But how do we encourage our staff to take responsibility and raise issues appropriately?
Most people are familiar with the basic risk management process.
But before you can begin to identify risk, you need to engage everyone within the firm. Firms should raise awareness by defining what is meant by risk. This would encourage staff to identify and flag risks. This means that the culture within a business needs to encourage staff to speak up and take ownership of their daily processes. A robust governance structure engenders staff participation and provides clear direction for the company.
Step 1: Strategy
In essence, risk management starts with your business strategy. How are you going to achieve your business goals? It’s not solely about profit. Firms need to consider how they deliver client outcomes under the Treating Customers Fairly (TCF) initiative. The regulators expect firms to demonstrate that they meet the six client outcomes.
- Reviewing corporate objectives
- Aligning corporate goals with client outcomes
- Supporting the business objectives with clearly defined department and individual objectives
- Discussing risks posed by third parties and contractors
There must be a clearly defined strategy that is cascaded down throughout the business. This helps to encourage a collaborative approach with everyone’s minds focused on the end objective.
Step 2: Corporate Culture
Like most things, staff copy what they see. If their line manager shows signs of malaise or lack of belief in the company’s strategy, how will staff react?
Firms need to:
- Define company values and how you wish to demonstrate them
- Identify ways to ensure that conduct reflects those values (such as remuneration policies)
Senior managers should use language that supports the company values and demonstrate behaviours sought.
Step 3: Clear & Consistent Communications
Staff must have a strong understanding of what they are trying to achieve in their respective roles. They need to understand what a risk is and have the appropriate mechanism in place to raise queries or flag when something does not seem right. This means clearly defined company policy supported by actions and clear communications.
- Explain to everyone what they need to do
- Demonstrate the link between corporate goals & values with staff objectives
- Be clear about expectations
Also crucial is ensuring reward and remuneration supports the ethos of meeting corporate goals. Hopefully, this will result in ensuring that firms also meet client expectations. For example, designing and delivering a product or service for a target audience.
Step 4: Controls
A control can be something straightforward. For example, “the company policy is that all personal trading must be approved before a trade taking place”. The policy sets the boundaries within which staff perform their duties. Likewise, there are specific procedures to be followed which enable approval. Firms should implement processes where staff raise a request and receive a response promptly, but also create an audit trail.
Such a process provides consistency in approach and an agreed way of conducting business. These policies and procedures act as controls. Likewise providing training to staff will raise awareness of an issue and encourage staff to query any concerns. Firms with easy to follow processes find that it aids the implementation and embedding of such controls.
Step 5: Ongoing Monitoring
Once policies and procedures have been implemented, firms’ compliance and internal audit teams start to test the effectiveness of controls. These reviews will help provide reassurance to the board that its risks are managed. What assurance can be delivered to your board that your systems and controls are effective?
Monitoring teams will look for hard evidence to support not only that a task has been completed, but that it has been conducted in the proper manner, with the correct sign-off. In effect, they are looking at the quality of completion and evidence to confirm why something was done. They will also look at the audit trail to confirm who did what and when.
Step 6: Reporting
The company’s board has a duty to manage its risks appropriately. It determines its risk appetite and requires reassurance that risks are controlled.
It is then the responsibility of a senior manager, usually the chief risk officer, to implement those decisions at an operational level. The board seeks reassurance from the senior manager and speedy notification of any developing trends.
How Ruleguard can help you:
Ruleguard is an industry-leading software platform designed to help regulated firms manage the burden of evidencing and monitoring compliance. It has a range of tools to help firms fulfil their obligations across the UK, Europe and APAC regions.
The Ruleguard Issue and Breach management module is a dedicated software solution for raising and managing compliance risk incidents.
- create incidents as part of the Ruleguard attestation workflow or as standalone items within the system
- enter details such as discovery, reporting and resolution dates along with a full description of each item
- identify if a specific rule breach has occurred
- link breaches to your risks, controls and business processes
- generate management information enabling oversight of the full process
Get in touch with the Ruleguard team to learn more on 020 3965 2166 or hello@ruleguard.com
Don’t miss our latest webinar:
Ruleguard hosts monthly webinars on a variety of regulatory topics.
To register your interest in past events or upcoming webinars, please click here.
White Papers: Request a complimentary copy of our White Paper on Operational Resilience click here.
See our blog page for further articles or contact us via: hello@ruleguard.com
Contact the author
Head of Client Regulation| Ruleguard
