Building a strong control framework is now a sector-wide necessity. Associate director Rebecca Deane outlines how Grant Thornton helps firms get it right.
Many of our clients are banks that are looking to establish or enhance existing control and conduct frameworks. We also work with investment management firms and other financial services companies that are looking to do the same thing. To date, the focus has been directed chiefly at the wholesale banks, but all parts of the wholesale and consumer markets, including buy-side firms, brokers and infrastructure firms, are building out and enhancing their front office control frameworks.
What should it look like?
The Senior Managers and Certification Regime (SM&CR), which will be applicable to all UK financial services firms in 2019, is clear that accountability for front office risks resides with the business and lies with the senior managers and certified staff of the front office. In addition, MiFID II, the Market Abuse Regulation and the Benchmarking Regulations have introduced enhanced expectations with respect to controls in many areas.
In line with regulation, we would absolutely expect our clients to have a robust 1st line of defence, and that includes an effective front office controls framework. Historically, all too often, firms have relied too heavily on the 2nd and 3rd lines of defence.
We stress to clients that the front office must drive the controls agenda within the first line and connect through into the 2nd line control framework. The front office knows the business, they know the clients, they know the key risks, they understand the market impact of misconduct and they understand the motives of those on the desk. It is key that the control agenda is driven by the frontline as opposed to a compliance or risk function telling the front office what they should look out for.
Today, there is more likely to be a robust 1st line of defence than there was a few years ago, but gaps still exist and improvement is widely needed. The terminology may vary, as some firms have a chief controls officer, while others have a risk and controls officer. In general, all firms have a front office control function that monitors key risks. We offer expertise in reviewing these functions and ensuring that the control framework is robust, control processes are being followed, any required attestations are being made, and that 1st line controls are separate from a strong 2nd line of defence.
We would expect clients to have their 1st line risk assessment, and for purposes of consistency and reporting we would expect to see a collective taxonomy, with consistent methodology and definitions, across an organisation. Additionally, we expect that the 1st line looks at these risks independently of its 2nd line.
What do we find?
Are we sometimes surprised by what we find? Sometimes, yes. Some have the controls in place but not the proper documentation to support that they are operating effectively. Others might have controls that are not functioning properly. Often policies, procedures or reviews might be missing, or the IT configuration has changed and is not working as it should.
But the biggest issue is when relevant controls have not been designed at all. The firm might have identified a source of potential misconduct or abuse within the organisation, but it hasn’t thought about the controls that should be in place to prevent abuse in the first place or detect it quickly. In these instances, we work with the firm to design appropriate controls.
A question of culture
It’s also very important that clients do not rely just on controls. We expect firms to seriously consider culture and conduct. This is key.
We look at three main areas. First, does the remuneration structure reward undue risk taking and insufficient attention to the needs of the firm’s clients? Secondly, is there consistent messaging about culture from the top of the organisation and senior managers? And, thirdly, are the messages from the top being instilled into daily business practice?
The control framework cannot just be backward-looking either. Firms often focus on past misconduct or current risks, but they should be forward-focused and, for example, identify political or regulatory risks on the horizon. Firms should also be looking outward as well as inward when they assess possible risks.
Monitoring and surveillance advice is part of what we offer to clients, covering both front office monitoring and T+1 compliance surveillance, along with an understanding of the data used. Investment managers are enhancing their surveillance programmes, too. We work across the first two lines of defence to develop policies and put standards and processes in place, recognising that the same data can be used by more than just the front office. Where clients already have these in place, we help to devise enhancements.