Bloomberg Law
Sept. 25, 2019, 10:49 AM

ANALYSIS: Avoiding Common Pitfalls of Poorly Managed Policies

Patty Tehrani
Patty Tehrani
Legal Analyst

The SEC and the CFTC announced a settlement with the Options Clearing Corporation for mismanagement of the clearing firm’s policies. Unfortunately for the OCC, the penalties weren’t limited to a hefty $20 million fine—the firm also had to complete various remedial measures. The SEC’s order also charged the OCC with changing certain policies without obtaining approval from the regulator.

According to the OCC’s statement on the September 4 settlement, the clearing firm replaced a number of its executives. These changes included hiring a new Chief Executive Officer, Chief Operating Officer, head of Financial Risk Management, Chief Information Officer, and Chief Security Officer, as well as new heads of control functions. The OCC also increased its budget and headcount in the areas of risk management, compliance, legal, and information technology.

Why the hefty fine and expansive undertakings?

Consider the OCC’s designation as a systemically important financial market utility (SIFMU), a designation that triggers enhanced oversight. If a SIFMU fails, its failure might harm not just the firm but could also threaten the stability of the U.S. financial system. These concerns underlie the actions taken against the OCC’s for its deficient or missing policies, a risk both the SEC and CFTC could not readily ignore as the clearing firm’s primary gatekeepers.

Commenting on the settlement, SEC Chairman Jay Clayton said: “As a clearing agency, OCC performs a range of services that are critical to the effective operation of the securities markets. Today’s resolution is intended to ensure that OCC will have appropriate policies and procedures in place to meet its obligations to our financial system.”

Neglecting your policies may not have the same dire implications as OCC’s failures, but it could still result in significant consequences for your C-suite and the viability of your organization.

Below I outline essential considerations for why policy management matters and how to establish and improve policy management practices for your organization to maintain policies that work for it.

Strategies That Don’t Work

No one doubts that leaders of most organizations understand the importance and benefits of written, well-defined policies. Policies help run an organization: On the inside, they can help employees and management know what they are expected to do and not to do; from the outside, policies inform external stakeholders how an organization will engage with them, as well as how it will manage its business and protect its assets.

The OCC settlement reveals what happens when there is an ineffective strategy for managing how policies are developed and maintained. Typically, such ineffective approaches fall into one of the policy models described below.

Reactive—Organizations that rely on discovering issues or problems during a legal proceeding or internal or external audit to create (or update) policies end up with policy management practices riddled with holes. What are the consequences of this reactive approach? Time and resources are in short supply to meet deadlines, and rarely is there a defined, collaborative approach. Policies look and sound different due to siloed policy practices, and worse yet, employees may be confused about how to proceed with conflicting guidance. Policies can become obsolete if the organization leaves them unattended until the next audit. And without the proper audit trail or designated gatekeeper, it’s difficult to find policies or know how they were developed.

Over-engineered—Organizations that use this policy management approach are well-intentioned and assign resources to manage their policies. Problems often start if the assigned oversight group defines a policy management process in a vacuum with little to no collaboration with different business functions. If the process is complex, with multiple layers administering policy development and maintenance, too much time is spent on getting policies issued rather than implementing them. The unworkable process impedes staff from following it or it ends up being ignored.

Paper Framework—Frankly, organizations don’t really “use” this model that exists only on paper to present when asked for information on their policy management practices. In many cases, the organization will rely on an external source—a consultant or law firm—to outline best practices for policy management and limit internal input. The goals may be aspirational but not realistic in light of the organization’s operations, needs, and resources. The tangible output of this model is a policy management document with limited utility and a process with even less use for the organization.

None of the above approaches is an effective way to handle policy management, but this is the reality for organizations that view policy management as a burden and not a core component of their organization’s viability.

For organizations that recognize the value and necessity for policy management, please accept the premise that there is no one right way to manage policies across all organizations. However, there are common attributes of a policy management process that all organizations should consider to establish and ultimately successfully maintain a policy management framework.

Policy Management—A Blueprint

The good news is that you don’t have to start with a blank slate. Marrying the resources you have with a realistic policy management strategy that is a collaborative, proactive approach can go a long way to producing effective and consistent policies. First, consider the following components for your policy management framework:

Roles—setting out key roles and responsibilities for policy management activities, including the central control point to administer the policy management process.

Rules—defining rules for conducting policy management activities (often referred to as the “Policy on Policies”).

Inventory—organizing and inventorying policies (including any supplemental guidance) in a central repository to facilitate maintenance and access.

Process—establishing procedures for carrying out policy development and maintenance steps.

Tools—creating guides, templates, and other tools to guide how to write policies.

Awareness—notifying employees on new and updated policies ensuring they remain current on organizational policy requirements.

Implementation—integrating policy requirements into how the organization runs its business.

Records—keeping records on policy management activities.

Maintenance—assessing policy management practices periodically to keep them current.

Automation—maintaining a system to facilitate policy management activities.

An important point here is to avoid getting mired down in the details right from the outset. Plan an approach your policy management process factoring in the following measures: 1) assess current practices against your policy strategy or blueprint; 2) determine areas for remediation; 3) detail goals in a project plan; 4) engage stakeholders to ensure the output is collaborative; 5) document the results in a policy management framework; and 6) review the framework periodically to ensure it remains effective.

A word of advice from someone who has done this a few times—have a plan that sets achievable goals (unless legal undertakings dictate these). Keep in mind that your policy management process should make things easier for your organization, not harder. Separately, make sure you have the support of your organization’s governing authority or senior management. You’ll want management’s support, especially to demonstrate their commitment to the process—a strong message to both internal and external stakeholders.

Policy Management—Automate!

Maintaining a policy management process can prove challenging—and overwhelming. That’s why if you are fortunate enough to have the resources to automate your policy management process, do so. Policy management systems offer various features such as: ticklers, recordkeeping, workflows, templates, and integrations with other systems, among others. But the real benefit of automating policy management is the increased efficiency that allows you to spend more time on the substance of the policies than their administration.

Before you purchase a policy management tool, avoid common pitfalls. Many organizations waste time and resources, not to mention deploying technology that doesn’t work. If your organization uses a documented process to select, implement, and maintain your policy tool, it can avoid these mistakes and establish a model for future upgrades or purchases.


The OCC settlement is a good reminder for why policy management matters. Having an effective policy management process is essential to protecting your organization and no longer an option for well-run organizations. Implementing one or enhancing the one you have is not impossible. Consider the recommendations above, obtain the support of management and stakeholders and have a plan.

Remember policies are useful to an organization only if its employees understand what is expected of them. Effective policy management practices can facilitate this and must be part of an organization’s DNA.