top of page
Consider carefully, at the outset, if you have sufficient resources within your organisation to manage the visit, as well as run the business. You cannot have a scenario where all your resources are tied up in managing the visit, and operations suffer.
There are key documents that need to be up to date, need to have been reviewed at periodic intervals and need to be fit for purpose. You could consider have them reviewed by an independent to satisfy yourself.
One of the growing interests of the regulator are the assurance processes within your organisation. Are they in place? Do they have sufficient independence? Are they receiving the attention of relevant persons and the Board?
The regulator has the right to speak with any of your staff. It is likely that they will indicate this in advance, however, as they progress through the visit, there may be members of various teams who need to be brought in to clarify certain processes or 'ways of doing things'. With this in mind, carefully preparing staff for the visit is paramount.
Whether it's IT provision, or more extensive regulatory elements that are being outsourced, such as fund administration, all these arrangements should be reviewed. In some sectors, it's a regulatory requirement to audit key outsourcing contracts. Given the nature of the visit, I would strongly suggest that a review be carried out of any compliance or risk functions or roles that are outsourced. This is of growing interest to most regulators.
Not all members of staff will be directly involved with the visit, however all staff should be aware that it's happening, what it involves and the overall process including timeframes. An onsite visit is an anxious time for the board and management, but it can and does evoke concerns at all levels. There is increasing activity in the sanctions space and staff will be acutely aware of the consequences of a poor visit. Clear and regular communication can allay some of those fears and anxieties.
It's fairly common for organisations to contact and bring in external support and guidance 'post' visit, especially if there have been a few findings and the expectation of a remediation or risk mitigation plan. Trouble is that this is the proverbial 'horse and bolted' scenario. It might be better to bring in support and perhaps carry out a pre-onsite review and give the board and staff experience of what an inspection feels like. It can reflect well with regulators, especially if this is done on an annual basis as routine.
This is clearly best practice in all events, however this is particularly important during this process. All documents shared, viewed, taken away need to be recorded. Conversations with all staff should be recorded in a minute or actually recorded. Any correspondence from anywhere inside the organisation should be filtered centrally through the team overseeing the visit. These all help with the requirements later where you will have to review the report for issues of fact. If you have all this recorded, if you feel there are 'issues of fact' you will be able to produce evidence to support your case.
Central to your overall relationship with the regulator is your openness and co-operation. The importance of this cannot be overstated, however, and this comes back to my thoughts above about 'fear of failure'. All regulators would rather hear about failures than uncover them during an onsite. If there have been any issues, instances of poor internal and external compliance assessments, these should all be reported and made visible at the outset, if they haven't already. All requests for information and documentation should be considered carefully by the internal team running the onsite, however there will be very few instance where there should be any reason to decline. However, each should be considered. Regulators have been known to push the boundaries of their own powers, not necessarily intentionally, but simply in the course of their work.
bottom of page