Written policies and procedures are important. Few financial institution officers will argue that. However, in the eyes of an IT examiner, it isn’t enough to simply have written policies in place. Examiners increasingly want to know that the institution follows its own rules.
Policies, procedures and practices form the three pillars of compliance. All three must be present and, ideally, in perfect alignment with one another. Policies clearly state what you will do: protect customer information, recover critical processes, oversee third-party relationships, etc. Procedures describe, step by step, how you will accomplish your policy goals. Your practices are what you actually do.
More than three-quarters of financial institutions (78%) indicate their examiners were more interested in practices – documentation that policies were being followed – than they were in written policies and procedures alone, according to an informal survey conducted by ComplianceGuru.com. No longer is it simply acceptable to have written policies and procedures in place. IT examiners want to see proof that bankers are following their own instructions.
In his accompanying post, Tom Hinkel, Safe Systems VP of Compliance, notes that the trend is a break from tradition. Where in the past examiners looked for policy weaknesses, they now seem to be reading deeper into the meaning of each policy and asking whether the institution is testing, refining and following its procedures. In other words, it’s important that you say the right thing, but even more so that you do it.
(Policy weakness) problems are relatively easy to fix: draft the policy or expand it or enhance it, run it by the Board, and move on. But every time you add a policy, or expand an existing one, you obligate yourself. You say you’ll do something a certain way, or with a particular group, or with a specific frequency. And this is where many recent exam findings have occurred. Examiners are reading through your policies, and identifying deviations between your policies and procedures and your actual documented practices.
This is nothing new; I originally wrote about it back in 2011. What is new, however, is the depth and breadth of the scrutiny. What used to be primarily limited to Board reporting and testing and auditing now seems to include almost any instance of “will” or “shall.”
With that in mind, now might be a good time to revisit your policies. Highlight every instance where a “will” or “shall” is mentioned, how often it says you’ll do something, and with what group. If it’s something you don’t need to do, take it out of your policies. If you should be doing it and can’t prove you are, implement processes to document your practices. For many aspects of IT, such as patch management, data backups and security monitoring, this is an area where automated systems can provide the documentation needed to show an examiner that your practices align with your policies.