A firm’s operational error log can provide a great deal of information about its compliance culture. Consider the following:
Is it always the same individuals recording all the issues?
Has the log remained untouched for several months?
Are the identified issues correctly classified?
Are issues investigated and closed in a timely manner?
Items mentioned above can indicate issues stemming from poor governance and lack of ownership. In a manual spreadsheet it may be difficult to capture an accurate audit trail of any amendments. How can firms make their breach management process more robust?
Whilst staff are made aware of team procedures, they may not fully appreciate the impact of their individual actions. For this reason, it’s important that staff have a basic understanding of risk management and how it impacts their specific role. This means getting staff to think about the types of risk that exist in their daily tasks as well as the regulatory impact of a rule breach.
The operational error log should be owned and updated by the business. Operational controls are the first line of defence within firms. It’s important that teams are able to identify issues quickly and try to resolve those issues before they crystallise and have a greater impact.
Ownership of the error log means that where staff identify a potential issue, it’s their responsibility to enter it into the log and escalate it appropriately. By recording it, it gains attention from relevant people in the business and can be discussed further. Manual processes mean this requires someone to send a prompt email to relevant managers and teams to make a notification. Follow up includes arranging a call or meeting to discuss the issue.
Engage Control Functions:
Early engagement with risk and compliance teams means an issue can be discussed and any regulatory impacts identified quickly. Where a control has failed or is likely to fail, preventative measures can be discussed, agreed and implemented. This will help to document an agreed plan of action. Control functions can build a review into their monitoring programmes to confirm closure.
Where an issue has occurred, it’s important that as much information as possible is gathered. For example, noting the day an incident was identified, may not be the same as the date on which the incident actually occurred. The delay could be hours or days. In addition, understanding the scale of impact can take time.
When analysing incidents it’s important to identify the scale of the issue, including volume of transactions, or clients and other parties that are impacted.
Where an incident does occur, it’s important that it is escalated promptly. Early engagement with compliance will help to identify whether or not something is a breach of regulation. Where required, appropriate notifications to senior management, the board and the regulators can be made. This requires assessment of the incident and identification of any corresponding rules. At this stage it’s important that the firm makes a timely notification. The notification should include details of action taken to resolve the issue as well as how the firm aims to prevent the breach from recurring. In turn, an identified breach would be added to the Breaches log and updated following any contact with the regulators.
Embedding breach management processes is reliant upon encouraging and nurturing a collaborative effort. Raising a concern should be viewed as an opportunity to improve processes rather than pointing a finger of blame.
How Ruleguard can help
Ruleguard is an end to end platform that enables firms to log and manage regulatory risks. The Ruleguard Issue and Breach management module is a dedicated software solution for raising and managing compliance risk incidents. Detailed MI and reporting features allow full oversight of the process. To find out more contact us for further information on: Tel: 020 3965 2166 or email@example.com
Ruleguard hosts regular webinars on various subjects. To be added to our mailing list click here.
Visit our website to find out more about how Ruleguard can help:
Contact the author
Head of Client Regulation| Ruleguard