ioversee | CONTROLS

Comsure can assist with systems and controls management. Summarised below is Comsure's approach to helping firms manage and oversee their systems and controls documentation. Systems and controls documentation forms an integral part of managing OPERATIONAL RISK [OR] and serves as a fundamental prerequisite to controls' effective operation.

Firstly firms must apply the principle of proportionality and adopt a risk-based approach when choosing to implement a particular way of managing documentation, e.g:

1. The complexity of the documentation hierarchy and ownership structure  
2. Whether to apply documentation management principles, for example, regular reviews requirement, to all documentation across the firm.
3. To the documentation identified as business-critical only.

Secondly, firms must demonstrate that they have all their essential processes documented to the appropriate levels of detail and that their documentation is well-managed through the application of the principles of:

1. Well-defined ownership
2. Documentation hierarchy and lifecycle
3. As well as establishing relevant controls over documentation management.

Lastly, firms must also meet the requirement of what may be called a 'use test' for documentation, ensuring that documentation works for the firm by:

1. Being of good quality.
2. Regularly communicated.
3. Well-understood.
4. Used by the relevant staff.
5. Evolving with the firm's business and continuing to reflect the environment the firm operates in.

The following diagram shows Comsure's suggested approach to document hierarchy

Further to the above diagram, the following provides Comsure's approach to document hierarchy

i|oversee| controls and types

Level 1 – Policy - Principles

Typically policies, strategy documents and/or any other documentation covering.

1. High-level principles governing activities and/or
2. Outlining courses of action thought to be prudent or tactically advantageous.

Level 2 – Standards, Frameworks and Methodologies

Control standards. (A set of requirements for an activity/activities to deliver policy conformance)

1. Frameworks. (Overarching documents linking relevant activities to ensure their consistent execution)
2. Methodologies. (A firm should illustrate it approaches (actions) to deliver required outcomes). 

Level 3 – Standard Operating Procedures/Processes [SOPs]

The lowest level of the documentation hierarchy could include detailed specifications for the execution of activities, conforming to control standards, and following the firms Level 2 – Standards, frameworks and methodologies.

i|oversee | controls and the hierarchy of control

1. Concerning systems and controls, all firms approach them differently, Comsure is of the view (primarily supported by reading many regulatory papers). A firm will have a structure, a hierarchy, for their policy and procedures (control documentation).
2. Further, the ownership control documentation is established through a firms management chain (all levels of the hierarchy).

Owners generally delegate the creation, review and maintenance to lower levels. As an example:

1. The Board of directors could approve policies developed by senior management.
2. Senior management could be made responsible for implementing and maintaining policies throughout the organisation.
3. The Board would be viewed as policy owners that delegate implementation and maintenance to senior management.