Angela,
I think that the answer lies in the size and complexity of your organisation. Steve Riley's list looks good for a smaller institution, but if you have different divisions or affiliates I think this approach would best be served on a case at a time basis.
My personal belief, as I have said before, is in a principles-based approach, so I tend to get the process owners together, discuss the rules, try and get agreement as to what they are intended to achieve, and then look at existing process. The look at existing process is best done, in my experience, with one process owner and one compliance person or at least a party who neither owns nor operates the process. My reasoning is that someone familiar with the process can walk it much faster than one with no knowledge, but the knowledge itself may lead to omissions which will be recognised by the other party simply because they don't see how you get from A to B or H-J, and then the omissions, be they steps or simple pieces of process, can be written in.
Again, as I have said before, by all means refer to rules in the process but write broadly, identifying the aims of the process and the intent; mistranslation of a rule will give you far less trouble if you can show good intent. All compliance is really a broad and ethics-based practice; the rules are broad and therefore the documentation of compliance needs to be broad.
Process in itself is of course useless unless it is practical and you log regular tests to ensure continued compliance. The written process is nothing like as important in the real world as is what actually happens on a day to day basis.
Have fun, just pretend you are being paid like a management consultant - it makes you feel much better!
Matthew Read
Compliance Officers Association, Privacy Officers Association, AACFE, MICM, SHRM.