“Policies and procedures” are one of the most important kinds of enterprise risk management (ERM) controls, yet many companies seeking to implement ERM programs act as if the two concepts are separate and unrelated. Too often, it seems as if a company's compliance department, responsible for daily policies and procedures, and its staff documenting company-wide ERM controls, are on two different teams engaged in a tug-of-war, competing for attention and resources.

As noted in my last blog, ERM Rodeo – Roping Risk with Effective Controls, one of the ultimate goals of an ERM program is to establish a suite of techniques to reduce or mitigate potential losses. As part of their ERM efforts, companies typically create a list or library of internal controls, matched to identified risks, in a spreadsheet or IT system. “Controls” consist of all the measures taken by a company to manage risk, in light of the entity's business objectives. They can include such things as management approval hierarchies, IT security efforts, business continuity or backup plans, and outsourcing strategies.

“Policies and procedures” are a key subset of controls. They help manage potential losses from financial, underwriting, regulatory, or claims activities. Historically, companies have catalogued compliance standards and behavioral guidelines into policy manuals or handbooks. For each policy setting forth general and goals guidelines for behavior, there is usually a corresponding written procedure that documents the actual day-to-day, nitty-gritty steps of how to comply with such policies.