Minding your P’s and P’s

It seems that there is a constant barrage of regulations and standards that businesses must comply with. Every quarter there is a new audit; SOX, GLBA, HIPAA, PCI, and the list goes on. Businesses try to accommodate these requirements by adopting structured governance model which presents their own requirements, seldom aligning perfectly with the others. Fortunately, there is a common thread woven into all these business detractions. If managed properly, that thread can be a lifeline to save much of the time and effort required to meet regulatory requirements. So what is this thread? It’s your policies and procedures.

Policies and procedures are the foundations of your businesses activities. They are the rules that you play by. They also can make up much of the evidence required by auditors to show that you understand and intend to comply with whatever regulation or standard being applied at that moment. Policies are high level management directives. They are designed to indicate to the company’s workers that management has made a commitment to something which they expect the staff to uphold. Policies are typically general in nature. Specifics are usually in the domain of the procedure.

Procedures normally contain the detail that flows from the policy. If the policy says ‘management is committed to the protection of customer private information’, then the procedure will explain how that will be accomplished. Sometimes a policy and procedure are mixed in a single document. While this is not a preferred practice, it can be acceptable.

Policies and procedures are living documents. They are meant to change and grow with the organization. They should be reviewed at least annually, but modified anytime there is a significant change that should be made. Policies and procedures should have an embedded change control process to track changes and ensure management has approved. Old copies of policies should be removed and replaced with new copies whenever changes occur to ensure everyone is using the same playbook.

Some regulations and standards require specific language in policies and procedures to meet their compliance requirements. While there are many options for developing policies from templates or forms, it is often advisable to enlist the aid of a professional when developing a policy set. Most boilerplate templates are designed to meet one of the many regulations, but may fail to include language to support others a business may be subject to. Also, most premade policies usually lack procedures.

Procedures provide the how to implement policies and as are frequently closely related to the actual practices employed by the business. In some cases, procedures are developed to meet the intent of the policies while documenting the current practices of the business. In others, procedures are required to impose changes to current practices to meet policy directives and regulatory requirements. In either case, bringing in outside assistance can drive the process of documenting and ensuring compliance. The perspective of an experienced auditor can be a cost savings in the long run. So be prepared and mind your P’s and P’s.