Non-executives - what actions are you taking on the issues you haven’t yet identified?

Posted: 27th July 2016

At our recent Non-Executive Forum, a delegate revealed that they were asked this question by the regulator. If put in the same position, how would you field it?

In reality, it’s a fantastic question, as it’s one that completely encapsulates the aim of principle-based regulation; it takes regulatory discussion away from the realm of the reactive and places the onus on a firm’s culture, governance and controls, its level of engagement with customer outcomes and the values it operates by.

Essentially, the ideal answer contains a robust justification – with evidence – of how the firm works to continuously refine and improve the customer experience.

This is the high-level, at least. When it comes to practically applying the concept of proactive compliance, there are many factors to consider.

To this end, many firms have taken big strides in the principle-led regulatory landscape to consider how they react to individual circumstances and vulnerability, and also how they test and improve the real outcomes they are providing.

However, without the ability to articulate their approach to the regulator, some important benefits of this type of work could go unrealised by firms and, worse still, if sufficient evidence is not provided for the customer-centric work taking place, a firm could still find itself subject to enforcement measures.

We recently spoke about how boards can better engage with internal regulatory experts to make more robust commercial decisions. Here, we turn our attention how a board can justify to the regulator its customer-centric culture, if and when it’s called upon to do so.

1.   Evidencing the risk-based approach

Firms should be ensuring that due diligence, business activities and internal audit procedures are risk-based and take into account the firm’s risk appetite.

It’s unreasonable for Senior Executives to believe that they can know everything going on in their firm, and as such, the way they interact with internal compliance functions is key – can you as a non-executive retain evidence of risk experts’ concerns, including how the issue was assessed, and why certain actions were or weren’t taken?

Some examples of evidence in this area might include:

• The documented results of ‘deep dives’ into areas of higher risk and/or concern
• The ability to produce examples of the MI provided to the board – this should be ‘forwards looking’ where possible, and trends should be monitored to spot and raise potential issues
• Evidence of activities such as mystery shopping (this tests frontline staff competency and your firm’s ability to react to individual circumstances)
• Evidence of outcomes testing that delves deeply into the customer experience and does not rely on customer satisfaction surveys
• The ability to articulate the rationale for the activity above, and what changes were prompted by it (equally, this activity can lead to the determination that no action need be taken – can you provide a narrative to this sort of decision making, also?)

2.   Evidencing a strong ‘three lines of defence’

An effective ‘3LOD’ model is pivotal to ensuring issues are contained and identified quickly. Many firms will have embedded this into their organisations, but in the interests of quantifying your approach to the regulator, it’s a good idea to periodically review the three lines of defence to ensure they are working effectively.

In the first line of defence, the business’s frontline staff and first line management are responsible for the identification and assessment of risks and controls. Does your firm have clear escalation policies for regulatory concerns? Being able to articulate your process, produce examples of the risks taken to the board and justify the decisions made around them is best practice here.

In the second line of defence, a firm’s compliance function challenges on completeness and accuracy of risk assessments, risk reporting and the adequacy of mitigation plans. Is robust challenge embraced in your firm? How often does the board engage the risk committee? Can you show how regulatory concerns are cross referenced with commercials and the firm’s risk appetite at board level?

In the third line of defence, internal audit provides independent and objective assurance on the robustness of the risk management framework and the appropriateness and effectiveness of internal controls. Does your firm have the capability to perform internal audit effectively? Are you realistic about whether the results of audit should prompt action? Simply performing internal audits is not enough to rebuff regulatory scrutiny – how can it contribute to your decisions to help refine your regulatory approach?

3.   Evidencing lessons learned from root cause analysis

Applying root cause analysis to past issues gives firms the opportunity to develop their future approach and lessen the likelihood of customer detriment and associated remediation exercises.

Can the board provide insight into the issues that have prompted root cause analysis to be performed on products, processes and the customer experience? If this activity is documented, your firm will be in a better position with the regulator. Can you as a board member articulate how the issues highlighted by root cause analysis led to positive changes within your firm?

If not, can you gain a better illustration of this as a board? This could be via engagement with your compliance function; however it may be that some process development is required in order to capture this information more comprehensively.

4.   Evidencing the strength of your MI

The MI your firm reports on can contribute much to regulatory discussion if reports are designed and executed successfully. Does your reporting bring data to life by providing a narrative to regulatory concerns and their implications?

Can you exemplify how your reporting alerts you to issues using samples of MI? A firm should have accurate thresholds in place to be able to determine where issues may arise and be able to produce trend analysis. This should of course feed into decision making, however it may that the regulator also wishes to know what the journey between the MI as presented and the decision to make changes looked like.

Success is Always A Product of good internal culture

It’s clear from the activities above that the regulator, if examining your firm, wants to find a forward-looking culture that seeks proactively to provide good customer outcomes, as opposed to finding a firm reacting to issues as they arise.

We hear a lot about culture in the industry, however, its intangibility means it can be difficult for firms to measure. Indeed, FCA Chief Andrew Bailey has recently attested to this.

Culture is in fact the sum of many composite parts, and just as the activities above can contribute greatly to a rich, customer-centric culture that is known and ‘lived’ around the business, not endorsing this kind of activity can take just as much away. When trying to gain a better view of a firm’s overall culture and how it ‘lives its values’, no part of the business is more empowered than the board.

When examined in this fashion, the board’s role in helping a firm pull in the same cultural – as well as strategic – direction is pivotal.

When it comes to satisfying the regulator over the issues you haven’t identified yet, it’s not just about the high standards of the products, processes, controls and governance you preside over today. In fact, it’s not always about how you intend to keep them high-quality – to reap the maximum benefit from customer-centric work, you must be able to show the path your firm has travelled.