The question every action should pass first
Before a trade or portfolio change goes through, it should have to answer a simple question: is this action permitted, documented, and reviewable? That is the entire job of investment policy and compliance. It is not bureaucracy for its own sake — it is the guardrail that keeps a portfolio aligned with the mandate the client actually agreed to, and the evidence trail that lets anyone confirm, later, that it was.
The IPS: a living document, not a filing-cabinet relic
The Investment Policy Statement (IPS) is the foundation. It codifies the rules a portfolio must live by: target allocation and ranges, risk tolerance, liquidity needs, permitted and prohibited holdings, concentration limits, and any client-specific restrictions. Too often the IPS is written once, signed, and forgotten. Done properly it is a living document with a lifecycle — drafted, reviewed, made active, and updated as circumstances and regulations change. A portfolio managed against a stale IPS is being managed against rules that may no longer reflect the client's reality.
Policy checks: enforcement at the moment of action
A policy that is only consulted occasionally is not really enforced. The discipline is to check proposed actions against the policy at the moment of action — does this trade keep the portfolio inside its allocation bands, respect concentration limits, and avoid prohibited securities? A daily compliance queue surfaces the items that need attention, so policy enforcement is a continuous operating rhythm rather than a quarterly surprise.
Breaches: detection, severity, and triage
Even well-run portfolios breach policy — a market move pushes an allocation out of range, a holding drifts past a concentration limit, a restriction is newly added. What matters is catching breaches promptly, ranking them by severity, and triaging them. Not every breach is an emergency: some require immediate action, others are minor and self-correcting. A serious compliance process distinguishes the two, so attention flows to what actually matters instead of drowning in noise.
Overrides: permitted, but never silent
Sometimes a breach should be tolerated — a temporary, deliberate exception with a sound rationale. The right pattern is that overrides are possible but never silent: each one is reviewed, approved or rejected by an authorized person, and recorded with its justification. An override that happens without review is how a small, sensible exception quietly becomes an unmonitored risk. Approval and documentation are what keep flexibility from becoming a loophole.
Remediation: closing the loop
Detecting a breach is only half the job; resolving it is the other half. Remediation plans turn a flagged breach into a tracked task with an owner and a completion state, so issues are actually closed rather than logged and forgotten. This is the difference between a compliance system that produces alerts and one that produces outcomes.


