Back to Basics -- Policies
by Andy Zavoina, BankersOnline.com Guru
"It's our policy. It's not our policy until someone complains. It's our policy whether they complain or not."
The above quote was posted in the BankersOnline.com threads. It is a reminder of what policies are for. Whether you are a member of the board or senior management, it is useful to review the basics from time to time. And policies are a basic component of the management foundation of your institution.
By definition a policy is "a plan or course of action, as of a government, political party, or business, intended to influence and determine decisions, actions, and other matters." It is meant to be long-term guidance.
The purpose of a policy is to answer important and common questions. The policy provides information on issues and provides direction like a roadmap. If a question arises once every few years, it isn't necessary to have a written policy to address it. Writing and maintaining that policy, including training for it, would be more costly than answering the simple question infrequently. But if it is asked every month or if it has high risks, a policy, a direction, may be in order.
Some policies are required. But don't bother looking for a master list. There isn't one. In my discussions with three regulatory agencies I asked about this. The OCC mentions several policies that are required in their licensing manual. But it isn't all-inclusive. Each regulator told me that policies that are required are referenced in their manuals, bulletins, issuances and other documents. In the long run, when you have the policies that are needed to help guide your institution, you should have what is needed. The examiners don't have a master checklist either.
And you do not need a policy for every regulation that exists. You do need them for those where questions are common and guidance is desired. Universally you should have a Bank Secrecy Act policy, Branch Closing, Disaster Recovery, Privacy and Security. This list is not exhaustive.
A good policy is succinct. It isn't detailed. That is where your procedures are used. A policy should convey what is required in a general statement, where basic controls are needed and should also denote the penalties for not following the policy. Without enforcement measures, policy users have no idea what could happen if they failed to follow this. Internal enforcement actions may be one policy, or may be a part of each policy.
Above I said that policies are long-term guidance. They are. But that doesn't mean they don't have to be revised periodically. Annual policy reviews are advantageous even if the rules and requirements that influenced them have not changed. By having the board reaffirm the policies, they reaffirm that this is still the direction they want the institution to follow.
Two ways annual reviews may be done include staggering them, or doing them all at once. In the former method, the policies for review are divided into the meetings in which they will be addressed. Twenty-four policies would be reviewed two per month for a monthly board review schedule, six per quarter, etc. Procedures outlined below for the review process could also be used here.
For an annual review we suggest having the policies made available to the board members in advance. A month or two prior to the meeting in which they will be presented should be sufficient. Present the policies in paper or electronic format with a recapitulation of what each policy addresses and what changes management recommends. The policy itself can show, using Microsoft Word's "Track Changes" feature as an example, where any recommended changes are. This makes reviews much easier and faster. As the voting board members review these in advance and on their schedule, they should have access to a point of contact who can answer any questions. A senior person with intimate knowledge of the policy, what is required, what may have changed and how effective it is should attend the meeting or be available when the documents are being reviewed and be prepared to answer questions. With all the reviews done in advance, discussion, a motion and a vote of approval could take only a few minutes of board meeting time.
It is also recommended that one central point of contact maintain the policies. This will provide a consolidated list reflecting each policy, when it was last approved/affirmed, and the point of contact responsible for answering questions and recommending changes. The central point of contact should be familiar with all of these and should ensure there are no conflicts between policies. You do not want one which allows something to be done, and another that prohibits it. This will also hel make the policies available to all employees who need access either to paper copies or electronic versions.
With a system that provides inventory controls, periodic reviews by staff and approvals by the board, your policies practices will of the highest standard and will be up to date. Providing those in the drivers seat with the directions they need will help you arrive at your destination.
First published on BankersOnline.com 5/5/04
First published on 05/05/2004