HOW TO CREATE RISK OWNERSHIP WITHIN YOUR FIRM
from PIMFA Summer/Autumn Journal
by PIMFA
One of the fundamental obligations applicable to all regulated firms is the need to implement appropriate processes to manage risks.
"A firm must have robust governance arrangements, which include a clear organisational structure with well defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks it is or might be exposed to, and internal control mechanisms, including sound administrative and accounting procedures and effective control and safeguard arrangements for information processing systems." (Source: FCA Handbook, SYSC 4.1.1 R)
But how do we encourage colleagues to take responsibility and raise issues appropriately?
Good risk management brings many benefits to firms. Whether you’re a regulated firm or not, there is value in nurturing a corporate culture where staff throughout the company seek to improve standards. Most people are familiar with the basic risk management process:
The Risk Management Process
Identify - Assess - Monitor - Report - Improve
But before you can begin to identify risk, you need to engage everyone within the firm. Firms should raise awareness by defining what is meant by risk. This would encourage staff to identify and flag risks. This means that the culture within a business needs to encourage staff to speak up and take ownership of their daily processes. A robust governance structure engenders staff participation and provides clear direction for the company:
Governance
Culture
Control
STEP 1: STRATEGY
Risk management starts with your business strategy. How are you going to achieve your business goals? It’s not solely about profit. Firms need to consider how they deliver good outcomes for their customers.
Start by looking at your business objectives and engaging the board in discussions around:
• Reviewing corporate objectives
• Aligning corporate goals with client outcomes
• Supporting the business objectives with clearly defined department and individual objectives
• Considering risks posed by third parties and contractors
There must be a clearly defined strategy that is cascaded down throughout the business. This helps to encourage a collaborative approach with everyone’s minds focused on the end objective.
STEP 2: CREATE A CORPORATE CULTURE
Like most things, staff copy what they see. If their line manager shows signs of malaise or lack of belief in the company’s strategy, how will staff react?
Firms need to:
• Define company values and how you wish to demonstrate them.
• Identify ways to ensure that conduct reflects those values (such as remuneration policies).
Senior managers should use language that supports the company values and demonstrate the behaviours sought.
STEP 3: CLEAR & CONSISTENT COMMUNICATIONS
Staff must have a strong understanding of what they are trying to achieve in their respective roles. They need to understand what a risk is and have the appropriate mechanism in place to raise queries or flag when something does not seem right. This means clearly defined company policy supported by actions and clear communications that:
• Explain to everyone what they need to do.
• Set staff objectives that demonstrate corporate values and goals.
• Are clear about expectations.
STEP 4: CONTROLS
A control can be something straightforward. For example, “the company policy is that all personal trading must be approved before a trade takes place”. The policy sets the boundaries within which staff perform their duties. Firms should implement processes where staff raise a request and receive a response promptly, while also creating an audit trail. Processes provide consistency in approach and an agreed way of conducting business.
STEP 5: ONGOING MONITORING AND CONTROL
Once policies and procedures have been implemented, firms’ compliance and internal audit teams start to assess the effectiveness of controls. These reviews will help provide reassurance to the Board that its risks are managed.
Monitoring teams will look for hard evidence to support not only that a task has been completed, but that it has been conducted in the proper manner, with the correct sign-off. In effect, they are looking at the quality of completion and evidence to confirm why something was done. They will also look at the audit trail to confirm who did what and when.
STEP 6: REPORTING
The company’s Board has a duty to manage its risks appropriately. It determines its risk appetite and requires reassurance that risks are controlled.
It is then the responsibility of a senior manager, usually the chief risk officer, to implement those decisions at an operational level. The Board seeks reassurance from the senior manager and speedy notification of any developing trends.
This cycle of assessing and improving risk management should be emphasised within firms. Nothing remains static for very long. Engaging staff and building a risk culture helps to encourage staff to query the process and suggest changes in a controlled way. It also helps to keep the firm agile and resilient to changes.
PRISCILLA GAUDOIN
HEAD OF RISK & COMPLIANCE, RULEGUARD
WWW.RULEGUARD.COM/OPERATIONAL-RISK-MANAGEMENT-SOFTWARE