Welcome to the new MQMR website

BLOG

Best Practices – Annual Policy Review

June 17, 2021 BY MQMR Blogger

Question:

 

How often should a company review its key policies and procedures? Who should be involved in that review process?

 

Answer:

 

A company must review and update its key policies and procedures as often as necessary to ensure they remain up-to-date and accurate. The Consumer Financial Protection Bureau indicates in its Examination Procedures that examiners should seek to determine, among other things, whether a supervised entity maintains and modifies its compliance policies and procedures so that they remain current and complete and serve as a reference for employees in their day-to-day activities. To comply with this, it is best practice for a company to review its key policies and procedures at least annually. Generally, the review should involve compliance employees and/or subject matter experts at the company. Further, a Company’s Board of Directors (if there is one) and/or Executive Management should review and approve written policies each year and any time there are material changes to such policies. Companies may memorialize this review and approval within the minutes of a meeting, through a corporate resolution, or within the policy itself, provided it is signed by a member of the Board and/or Executive Management.

 

Timely policy and procedure reviews can be overlooked for a variety of reasons. This can lead to issues on federal and state examinations, as well as with investors and agencies as it signals weakness in a company’s Compliance Management System. For this reason, it is recommended that companies maintain a policy and procedure inventory that documents all of the policies and procedures maintained by the company, the date of the last review, the next review date (provided no changes in applicable law or company operation requiring an earlier review/update), and the party responsible for the review. A company may also choose to fold annual policy and procedure reviews into the company’s internal audit program as it may make sense to review key policies and procedures as part of the risk assessment process.