Individual Accountability Regime – What is the Risk?

By the date this article is published, I will have spent over 300 working days focusing on the new Individual Accountability Regime!

I confess, it feels like it’s been coming for so long now that nothing about it feels ‘new’ any more.

In fact, it has been a topic of discussion across the industry for such an extended period that many of the fundamental principles and objectives seem lost in the past.

Don’t worry, I’m not intending to regurgitate all of the old reasons for change or the rationale for doing things differently – I am quite certain we are all sufficiently familiar with them.

However, I do think that it is worth revisiting the new regime from the perspective of ‘Risk Management’. Without a doubt, the new regime adds a number of new, material risks to our businesses and an amount of vigour to some of the existing ones.

Although ‘risk management’ is a regular agenda item for many of us, we are sometimes so busy with day-to-day operational management, or coping with projects and change, that the ‘risk’ perspective doesn’t receive the quality of attention it needs.

Many firms have dedicated risk management teams who concentrate on these things, particularly if you include ‘Conduct Risk’ within the umbrella. But we should take a moment to think about the new risks… in the real world.

What do I mean by this? I will explain…

Risk Management professionals often consider ‘risks’ as ‘things’. A risk, once identified, needs to be documented, it needs an impact assessment, it needs a likelihood assessment, it needs mitigation actions identified and it needs contingent actions to be defined. Also, critically, an identified risk needs an ‘owner’ – the person responsible for preventing it from happening.

Usually when people refer to ‘risk management systems’, what they bring to mind are the tools for use by the risk professionals to manage all the stuff I’ve listed above, to give them a simple label – ‘risk registers’.

What I am more interested in considering are the systems and processes used by the operational business teams to help to prevent risks from occurring and creating issues.

Certainly, risks need to be identified, tracked and monitored, and specialist professionals and systems can help with this. But if a risk is real, then it also needs to be managed within the day-to-day operational processes and activities of the business – otherwise it will manifest and affect customers and business outcomes.

In fact, in the ‘real’ world what a risk usually means is “something that can go wrong with an activity or process”.

So, when we identify new risks (or review existing ones) it is essential that we link the risk to the operational activities that it impacts and especially the activities that give rise to the risk itself. As managers of teams and business activities, these are the things we are responsible for making work without mistakes – it is our job to prevent them from going wrong. Managing these risks is our day job – from this perspective we are all risk professionals.

Fortunately, the new obligations on firms under the Accountability Regime actually help to identify some of these risks for us and give us some clues about how to mitigate against them.

If you consider the Management Responsibility Map and the codified list of Prescribed Responsibilities, most either directly translate into new risks or provide a ‘focus’ for existing risks to be considered afresh.

In the table below, I list some of the new Prescribed Responsibilities (PRs) and some ‘risk’ notes about them. The new regime specifically identifies the member of senior management who is now personally accountable for these business activities. This gives us a clear ultimate owner for any new risks, although others in the business will be delegated the responsibility for delivering working policy and processes to manage them. In one way or another, the PRs listed in the table will impact on Training and Competence and HR teams once the new regime comes into effect in 2016.

If we then look into the details of the new regime we can easily find many more new risks, which we will need operational processes to manage. Almost all of the ‘changes’ we have made in response to the new Accountability Regime could be added to our risk registers because we’ve (hopefully?) made them in response to a new obligation, which we now need to comply with.

For example, within Certification, there is the new ‘no gaps’ rule. This states that managers of anybody who is a ‘certification employee’ are also performing a ‘certification function’, unless they are a Senior Management Function holder. Taken in isolation this seems relatively simple but when the implications for daily activities are considered, it potentially has a significant impact.

This rule means that processes for managing absence, locums, successors, promotions, leavers and joiners etc. all need to be updated to ensure we don’t bring someone into a role who needs to be Certified and isn’t, for example a Branch Manager covering a Supervisor’s role for Mortgage Advice teams. Although there is an exception for ‘temporary cover’ for Certification employees, this only allows for up to 4 weeks, and then only if ‘unforeseen’. If it does happen, we need to record and report a breach.

Therefore, all of these processes need to be reviewed, probably updated to include Certification ‘checks’ (mitigating actions) and then our daily, weekly, monthly MI and oversight controls need to be updated to ensure our systems tell us if it does occur. Linked processes for rapid Certification assessments and issue of Certificates, or the ability to temporarily allocate responsibility to alternative staff probably need to be in our ‘contingency actions’.

Ideally, our systems will proactively tell us before the situation occurs, to prevent the risk manifesting – proactive T&C processes, for example.

 

PR A
Description: Responsibility for the firm’s performance of its obligations under the senior management regime
Risk Notes: New risk that will impact:

  • Fit and Proper processes
  • Learning and Development
  • Training and CPD
  • HR
  • T&C
  • Recruitment & On-boarding
  • Operational MI and KPIs
  • Complaints
  • Breach Investigations and Reporting
  • Oversight and Governance

PR B
Description: Responsibility for the firm’s performance of its obligations under the employee certification regime
Risk Notes: New risk that will impact:

  • Fit and Proper processes
  • Learning and Development
  • Training and CPD
  • HR
  • T&C
  • Recruitment & On-boarding
  • Operational MI
  • Performance Management
  • Management Reporting and Escalation Procedures
  • Locum and Succession planning
  • Quality Assurance and Checking
  • Complaints
  • Breach Investigations and Reporting

PR C
Description: Responsibility for compliance with the requirements of the regulatory system about the management responsibilities map
Risk Notes: New risk that will impact:

  • New processes for oversight and maintenance of the Map
  • New processes for oversight and maintenance of the Statements of Responsibility
  • Record Keeping arrangements
  • Timeliness and accuracy of updates and changes
  • Audit

PR G
Description: Responsibility for monitoring the effective implementation of policies and procedures for the induction, training and professional development of all persons performing designated senior management functions on behalf of the firm other than members of the governing body.
Risk Notes: Not quite a new risk but a new focus on obligations which have always existed:

  • Senior Management assessments and Performance Reviews
  • Robust record keeping
  • Documented ‘Competence’ policy
  • Monitoring of L&D plans and CPD and TNA – individual and collective
  • Monitoring and assessment of ‘effectiveness’ of induction and development

PR H
Description: Responsibility for overseeing the adoption of the firm’s culture in the day-to-day management of the firm.
Risk Notes: Technically not a new risk but one that was probably not very explicitly assigned to specific Senior Managers.

Either in addition to or along-side ‘professional standards’ or ‘culture’ initiatives within firms, embedding ‘culture’ in daily activity will have direct impact on HR and T&C teams.

PR F
Description: Responsibility for: (a) leading the development of; and (b) monitoring the effective implementation of; policies and procedures for the induction, training and professional development of all members of the firm’s governing body.
Risk Notes: See ‘G’ above.

This PR is very similar but will have a different ‘business owner’ in the Senior Management team.

It represents an ‘opportunity’ / ‘risk’ of a different perspective and interpretation which could vary the impact within the business.

Although focused on a few individuals, the approach to this obligation should set a tone for development and monitoring of key staff and management.

 

Another good example is the Regulatory References changes proposed under consultation papers FCA CP 15/31 and PRA CP36/15. As headlines, this consultation:

  • Introduces an obligation to request references for CERT and SMF employees going back 6 years
  • Mandates the inclusion of specific information in the issued reference such as involvement in ‘concluded’ breaches

And crucially…

  • Mandates that the Firm updates any previous reference issued in the past 6 years, if new matters come to light

If these proposals are ratified, it will mean we need to update our record keeping for all references issued, including details of the firms we’ve issued them to and keep them for a minimum of 6 years. We will need a new process to issue updates to references and new processes to act on any updated references we may receive at any time up to 6 years after initial appointment, all with the associated ‘risks’ to be managed.

Over recent months we have reviewed the functionality of our Insight GRC system in response to the Accountability Regime changes and identified a list of well over 100 regular operational processes that need to be reviewed and updated as a consequence. If anyone is interested in this list or any of the other SMR, CERT or Conduct Rules collateral I have spent some of the last 300 days (!!) compiling, please do get in touch.

It would be a very useful action for everyone to review all of the new regime obligations and process changes and to consider them from the perspective of the new risks they introduce:

  • What could go wrong?
  • How will I know?
  • How will I fix it when I find out?
  • What evidence will it need?
  • Who does it need to be reported to?

While it could be a time-consuming and arduous task, what’s the risk?

About Author

Carl Redfern

Carl Redfern is the Compliance Director and co-founder of Redland Business Solutions, the market leader in specialist GRC Solutions for the Financial Services industry. For the past 15 years I have spent my time:

  • Working with Industry Forums, Professional Bodies and Regulators to help to assess the impact and define the requirements of developing regulation.
  • Designing solutions to support key strategic functions within Compliance, T&C, Conduct Risk, Governance and Operations.
  • Helping businesses to develop the business case for people, culture and conduct initiatives.

Most recently, I have been extensively involved in the development of the SM&CR regimes, working with industry bodies, both regulators and many firms, assessing the implications of the rules and designing specialist solutions to enable efficient and effective implementation. Redland have been voted the Best Solutions Provider – Senior Managers Regime with our specially designed technology solution, Insight SMR, to help firms comply with SM&CR and holistically integrate Certification with wider Culture and Conduct programmes.
