FCA and PRA enforcement action covers a range of misconduct with recent outcomes including both retail and wholesale cases and findings in respect of matters as various as customer treatment, market abuse and risk management.
The details of the breaches and the activity which gave rise to the issues may vary, but a consistent theme running through many of these cases is governance, which is often both at the root of what went wrong and the key to putting things right.
The FCA’s message to firms and senior management is that reviewing its publications, including Final Notices, is key to identifying and meeting regulatory expectations. Yet learning lessons from enforcement cases is not straightforward, because the governance aspects are sometimes to be found in the detail of the findings, beyond the headline misconduct.
Based on our analysis and tracking of recent FCA and PRA enforcement cases, we set out below some self-assessment questions in ten key areas that firms may wish to consider with a view to managing the risks of poor governance giving rise to regulatory failings.
1. Roles and responsibilities
Have you recently reviewed your responsibility maps and statements of responsibility in light of any changes, such as new products or business lines or new risk frameworks? If you were asked to provide these documents to the FCA, would they demonstrate clear and consistent allocation of responsibilities?
Where regulatory attestations or other formal confirmations or processes have been mandated, has responsibility been allocated appropriately so that ownership is clear and is a robust governance process in place to support any individual providing them? For example, is there a clear written description of steps to be taken and documented as part of the assurance process?
2. Management information
When was the last time you carried out an audit of management information to consider whether it facilitates effective oversight through, for example:
- being pitched at the right ‘goldilocks’ level with sufficient information about the right things without overwhelming the recipients with too much detail on immaterial matters;
- being designed with a regulatory lens and containing appropriate qualitative information in addition to quantitative data. For example, for retail firms, does it contain information focused on customer outcomes including treatment of vulnerable customers and/or highlighting trends which may require further action (in addition to any financial performance updates);
- being distributed to stakeholders so that they have enough time to review the information prior to relevant governance meetings;
- presenting information consistently to all relevant internal stakeholders and committees (as opposed to different information being received by different constituents); and
- being updated to take account of new strategies rolled out and to enable performance monitoring.
3. Minutes
Do your meeting minutes adequately evidence:
- discussion of relevant matters including the management information;
- challenge within the senior management group (as opposed to more passive acceptance of assurances);
- decision-making with regards to escalated matters including the rationale for decisions and any actions needed (with action owners and tracking to facilitate follow up); and
- the revisiting of any matters being kept under review to avoid these falling off the radar.
4. Resourcing
Is resourcing being managed appropriately? To what extent is there a clear plan to address any under-resourcing which has been escalated, or any temporary stretch created, for example, by unusual activity diverting attention from BAU or by significant periods of annual leave? If a determination has been made that resourcing is adequate, what is the basis for this and has it been recorded?
Are there any capability gaps at the governance level or in key functions arising for example from recent departures or new developments impacting the business and, if so, is there a plan to bridge these?
If any vacancies have remained unfilled for a significant period, what steps are being taken to address associated risks, such as tasks being carried out by those without the requisite skills and experience, or not at all?
Is sufficient time being allowed for new joiners, including members of the management team, to embed and gain adequate understanding of the activities, risks and resources in their accountability areas?
How do you address loss of institutional knowledge due to key stakeholders leaving over time (through for example documented handovers and effective central record-keeping)?
5. Policies and procedures
Are policies and processes:
- adequately documented;
- reviewed regularly to check for consistency and that they reflect adequate understanding of regulatory requirements including any publications such as Final Notices to ensure they continue to reflect good practice;
- updated in the event of any internal or external developments including any operational matters (such as use of personal devices) or changing regulatory requirements (such as sanctions updates);
- disseminated amongst and accessible to relevant stakeholders;
- implemented consistently (for example where driven by global standards have they been fully embedded and are they operating effectively in each relevant jurisdiction and within each entity at local level);
- sufficiently detailed, including practical guidance on the steps to take in particular scenarios; and
- keeping pace with growth of the business and in keeping with current industry standards for similar organisations?
Are key risks being mitigated such as where:
- manual processes are reliant on knowledge or communication between key individuals or functions;
- automated processes delivering increased speed could be susceptible to reduced opportunity to check and correct;
- differences in policies and procedures applicable to different businesses increase complexity and operational risk?
6. Monitoring and testing
Have any new systems been adequately tested, both before and sufficiently promptly after implementation, in accordance with a formal methodology, to ensure they are functioning as expected and as required, so that any recalibration can take place expeditiously?
Is testing carried out consistently across all relevant systems to identify any process gaps for particular activities?
Have any system changes or thresholds been reviewed to ensure they are still appropriate (for example where any pandemic-related adjustments were made and are still in place)?
Are any alerts that are generated subjected to consistent review and follow up action where appropriate?
Has testing and calibration carried out been recorded appropriately?
Does the compliance monitoring programme and internal audit process adequately check adherence to relevant policies and procedures and effectiveness of training?
Does monitoring take a sufficiently holistic view (for example through regular end-to-end outcome testing of customer journeys)?
Have opportunities to investigate, through for example third parties raising red flags or potential issues being identified internally, been grasped and actioned without undue delay? Is there an effective escalation process and an internal investigation policy for dealing with such matters?
Where internal reviews have been carried out, have they been scoped appropriately, are they sufficiently outcomes-focused, and have they given effective consideration to whether there are any root causes indicative of wider problems?
7. Projects
Do internal projects have an appropriate governance framework? This may include allocating adequate resource with sufficiently diverse skill sets; utilisation of project management expertise; clearly defined terms of reference covering matters such as the objective of the project, senior management ownership, decision-making arrangements and escalation criteria; and minutes of meetings with clear action trackers.
8. Legal advice
Has legal advice been sought appropriately particularly with regards to any material interpretations of regulatory requirements?
Has all relevant information been provided to legal advisers and have the right questions been asked?
Have you acted in accordance with legal advice or is there a clear rationale for any departure from the advice?
Have appropriate records been kept and maintained (see below)?
9. Training
What steps are being taken to mitigate the potentially increasing risks of individual failures being attributed to the firm and giving rise to a regulatory breach or a criminal offence?
How would you evidence that the training provided equips your staff with the necessary skills?
Is there sufficient focus on training in any strategic plans with a view to this being completed prior to any roll outs?
Is there a documented plan to address any additional training needs that have been identified, with a clear timeframe and owner, and with escalation where appropriate to governance forums or to 2LOD?
10. Record keeping
To what extent does your record-keeping assist in evidencing compliance with regulatory requirements? If, for example, you were in receipt of an FCA information request or skilled person review, how quickly and confidently would you be able to provide the information and documents requested (with particular focus on areas most likely to be in the regulatory spotlight)?
Do you have clear records of legal advice sought and obtained and have appropriate steps been taken to maintain any legal privilege?
We continuously track and monitor regulatory enforcement action and advise firms, their boards and senior managers on all aspects of governance with a view to meeting the expectations of regulators such as the FCA and PRA, so please get in touch if a conversation would be helpful or if you have any particular queries.