Policy, standards and guidelines: Not sexy, but necessary

by Urs E. Gattiker on 2010/12/30 · 7 comments 8.626 views

We previously noted that risk management is not sexy, but neither is ensuring that proper governance is followed in order to stay compliant with policy and standards.

Compliance is becoming increasingly important in these times of economic boom and bust. For instance, on 2010-12-21 New York prosecutors first took legal action against Ernst & Young regarding Lehman Brothers’ collapse.

[Image: Compliance is a balancing act.]

State prosecutors accuse E&Y of helping Lehman Brothers engage in a ‘massive accounting fraud’ by approving a move under a controversial accounting measure known as Repo 105 that temporarily reduced the broker firm’s debt, leading investors to incorrectly believe that the bank’s financial position was more secure than was actually the case.

The lawsuit puts the extent of the transactions allowed by E&Y under the spotlight, not the legality of the transactions themselves. After the Enron debacle, US regulators imposed the Sarbanes-Oxley Act, which many auditors believe adds little protection – an argument supported by Lehman’s demise.

However, since an auditor’s greatest asset is its reputation, attacking it in the courts is an effective means of control. In turn, additional rules would appear unnecessary and if Andrew Cuomo, New York’s attorney general, believes he has a case, he should see it through in public and avoid a private settlement.

In this post we discuss the key terms and similarities between guidelines, rules and compliance.

1. Policy and standards
A policy is usually made up of a set of rules (see below). It may also stipulate that legal compliance and adherence to certain standards (e.g., regarding ethics and ISO standards) is implied and must be demonstrated in all activities undertaken on behalf of the enterprise. Of course, this includes such things as IT security efforts and risk management.

There may also be some unwritten rules about overtime or travel expenses within an organization. Of course, people tend to know what is and what is not permissible.

Standards can be categorized as follows:

    1. Industry standards try to improve compatibility of technology and facilitate globalization.
    2. International standards are a result of increasing globalization that requires countries to work together to harmonize legislation to ease and enable cross-border business.
    3. Standards by regulators, such as compulsory refrigeration of perishable food items or safety testing of consumer products.

Often a firm’s policy may refer to some standards, and the philosophy or idea behind a standard can also differ, such as whether it is encouraged or required.

Principles-based standards or guidelines are usually based on common sense and the regulator or company may put into effect something like

    Regarding these rules, guidelines or standards:

2. Rules and guidelines
[Image: When you end up in court. Everything you write and share on Facebook, Twitter, Google Buzz can and will be held against you in a court of law.]

In contrast to standards, rules govern the acceptable use of computing resources, security practices, and operational procedures in an organization.

Rules may be prescriptive, whereby they outline what one must do. The Sarbanes-Oxley Act outlines the rules that must be followed to remain compliant.

Other examples include the Federal Trade Commission (FTC) Guidelines on Blogger Disclosure, which state that a blogger must disclose whether a product that is reviewed was received free of charge, or the FTC can fine offenders up to US$11,000.

In contrast to guidelines from regulators, guidelines from management are suggestions for best practice. These result in standard procedures that make it easier for employees to follow guidelines while working. For instance, company guidelines may suggest that cash be stored securely, so employees’ standard procedure may be to lock up any petty cash whenever it is not in use.

3. What it means in practice
Globalization has resulted in a convergence of standards.

However, while Europe, and the UK in particular, may use and prefer principles-based standards, the US tends to prefer prescriptive rules, which are much more specific, easier for auditors to follow, and also tend to be preferred by corporate lawyers.

This difference is also illustrated by ISO 27002 (originally ISO 17799), an information security standard that is principles-based and sometimes rather open to interpretation. COBIT (Control Objectives for Information and related Technology), also strives to be principles-based, though its specificity sometimes borders on the explicitness, extensiveness and prescriptiveness of rules.

The biggest challenge is that rules that are too specific will create a check-box mentality, whereby people will do exactly what is required, but no more or less.

Following the spirit as well as the letter of the law is the key to successful compliance with a principles-based code, because it requires exercising good judgment, doing the ‘right’ thing, and acting ethically even when the law is not specific.

When faced with a business situation in which one must determine what the right thing to do is, ask the following questions:

    1. Am I following the spirit, as well as the letter of any law or company policy?
    2. Would I want my actions reported publicly?
    3. What would my family, friends or neighbors think of my actions?
    4. Will there be any direct or indirect negative consequences for my employer and my team?

Policy and compliance management is a process, not an event. The increasingly difficult regulatory regime makes it a core organizational principle, which must be adopted and incorporated into our daily working environment.

If you like this post, please share it with your friends. How about asking them to comment after reading; I love to hear what people think!

Are you with me on these compliance, regulation and guideline issues? What do you think? Please leave a comment; the floor is yours!

And since this is our last post before the New Year, we would like to wish you and your family a safe and happy holiday!
