Maybe this should be in the "Couch" forum but here it is in "General"

It happened again today. A co-worker (Controller) stated that she was speaking with our Bank President, when one of the directors walked into the office. He questioned the timing of the next audit meeting and asked her if she would have things for them....Then he said that there was one thing he wanted to know: "Why do we have 500 policies?"

This question has never been posed to me (compliance officer), however, it has been asked by directors before to others including the bank president and now to the controller. I used to attend the Audit Meetings and discuss some of the compliance issues, but was made to feel that those things were not important and really they were not interested in hearing about it. They wanted to know who had overdrawn their accounts. Eventually, I stopped attending. Sometime, I've been asked by the person who distributes the copies of the policies to the various department, if "because there are so-o-o many" change the margins so the policy would print on one or two pages.

Now, I'm not sure how all of this makes me feel...but it isn't good. Maybe I am being too sensitive.

First off, we don't have 500 policies. But we do have quite a few. I send them to the board annually. Sometimes there are no changes.

I sometimes feel that I should respond to such questions, even if they weren't directed to me. Yet I'm not sure how. I certainly don't want to insult a board member.

We are from a small town and I think that most of the time (let's face it compliance is not the most exciting topic) they are in a hurry to go to the Board Supper held after the meeting.

Any ideas of IF and how I should address this.

Thanks,

Maybe I am being too sensitive.

So, you already know the answer! The care and feeding of Directors is the CEO's job, not your job. Don't get involved directly and only respond when you are asked to respond, unless you have an 'issue' to bring up relating to your responsibilities.

Directors come up with all kinds of 'stuff' and if you are lucky you have a CEO/President that shelters the staff from the more curious input and suggestions. Relax - we are only here for a few years.

We have lots of policies as well...some things you might consider are:

Make your changes in bold, so they can scan them, rather than read them...If they are given a 50 page policy, they are more apt to look at the changes than they would be to ever read the entire thing...

Consider sending an updated title page on unchanged policy, noting it as unchanged and available for view upon request...this will cut down on unnecessary copying as well as keep it at one simple page.

Consider only sending required policies out for board approval...

Hope this gives you some idea to bring back the meat to the importance of your policies, without inundating the directors with a ton of paper. Also...consider staggering your policy approval throughout the year, rather than overwhelming them once per year.

All of these things have helped me and actually, the directors do take note of them and have actually recommended changes from time to time!

I have also started to send policies to the board only when they need an initial approval, an annual approval or if I made changes to a previously approved and then I highlight the material changes so that they can find them with ease.

We also spread our policies out during the year. It helps with the time spent re-working them. One thing I also do is to create a memo that is at the top of the stack given to each director. It lists each of the policies being presented and whether it has any changes or not and explain the changes made. So far they have not had a problem with it that way.

We actually do have over 480 policies - we counted them a while back for some reason... Most are 2-3 pages. Most don't need any changes from year to year, so they just get the dates updated and re-posted.

Whenever we submit changes for approval, we always include an "Executive Summary" of what the policy is, why it's needed, and if there were any changes, what they were and why we made them. Usually a half-page or less. We also include the full text, just in case they really want to read it, but usually they don't.

We also have a committe appointed by the Board that has authority to approve most policy changes - except Bank Secrecy and a few others that require direct Board approval. Keeps the Board from being overloaded with 'trivial' (to them) issues.

While policies serve as the core governance model for all of our banks, having too many policies soon becomes unwieldy and then begins to contribute to a bureacratic malaise. Core policies in banking should be risk-focused and mirror the CAMELS/Compliance/CRA: interest-rate risk, A/L Management, capital, liquidity, hedging, securitizations, if applicable; lending, appraisals, ALLL, etc., etc.; followed by your non-financial support systems: security, consumer compliance, CRA, etc.

Instead of stressing over the issue, you can look like a problem solver and announce to the CEO and/or Board that you'll be coordinating and leading a review of all policies for applicability and effectiveness. Policies are high-level control documents, not day-to-day "how-to" procedural documents, and there is such a thing as having too many policies. More is not necessarily better.

Directors tend to view the need to be business-like, and they're likely to be bottom-line oriented. They want a non-greek version of risk presentation, not competing managers trying to out-do each other as to who has the most critical risk for the Board to address.

I would pause, step back, and then devise a strategy that truly serves as a solution . Listen to the message the Board is saying: that the policy infrastructure is too unwieldy. Put your consultant hat on, don't resist, and go with the flow. You'll be tapped as the bank's next chief risk officer!

[qu ote]We actually do have over 480 policies

---

Thanks everyone!!!!!

Good suggestions here, and I have a few more. When going to the board, group policies by type -- such as specific bank activities -- lending, investments, security, etc. That way, you can cover several policies with one thought process and it is less overwhelming or confusing.

Another approach is to combine policies that are for similar purposes. A Bank Secrecy policy can include OFAC, for example. You can have a general "Fair and Ethical Lending" policy that covers everything from ECOA through predatory lending and unfair or deceptive practices. And, you can even merge these into your full lending policy. If you do this, keep track of what regulations are covered by -- or incorporated in -- which policies so you can answer your examiners when they want to see specific policies.