You may have already read our previous article – ‘What makes compliance so hard’ and if you have, you will be in no doubt that compliance can indeed be exceedingly challenging given the complex system of regulatory principles and rules that apply.
So how, as a compliance manager, do you practically deal with the compliance challenge and make the job of ensuring organisational compliance more manageable? We at TCF have put our collective thinking caps on and come up with what we believe are some really useful insights, based on our many years of experience working as, supporting and advising compliance managers. We hope you find them useful.
How can a compliance manager get the balance right between providing day to day support and advice to the business and carrying out their essential monitoring and assurance duties?
This is always a challenge – provide too much advice and support to the business and your limited time will disappear and your monitoring and assurance duties will suffer – provide too little and you are perceived as aloof and unhelpful and you potentially leave the business exposed to making easily preventable mistakes.
Our suggestion – interact proactively and early with the business – provide good support and advice to the business at the early phases of product development, marketing plans, technology upgrades, etc. By engaging with colleagues at an early stage and providing guidance to help the business implement compliant and consumer-friendly practices, it is likely to save a lot of time later. Not only can this avoid the need for redesigning or reshaping a product or a process but it can make the relationship between the business and the compliance function much more positive.
But beware, providing random support and advice to every ad-hoc request is going to eat up your day and render you totally ineffective and unable to carry out your basic duties. So get on the front foot and provide advice early and proactively.
How should a compliance manager ensure they have a good handle on how compliant the business is?
It’s important to ensure the compliance function has oversight of a broad range of business key performance and risk indicators. Many compliance managers tend to have favourite business areas that they like to review, and they spend too much time and effort focussed on those areas to the detriment of the rest of the business.
The smart compliance manager will frequently ask themselves whether they have measures and data that cover the whole of the business. An easy cross check to do is a short annual review of each business area to ensure that the compliance manager is satisfied with the level of data and quality of interaction that they are having with the area.
A classic area that is often left untested and poorly monitored is IT, often followed by the commercial area and product development area – by comparison the business operations area is often heavily scrutinised.
Additionally, a good compliance manager is proactive in asking for data of a proper quality. If we take the incident management / breach management process as an example – a rookie compliance manager may simply report the number of new incidents raised during a particular month and the number of incidents reported to the regulator. This will provide an indication of the volume of incidents occurring and a feel for the significance of those incidents. However, the experienced compliance manager will ask for further information that reflects how many incidents have not yet been fully dealt with and how long the ‘oldest’ incident has remained outstanding. This extra information starts to paint a more comprehensive picture of the volumes, the significance of the shortfalls, the overall volume outstanding and the urgency with which such matters are addressed. If the business can then add a narrative that reflects any trends they’ve identified and give brief details about the extent of customer impact, it will take the quality of compliance oversight to a more effective level.
When it comes to monitoring, the phrase to remember is ‘trust less, test more’.
And a key to getting it right is to plan – all monitoring activities need to be well planned – as it’s important to understand what’s going to be monitored, when it will be monitored, what form the monitoring is going to take, etc. The activities need to cover the likely risks and issues that the business faces and of course take into account regulatory developments and other market related risks. All of these factors should be considered up front and ranked from a risk perspective, to enable a smart plan to be formulated.
When undertaking the monitoring activities, be they desk based reviews, management information reviews, call monitoring, online support assessments, file reviews, customer contact, etc., it’s really important to take into account evidence, more evidence and even more evidence. Conjecture can guide but it is not sufficient. Ensure you record your findings accurately and concisely and you’re a long way towards your goal.
This example may demonstrate the importance of undertaking a comprehensive monitoring job.
This particular task started with a fairly straightforward review of management information relating to a particular investment adviser, which showed no significant issues at all. Next up was a review of a sample of files that again reflected no serious concerns. So far, so good. To be fair, it would have been easy to accept the suggested position but it’s interesting to see what a further examination reflects. The next step was to contact at least three of the customers and confirm their understanding of the arrangements that had been made for them. This painted a different picture.
The records were clear and comprehensive, showing the two meetings the customer and the adviser had completed, the documentation issued to the customer and a copy of the suitability report confirming the recommendation made. However, when the customer was contacted and they had calmed down from the mention of the adviser’s name, the responses they provided reflected a very different series of events to those recorded within the file.
The findings from the customer contact resulted in a very difficult interview with the investment adviser. Now, had the monitoring process stopped after the file reviews, the discrepancy in the versions of the events would never have been identified or investigated. Thankfully, the discussions with the adviser clarified what had actually happened and the situation was addressed. Fortunately, such integrity issues are not seen too often.
From a monitoring viewpoint, the MI review was good, the file review was also good but the customer contact identified what had actually happened. As suggested, trust less, test more.
Horizon scanning, to keep abreast of regulatory and legislative changes, may not be the most straightforward exercise to keep control over. However, it is a really important task and one that needs to be given the respect it deserves as a failure to update policies and implement new rules will inevitably cause problems.
Given that regulatory changes originate from a number of different sources including the Government, the relevant UK regulators and other trade bodies, the challenge is to identify the changes that are applicable to your firm, engage with the relevant stakeholders in the business to ensure they are aware of the publications and support the process of making the necessary changes.
A good tip is to identify which bodies are providing relevant updates and arrange for notifications of change to be automatically sent to you by the bodies themselves. Arranging notifications from just those bodies should also ensure you avoid too much correspondent opinion and you’re able to focus on what’s important and relevant.
A smart compliance manager will also encourage the business to take the same step, with information which will be of relevance to their area. This will assist by ensuring the business is aware of upcoming regulatory changes at as early a stage as possible.
Overall though, horizon scanning requires attributes which remain key to all compliance activities. That is, an ability to join the dots, see the bigger picture and have a nose for trouble. These are vital skills and qualities which the compliance manager needs to develop, and if you have them, well done and don’t lose them.
It may sound obvious, but it’s important not to lose the ability to step back when a standard day is packed with detailed reporting, metrics and assessments. Far too often when looking back at regulatory investigations and enforcement, many people (including lay people) will say ‘why did no one spot it?’ Especially when the firm had a virtual sea of metrics, systems and reporting. Frequently, having lots of systems and processes can squeeze out nous, anticipation and the bigger picture. The ability to make connections and a good nose are invaluable. These are assets worth valuing.
That’s all for now. We hope you have found these insights helpful. We’ve enjoyed collecting them. Many thanks to the TCF team for their input to this article. If you would like any specific advice or support then please do get in touch. You may also be interested to know that we now have available specific, practical courses to support the on-the-job development of compliance managers.