The first step in developing good policies for operational risk is ensuring that your policies, standards and procedures fit within the overall hierarchy. All too often businesses create guidelines or procedures with one or more optional components, but label the document as a "policy". Then comes the rude awakening when an auditor or regulator treats the "policy" as mandatory and notes a compliance failure because one or more units within the business have chosen to ignore a "policy" provision.
Make sure you understand the relationship and priority of the documents within the hierarchy and label the documents accordingly:
Laws - A high level, mandatory requirement by a governmental entity (e.g. "Businesses must protect customer data.")
Regulations - Detailed provisions that provide requirements for compliance with Laws (e.g. "Businesses will use firewalls, encryption, and other access controls to protect customer data.")
Policies - High level requirements issued by businesses and other organizations. Policies address how legal and internal requirements are applied to the organization (e.g. "Each business will deploy approved firewalls at every access point to the Internet.")
©2009 ISRMC, LLC