Author: AxiomHQ – axiomhq.com
One of the fundamental obligations applicable to all regulated firms is the need to implement appropriate processes to manage risks.
A firm must have robust governance arrangements, which include a clear organisational structure with well defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks it is or might be exposed to, and internal control mechanisms, including sound administrative and accounting procedures and effective control and safeguard arrangements for information processing systems.
(Source: FCA Handbook, SYSC 4.1.1 R)
But how do we encourage our staff to take responsibility and raise issues appropriately?
Good risk management brings many benefits to firms. Whether you’re a regulated firm or not, there is a lot to be said for nurturing a corporate culture where staff throughout the company seek to improve standards.
Firms should raise awareness by defining what is meant by risk. This would encourage staff to identify and flag risks. This means that the culture within a business needs to encourage staff to speak up and take ownership of their daily processes. A robust governance structure engenders staff participation and provides clear direction for the company.
Step 1: Strategy
In essence, risk management starts with your business strategy. How are you going to achieve your business goals? It’s not solely about profit. Firms need to consider how they deliver client outcomes under the Treating Customers Fairly (TCF) initiative. The regulators expect firms to demonstrate that they meet the six client outcomes.
All firms must be able to show consistently that fair treatment of customers is at the heart of their business model.
(FCA: Treating Customers Fairly)
Start by looking at your business objectives and engaging the board in discussions around:
- Reviewing corporate objectives
- Aligning corporate goals with client outcomes
- Supporting the business objectives with clearly defined department and individual objectives
- Considering risks posed by third parties and contractors
There must be a clearly defined strategy that is cascaded down throughout the business. This helps to encourage a collaborative approach with everyone’s minds focused on the end objective.
Step 2: Create a Corporate Culture
Like most things, staff copy what they see. If their line manager shows signs of malaise or lack of belief in the company’s strategy, how will staff react?
Firms need to:
- Define company values and how you wish to demonstrate them
- Identify ways to ensure that conduct reflects those values (such as remuneration policies)
Senior managers should use language that supports the company values and demonstrate the behaviours sought.
Step 3: Clear & Consistent Communications
Staff must have a strong understanding of what they are trying to achieve in their respective roles. They need to understand what a risk is and have the appropriate mechanism in place to raise queries or flag when something does not seem right. This means clearly defined company policy supported by actions and clear communications.
- Explain to everyone what they need to do
- Staff objectives need to demonstrate corporate values and goals
- Be clear about expectations
Also crucial is ensuring that reward and remuneration support the ethos of meeting corporate goals. Hopefully, this will also result in firms meeting client expectations, for example by designing and delivering a product or service for a target audience.
Step 4: Controls
A control can be something straightforward. For example, “the company policy is that all personal trading must be approved before a trade takes place”. The policy sets the boundaries within which staff perform their duties. Likewise, there are specific procedures to be followed which enable approval. Firms should implement processes where staff raise a request and receive a response promptly, but which also create an audit trail.
Such a process provides consistency in approach and an agreed way of conducting business. These policies and procedures act as controls. Likewise, providing training to staff will raise awareness of an issue and encourage staff to query any concerns. Firms with easy-to-follow processes find that it aids the implementation and embedding of such controls.
Step 5: Ongoing Monitoring and Control
Once policies and procedures have been implemented, firms’ compliance and internal audit teams start to test the effectiveness of controls. These reviews will help provide reassurance to the board that its risks are managed. What assurance can be delivered to your board that your systems and controls are effective?
Monitoring teams will look for hard evidence to support not only that a task has been completed, but that it has been conducted in the proper manner, with the correct sign-off. In effect, they are looking at the quality of completion and evidence to confirm why something was done. They will also look at the audit trail to confirm who did what and when.
Step 6: Reporting
The company’s board has a duty to manage its risks appropriately. It determines its risk appetite and requires reassurance that risks are controlled.
It is then the responsibility of a senior manager, usually the chief risk officer, to implement those decisions at an operational level. The board seeks reassurance from the senior manager and speedy notification of any developing trends.
Risk management systems provide management with regular reports to give assurance that risks are being managed appropriately and that internal controls are adequate.
This cycle of assessing and improving risk management should be emphasised within firms. Nothing remains static for very long. Firms may introduce new technology or a new outsourcing arrangement. When making those decisions, firms must also assess the level of risk to be borne with that new arrangement. Engaging staff in those discussions helps to encourage staff to query the process and suggest changes in a controlled way.
How Axiom HQ can help you:
AxiomHQ is an industry-leading software platform designed to help regulated firms manage the burden of evidencing and monitoring compliance. It has a range of tools to help firms fulfil their obligations across the UK, Europe and APAC regions.
The Axiom Issue and Breach management module is a dedicated software solution for raising and managing compliance risk incidents. https://www.axiomhq.com/issues-and-breaches
Our solution enables firms to:
- create incidents as part of the Axiom attestation workflow or as standalone items within the system
- enter details such as discovery, reporting and resolution dates along with a full description of each item
- identify if a specific rule breach has occurred
- link breaches to your risks, controls and business processes
- generate management information enabling oversight of the full process
Get in touch with the Axiom HQ team to learn more on 020 3965 2166.