Inadequate governance is regularly cited by regulators as a factor that has contributed to the failings of firms. From small firms to large international organisations, governance is worth investing in with a view to avoiding common pitfalls and wider issues.
The internal frameworks and reporting mechanisms within a firm will support a good governance framework.
We review material produced by the FCA and PRA, including Final Notices relating to enforcement outcomes, to identify best practice and lessons learned so that we can assist our clients in implementing effective internal arrangements. We also assist clients in conducting internal governance reviews, both proactively, to provide additional assurance to senior management, and reactively, in response to incidents or regulatory enquiries.
Based on our experience of advising clients and taking into account lessons learned by those who have faced regulatory enforcement action, we set out below some practical tips that firms may want to consider in respect of four related areas: (i) committees and the Board; (ii) management information; (iii) information and escalation routes; and (iv) policies and procedures.
Whilst smaller firms will want to take a proportionate and risk-based approach, firms of all sizes should keep under regular review the extent to which further steps could be taken, or elements embedded, to enhance their governance framework. Sometimes doing the simple things well and consistently can make a big difference to key outcomes, but this may be harder to achieve than expected amongst all the complexity of managing a business day to day. Going back to basics on governance can pay dividends in the long run.
Committees and the Board
Certain firms will have various committees in place, which will vary between companies and reflect their size, nature and complexity. Committees are usually used as forums for decision-making, challenge and escalation. The type, number and membership of such committees should be kept under review so that the internal structure remains appropriate for the business and capable of dealing with any new external or internal developments, with an adequate range of attendees and presenters to inform decision-making.
Committees should cover all key areas of the business, and it should be clear where the remit of a committee starts and ends. The roles and responsibilities of the committee’s members and the committee as a whole, and details of the decisions it can take, should be documented within the Terms of Reference.
Minutes should be taken at committee meetings and a record of decisions should be taken and stored in accordance with a consistent record keeping methodology. Actions should be recorded and tracked to completion, and larger firms may have a dedicated secretariat to support with this tracking. Furthermore, firms may want to consider whether decisions are being taken in committees or via other routes and whether that seems appropriate.
The role of the Chair is also crucial within a committee: they should be experienced enough to know the committee’s remit in depth, to challenge adequately and to support the delivery of the committee’s functions as set out in the Terms of Reference.
In terms of Boards, the FCA expects that they are well attuned to the main risks and issues that their business faces. There will also be certain roles of which regulators expect particularly high standards, notably the CEO and the firm’s Chair. The CEO will be expected to deliver the strategy of the firm and to lead the senior management and the broader staff population in a way that sets the right example. They will be expected to know and articulate the risks in their business and to demonstrate how their business is mitigating them. This is illustrated by a tool the FCA uses regularly, ‘Dear CEO letters’: correspondence addressed to the CEOs of firms where there are areas of regulatory concern. Chairs are expected both to support and to challenge the CEO and Board from an independent standpoint, and it is expected that these individuals have a depth of experience and knowledge, as well as a particular skill-set that enables them to challenge the executive in a way that supports the delivery of the firm’s aims.
Management information
Management information (MI) can take many forms, both qualitative and quantitative. The FCA has stated that MI ‘is important in analysing trends, helping [a firm] forecast the future and solve problems’, that MI should be ‘active’ rather than ‘merely reactive’, and that it should ‘address future risks rather than dealing with only known problems and should be acted on when necessary’. Whilst the FCA states this in the context of UK financial services firms, the same can be applied to non-financial services firms and the MI that their management bodies receive.
Firms may want to evaluate the MI that is going to their management body and whether its content is appropriate in terms of level of detail and scope. In particular, management bodies may want to consider:
- whether the MI they receive is reflective of both the current and potential risks in their sector and whether adequate steps are being taken to ensure it remains so, including by way of internal and external risk monitoring;
- analysing their MI to see what is available and whether this is reflecting the right type of risks, and whether there are certain triggers in place for escalation;
- when the exact data that firms want is not there, or is under development, whether additional steps can be taken to ensure that they are maximising the data that they do have to garner insights, and investigating appropriately and promptly where required;
- evaluating how effective information flows are, from all the different business areas to management bodies, to see if there are any areas where improvements can be made. In times of crisis or operational disruption, it is likely that these flows will need to be sped up;
- reviewing the external sources that they rely on for market data and insights and evaluating whether these are providing them with what they require; and
- whether they have adequate horizon scanning in place so that their management bodies are kept informed on what could impact them in the short, medium and long-term.
Information and escalation routes
Information flows are important not only in times of crisis or operational disruption but also in the day-to-day running of a firm. Good information flows ensure that the correct people within a firm see the right information at the right time, while escalation routes ensure that there are structured ways to reach senior management where required.
In terms of information flows, management bodies may want to ensure that they have coverage of all areas. They may want to look at how information is cascaded from the top of the organisation to the bottom, as well as vice versa. Firms may also want to evaluate how information is shared across business areas and whether this works in a way that supports what the firm is setting out to achieve. Firms also may want to consider how this is done practically, what works well and how that can be incorporated across the firm for consistency.
In terms of escalation routes, firms may want to consider the risk frameworks in place, how escalation methods are documented within them, and whether the associated tolerances are correct and align with the broader risk appetite of the firm. This will also help ensure that senior management receive the right information. To test this, senior individuals within firms may want to step back and consider: if an individual within their organisation saw something occurring that was wrong, what options would be available to them to escalate it, and would they know how to access these routes and use them effectively? Whilst for most individuals this will rightly be their manager, firms should consider the other routes available and whether staff are sufficiently educated on these mechanisms.
Policies and procedures
Policies and procedures enable a firm’s employees, at all levels, to understand a firm’s defined approach to an issue or area. Used effectively, they can provide clarity, drive up standards and support the correct matters being escalated. These documents will be looked upon to guide the direction an individual should take, and so it is important that they are robust, relevant and comprehensible.
It is important that policies and procedures are reviewed and updated at regular intervals. If the business grows, firms should consider whether their policies and procedures are still fit for purpose or whether they need amending. While it may seem simple, version control mechanisms will help ensure documents are kept up to date, and documents with senior owners are more likely to be subject to adequate review and challenge.
If policies and procedures are linked to regulatory requirements, firms should consider how they have been tailored to apply to the business model of the firm rather than simply restating the rules. Firms may also want to consider whether providing example scenarios within their policies and procedures will help staff understand how the rules may apply in practical situations. For certain policies and procedures, it will be appropriate for firms to cover the whole suite of business lines and products or, if they do not, to ensure that there is an appropriate reason for not doing so. Firms should also ensure that there are no inconsistencies between documents by taking a holistic view of them rather than looking at them one by one.
Finally, policies and procedures should generally be stored in a central repository so that staff can access them at all times, with previous or outdated versions clearly marked as such.