United Kingdom | Publication | May 2023
Inadequate governance is regularly cited by regulators as a factor which has contributed to the failings of firms. From small firms to international global organisations, governance is worth investing in with a view to avoiding common pitfalls and wider issues.
The internal frameworks and reporting mechanisms within a firm will support a good governance framework.
We review material produced by the FCA and PRA including Final Notices relating to enforcement outcomes to identify best practice and lessons learned so that we can assist our clients to implement effective internal arrangements. We also assist clients in conducting internal governance reviews both proactively to provide additional assurance to senior management and reactively in response to incidents or regulatory enquiries.
Based on our experience of advising clients and taking into account lessons learned by those who have faced regulatory enforcement action, we set out below some practical tips that firms may want to consider in respect of four related areas: (i) committees and the Board; (ii) management information; (iii) information and escalation routes; and (iv) policies and procedures.
Whilst smaller firms will want to take a proportionate and risk-based approach, firms of all sizes should keep under regular review the extent to which any further steps could be taken or elements embedded so as to enhance their governance framework. Sometimes doing the simple things well and consistently can make a big difference to key outcomes but may be harder to achieve than expected amongst all the complexity of managing a business day to day. Going back to basics on governance can pay dividends in the long-run.
Certain firms will have various committees in place which will vary between companies and reflective of their size, nature and complexity. Committees are usually used as forums for decision-making, challenge and escalation. The type, number and membership of such committees should be kept under review so that the internal structure remains appropriate for the business and capable of dealing with any new external or internal developments with an adequate range of attendees and presenters to inform decision making.
Committees should cover all key areas of the business, and it should be clear where the remit of a committee starts and ends. The roles and responsibilities of the committee’s members and the committee as a whole, and details of the decisions it can take, should be documented within the Terms of Reference.
Minutes should be taken at committee meetings and a record of decisions should be taken and stored in accordance with a consistent record keeping methodology. Actions should be recorded and tracked to completion, and larger firms may have a dedicated secretariat to support with this tracking. Furthermore, firms may want to consider whether decisions are being taken in committees or via other routes and whether that seems appropriate.
The role of the Chair is also crucial within a committee, and they should be experienced enough to know the committee’s remit with depth and have the ability to challenge adequately and to support the delivery of the functions of the committee as set out in the Terms of Reference.
In terms of Boards, the FCA expects that they are well attuned to the main risks and issues that their business faces. There will also be certain roles that have particularly high standards expected of them by regulators – notably the CEO and the firm’s Chair. The CEO will be expected to deliver the strategy of the firm and lead the senior management and the broader staff population in a way that sets the right example. They will be expected to know and articulate the risks in their business, and demonstrate ways that their business is mitigating these. This is shown by the regularly used-tool by the FCA, ‘Dear CEO letters’ – correspondence addressed to the CEOs of firms where there are areas of regulatory concern. Chairs are expected to both support and challenge the CEO and Board from an independent standpoint, and it is expected that these individuals have a depth of experience and knowledge, as well as having a particular skill-set which enables them to challenge the executive in a way that supports the delivery of the firm’s aims.
Management information (MI) can take many forms, both qualitative and quantitative. The FCA has stated that MI ‘is important in analysing trends, helping [a firm] forecast the future and solve problems’1 and that MI should be ‘active’ rather than ‘merely reactive’ and should ‘address future risks rather than dealing with only known problems and should be acted on when necessary’. Whilst the FCA will be stating this in the context of UK financial services firms, the same can be applied to non-financial services firms and the MI that their management bodies are receiving.
Firms may want to evaluate the MI that is going to their management body and whether its content is appropriate in terms of level of detail and scope. In particular, management bodies may want to consider:
As well as in times of crisis or operational disruption, information flows are also important in the day to day running of a firm. Good information flows are important to ensure that the correct people within a firm are seeing the right information at the right time, while escalation routes are important to ensure that there are structured ways to reach senior management where required.
In terms of information flows, management bodies may want to ensure that they have coverage of all areas. They may want to look at how information is cascaded from the top of the organisation to the bottom, as well as vice versa. Firms may also want to evaluate how information is shared across business areas and whether this works in a way that supports what the firm is setting out to achieve. Firms also may want to consider how this is done practically, what works well and how that can be incorporated across the firm for consistency.
In terms of escalation routes, firms may want to consider the risk frameworks in place and how they document escalation methods within these, and whether these tolerances are correct and align to the broader risk appetite of the firm. This will also aid with ensuring that senior management are receiving the right information. To test this, senior individuals within firms may want to step back and consider, if an individual within their organisation saw something occurring that was wrong, what options would be available to them to escalate it and whether they would know how to access these routes and use them effectively. Whilst for most individuals, this rightly will be their manager, firms should consider the other routes available and whether staff are sufficiently educated on these mechanisms.
Policies and procedures enable a firm’s employees, at all levels, to understand a firm’s defined approach to an issue or area. Used effectively, they can provide clarity, drive up standards and support the correct matters being escalated. These documents will be looked upon to guide the direction an individual should take, and so it is important that they are robust, relevant and comprehensible.
It is important that policies and procedures are reviewed and updated at regular intervals. If the business grows, firms should consider whether their policies and procedures are still fit-for-purpose or whether they need amending. While it may seem simple, version control mechanisms will help ensure documents are kept up-to-date and documents having senior owners are more likely to be subject to adequate review and challenge.
If policies and procedures are linked to regulatory requirements, firms should consider how they have been tailored to apply to the business model of the firm rather than just relaying the rules. Firms may also want to consider whether providing example scenarios within their policies and procedures will aid staff on how the rules within them may apply in practical situations. For certain policies and procedures, it will be appropriate for firms to cover the whole suite of business lines and products, or if they do not, ensure that there is appropriate reason for doing so. Firms should also ensure that there are no inconsistencies between documents by taking a holistic view of them rather than looking at them one by one.
Finally, policies and procedures should generally be stored on a central repository so that staff can access them at all times, with previous or outdated versions clearly being marked as so.
Publication
The UK remains a world leader in offshore wind, accounting for roughly 20 percent of global offshore wind capacity, with 11.3 GW operational. It is forecast that installed capacity will rise to 19.5 GW by mid 2020s.
Subscribe and stay up to date with the latest legal news, information and events . . .
© Norton Rose Fulbright LLP 2025
