Why are the boring board policies so critical?

Whenever people start talking about the financial crime prevention policy, the financial crime risk assessment, or the alert handling procedures, most tend to start a light sleep-induced head-banging quickly.

A strong policy framework is the most underestimated work a board or leadership team can do. A robust framework would at least consist of:

✅ Financial crime risk assessment.
✅ Financial crime prevention policy.
✅ Financial crime prevention roles and responsibilities.
✅ Various underlying policies or procedures based on the framework.

Admittedly, creating the policies doesn't change anything regarding mitigating risks. It’s seen more than once that a firm has super well-formulated policies, but nothing is happening underneath. So rather have less strong policies, but actually perform the tasks and actions you have described in your framework.

Then why does the framework even have to be in place?

First of all, it's a regulatory requirement for regulated firms. Second, it’s a great way for the compliance officer to involve the leadership and board in taking ownership of the risks and vice versa. This way, leadership, and the board can set the bar and ambition level towards the broader team regarding how much risk you want to accept and how to mitigate unwanted risks.

Therefore, creating the framework is just the first step on a longer journey, but it’s an important step, as it centers the following dialogue around something very concrete. As a board member, you can hone in on the implementation framework and the performance of the risk mitigation. This could be done by gradually starting to ask the following questions to your compliance team:

❓ Is there an implementation plan for identified gaps in our control environment?
❓ What does the compliance plan for the coming year look like, and which part of the policy are you mostly focused on?
❓ Does the organization have enough resources to comply with the policy?
❓ How do you plan to report control performance towards leadership and board?
❓ Is there a clear line between regulatory requirements to the requirements in our policies to the controls created to the testing of those controls? (the killer question).

You will quickly find that it’s an iterative process, and you will most likely find it necessary to adjust policies and improve the control environment.

But without the policies, there is nothing to measure against and no guidance from the top. So spend those hours on the boring stuff; the rest will be much easier.

‍