Preparing for a regulatory inspection is daunting. Here I consider some of the work that needs to be done and how I would approach this.
I was speaking with a non-executive director of a licensed entity on Wednesday last week.
We were discussing governance and they were expecting a visit from their regulator.
Of course, it doesn’t really matter what industry you're in, what size you are, or what customers you serve, governance, risk and compliance are core themes.
“Perrin”, she started, “I’ve worked with you before and followed your work, your posts and articles with interest, so please, can you help us prepare?”
“Of course”, I replied, “what would you like me to do?”
“Ah, review our corporate governance policy, ‘comply or explain’ statement and our compliance policies.”
“Okay, can you send these across and I’ll take a look, but you know that this isn’t really what ‘governance’ is about? You know that this is not really what the regulator will be looking at?”
There was a brief quiet, as the call hung in the air and the metaphorical tumbleweed rolled down street.
I went on, “what they will be looking for is how you exercise control, how you make decisions, how you ensure quality, how you implement risk management and whether these lead to compliance”.
“Err...well in that case you had better do a more detailed review and assessment”, she said, “when are you available?”
Governance is not about minute taking
Governance is not about how many NEDs you have on the board
Governance is not about your remuneration policy
Risk is not about your Business Risk Assessment, and
Compliance is not only about your policies, procedures and controls
Governance is about
Your decision making,
Your operational control, and
Your culture.
Risk and compliance are intertwined with governance.
We approached the preparations using my model of governance.
We have begun by reviewing the scope of the regulator’s visit, being careful to be wide in our outlook and ensuring we took a holistic view.
We have begun to draw upon recent public announcements and sanctions that had been published, as well as those which are pending and where I’m involved.
We have begun to draw up a plan and will be notifying the regulator of the review, and the intentions of this review. She was a little hesitant about this, but we agreed that under the Principles of regulation and in the spirit of openness and co-operation, this was the best strategy.
We will assess the robustness and depth and breadth of the organisation’s risk management. Not just their Business Risk Assessment (BRA), but the entire framework, because of course the BRA is simply a part of this framework.
We will not only assess how the organisation approaches risk, but in some ways, more importantly, how they approach opportunity.
We will assess the organisation’s operational control and quality.
We will assess the effectiveness of communication across the organisation.
We will do all this using methods of assessment that will allow us to produce both qualitative and qualitative data on each of these aspects. You will need to have a measure of where you are, and where you need to be.
I said to her, "you will receive a comprehensive review of your governance, risk management and compliance, looking at aspects of:
Strategic position
Operational efficacy
Decision making quality
Risk and control frameworks, and
Organisational culture".
"You will receive a clear plan for you to follow, along with my support, on both implementation and ongoing monitoring."
If this is what you are getting from your advisers, from your consultants, then great. If, of course, you are unsure, please feel free to contact me for an initial discussion or consultation.
In kindness, Perrin
[As a subscriber or visitor to my blog, the element in bold is for you. A recognition from me of your likely desire to 'make things better'. It does not appear in my LinkedIn Posts or anywhere else]
Perrin