Compliance departments at many firms have realized that their business continuity plans (BCPs) failed to adequately address unique challenges presented by the global COVID-19 pandemic. Therefore, many firms have had to revise plans that were perhaps too "boilerplate" or failed to anticipate a need for essentially an entire company to work remotely for a long time.
Decisions to alter policies or standard operating procedures by senior managers, compliance, legal, and operations departments are not taken lightly, but in this fast-moving crisis they are being made daily. Although personnel may be stretched thin by the crisis demands, documenting the changes and the decision process is essential. Once the pandemic is in the rear-view mirror, continuity plans, how firms performed, and changes to policies and procedures are likely to be scrutinized by regulators.
There is a big difference between documentation that is thorough and accurate and documentation that is incomplete or inadequate. Simply put, inaccurate or insufficient documentation can have expensive or even dire consequences. Here are several tips, reminders, and suggestions for documenting exceptions or changes to policies for compliance departments.
Suggestions for compliance documentation
— When documenting changes, compliance personnel should ask themselves if an outsider, such as a regulator or internal auditor, will be able to fully comprehend all of the material and "paint an accurate picture" to recreate the situation.
— As described in the U.K. Senior Managers Certification Regime, which can serve as a guide elsewhere, there is a duty of responsibility to demonstrate that "reasonable steps" are taken. These include leaving a coherent audit trail and diligently recording information "just in case" something goes wrong.
— Documentation should demonstrate up-to-date knowledge and understanding of the relevant regulatory requirements associated with any change or exception to policies.
— Potential risks and issues that could arise from changes to policies should be included. Setting a course of action to follow up or review such risks should be included as well.
— Identify those involved in making decisions and changes. Include dates, the changes, reasons for change, and the most senior person who approved the change.
— Be sure the documentation format is standardized and scalable. Standardization will guard against omission of key elements such as background, purpose or intent, the scope of change, and relevant regulations.
— The content in the documentation must be accurate and comprehensive, yet concise. It should also be accessible to all relevant parties such as auditors, risk, compliance, and senior management.
— Use examples of why the policy is changing and what would happen if the policy or procedure were left unchanged.
— Be sure to include the policy title, departments involved, tracking numbers, and references to related documents or policies and procedures.
— Note whether new training will be required of individuals, and the extent of such training.
— Detail what the notification process will be. That includes dates and details of when and how the new policy or procedures will be rolled out, and which employees will be informed.
— After changing policies, be sure to include any compliance difficulties or failures.
— A thorough analysis of how customers are affected or could possibly be affected by a change in policies is critical.
— Documentation should detail the pros and cons of various courses of action and reasons for implementing a change or making an exception to policies.
— Specific references to all relevant prior policies and evidence of prior review of such policies must be included.
— Input from affected departments such as risk, legal, or IT should be included in the documentation.
— Compliance should confirm that affected employees are made aware of changes to policies, and relevant dates and distribution lists should be included in the documentation.
— Have a colleague or co-worker add, edit, or provide feedback before finalizing.
— Be sure to include what the consequences will be for non-compliance.
Thorough and accurate documentation is essential, as failures can have significant consequences. Failing to accurately demonstrate the rationale for changes to policy, particularly during times of crisis, will be seen as a red flag by regulators. Incomplete records can also jeopardize the possibility of cooperation credit in investigations.
Importantly for compliance professionals, thorough and accurate documentation is perhaps the most valuable safeguard against their own personal liability risk.
NOTE: Please visit the Thomson Reuters COVID-19 resource center for additional resources. For a regularly updated list of U.S. regulations related to the COVID-19/novel coronavirus update, see the Skopos Labs Coronavirus Policy Tracker.