
(Article title: The Importance of Sustainable Policy Management in Delivering an Effective Risk Program)
Six Leading Practices in Policy Management
A properly structured policy management program adds value to all stakeholders of a financial services firm. These include internal stakeholders, such as employees, executive management, and the board, as well as external stakeholders, such as clients, auditors, and regulators. Employees want clear, easy-to-understand, and accessible policy documentation so they will know what is expected from them. Executive management and the board are interested in how well strategies and goals are being carried out through codified expectations in well-written corporate policies. Internal auditors and government regulators are interested in measuring policy adherence and in ensuring that policies meet regulatory and industry standards. Clients rightfully expect their financial institutions and vendors to have policies that protect their assets and sensitive data.
Meeting all these expectations is at the heart of a strong enterprise policy management program. Based on experience in developing and leading policy management programs, the authors have observed these leading practices:
1. Establish a policy office and define clear roles and responsibilities for the policy management process.
Creating a policy office in effect creates a central function with clear authority for administering the policy management program. The policy office should then define the roles and responsibilities for all other participants in the policy management program. Policy owners (or stewards) with the correct subject-matter expertise should be assigned to all policies and given accountability for authoring and maintaining them. Oversight and governance of the policy management framework should be centralized within the policy office to ensure that policy owners across the organization are performing consistently. Responsibilities for compliance, implementation of policy requirements, and employee training should also be clearly articulated. Executive management should not only be informed of all new policies, but be required to approve major policy changes as well as new material policies. The policy-approval process should be crystal clear. Any policy exceptions ought to be individually approved and monitored. Finally, the list of policy owners (or stewards) should be kept current. All changes should be formally approved on a regularly scheduled basis.
2. Spend time on semantics because it matters.
A consistent taxonomy is also a fundamental part of solving the policy management puzzle. A clear and concise working definition of a “policy,” a “standard,” a “procedure,” and a “guideline” should be documented and disseminated throughout the organization. Organizations should also consider developing training targeted at policy owners to ensure that corporate policy writing and maintenance activities are executed consistently. An organization’s central policy management team is perfectly positioned to work with policy owners to ensure that every policy meets consistent criteria.
3. Centralize policy documentation and make it easy to find.
Centralizing policies and making them easily accessible to employees are keys to sustaining a successful policy management program. Policies should not be dispersed but rather consolidated, maintained, and managed, ideally using technological solutions to automate workflow and document management activities that ensure positive control over the content. Organizations should keep their policy inventory in a centralized location, subject to strong version control, functioning as the one-stop shop for all corporate policy needs. This construct helps avoid the proliferation of user-defined intranet portals, which fall outside the oversight of the central policy governance team. Automated tools can be used to configure search parameters and render policy documents to avoid confusion, simplify the user experience, and keep the content current.
[Figure: policy hierarchy. A policy answers “What?”; a standard answers “How?”; a guideline captures best practices. The diagram’s axes are labeled Details/Depth and Broader Implications.]

4. Measure to manage the program.
With one central repository, metrics and reporting can be used to manage the quality and accuracy of the policy inventory. A simple yet helpful risk indicator is the percentage of policy documents with past-due reviews, which measures the quality of the policy inventory. It can also be used as a forward-looking (predictive) indicator of poor compliance or audit ratings. The higher the percentage, the more likely your policy documentation is outdated and the less likely your business standards and employee practices reflect your policy. In a nutshell: policies cannot afford to be outdated. They must be reviewed and updated on a regular basis. The frequency of policy review and updating should be based on a simple, risk-based approach. Policies intended to cover the highest-risk practices should be reviewed and updated at least annually. The speed with which the regulatory landscape changes demands nothing less. In addition, policy management reporting should be incorporated into overall governance routines, such as line-of-business or corporate operational risk committees, to give visibility on all policy activity as well as risk indicator levels.
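As an added example (not code from the article or from FIS), the past-due-review indicator described above can be computed over a policy inventory using risk-tiered review intervals, broken out by tier so a committee can see whether the overdue items are high-risk policies or low-risk guidelines, and cross-checked against the current steward roster from practice 1. The inventory, the owner roster, the policy identifiers and the medium- and low-tier intervals are constructed assumptions; the article itself fixes only the annual interval for the highest-risk policies.

```python
"""Policy-inventory key risk indicator: percentage of policies with past-due reviews.

Added example, not from the article. The inventory and owner roster below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Maximum review interval per risk tier. The article fixes only the high tier
# ("at least annually"); the medium and low intervals are assumed here.
REVIEW_INTERVAL_DAYS = {"high": 365, "medium": 730, "low": 1095}


@dataclass(frozen=True)
class Policy:
    policy_id: str
    title: str
    owner: str          # policy owner / steward (practice 1)
    risk_tier: str      # "high", "medium" or "low"
    last_reviewed: date
    version: str        # from the version-controlled repository (practice 3)


def review_due(policy: Policy) -> date:
    """Next review date implied by the policy's risk tier."""
    return policy.last_reviewed + timedelta(days=REVIEW_INTERVAL_DAYS[policy.risk_tier])


def days_overdue(policy: Policy, as_of: date) -> int:
    """Days past the due date; 0 if the review is not yet due."""
    return max(0, (as_of - review_due(policy)).days)


def past_due_percentage(inventory, as_of: date) -> float:
    """The article's KRI: share of the inventory whose review is past due."""
    if not inventory:
        return 0.0
    overdue = sum(1 for p in inventory if days_overdue(p, as_of) > 0)
    return round(100.0 * overdue / len(inventory), 1)


def past_due_by_tier(inventory, as_of: date) -> dict:
    """Same KRI per risk tier, so an overall figure dominated by low-risk
    guidelines is not mistaken for one dominated by high-risk policies."""
    return {
        tier: past_due_percentage([p for p in inventory if p.risk_tier == tier], as_of)
        for tier in REVIEW_INTERVAL_DAYS
    }


def orphaned_policies(inventory, active_owners) -> list:
    """Policies whose owner is no longer on the current steward roster."""
    return sorted(p.policy_id for p in inventory if p.owner not in active_owners)


def kri_report(inventory, active_owners, as_of: date) -> dict:
    """Summary suitable for an operational risk committee pack."""
    overdue = sorted(
        ((days_overdue(p, as_of), p.policy_id) for p in inventory if days_overdue(p, as_of) > 0),
        reverse=True,
    )
    return {
        "as_of": as_of.isoformat(),
        "past_due_pct": past_due_percentage(inventory, as_of),
        "past_due_by_tier": past_due_by_tier(inventory, as_of),
        "most_overdue": [pid for _, pid in overdue],
        "orphaned": orphaned_policies(inventory, active_owners),
    }


# Constructed sample inventory (hypothetical identifiers, not real policies).
SAMPLE_INVENTORY = [
    Policy("POL-001", "Information Security Policy", "ciso", "high", date(2012, 6, 15), "3.2"),
    Policy("POL-002", "Access Control Standard", "iam-lead", "high", date(2013, 1, 10), "2.0"),
    Policy("POL-003", "Vendor Management Policy", "procurement", "medium", date(2011, 3, 1), "1.4"),
    Policy("POL-004", "Records Retention Policy", "legal", "low", date(2011, 8, 20), "1.1"),
    Policy("POL-005", "Clean Desk Guideline", "facilities", "low", date(2013, 5, 5), "1.0"),
    Policy("POL-006", "Incident Response Policy", "ciso", "high", date(2012, 8, 31), "4.0"),
]
# Current steward roster (constructed); "facilities" has dropped off it.
ACTIVE_OWNERS = {"ciso", "iam-lead", "procurement", "legal"}
AS_OF = date(2013, 9, 1)

if __name__ == "__main__":
    for key, value in kri_report(SAMPLE_INVENTORY, ACTIVE_OWNERS, AS_OF).items():
        print(f"{key}: {value}")
```

On the sample data the overall indicator is 50%, but the tier breakdown shows two of the three high-risk policies overdue, one by a single day, which is the figure a risk committee would actually act on; the orphaned-owner check surfaces a policy whose steward is no longer on the roster, a gap the headline percentage cannot show.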
5. Train, train, train.
Well-defined policy awareness training should be part of every company’s new-hire orientation program, covering at least the most important corporate policies. In addition, on an annual basis, a thematic analysis of recurring issues and control breakdowns should be performed to reveal any potential policy gaps and to yield insights into which policies might need to be disseminated to employees. More often than not, behind every control breakdown is a human being who did not make the right call at the right time. While human error cannot be completely avoided, adequate policy awareness training can be an effective mitigation strategy. The highly regulated airline industry, with its focus on rigorous and ongoing safety training to ensure all employees are aware of policies and requirements, provides a good example for the financial services industry. When it comes to increasing employee awareness, the best practice is to have a single policy system that allows employees to see all of the policies that apply to their specific roles in the organization and to receive an automated notification of new or revised policies.
6. Sign, attest, acknowledge, and track.
Attestation and acknowledgment must be integral parts of policy management. Even putting the most sophisticated policies in place is not enough. Organizations must also be able to attest to the training they provide, as well as certify that their employees understand and agree to comply with corporate policies.
Conclusion
Heightened regulatory expectations and ongoing change in the financial services industry demand a more disciplined approach to managing corporate policies. This article presented six policy management practices designed to improve risk mitigation while addressing what can often be complex stakeholder needs.

Whether you are managing operational risk at a community bank, a regional institution, a technology services provider, or a large bank, the challenges are similar. A consistent and structured enterprise policy management program is more than just collecting important documents and providing them when requested. It is about creating a lever that can be pulled to help reduce risk exposure, while enabling employees to understand their roles and perform their jobs more efficiently and effectively.
Greg Montana is executive vice president and CRO at FIS. He can be reached at
greg.montana@fisglobal.com. Daniel Paula is senior vice president, risk management
executive, and head of enterprise risk governance and policy at FIS. He can be reached
at daniel.paula@fisglobal.com. Jane Krecicki, risk manager, leads the enterprise policy
management program at FIS. She can be reached at Jane.Krecicki@FISGlobal.com.
Notes
[1] “‘An Extraordinary Thing’: OCC’s Curry Sees Operational Risk as Top Concern,” American Banker, May 16, 2012.
[Figure: Policy Management Lifecycle. Stages: Policy Development and Approval; Communicate, Train and Acknowledge; Implement and Enforce; Policy Measurement and Evaluation. Purposes shown: define and communicate boundaries and expectations; communicate expected behavior; drive compliance enforcement and guide desired behavior; establish governance and accountability framework; protect the organization; achieve business outcomes.]