Senior Management is under more pressure than ever to demonstrate compliance and risk-sensitive decision making – but the process by which they do it is straining under the sheer number and weight of obligations to manage.
36% of fines handed out by the FCA over the last 3 years – over a third – have been for failings related to management and control (PRIN 3)*. With an average penalty of £24 million, firms cannot afford to be lax in this area. Transparency of their firm’s systems and controls continues to be vital for leaders at Board level and within Senior Management Functions to ensure that their business is compliant and within risk tolerances.
Increasingly, during the ongoing pandemic, regulators expect comprehensive, responsible, and tangible governance and control to be operated by regulated firms. Creating transparency of firms’ regulatory activity across the business is paramount: not just for leaders at Board and Senior Management Functions (SMFs) level, but also in the supporting infrastructure within Compliance, Operations, Technology, Finance, Legal, and HR.
In their recent Joint Statement for Firms, the UK regulators outlined that firms must:
“Develop and implement mitigating actions and processes to ensure that they continue to operate an effective control environment: in particular, addressing any key reporting and other controls on which they have placed reliance historically, but which may not prove effective in the current environment. .. Consider how they will secure reliable and relevant information, on a continuing basis, in order to manage their future operations.”**
Joint statement by the Financial Conduct Authority (FCA), Financial Reporting Council (FRC) and Prudential Regulation Authority (PRA), 26th March 2020
‘Securing reliable and relevant information’ is harder than it sounds. The information required for this is frequently cobbled together in PowerPoint, Excel or other tools from a wide variety of disparate sources. This is inefficient and time-intensive, and is subject to inconsistencies. Information may be out of date by the time it is produced, and often does not meet the level of detail required by the various audiences.
More than that, Senior Managers lack a consolidated view of their regulatory risk across their business. This is difficult to achieve given the number of areas they need to monitor, ongoing regulatory change, and the pace of digital transformation. Managers are often spending more time piecing together a picture of their overall regulatory ‘health’ and fighting fires than they are developing the business.
Compliance issues become like Whack-A-Mole: as soon as one gets whacked, another one pops up, and then another. Senior Management are effectively blindfolded, holding the ‘mole hammer’, and have to ask a business analyst or a compliance officer “are there any moles today?” and “what do I hit?”.
These regulatory moles are not common-or-garden business problem moles. There may be hundreds of moles to whack at any given time. As a result, managers need the ability to triage the reports of mole sightings to decide which is most pressing. Which is most likely to ruin his or her lawn? Is it the Sanctions Breach mole, the Data Protection mole or the Transaction Reporting mole?
Not only are there many of them – you need to keep records of which ones you’ve whacked and why. At some point you’ll need to evidence why you didn’t whack the Sanctions Breach mole immediately and provide the context for that decision. If you fail to whack enough of them, or the right ones, your business could be fined, or worse, you personally could end up in court.
This is a much more pressing issue due to the level of personal accountability, and broadened personal liability, introduced by the Senior Managers and Certification Regime (SM&CR). The SM&CR, which came into force on 9th December 2019, overhauled the Approved Persons Regime for individuals working in UK financial services firms, placing more stringent requirements on senior managers to take responsibility for their firms’ activities through a ‘Duty of Responsibility’ to take ‘reasonable steps’ to prevent or stop regulatory breaches.
As the FCA Handbook states in their “Specific guidance on individual conduct rules” (COCON 4.2) addressed to Senior Managers: “SC2: You must take reasonable steps to ensure that the business of the firm for which you are responsible complies with the relevant requirements and standards of the regulatory system.”***
We believe that one of these ‘Reasonable Steps’ is having appropriate reporting to achieve a clear view of the ‘Regulatory Health’ of their business and their risk points. Firms and Senior Managers need the ability to:
- Capture key regulatory risk metrics
- Link them to the appropriate compliance monitoring data
- Put those risk metrics into context across the business
- Generate a consolidated view of the business’ regulatory health and risk points
- Make it accessible & easily understandable to the relevant managers
- Make it ‘persistent’ over time and allow ‘point in time’ views of risk levels
For Senior Managers to have a picture of their overall risk, what is really needed is a solution that can a) take existing and live compliance data, b) isolate the risk metrics that really ‘matter’, and c) present them in context across regulations and business areas.
Senior Management should know where the regulatory moles are – without having to ask. Rather than having to review reams of documentation, such a solution could give managers a more holistic and focused view of regulatory risk across their business, as well as save the time and resources spent creating, managing, and reviewing PowerPoints. Knowing what to look for is half the battle, after all.
Don’t let the moles ruin your lawn.
Join Leading Point’s webinar on this topic
On July 14th, experts from banks, hedge funds and market infrastructure providers will discuss how financial institutions can create transparency and insights from their regulatory risk data, and Leading Point will introduce their new industry-leading regulatory risk data system SMART_Dash.
Panellists will discuss:
– The challenges of internal regulatory oversight that all financial services firms are facing
– How businesses can create a consolidated view of their regulatory risk
– The ways that regulatory monitoring data can be more accessible
– An introduction to SMART_Dash: a revolutionary tool providing regulatory risk reassurance
1. Leading Point analysis of FCA fines related to PRIN 3 Management and control: “A firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.” FCA Principles for Business https://www.handbook.fca.org.uk/handbook/PRIN/2/?view=chapter
3. “Specific guidance on individual conduct rules” (COCON 4.2) addressed to Senior Managers: https://www.handbook.fca.org.uk/handbook/COCON/4/2.html