Setting and Enforcing Debt Management Controls

This article is part of the Debt Policy Series for All About Debt Management.

Setting and Enforcing Debt Management Controls
By Andrey Popov

This article is part of the Debt Policy Series. The first part of the series can be found here.

If you’ve ever worked in a software company, especially one that gets anywhere close to the FinTech space, you’ll have at least heard the tales of someone who has been through a SOC II audit. For those that aren’t familiar, SOC II is basically a set of standards that, once passed, indicate to the outside world that you meet some minimum security requirements for storing and transmitting your customer’s data. If you feel like boring yourself to tears, you can read more about SOC II here.

Once of the defining characteristics of becoming SOC II compliant are setting a series of Policies and Controls. The policy is the requirement, the control is how you enforce the requirement. They’re effective tools for risk management, and a principle we can use in order to build our own Debt Management Policies.

We’ve spent the last several posts in this series talking about Policies, including portfolio-level debt standards and loan requirements checklists. In this post, we’ll take a brief look at how to set Controls so you don’t put in a bunch of work for nothing.

Setting Controls

In order to set effective controls, they need to be specific and contain the actions someone needs to take if an exception to the policy needs to be made. Controls don’t need to be long and detailed, they just need to give your colleagues enough information to know where to go next.

Policy Controls

We’ll define the different characteristics this control needs to be effective. The primary outcomes we want to achieve from these controls are accountability and transparency. In other words, if something goes wrong 2 years from now, can you look back and see who made what decision and why?

1. State the Requirement and Point to the Policy

First things first, simply restate the fact there’s a requirement that’s expected to be followed. For example, call out that there is a Capitalization Rate requirement and a Portfolio DSC requirement. Let the reader know exactly where they can find the policy, which will contain the latest information on how the standard is to be followed.

2. Outline How Compliance is Met, Along With Any Deliverables

Using Capitalization Rate as an example, outline how testing is to be performed to ensure that the proposed financing meets the portfolio requirements. Ideally, you should require some sort of compliance deliverable to evidence that the requirement was met. Something as simple as an updated spreadsheet showing those point-in-time values would suffice. If these first two steps are met, the controls are satisfied and you can move on. If these can’t be met, move on to the 3rd section.

3. Provide Paths for Exceptions

Someone is going to ask for an exception to the rule. If we just bend the rules for this deal, we can make a lot of money — you know it’s coming. Sometimes, there is valid cause for making exceptions to that rule, which all comes back to your business plans and risk tolerance. If an exception needs to be made, you need to have spelled out in the control:

  • How a request for an exception can be initiated
  • Who is authorized to approve the exception, and how that authorization is recorded
  • The types of deliverables required to evidence the reasoning for the exception (i.e. a document outlining the rationale behind the request, as well as any evidence or analysis to support the rationale).
  • Where all of the evidence, deliverables, and approval documentation needs to be stored, and for how long.

Summary

The point of all of this isn’t to be a pain, it’s to provide the accountability and transparency we described above. If we make an exception and it turns out to be a bad decision, we want to point back to why that decision was made, whether there was any way to have foreseen the problem, and how to prevent the same mistake in the future.

This is Part 5 of the Debt Management Policy series.

Next: Challenges You Will Face Implementing Debt Management Policies


The Debt Management Policy is a short series of articles that provide the resources and materials for building and establishing Debt Management Policies for your own CRE firm.

  1. Why Your Middle-Market Real Estate Firm Needs a Debt Management Policy
  2. A Better Approach To Debt Management
  3. Creating Portfolio Debt Standards
  4. Debt Standard Checklists for Individual Loans
  5. Setting and Enforcing Debt Management Policies
  6. Challenges You Will Face Implementing Debt Management Policies

If you liked this article, consider following me and subscribing to email updates whenever I post an article. You can also follow me on Twitter or connect with me on LinkedIn.