Ruleguard’s regulatory insights & resources

Tips to create risk ownership within your firm

Written by Priscilla Gaudoin | Apr 24, 2024 3:48:06 PM
Strategies for Establishing Risk Ownership in Your Firm
 
One of the fundamental obligations applicable to all regulated firms is the need to implement appropriate processes to manage risks.
 
 

But how do we encourage our staff to take responsibility and raise issues appropriately?

Good risk management brings many benefits to firms. Whether you’re a regulated firm or not, there is a lot to be said for nurturing a corporate culture where staff throughout the company seek to improve standards.
 

Most people are familiar with the basic risk management process. 

 

But before you can begin to identify risk, you need to engage everyone within the firm. Firms should raise awareness by defining what is meant by risk. This would encourage staff to identify and flag risks. This means that the culture within a business needs to encourage staff to speak up and take ownership of their daily processes. A robust governance structure engenders staff participation and provides clear direction for the company. 

Step 1: Strategy

In essence, risk management starts with your business strategy. How are you going to achieve your business goals? It’s not solely about profit. Firms need to consider how they deliver client outcomes under the Treating Customers Fairly (TCF) initiative. The regulators expect firms to demonstrate that they meet the six client outcomes.

 Start by looking at your business objectives and engaging the board in discussions around:
 
  • Reviewing corporate objectives
  • Aligning corporate goals with client outcomes
  • Supporting the business objectives with clearly defined department and individual objectives
  • Discussing risks posed by third parties and contractors 

There must be a clearly defined strategy that is cascaded down throughout the business. This helps to encourage a collaborative approach with everyone’s minds focused on the end objective. 

Step 2: Corporate Culture 

Like most things, staff copy what they see. If their line manager shows signs of malaise or lack of belief in the company’s strategy, how will staff react? 

Firms need to:

  • Define company values and how you wish to demonstrate them
  • Identify ways to ensure that conduct reflects those values (such as remuneration policies) 

Senior managers should use language that supports the company values and demonstrate behaviours sought. 

Step 3: Clear & Consistent Communications

Staff must have a strong understanding of what they are trying to achieve in their respective roles. They need to understand what a risk is and have the appropriate mechanism in place to raise queries or flag when something does not seem right. This means clearly defined company policy supported by actions and clear communications.

  • Explain to everyone what they need to do
  • Demonstrate the link between corporate goals & values with staff objectives
  • Be clear about expectations 

Also crucial is ensuring reward and remuneration supports the ethos of meeting corporate goals. Hopefully, this will result in ensuring that firms also meet client expectations. For example, designing and delivering a product or service for a target audience.

Step 4: Controls

A control can be something straightforward. For example, “the company policy is that all personal trading must be approved before a trade taking place”. The policy sets the boundaries within which staff perform their duties. Likewise, there are specific procedures to be followed which enable approval. Firms should implement processes where staff raise a request and receive a response promptly, but also create an audit trail.

Such a process provides consistency in approach and an agreed way of conducting business. These policies and procedures act as controls. Likewise providing training to staff will raise awareness of an issue and encourage staff to query any concerns. Firms with easy to follow processes find that it aids the implementation and embedding of such controls. 

Step 5: Ongoing Monitoring

Once policies and procedures have been implemented, firms’ compliance and internal audit teams start to test the effectiveness of controls. These reviews will help provide reassurance to the board that its risks are managed. What assurance can be delivered to your board that your systems and controls are effective? 

Monitoring teams will look for hard evidence to support not only that a task has been completed, but that it has been conducted in the proper manner, with the correct sign-off. In effect, they are looking at the quality of completion and evidence to confirm why something was done. They will also look at the audit trail to confirm who did what and when.

Step 6: Reporting

The company’s board has a duty to manage its risks appropriately. It determines its risk appetite and requires reassurance that risks are controlled.

It is then the responsibility of a senior manager, usually the chief risk officer, to implement those decisions at an operational level. The board seeks reassurance from the senior manager and speedy notification of any developing trends.

This cycle of assessing and improving risk management should be emphasised within firms. Nothing remains static for very long. Firms may introduce new technology or a new outsourcing arrangement. When making those decisions, firms must also assess the level of risk to be borne with that new arrangement. Engaging staff in those discussions help to encourage staff to query the process and suggest changes in a controlled way.
 
 
 

How Ruleguard can help you:

Ruleguard is an industry-leading software platform designed to help regulated firms manage the burden of evidencing and monitoring compliance. It has a range of tools to help firms fulfil their obligations across the UK, Europe and APAC regions.

The Ruleguard Issue and Breach management module is a dedicated software solution for raising and managing compliance risk incidents.

Our Incident and Breach Management solution enables firms to: 

  • create incidents as part of the Ruleguard attestation workflow or as standalone items within the system
  • enter details such as discovery, reporting and resolution dates along with a full description of each item
  • identify if a specific rule breach has occurred
  • link breaches to your risks, controls and business processes
  • generate management information enabling oversight of the full process 

If you’d like to learn more about the Ruleguard's Incident and Breach Management Solution please contact us for further information on: Tel: 0800 408 3845 or hello@ruleguard.com.
View full post