Compliance Risk Assessment
Steps for Compliance Risk Assessment: identification and mitigation of controls
Auditing your compliance risk areas can be daunting and time consuming unless you have a planned and agreed methodology. CEI Compliance provide you with that strategy in this document.
CEI Compliance
COMPLIANCE RISK ASSESSMENT
Whitepaper by CEI Compliance, Jan 2011. Author: Lee Werrell
2010 has seen a number of new rules and changes to old rules following the Walker Review and the publication of PS10/15. The role of good governance in financial services firms continues to be high on the international and domestic agenda.
Internationally, the Basel Committee on Banking Supervision issued a set of principles for consultation in March 2010. These principles are for enhancing sound corporate governance practices within banking organisations. In June, the European Commission published its Green Paper on Corporate Governance.
Domestically, the Financial Reporting Council published a new edition of the UK Corporate Governance Code in May 2010 and The UK Stewardship Code in July 2010. A speech by Financial Services Authority (FSA) Chief Executive Hector Sants to the Chartered Institute of Securities and Investments (CISI) conference on 17 June drew attention to the importance of a firm's culture in developing good regulatory outcomes and the role that governance plays in this.
Sir David Walker's Review made several recommendations, including on the role of the Chief Risk Officer and the establishment of Risk Committees. The temptation of many firms will be to say "we are too small to consider risk officers or committees" or, using the FSA's term "appropriate and proportionate", to claim that they are not of significant size, turnover or risk rating to warrant such attention. In some cases this may be true, but in many it could be a false assumption. There could be a number of items that get overlooked because you have been running the business for years and are "on top of everything." Unfortunately, a number of firms have found that they are lacking in Systems & Controls (SYSC) requirements, even Article 3 Exempt firms, which quickly becomes apparent after a themed visit from the FSA and a Section 166 Report demand dropping into their inbox. This can be avoided; see our eBook, A General Guide to S166 Reports, available from the CEI Compliance website.
Risk assessment can be difficult for anyone who is too close to the business. That said, it is not impossible, and often a good 75% can be done effectively in this way. It is often best to get a third-party overview of the work done, just as you would expect a quality assurance check on the people who check files.
If you plan your activity and spend time using each step properly and thoroughly, you will form the basis of a Compliance Risk Register (CRR), a supporting document to your Management Information (MI), and provide a dashboard for presenting and reporting to the other senior managers within the firm. This also provides a handy tool (historic and contemporary) for any regulatory visits, and keeps you focused on the higher risk elements and any that are nearing your Compliance Risk Appetite (CRA). This not only makes good business sense but also helps to show you have considered the elements needed to demonstrate that you are Treating Customers Fairly (TCF), specifically Outcomes 1 & 2. A free guide for TCF self-appraisal is available from the CEI Compliance website.

In 2010, 10 individuals and companies were fined over £3,500,000 for "failing to have adequate systems and controls" or "failing to have suitable compliance and risk management processes in place".
PHASE 1 – Data Collection
Step One: Products and Services, employment and production environment
Make a list of all products and services that are offered. These could include any Mortgage, General Insurance, Life and Pensions or Investment products, Will writing referrals, Tax Planning, Debt Counselling or any other areas that your firm is involved in.
Step Two: Systems and Controls
If necessary, meet with Departmental Management or the Office Manager (depending on size) to identify what types of company or department policies, procedures, systems and automation are in place. List these carefully, as they form your controls. Interview Department Management to identify controls:
o Policies and procedures to maintain compliance
o Degree to which processes are centralised or decentralised
o Degree to which processes are automated or manual
o Location where these products/services are sold
o Location where the customers of these products/services are located
o Degree of staff turnover
o Training to maintain compliance
o Are there plans for new products/services?
o Have there been any changes in the product/service/controls in the past year? If so, describe them
o What about your Disaster Recovery/Business Continuity plans?
o How is your IT managed?
Summarise your controls. Meet again to ensure that you have a complete and accurate summary of controls (and not just your interpretation).
Step Three: Applicable Regulations
With the list of products and services, produce a table where you can record the primary regulations that apply to each product and service offered. This is known as mapping your regulatory universe, and it is not restricted to FSA rules: there are Advertising Standards Authority rules to consider, as well as new and existing legislation concerning the business, right down to employment and other obligations.
Identify the primary regulations that apply to the list you formed in Step One.
CEI can also help advise you on your Disaster Recovery and Business Continuity Planning, including Pandemic Preparations.
Phase 2 – Inherent Risk Analysis
Whatever you do, there is risk. There is a risk of companies defaulting, there are risks that service level agreements will not be honoured, and there are risks that clients may not fully understand the range of products you advise on. It is important to redouble your controls in these areas, for obvious reasons.
Step One: Regulatory Risk
The regulator has "hot buttons": these may be Unregulated Collective Investment Schemes (UCIS), or Structured Products and the guarantees offered. You need to be aware of the regulator's expectations for compliance in the areas you operate in. What issues are at the top of their current list? How complex are the regulatory requirements, and is there a lack of specific regulatory guidance?
Risk rating these areas will help you identify where you may need to concentrate your risk mitigation efforts. The Financial Ombudsman Service (FOS) report is a good indicator of the things that people complain about. Check it and relate it to your business, products or services.
Although these ratings are provided as guidance, you could define further levels, and it is often useful to attach a monetary value or a number of customers to them (as appropriate) so that you can start to form a risk appetite.
Risk elements to consider are:

Low –
o None or minor penalties or consequences
o Not a current regulatory priority
o Non-complex requirement
o Not an area that we generally have issues with

Medium –
o Potential for moderate penalties and/or consequences
o Currently a moderate focus or priority for regulators
o Moderately complex with incomplete regulatory guidance
o Periodic errors noted by examiners and testers

High –
o Potential for significant penalties and/or consequences
o Currently a high priority of regulators
o Highly complex requirement with incomplete regulatory guidance
o One of the leading areas where errors are noted

The FSA fines in 2010 totalled over £89,121,000. The smallest was £5,000, against Riaz Ahmad, "for failing to act with competence … failing to have suitable compliance & risk management". Details can be found on the FSA website: http://www.fsa.gov.uk/pages/about/media/facts/fines
Step Two: Reputation Risk
What is the level of public and customer concern/publicity over non-compliance?
o Low – No or low concern likely
o Medium – Moderate concern possible
o High – Significant concern or loss of customer confidence likely
Step Three: Inherent Risk
Using the regulatory risk and reputation risk identified in Steps 1 and 2, what is the inherent risk in each product and service? Inherent risk is the risk before any controls are applied. Rank the risk by Regulatory Risk and Reputation Risk:

Inherent Risk              Low Reputation Risk   Moderate Reputation Risk   High Reputation Risk
High Regulatory Risk       Moderate              High                       High
Moderate Regulatory Risk   Low                   Moderate                   High
Low Regulatory Risk        Low                   Low                        Moderate
Phase 3 – Residual Risk Analysis
Step One: Operational Risk
Although this can often be subjective, we have found it best carried out with at least two people, preferably as a workshop. These are only guidelines and can be amended by you as required.
Evaluate the risk associated with: the presence or absence of internal controls, processes and procedures to maintain compliance; the degree of centralisation or decentralisation; the level of automation to eliminate human error; staff turnover that could contribute to errors; and the existence of adequate training, annual testing or other competence measures.
Warren Buffett said: "It takes twenty years to build a reputation and five minutes to destroy it." He also said: "If you lose dollars for the firm, I will be understanding. If you lose reputation, I will be ruthless."
Low –
o Presence of good internal controls, processes and procedures to maintain compliance
o Centralised
o Partially or fully automated
o Low staff turnover
o Adequate training has been provided
o Account opened face-to-face on site (no distance sales)
o Client is local (lives/works locally)

Medium –
o Some weaknesses or soft areas in internal controls, processes or procedures
o Partially decentralised
o Some automation
o Moderate staff turnover
o Minimal training provided, infrequently
o Account opened face-to-face off site (no distance sales)
o Customer located relatively locally (within 100 miles) and the relationship is maintained adequately

High –
o Weak or no internal controls, processes or procedures
o Decentralised
o Not automated
o High staff turnover
o No training provided
o Account not opened face-to-face
o Customer located over 100 miles away, and much business is done by phone/fax/email
Step Two: Probability of Error Risk
Evaluate the risk that error will occur due to prior history of error and changes in regulatory requirements, products and/or services.

Test/Audit/Exam Results
o Low – No errors in last review
o Moderate – Minor errors in last review
o High – Significant errors in last review

Change in regulatory requirements
o Low – No changes since last monitored
o Moderate – Minor changes since last monitored
o High – Significant changes since last monitored
Probability of error can be described as frequency of event. By estimating the frequency (1:20 operations per annum is 5%, 1:100 operations is 1%) you can work out your comfort level or risk appetite and the likely impact of costs if left to run their course.
Change in product / service
o Low – No changes since last monitored
o Moderate – Minor changes since last monitored
o High – Significant changes since last monitored
Step Three: Residual Risk
Using the information gathered in Steps 1 and 2, what is the residual risk in each product and service? That is, what is the risk after controls? Rank the risk by Operational Risk and Probability of Error Risk (the likelihood that an error will occur):
Residual Risk              Low Probability of Error Risk   Moderate Probability of Error Risk   High Probability of Error Risk
High Operational Risk      Moderate                        High                                 High
Moderate Operational Risk  Low                             Moderate                             High
Low Operational Risk       Low                             Low                                  Moderate
Phase 4 – Overall Risk Analysis and Follow-up
Step One: Overall Risk
At this point, the risks can be charted on a sliding scale by product or service. For example:
Overall Risk               Low Residual Risk   Moderate Residual Risk   High Residual Risk
High Inherent Risk         Moderate            High                     High
Moderate Inherent Risk     Low                 Moderate                 High
Low Inherent Risk          Low                 Low                      Moderate
In the chart, the product or service name(s) are entered in the cells where the words Low, Moderate and High appear. At this point, the chart can be colour coded so that cells showing Low risk are yellow, cells showing Moderate are orange and cells showing High are red. This provides information "at a glance" for management, the business lines and regulators.
Step Two: Management Tolerance of Compliance Risk
What is management's tolerance (risk appetite) of compliance risk? Are there instances where overall risk can be high, despite controls, and still be acceptable to management? If so, document why. If management's appetite for risk is low, the adequacy of controls must be rigorously monitored to ensure that residual risk is low. Note that the risk appetite may differ by product or service. Take that into consideration along with management's overall view of compliance risk.
Step Three: Direction of Risk
Consider the direction of risk and the probable change in risk over the next twelve months. Categorise this for each product and service using the definitions listed below.
Increasing – Management should take additional action through more controls or increased review.
Stable – No additional action is required.
Decreasing – Management may want to consider decreasing controls and improving efficiencies.
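The three grids in Phases 2 to 4 chain together: inherent risk comes from regulatory and reputation risk, residual risk from operational and probability-of-error risk, and overall risk from inherent and residual risk, after which each product is colour coded, checked against the Compliance Risk Appetite and given a direction. The Python below is an added worked example and is not the whitepaper's or CEI Compliance's own tool. It encodes the whitepaper's grid once and reuses it for all three steps, checks an observation of mine that the grid is equivalent to adding ordinal scores (Low 0, Moderate 1, High 2; a total of 0 or 1 is Low, 2 is Moderate, 3 or 4 is High), applies the sidebar's frequency-of-event arithmetic to a monetary appetite, and produces a small Compliance Risk Register plus the Phase 4 chart. The product names, error rates, volumes, costs and the £10,000 appetite are constructed for illustration.

```python
"""Compliance risk register built from the whitepaper's three rating grids.

Added example, not CEI Compliance's own tool. Product names, error rates,
volumes, costs and the risk appetite figure are constructed for illustration.
"""
from dataclasses import dataclass

LEVELS = ("Low", "Moderate", "High")
SCORE = {lvl: i for i, lvl in enumerate(LEVELS)}  # Low=0, Moderate=1, High=2
COLOUR = {"Low": "Yellow", "Moderate": "Orange", "High": "Red"}  # Phase 4, Step One
ACTION = {                                                       # Phase 4, Step Three
    "Increasing": "Add controls or increase review",
    "Stable": "No additional action required",
    "Decreasing": "Consider reducing controls and improving efficiency",
}

# The grid used for Inherent (Regulatory x Reputation), Residual (Operational x
# Probability of Error) and Overall (Inherent x Residual) risk. Rows are the first
# factor, columns the second; the whitepaper prints the same grid three times.
MATRIX = {
    "High":     {"Low": "Moderate", "Moderate": "High",     "High": "High"},
    "Moderate": {"Low": "Low",      "Moderate": "Moderate", "High": "High"},
    "Low":      {"Low": "Low",      "Moderate": "Low",      "High": "Moderate"},
}


def norm(level: str) -> str:
    """The paper writes 'Medium' in the rating lists and 'Moderate' in the grids."""
    return "Moderate" if level == "Medium" else level


def combine(a: str, b: str) -> str:
    """Look up two Low/Medium/Moderate/High ratings in the grid."""
    return MATRIX[norm(a)][norm(b)]


def combine_by_score(a: str, b: str) -> str:
    """Additive reading of the grid (my observation, not a claim the paper makes):
    sum the ordinal scores; 0-1 -> Low, 2 -> Moderate, 3-4 -> High."""
    total = SCORE[norm(a)] + SCORE[norm(b)]
    return "Low" if total <= 1 else ("Moderate" if total == 2 else "High")


def matrix_is_additive() -> bool:
    """True if the grid and the additive rule agree on every cell."""
    return all(combine(a, b) == combine_by_score(a, b) for a in LEVELS for b in LEVELS)


@dataclass
class ProductRisk:
    name: str
    regulatory: str            # Phase 2, Step One
    reputation: str            # Phase 2, Step Two
    operational: str           # Phase 3, Step One
    probability_of_error: str  # Phase 3, Step Two
    error_rate: float          # estimated frequency of error per operation (1:20 = 0.05)
    operations_pa: int         # operations per annum
    cost_per_error: float      # assumed cost of one error, in currency units
    direction: str = "Stable"  # Increasing / Stable / Decreasing

    def inherent(self) -> str:
        return combine(self.regulatory, self.reputation)

    def residual(self) -> str:
        return combine(self.operational, self.probability_of_error)

    def overall(self) -> str:
        return combine(self.inherent(), self.residual())

    def expected_annual_loss(self) -> float:
        # The sidebar's frequency-of-event view: frequency x volume x cost if left to run.
        return self.error_rate * self.operations_pa * self.cost_per_error


def build_register(products, appetite_loss: float):
    """One Compliance Risk Register row per product, flagging any product whose
    expected annual loss exceeds the monetary Compliance Risk Appetite."""
    rows = []
    for p in products:
        eal = p.expected_annual_loss()
        rows.append({
            "product": p.name,
            "inherent": p.inherent(), "residual": p.residual(),
            "overall": p.overall(), "colour": COLOUR[p.overall()],
            "expected_loss": round(eal, 2),
            "breaches_appetite": eal > appetite_loss,
            "direction": p.direction, "action": ACTION[p.direction],
        })
    return rows


def heat_map(products):
    """Phase 4 chart: grid[inherent][residual] lists the product names in that cell."""
    grid = {i: {r: [] for r in LEVELS} for i in LEVELS}
    for p in products:
        grid[p.inherent()][p.residual()].append(p.name)
    return grid


# Constructed sample data, not taken from any firm.
SAMPLE_PRODUCTS = [
    ProductRisk("Structured products", "High", "High", "Medium", "Moderate",
                error_rate=1 / 20, operations_pa=200, cost_per_error=1500.0,
                direction="Increasing"),
    ProductRisk("Mortgages", "Moderate", "Low", "Low", "Low",
                error_rate=1 / 100, operations_pa=500, cost_per_error=400.0),
]
APPETITE = 10_000.0  # assumed annual loss the firm is prepared to tolerate

if __name__ == "__main__":
    for row in build_register(SAMPLE_PRODUCTS, APPETITE):
        print(row)
    print(heat_map(SAMPLE_PRODUCTS))
```

Run as a script it prints one register row per product and the chart. The structured products line rates High overall (red) and, at 1 in 20 errors across 200 operations costing £1,500 each, carries an expected annual loss of £15,000 that breaches the assumed appetite, so its "Increasing" direction calls for more controls; mortgages rate Low and sit within appetite. Because the grid is additive, a firm that wants the further levels the Phase 2 text mentions can extend SCORE and the thresholds rather than hand-drawing larger grids.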
The direction of risk can be monitored as part of the annual Compliance Monitoring Plan, either by auditors, compliance or the responsible department, in conjunction with management on a more regular basis. There are alternative methods, such as bottom-up and top-down assessments with worst case scenarios and most likely occurrences, to gauge and demonstrate the range of controls and their effectiveness. This is only a very generic guide; if you need a specific assessment please call us on 0800 689 9 689 or email
CEI Compliance can help provide a full compliance support service, reducing required management time and ensuring all areas are up to date and working for your firm's long term benefit.
Call 0800 689 9 689 today or go online at www.ceicompliance.co.uk
This whitepaper was written by Lee Werrell FInstSMM Chartered MCSI Cert PFS, founder of CEI Compliance Limited. Lee is contactable at any time and welcomes enquiries from all businesses. Call 0800 689 9 689.