Author: AxiomHQ – axiomhq.com
All regulated firms are obliged to conduct compliance monitoring. The compliance function is required to monitor and test compliance by performing sufficient and representative compliance testing.
It’s a continuous process with the findings feeding into the compliance monitoring programme (CMP). The CMP itself is reviewed at least annually and allows sufficient flexibility to adapt to changes in a firm’s risk profile and focus monitoring where it is required.
Once the CMP has been approved, then testing can begin. Various issues arise that can throw the entire programme off schedule from the start.
Planning for success:
By failing to prepare, you are preparing to fail. Benjamin Franklin
As with any project, preparation is required to ensure the best use of resources and to enable the monitoring programme to be completed on time.
The process should include a review and update of the relevant templates against the rules. To facilitate this your monitoring team needs to understand what they are testing.
Ensuring the compliance team’s regulatory knowledge is kept up-to-date is crucial in focusing attention in the right areas.
Awareness of any rule changes and how these have been adopted by the business is important preparation.
Reviewing and updating any test templates helps the monitoring team to scope the testing. This helps to form clearly defined Terms of Reference.
In practice this means identifying the right people to speak to within the business. It also means:
- setting out the scope of the current testing
- information required to complete testing
- specific steps required to complete the testing
- whose help is needed to test
- what will happen next
- identify your distribution list
Including relevant senior management in your distribution list helps staff understand the oversight and importance of the activity.
Clearly defined scope also helps the monitoring team to stay focused.
Isn’t it frustrating when you’re all set to start, but no one else seems ready to help you?
Clear communication and good relationships are essential to implementing your compliance monitoring programme (CMP). Sharing the programme’s schedule with internal audit can help to coordinate efforts.
Early engagement is vital. Schedule a meeting to discuss testing in advance. Let the business know what you’re doing, why it’s important, how they can help and the benefits to them and their teams. Not forgetting to check availability of the right people to help you during testing.
Where a firm engages third party service providers, testing needs to be scheduled ahead of time. An onsite visit or access to the third party staff may be available for a specific period of time. Here both communication and coordination of efforts helps to facilitate the testing. There may be several firms wishing to monitor the third party’s processes. How could you improve this for all parties? Could you leverage other audit information?
Where testing needs to be completed via trading platforms etc. access to the systems can cause delays and training may be required to enable testing to proceed. All of the above can impact your testing schedule and cause delays to the monitoring programme.
Having shared your Terms of Reference and set the scene for the monitoring, you’ll need the business to provide information. If you’re lucky, you can collate information electronically, but not all monitoring teams have that luxury.
Staff aren’t sure who owns the master copy of their team procedures or version control hasn’t been maintained. Perhaps documents are still in draft and not finalised… for months or years. The person who knows is away for a couple of weeks. Worse still, the information you need is not stored anywhere other than in personal emails.
Collating information from multiple sources can cause time delays especially where information is provided by third parties. Ensure you have a point of contact at each firm facilitate data collation and scheduling diaries. This will also assist in escalating any unforeseen issues.
Whilst monitoring may be performed manually or automated, the monitoring team needs to set time aside to analyse and assess the information they have gathered.
During this step in the process, inconsistencies and gaps may be identified. Data from multiple third parties may be provided in different formats or contain varying levels of detail. Such inconsistencies can delay analysis or cause misunderstanding.
The monitoring team should seek clarity at this stage to ensure testing is effective and enable vulnerabilities to be identified.
Monitoring teams also require an understanding of risk assessment. Often teams are so focused on identifying deficiencies that they lose sight of the risk assessment and risk posed to the business.
It’s always a good idea to sense check identified risks against the regulatory risk profile. Avoiding unnecessary alarm ringing helps to facilitate discussions and build trust and better collaboration with the business.
Reporting should be appropriate to the firm’s regulatory risk profile and activities.
Reports should include sufficient information to enable senior management’s understanding of identified risks and assess those risks in line with the firm’s risk appetite.
The reports should refer to the compliance risk assessment that has taken place during the reporting period, including:
- any changes in the compliance risk profile based on relevant measurements, such as performance indicators,
- summary of any identified breaches and/or deficiencies,
- the corrective action recommended to address deficiencies and identified owners
- report on corrective measures already taken.
Once the report is issued, the monitoring is not over. Any findings should be recorded in the relevant register or log.
Any actions should be followed up to ensure closure and where appropriate the regulatory risk profile should be updated. This then feeds into the monitoring programme and the cycle continues.
How Axiom HQ can help you:
Axiom HQ hosts webinars on various regulatory matters. To be added to our mailing list click here.
See our blog page for further articles or contact us via: [email protected]
Visit our website to find out more about how Axiom HQ can help: