Policy Hierarchy

The first step in developing good policies for operational risk is ensuring that your policies, standards and procedures fit within the overall hierarchy. All too often a business writes a guideline or procedure that contains one or more optional components, but labels the document a "policy". Then comes the rude awakening when an auditor or regulator treats the "policy" as mandatory and records a compliance failure because one or more units within the business have chosen to ignore a "policy" provision.

Make sure you understand the relationship and priority of the documents within the hierarchy, label each document accordingly, and match the language to the label: mandatory documents use "must" or "will", while optional ones use "should" or "may":

Laws - A high level, mandatory requirement issued by a governmental entity (e.g. "Businesses must protect customer data.")

Regulations - Detailed provisions that set out the requirements for compliance with Laws (e.g. "Businesses will use firewalls, encryption, and other access controls to protect customer data.")

Policies - High level requirements issued by businesses and other organizations. Policies state how legal and internal requirements apply to the organization (e.g. "Each business will deploy approved firewalls at every access point to the Internet.")

Standards - Detailed provisions for how Policies are implemented within the business units (e.g. "All firewalls will be configured, deployed, maintained and monitored by the Technology group."). Because Standards are derived directly from Policies, their provisions are mandatory.

Guidelines - Advice on how to implement Standards. Guidelines are optional best practices (e.g. "Firewalls should typically be configured to not permit activity through the following ports:..."). Although Guidelines are not mandatory, an auditor or regulator may conclude that the risk is significant enough that the Guidelines must be implemented to mitigate it. This leads to frequent arguments over whether the business is required to implement the Guidelines, which is one more reason to keep advisory "should" language out of mandatory documents and mandatory "must" language out of Guidelines.

Practices - Detailed provisions developed by a business unit for how Policies and Standards are implemented within that unit (e.g. "The Technology Group will deploy firewalls with the following standardized port configuration:... Any exception to this configuration requires prior, written approval from a Vice President or higher.")

Procedures - Specific, step-by-step requirements for completing a process (e.g. "The Firewall Administrator will access the firewall configuration panel and ensure that only the following ports are designated as open:...")

©2009 ISRMC, LLC