Successful governance and regulatory risk management

Balance Sheet

ISSN: 0965-7967

Article publication date: 1 June 2003

Citation

Hale, K. (2003), "Successful governance and regulatory risk management", Balance Sheet, Vol. 11 No. 2. https://doi.org/10.1108/bs.2003.26511bab.001

Publisher

Emerald Group Publishing Limited

Copyright © 2003, MCB UP Limited


Successful governance and regulatory risk management

Kari Hale

Kari Hale is a partner with Deloitte & Touche Enterprise Risk Services.

Authorized businesses are facing enormous pressure from an unprecedented number of complex regulatory obligations and increased external scrutiny of corporate governance. In today's exacting economic climate, actions – and the ability to prove you have taken action – speak louder than words.

With accountability resting firmly on directors' and senior management's shoulders, the chief executive and head of the audit committee need to maintain a consistently high standing with regulators who are challenging management to ask: can you demonstrate that all parts of the organization can safely and successfully absorb regulatory obligations? Can you show that the balance of risks and controls is appropriate? Most crucially, can you put the governance picture together for your business, and demonstrate how the board works with management to ensure that risk is understood and that effective controls are implemented?

Complying with the FSA

Good governance is vital to how well the business is run and how satisfied shareholders will be. An integral and mandatory element of such good governance is compliance with the FSA's High Level Standards (HLS), which spell out its risk-based approach to regulation. As the FSA is a key stakeholder of all financial services businesses, articulating your ability to meet these standards is paramount. The principles centre on:

  • the FSA's role as a principle-based (not rules-based) regulator;

  • clearly defined senior management arrangements;

  • effective management information systems and controls;

  • firms' and individuals' satisfaction of threshold conditions in order to engage in regulated activity – such conditions incorporate honesty, competence and financial soundness;

  • statements of principles and codes of practice for approved persons; and

  • creating a compliance culture within the organization.

Overall, it is important to acknowledge that, where appropriate, the FSA wants to lighten regulation rather than overburden authorized businesses. It feels the best way to achieve this is through promoting high standards of governance, risk management, and ethical behavior. Achieving good evaluations from the FSA in these areas should allow businesses to pursue their strategies unencumbered by excessive regulation – and, with more time for development and implementation, companies have a better chance of building competitive advantages.

The FSA Arrow

The FSA examines your compliance with the HLS via the Arrow framework, which is designed to help the FSA maintain market confidence, promote public awareness, protect the consumer and reduce financial crime.

Many factors can increase your general vulnerability to regulatory risk and so lead to a poor Arrow evaluation. Inconsistent contact between your organization and the FSA, insufficiently informed staff, poor documentation and an overall lack of evidence showing that issues are being followed up may be detrimental to a company's risk ranking. Other factors the FSA could interpret as indicative of serious risk management failure within the organization might include: inadequate disaster recovery plans; poor management information systems; overlapping roles and responsibilities for risk; or insufficient resources applied to key risks or compliance areas.

To avoid such issues and ensure that you are in good shape, following a simple "5C" model for effective Arrow compliance may help:

  • Culture – develop sound values and lead from the top. Creating and nurturing appropriate behaviors among staff bolsters responsible business practices and fosters good compliance.

  • Compliance – know and obey the rules and ensure threshold conditions are always met.

  • Control – you should implement appropriate controls and be proactive about high levels of control risk. Operating with high levels of business risk may be appropriate in relation to your strategy, but only where strong controls enable management to manage those risks effectively. High levels of control risk are never acceptable.

  • Communication – those in charge of business management, risk management, internal audit and compliance need to facilitate the flow of information and effective decision making. The accountability and responsibility of senior management must be explicitly understood. Choosing a consistent language in which you can categorize and align risks, as well as common structures and processes, will not only help you to run your business safely, but can also help you articulate your risk profile as accurately as possible to the FSA. If the FSA understands your business and management processes, you can avoid surprises and create a constructive, rather than adversarial, relationship.

  • Comprehension – you should be able to pinpoint and articulate the major sources of uncertainty facing your business, as well as understand how these are managed.

To achieve this, the board needs first to define its business strategy, objectives and plan, and ensure that specific responsibilities are allocated to senior management. Second, it must establish integrated governance processes and demonstrate the link of business strategy to risk management needs.

It can do this by articulating its appetite for risk and ensuring that management identifies where significant risks to its strategy and objectives might arise, and implements controls and activities appropriate to manage these risks, so that it is in a strong position to continually monitor and report on them. Throughout, assurance and validation are needed to review and challenge the effectiveness of the process. This process is depicted in Figure 1.

Figure 1 Successful Arrow "compliance"

It is not by accident that the process will look familiar to anyone conversant with the demands of Turnbull "compliance". At the end of the day, good governance is its own reward, and an effective process will, or should, meet any regulatory benchmark.

At a time when Sarbanes-Oxley, Higgs and Smith are all "live" issues for businesses to respond to, when Basel II, CP142 and the Prudential Sourcebook are all driving detailed process re-engineering and impacting on governance, and with IAS implementation on the horizon, it is incumbent on business to be fighting fit in its risk management framework and process.

Effective compliance with the 5Cs should not only ensure your governance is fit for all these challenges, but will also facilitate the right relationship with the FSA: a relationship with less intrusion, and perhaps even one that imposes a lower capital charge.