X6 STEPS TO A HEALTHY REGULATORY GOVERNANCE, RISK AND COMPLIANCE [GRC] FRAMEWORK

X6 STEPS TO A HEALTHY REGULATORY GOVERNANCE, RISK AND COMPLIANCE [GRC] FRAMEWORK

Financial services regulators (take your pick:- JFSC, GFSC, MFSC etc.) are taking an increasingly robust approach with regulated firms.

Firms should therefore ask themselves what steps they can take to manage the risk of formal sanction.

Comsure would suggest the following x6:

1. First, firms should review (and, if necessary, enhance) their compliance resource as a matter of priority.
   • The JFSC has made clear (from its Compliance Monitoring guidance in 2013 through to its most recent public statements and civil penalties) that firms must have a compliance function that is resourced adequately
     1. https://www.comsuregroup.com/news/jfsc-director-general-comments-on-sg-kleinwort-hambros-fines-totalling-719-45121/
     2. https://www.comsuregroup.com/news/jersey-enforcement-lgl-sghambros-x5-critical-learning-points-for-boards-and-compliance-professionals/
   • Importantly, to address the above, firms are required to assess both the quantity and quality of that resource.
   • Further, firms must prepare and implement an effective compliance monitoring plan that is tailored to the specific risks faced by the firm and which is reviewed and updated to reflect the changes in those risks over time.
2. Second, the board must be able to show that it is discharging its role as the firm's governing body effectively. Questions that board members should ask themselves regularly include as follows:
   • Is the correct information being put before the board and with sufficient frequency?
   • Are the critical points in the board packs explained clearly to avoid 'information overload'?
   • Can the board evidence constructive debate, support and challenge?
   • Are actions recorded clearly in the minutes and assigned to a specific person, and is progress then reported back to the board?
   • If the answer to any of these questions is not a resounding YES, urgent improvements are needed.
3. Third, all accountabilities, responsibilities are to apportioned clearly within the firm; including:
   • Delegated authorities between the board and committees must set out the roles and responsibilities of each function.  And each function should be clear as to their reporting line and authorisation levels.
   • Matters "reserved for the board and the committee" must set out each function decision making responsibilities/authorisation levels.
   • Job descriptions must ensure that they set out the individual's role and responsibilities, and each individual should be clear as to their reporting line and (where appropriate) authorisation levels.
   • Managers should also ensure that they exercise appropriate oversight over those who they supervise.
4. Fourth, firms should seek appropriate independent validation (e.g., by group internal audit or an external consultant) of their compliance function and board effectiveness.
   • Such review and feedback by an objective party can be invaluable in challenging 'group think' and identifying areas for improvement.
5. Fifth, firms must keep adequate, orderly and up-to-date business and customer records.
   • Firms often view record keeping as a second-tier regulatory obligation of less importance than other substantive obligations. This is a serious error: adequate records build a 'corporate memory' and provide the necessary audit trail.
   • The firm can demonstrate compliance with more comprehensive regulatory requirements to the JFSC.
6. Sixth, firms must deal with the JFSC openly and cooperatively at all times.
   • The JFSC's ability to supervise firms depends on the quality of the information it receives, which means that it takes a dim view of firms that fail to be candid and cooperative. Therefore, it is in each firm's interest to cultivate a strong relationship with their regulator, both when responding to JFSC requests and in recognising when to make proactive disclosures.

Comsure has been helping firms over 16 years on the matters highlighted above.

If you wish to discuss any of the matters above, please contact Mathew as follows:

Mathew Beale - Chartered FCSI

Principal (Director) - Comsure Compliance Limited, Comsure Technology Limited (the "Comsure Group of Companies")

No 1 Bond Street Chambers, St Helier, Jersey, Channel Islands, JE2 3NP

Direct Tel: +44 (0) 1534 626841 - Mobile Tel: +44 (0) 7797 747 490 - Skype: comsurecompliance

mathewbeale@comsuregroup.com - www.comsuregroup.com