PR1.1 DEVELOP CONTROLS, POLICIES & PROCEDURES
Develop a mix of preventive, detective and corrective controls, policies and procedures to address risks and other program objectives, indicating specific accountability and criteria for successful operation of the controls.


Management should develop policies and procedures to address risks and opportunities. Policies articulate what is expected by the organization and procedures define how to follow or adhere to the policy. When designing a policy/procedure, the drafters should consider the following elements to ensure that the policy/procedure is developed in a manner that increases participation, buy-in and compliance:
  • the objective of the policy/procedure
  • the target audience
  • the target audience's level of knowledge/skill
  • the affected elements of the business model
  • the stakeholders who should/must be involved in developing the policy/procedure
  • consistency of design with, and relationship to, other policies/procedures
  • the need for legal review and sign-off of the policy/procedure to ensure compliance with law/regulation and avoid legal risks

Management should develop policies/procedures using a consistent methodology to ensure that they are accurate, clear, and understandable. When policies/procedures are developed in an ad hoc manner, there are often gaps in coverage, conflicts between policies, and inconsistencies in approach.
Standards & Guidance
    PR1.1.S01
  • Establish standards and procedures to prevent and detect criminal or unacceptable conduct
    PR1.1.S02
  • Establish procedures to ensure the program is followed, including procedures to detect criminal conduct
Core Practices
    PR1.1.101
  • Define the objective of each policy/procedure
    PR1.1.102
  • Define the target audience for each policy/procedure
    PR1.1.103
  • Identify the legal factors that each policy/procedure is designed to address
    PR1.1.104
  • Understand business model elements that are affected by each policy/procedure
    PR1.1.105
  • Define the consequences for non-compliance with each policy/procedure
    PR1.1.106
  • Obtain sign-off for each policy/procedure from appropriate executives, given the target audience and business model elements that are affected
    PR1.1.107
  • Define when to review, revisit, modify or expire each policy/procedure
    PR1.1.108
  • Define how each policy/procedure will be monitored
    PR1.1.109
  • Define resources needed for each policy/procedure
Additional Practices
    PR1.1.201
  • Define a methodology for developing control/policies/procedures, including identification of when there is a need for sign-off from other departments
    PR1.1.202
  • Pilot test a control/policy/procedure before it is widely implemented to ensure it is understandable, applicable and usable
    PR1.1.203
  • Address any need for translating and/or localizing controls/policies/procedures
    PR1.1.204
  • Identify stakeholders who should participate in control/policy/procedure development
    PR1.1.205
  • Map interrelated or dependent controls/policies/procedures to ensure that management understands how changing one policy/procedure may impact another control/policy/procedure
    PR1.1.206
  • Track change and revision history for each control/policy/procedure
    PR1.1.207
  • Design templates for various types of controls/policies/procedures