– Treating customers fairly (TCF) - use of management information (MI) and customer research to show, for example, that the Sipp is being used by the target audience, that service standards are being met and that members understand the operators’ communications;
– Banned lists - of investments, introducers and other parties with mechanisms to prevent their use;
– Tested back-up systems - to allow business to continue when disaster strikes (such as flooding);
– Effective means for whistle-blowing - the Association of Certified Fraud Examiners reports that tip-offs are three times more effective than any other method for fraud prevention.
Managing risk ought to follow a simple cycle, as characterised in Figure 1. Policies set out the risks in an area, explain the tolerance for those risks, how they are mitigated and the reasons for that. They also need to identify the records that must be kept and the reporting and MI that is needed to allow ongoing review.
Controls are built into systems and processes so they correspond to the policy; training and personnel reviews need to do likewise.
The systems and processes need to capture data to show what is going on. That forms the basis of the MI that the governance body or management board review to monitor the level of adherence to the policy.
The whole process needs to continue in a loop, with governance or management considering whether the policy remains fit for purpose, whether the controls are adequate, and whether they are getting the information they need to form an accurate view and take the necessary action if changes are required.
Out of control
It sounds almost childishly straightforward. So why does the FCA continue to find operators that are not controlling risks in their business? What is the underlying cause?
Having a policy is the easy bit - you can probably get one off the internet in seconds. But having a piece of paper doesn’t mean a thing: it has to be put into practice continuously. That is why, right from the first thematic review, the regulator has hammered home systems and controls. Systems need to be joined up and controls built in to avoid blind spots and human error, to ensure that what should happen (say, a drawdown review) does happen and what shouldn’t (say, drawdown income in excess of the maximum) doesn’t. Our behaviour easily relapses into old habits. That is why MI is repeatedly mentioned. However, it is no use producing MI if it isn’t actually reviewed and the operator doesn’t do anything about what it finds. That is why ‘governance’ would be a still higher-scoring buzzword, and rightly so. But not the highest.
The FCA’s Risk Outlook 2013 sets out its approach to conduct risks to its objectives. It identifies firms’ culture as a key driver of conduct risk. The foreword by chief executive Martin Wheatley talks about the effects of firms’ culture. Part A even includes a chapter on structure, processes, management, culture and behaviour.