Bovill: Financial services regulatory consultants

Compliance monitoring: The four-step CMP

Whatever your firm’s size, and whatever regulated activities you undertake, there is a clear four-stage approach which should sit behind any compliance monitoring framework.

Compliance teams will always be under pressure when it comes to the scope of what they can deliver. But the backdrop of Covid-19 has brought even more challenges:

  • The operational challenges of remote working
  • The inherent difficulties in line managing and overseeing a distributed workforce
  • The postponement of ‘business as usual’ activities such as training, updating of policies and procedures and ‘first line of defence’ quality assurance
  • The increased commercial pressures firms have been under
  • Greater focus from the regulators.

While these factors should prompt Chief Compliance Officers to produce a compliance monitoring plan – or CMP – which is broader and deeper in scope, the underlying principles of how the plan is created and executed remain the same.



Contents

1. Planning
2. Testing
3. Feedback
4. Follow-up
5. Outsourcing compliance monitoring?


At Bovill Newgate, we help firms design their compliance monitoring plans or provide outsourced compliance monitoring resources. While these firms differ in size and sector, there are common themes and issues. Our four-step CMP is a common approach which goes through the stages of planning, testing, feedback and follow-up, and it is a useful starting point for any regulated firm.

1. Planning

Planning is the most important phase. The planning phase encompasses the ‘what, why, when and how’ of the monitoring activity.

Key challenges:

  • CCOs ‘self-edit’ on scope
  • There is insufficient alignment with other control functions
  • Plan is not aligned to the wider Enterprise Risk Management Framework
  • Plan can’t be justified.

What and why

CCOs need to be able to articulate and justify what they intend to monitor and, most importantly, why. This should be based on a valid, reliable and consistent assessment of the risks. While the CMP is a discrete and independent activity, it does not happen in isolation from the rest of the firm’s enterprise risk management framework (ERMF), and should be informed by – and inform – the activities of the other elements of the three lines of defence (3LoD).

Insights to develop and validate the CMP should come from:

  • Business plans, and the strategic objectives of the firm
  • Compliance generated horizon scanning (and analysis from other sources)
  • Second line Risk and their work on key risk indicators and the risk and control self-assessment process
  • Third line Internal Audit findings
  • First line ‘business as usual’ oversight activity, quality assurance, root cause analysis in complaints, and incident logs
  • The needs of the first line.

And it is the final point, the needs of the first line, that should be a key consideration. In firms with a mature 3LoD set up, senior management in the first line (mindful of their SMCR responsibilities) will be engaging with the compliance team, and highlighting areas of their businesses on which they are seeking assurance. Inevitably, most firms will not be operating at this level, so there will be more need for Compliance to proactively reach out to the first line, and seek their input. This outreach activity helps Compliance break out of the silo, and reinforces the impression that compliance monitoring is a collaborative exercise aimed at fixing the problems, not the blame.

When considering the range of areas in scope, CCOs should take a broad view of the risk landscape. It is insufficient for the compliance monitoring plan to focus merely on customer-facing areas of the business; the full range of activities should be considered. For example, in an SMCR world this should include assessment of the firm’s governance framework and the effectiveness of senior management.

Equally, the CMP should not stop at the firm’s door. When it comes to outsourced services, the focus should be on the service, not where it is carried out. For example, if the risk landscape dictates that a review of complaints handling should be undertaken, and this function is outsourced, Compliance should be assessing the third party provider’s adherence to regulatory requirements. Conversely, if a broader review of outsourcing controls is required, this should focus on the firm’s first line, and their oversight of the third parties.


When

The timing of compliance monitoring activity is important, particularly in relation to other assessment activity happening within the firm. While the CMP will always be independent of the other activities performed by control functions, there should be some coordination of those activities to avoid excessive disruption in the first line. And where possible and practical, the first line should be aware of the timetable of control function activities.

CCOs should also build sufficient flex into the plan to accommodate the potential need for additional monitoring activity, or changes in prioritisation. The plan should not be expected to stay fixed if the firm’s risk landscape changes.

How

The CMP should consider the capacity and capability of the compliance team to undertake the monitoring activity. If any additional resourcing is needed, that should be factored in, either within the team or via the use of third parties.

CCOs should not ‘self-edit’ the draft CMP, based on their current resource capacity. It is important that CCOs give senior management the full picture regarding what needs to be monitored. The business can then take a view regarding allocation of resources.

The CMP should be reviewed and formally approved by an appropriate committee within the organisation. Senior management should be able to demonstrate that they have considered the appropriateness of the approach, and the risks.

2. Testing

Compliance should work to formalise and document test plans which seek to assess the firm’s alignment with regulatory requirements. These assessments should be focused on the rules, but also on the principles behind them.

Key challenges

  • Compliance have insufficient capacity and/or capability to undertake the monitoring
  • Time allotted is inadequate
  • Insufficient access to first line staff
  • Agreed methodology is not followed.

As the FCA has consistently said, compliance is not simply about following the rules; it is about attitude, behaviours, culture and, most importantly, outcomes. Compliance should consider:

  • How the documented processes align with requirements
  • Whether the processes are being followed
  • If failings have occurred, or if there is a material risk of future failings (a point that will become much more relevant as the FCA/PRA develop their requirements for operational resilience)
  • Whether staff (and importantly senior management) in the first line fully understand, and can articulate, the conduct risk outcomes they are controlling against.

Compliance should build sufficient time and resource into the CMP to enable these complex, and potentially subjective points to be fully analysed, and also discussed with senior management in the first line area.

Whilst Compliance will be looking at the business through a different lens to Risk or Audit, there should be a consistency of approach. Control frameworks within organisations are weaker if the functions operate in silos. There should be clear alignment in the methodologies and procedures used. It is sadly often the case that the relationships within the control functions are more dysfunctional than the relationships between first line and second/third line. Firms need to break the control functions out of this siloed thinking and ensure there is a joined up approach to monitoring and assurance activity. Engagement with Internal Audit is important to ensure that review areas are not duplicated as failure to do so can be a source of frustration for the wider business.

3. Feedback

Compliance monitoring findings should be fed back to the relevant business owner, and also to senior management, via whatever forum is most appropriate. As with audit findings, it is important that boards and excos receive an independent and unfiltered view of what the compliance risks within the organisation are.

Key challenges

  • Reports have insufficient detail
  • Findings are inconsistent, and do not allow senior management to gain a clear picture, across the control functions
  • Senior management do not review compliance monitoring reports
  • Results do not feed into subsequent reviews.

The ratings of identified issues should be consistent with the expectations of the ERMF, and aligned to those of the other control functions. It is very frustrating for senior management to receive three different RAG ratings from Compliance, Risk and Audit. The firm should have a consensus as to ‘what good looks like’, and this should flow from the risk appetite.

Compliance monitoring reports should provide a clear picture of:

What – detail on the failure, and the severity
Why – root cause analysis, and consideration of any wider issues
How – the proposed resolution
When – timeline for resolution, based on the risk identified.

4. Follow-up

Compliance monitoring reports should be treated the same as internal audit reports, in terms of the expectation of follow-up and action. Senior management will be failing in their governance responsibilities if they do not ensure identified issues are addressed. To ensure visibility, outstanding actions should be tracked, and escalated to the appropriate forum, within the firm.

There is always scope for the first line to disagree with Compliance, particularly on the more subjective areas. But if the first line rejects findings, this should be clearly documented. The first line needs to own that decision, and the liability, under SMCR.

Compliance monitoring should be an integral part of the overarching ERMF. Firms should embed this through:

  • A ‘compliance culture’ within the organisation
  • Senior management leading by example
  • The compliance culture being ‘baked in’ to job descriptions and Statements of Responsibilities
  • Non-compliance being reflected in performance management and appraisals.


5. Outsourcing compliance monitoring?

Compliance teams always face resourcing challenges, and the additional risks brought on by Covid-19 only make that stretch more difficult.

Many firms look to outsource elements of the CMP as a solution. Outsourcing compliance monitoring brings potential benefits to a firm such as:

  • access to specialist expertise
  • an industry-wide view
  • additional resource
  • headcount flexibility.

But when selecting an outsourced provider, firms should consider:

  • a partner who they can build a long-term relationship with
  • a provider who is prepared to invest the time, to really understand their business
  • professionals who will add value, and provide suitable challenge.

At Bovill Newgate, we can help with any aspect of compliance monitoring. Get in touch to find out more.
