I1273818 - International Diploma in GRC - Unit 6

Unit 6 How to Manage Regulatory Risk for the Benefit of Your Firm

Learning Objectives

The purpose of this unit is to:

• explain the risk management process
• discuss general risk management principles
• explore a generic risk management process
• examine an effective GRC risk management system
• discuss regulatory risk
• examine how to manage the risks faced by a financial services business, including dealing with issues and enforcement
• explain how to categorise any breach of regulation, whom to inform about it and how to draw up a plan to deal with it
• demonstrate how internal investigations should be conducted
• discuss the legal requirement to be open, honest and cooperative with the regulator, and how to inform and interact with the regulator in any investigation.

1. Understanding the risk management process


1.1 Introduction

Risk management is a subdivision of general management. It attempts to codify and structure a skill required by all managers in all management decisions.

Risk can be defined as the combination of the probability that an event will occur
and the severity and nature of its consequences if it does. Authorised financial
services firms are required to have systems and controls in place to manage
the risks they face in their operations – which includes the risk of breaching the
regulations that apply to their businesses.

Over time, the role risk management plays in the firm has evolved from being
a backwards view, asking how well risks were managed in the previous year, to
one focused on what will be done in the coming year, and identifying the risks to
incorporate in strategic decision making. A strategic approach to risk must include
cultural and organisational inputs as well as the more traditional ones of loss
mitigation and compliance with regulatory requirements.

More information on the transformation of the discipline can be found in work from the Risk Management Association and McKinsey, which worked together to produce briefings on Enterprise Wide Risk Management (EWRM).[69] Enterprise risk management is the overall management of risk that an organisation undertakes to achieve its strategic aims. ‘Enterprise risk’ is the sum of the various risks the organisation takes in the various categories and focuses on optimising the balance and interaction of the different types of risks.

[69] http://www.rmahq.org/risk-management/enterprise-risk and http://www.mckinsey.com/search.aspx?q=ERM

180
Unit 6 Managing regulatory risk for the benefit of your firm

1.1.1 Overview of risk management

The identification of risk management as a discrete management discipline is relatively recent. Although there is much overlap between sectors, there are also differences in approach. For example, the aviation industry may be evolving rather different methodologies to those of the health services. It may also be the case that, even within the same sector, firms adopt different approaches. Furthermore, in sectors such as financial services, the regulators specify their own definitions and requirements.

Nevertheless, it is possible to identify generic standards. A useful benchmark is A Risk Management Standard (2002)[70] developed by three UK bodies, the Institute of Risk Management (IRM), the Association of Insurance and Risk Managers and the National Forum for Risk Management in the Public Sector. Thinking has, however, moved on since the Standard was published, although the IRM has decided to retain its support for the original risk management standard because it outlines a practical and systematic approach to the management of risk for business managers. This unit therefore develops some of the concepts in the Standard.

The Standard draws on the International Organization for Standardization's document ISO/IEC Guide 73 – Risk Management – Vocabulary, which has since been superseded by ISO Guide 73:2009. Although it goes beyond the requirements of this unit, this document will be useful to delegates with a particular interest in risk management.

The IRM lists the following commonly used risk management standards:

• ISO 31000:2009 – Risk Management – Principles and Guidelines
• A Risk Management Standard – IRM/Alarm/AIRMIC 2002 – developed in 2002 by the UK's three main risk organisations
• ISO/IEC 31010:2009 – Risk Management – Risk Assessment Techniques
• COSO 2004 – Enterprise Risk Management – Integrated Framework
• OCEG 'Red Book' 2.0: 2009 – a Governance, Risk and Compliance Capability Model.[71]

1.1.2 What is risk management?

Risk management is the process whereby firms methodically address the risks
attached to their past, present and future activities. The focus of good risk
management is the identification and management of risks.

To be effective, risk management must be integrated into the culture of the firm. It cannot simply be left to a Risk Management department to attempt to manage a firm's risk in isolation. An effective policy and a risk programme led by senior management and with the full backing of the board must be in place.
Responsibility should be assigned throughout the company – managers and
employees must be responsible for the management of risk as part of their
role. You will note that this is very similar to the approach required for effective
compliance management.

[70] https://www.theirm.org/media/886059/ARMS_2002_IRM.pdf
[71] http://www.theirm.org/knowledge-and-resources/risk-management-standards/


It is also important to incorporate risk management at the conceptual stage of project work, as well as throughout a project's lifespan.

Effective risk management supports individual and corporate accountability, and performance measurement and reward, thus promoting operational efficiency at all levels. It also underpins the achievement of the firm's objectives by:

• improving decision making, planning and prioritisation by implementing a system that promotes a comprehensive and structured understanding of business activity, opportunity and threats
• contributing to a more efficient use of capital and resources within the organisation, therefore optimising operational efficiency
• protecting and enhancing the firm's assets and reputation, and
• providing a framework for the firm that enables activity to take place in a consistent and controlled manner.

It is possible to argue that the failures of management at several major banks – HBOS, Barclays, and JP Morgan among them – show that some of the worst losses had roots deeper than the 2008 credit crisis. Toxic internal culture and poor risk management, not the sub-prime mortgage collapse, caused billion-dollar losses at some of the world's largest banks. However, without the exposure to sub-prime mortgage losses, we have to question when and how these management failures would have become apparent.

1.2 Stages in the risk management process

Risk management activities need to follow a reasonably set process in order to be effective. Analysis of the risks faced by a firm is the starting point and comprises the identification, description, quantification (or estimation) and evaluation of these risks.

1.2.1 Risk identification

This is the method used to identify a firm's exposure to risk or uncertainty. To identify all potential risks effectively, an excellent knowledge is required of the business and the market, as well as of the legal, social and political environment in which it exists. The strategic and operational objectives of the firm, including issues critical to its success and the threats and opportunities related to the achievement of these objectives, must also be fully understood.

1.2.2 Risk description

The objective of risk description is to display the identified risks in a structured format. This ensures a comprehensive risk identification, description and assessment process. If the risk description is not absolutely clear then the rest of the process may be flawed as a result.

The table below gives an example of a generic risk description template.[72]

[72] Table taken from A Risk Management Standard (2002), Institute of Risk Management.


1. Name of risk: (it is also useful to have a cataloguing system for risks, for filing and reference purposes)
2. Scope of risk: qualitative description of the 'vulnerable areas', their size, type, frequency and catalysts
3. Nature of risk: for example, 'operational', 'financial' or 'compliance'
4. Stakeholders: who are the stakeholders and what are their expectations?
5. Quantification of risk: probability and consequences (see 'Risk estimation', section 1.2.3 below)
6. Risk tolerance/appetite: loss potential and financial impact of risk; value at risk (£); probability and size of potential losses/gains; objectives for control of the risk and desired level of performance; cost of implementing possible controls
7. Risk treatment and control mechanisms: primary means by which the risk is currently managed; level of confidence in existing controls; identification of protocols for monitoring and review
8. Potential action for improvement: recommendations to reduce risk
9. Strategy, policy and operational developments: identification of the function responsible for developing strategy, policy and procedures

1.2.3 Risk estimation or quantification

Risk estimation (or quantification) requires an assessment of the probability that an event will occur and the severity of the consequences if it does. Usually firms seek to turn this into a 'score' to highlight the potential degree of risk.

Some consequences can be readily quantified (such as financial loss), while others are much more difficult (reputational damage, for example). The overall score is therefore likely to be derived from a combination of quantitative and qualitative estimates.

Perhaps the simplest approach is to assess consequence and probability as High, Medium or Low risk (H/M/L), and present the results in a 3 x 3 matrix.


Example

Each risk is estimated according to the following H/M/L categorisation.

Consequential damage
High Financial impact exceeds £y
Medium Financial impact between £x and £y
Low Financial impact less than £x

Probability
High (probable) Likely to occur every year
Medium (possible) Likely to occur within 10 years
Low (unlikely) Not likely to occur within 10 years

(Note that, in practice, risks will require significantly more complex definitions of
the H/M/L categories than this and a greater number of categories.)

The results can then be presented as a matrix. A collated matrix showing all the risks faced by the firm may be helpful in giving an overall picture of the exposure of the business.

                   Consequences
                   L       M       H
Probability   H
              M
              L

1.2.4 Risk evaluation

Having analysed all the risks to which it may be exposed, the business must decide
which should be accepted and which need to be mitigated. An obvious starting
point would be to prioritise those risks that are rated as ‘High’ in terms of both
consequence and probability. If there are a number of these, an order of priority
among them will need to be decided.

It may also be prudent to treat other, lower risks if, for example, the solution is quick
to achieve or low cost and will prevent the risk from escalating. The risk appetite
of the firm is particularly pertinent here – the business could choose to accept the
risk of taking no action, or conversely find a particular risk so unacceptable that it
should be avoided altogether.

Risk managers should use the outcome of the estimation/quantification stage to indicate priorities, but it should not lead their evaluation blindly. The completed Risk Description should be considered for each risk, and each risk considered in the context of the full range of risks facing the organisation. Criteria for deciding which risks should be escalated to the board/Risk Committee should be agreed, and risks reported accordingly.
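The H/M/L estimation of section 1.2.3 and the prioritisation rules of section 1.2.4 can be turned into a small risk register. The block below is an added example written for this edition and is not material from the unit or from the IRM Standard: the values chosen for £x and £y, the representation of probability as expected events per year, the sample register and the 'cheap control' and 'escalate' rules are all assumptions made here to illustrate the method, and a firm's own risk appetite statement would replace them.

```python
"""Risk estimation (H/M/L), the collated 3 x 3 matrix and a first-pass evaluation.

Added illustration, not from the unit: thresholds, frequency representation,
sample risks and decision rules are assumptions chosen for the example.
"""
from dataclasses import dataclass

# The unit leaves £x and £y undefined; these values are assumed for the example.
X_GBP = 100_000       # £x: below this, consequence is Low
Y_GBP = 1_000_000     # £y: above this, consequence is High
# Probability is represented as expected events per year (assumption):
# "every year" -> >= 1.0, "within 10 years" -> >= 0.1, otherwise Low.
LEVELS = ("L", "M", "H")


@dataclass(frozen=True)
class Risk:
    name: str
    nature: str               # e.g. 'operational', 'financial', 'compliance'
    impact_gbp: float         # estimated financial consequence if it materialises
    events_per_year: float    # estimated frequency of occurrence
    control_cost_gbp: float   # cost of the proposed mitigating control


def consequence_band(impact_gbp: float) -> str:
    """Consequential damage: H above £y, M between £x and £y, L below £x."""
    if impact_gbp > Y_GBP:
        return "H"
    if impact_gbp >= X_GBP:
        return "M"
    return "L"


def probability_band(events_per_year: float) -> str:
    """Probability: H if expected every year, M if within 10 years, else L."""
    if events_per_year >= 1.0:
        return "H"
    if events_per_year >= 0.1:
        return "M"
    return "L"


def build_matrix(risks):
    """Collated matrix: (probability, consequence) -> names of risks in that cell."""
    matrix = {(p, c): [] for p in LEVELS for c in LEVELS}
    for r in risks:
        matrix[(probability_band(r.events_per_year), consequence_band(r.impact_gbp))].append(r.name)
    return matrix


def render_matrix(matrix) -> str:
    """Text grid with H probability at the top, as in the unit's diagram."""
    width = 26
    rows = ["Prob \\ Cons".ljust(12) + "".join(c.ljust(width) for c in LEVELS)]
    for p in reversed(LEVELS):
        cells = [", ".join(matrix[(p, c)]) or "-" for c in LEVELS]
        rows.append(p.ljust(12) + "".join(cell.ljust(width) for cell in cells))
    return "\n".join(rows)


def evaluate(risks):
    """Return (name, decision) pairs in treatment priority order.

    Assumed rules following section 1.2.4: H/H risks first, largest impact first;
    other risks are treated when the control pays back within one year of expected
    loss (a cheap fix), escalated when the consequence is High but the control is
    not justified by expected loss alone, and otherwise accepted and monitored.
    """
    def expected_annual_loss(r):
        return r.events_per_year * r.impact_gbp

    def band(r):
        return probability_band(r.events_per_year), consequence_band(r.impact_gbp)

    high_high = sorted((r for r in risks if band(r) == ("H", "H")), key=lambda r: -r.impact_gbp)
    others = sorted((r for r in risks if band(r) != ("H", "H")), key=lambda r: -expected_annual_loss(r))
    decisions = [(r.name, "treat: high probability and high consequence") for r in high_high]
    for r in others:
        if r.control_cost_gbp <= expected_annual_loss(r):
            decisions.append((r.name, "treat: control pays back within one year of expected loss"))
        elif band(r)[1] == "H":
            decisions.append((r.name, "escalate: high consequence, control not justified by expected loss alone"))
        else:
            decisions.append((r.name, "accept and monitor"))
    return decisions


# Constructed sample register for the example (not taken from the unit).
SAMPLE_RISKS = [
    Risk("late regulatory return", "compliance", 250_000, 2.0, 40_000),
    Risk("trading system outage", "operational", 3_000_000, 1.5, 500_000),
    Risk("data centre flood", "operational", 5_000_000, 0.02, 900_000),
    Risk("minor expense fraud", "financial", 20_000, 0.5, 60_000),
]

if __name__ == "__main__":
    print(render_matrix(build_matrix(SAMPLE_RISKS)))
    for name, decision in evaluate(SAMPLE_RISKS):
        print(f"{name}: {decision}")
```

The matrix cell a risk lands in depends only on the two bands, so the same register can be re-scored simply by changing the thresholds when the board revises its appetite (section 1.2.6). The evaluation deliberately does not treat low-frequency, high-impact items on a pure cost test; they are flagged for escalation so that the board, not the arithmetic, decides whether a £5 million loss is tolerable.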

1.2.5 Risk treatment

Risk treatment is the process of selecting and implementing a course of action intended to modify a given risk. This part of the risk management process usually occurs only if the risk, once evaluated, is outside the firm's risk appetite. If the risk falls within the firm's appetite for risk then it might be accepted. Nonetheless, it is important that the risk continues to be monitored, as it may change over time.

Risk treatment includes, as its major elements, risk control/mitigation, risk avoidance and risk transfer (including insurance).

Risk acceptance is where the firm decides that the risk the activity or product raises
is within the firm’s appetite.

Risk control or risk mitigation is where the firm decides the risk is outside its risk
appetite, but it wishes to continue offering the service or product. Here, some work
will be needed to reduce the risk posed.

Risk transfer could be an option where a firm wishes to continue with the
activity in question, but chooses to either outsource the activity to a third party,
or to take out some form of insurance to cover the possibility that the identified
risk will materialise.

Risk avoidance is the option where the firm considers that the risks posed are
too great in relation to the benefits of continuing to provide either the product
or the service. In this situation, withdrawing from the market in question is the
preferred option.

The risk assessment process assists in the effective and efficient operation of the
company by identifying those risks that require particular management attention.
Management then needs to prioritise mitigation actions in light of their potential
benefit to the organisation and review the completed Risk Descriptions in order to
consider the following questions.

• Is the current internal control effective?
• If a new control is proposed, to what degree will the risk be eliminated or reduced?
• Is the new proposed control cost effective? For example, what is the implementation cost compared with the risk reduction benefit?
• What is the company's risk appetite? Could it simply accept the risk of doing nothing?

Once risk mitigation has been agreed and implemented, a post implementation
review (PIR) is vital to assess the effectiveness of the actions taken, or identify any
further activity required.


1.2.6 Monitoring

Risk management should be a continuous process. It does not end after a single
risk assessment. Effective risk management involves a reporting and review
structure to monitor risks and ensure that they continue to be identified and
assessed. It also requires that appropriate controls and responses are put in place
to achieve the desired outcome.

If the risk appetite of the firm alters, a risk that does not itself change might
become unacceptable and require action. Regular audits of policy and procedures
should be carried out. Standards of performance also need to be periodically
reviewed in order to identify opportunities for improvement. This review of the
regime itself will be much broader in nature and is distinct from the PIR that should
follow the implementation of any individual risk treatment.

The monitoring process should provide reassurance to senior management that there are appropriate systems and controls in place, and that the procedures are fit for purpose, understood and complied with.

1.2.7 Review

Irrespective of the risk treatment, firms must continue to review the risks they
have identified as part of their continuous risk management processes. Actions
appropriate for managing a risk today may not be appropriate in the future, as
the regulatory environment, market, the firm’s risk appetite, or even economic
situations, change. So, risk management is a never-ending process.

1.3 What are the risk management options?

1.3.1 Risk based or cyclical approaches to risk management

Generally, there are two different ways of approaching the setting of standards in
risk management:

i. a risk based approach where those risks identified as having the highest
potential impact and probability (see section 1.2.3 above) are prioritised
ii. a cyclical approach, where all identified risks are reviewed and action taken
in a chronological order.

Both approaches have advantages and disadvantages.

In scenario (i), attention might be concentrated on addressing emerging high-impact, high-probability risks, at the expense of ensuring that all risks are reviewed over the year. So, some lower-impact, lower-probability risks are not assessed, and the firm remains unaware that they have become more likely or that their impact, should they materialise, has become more severe.

The converse would be the case in a cyclical approach (ii), where time and effort is
spent in reviewing low-impact, low-probability risks that would have minimal effect
on the firm if they materialised. The materialisation of high-impact, high-probability
risks, which are not being reviewed currently because they are scheduled for later
in the review cycle, could cause significant damage in the interim.


The reality for most firms is that they adopt some form of a hybrid approach,
combining a risk based approach with an annual review cycle, and this gives them
the flexibility they need to review emerging and urgent risks as they arise.

1.3.2 Responsibilities

Every regulator sets out its expectations of the risk management systems and controls that firms must have in place. This regime must apply to the management of both conduct risk and prudential risk.

Take some time to research the expectations of the regulator(s) in your own jurisdiction.

As an illustration, we will now look at the requirements set out by the Monetary Authority of Singapore for financial services firms in that jurisdiction. MAS includes risk management as a requirement of its regulatory and supervisory framework,[73] and provides guidelines on risk management, which are designed to provide financial services companies with assistance on risk management practices.

The internal controls

A system of effective internal controls is fundamental to the safe and sound management of firms. Effective internal controls help the firm to protect and enhance shareholders' value and reduce the possibility of unexpected losses or damage to its reputation. Internal controls are the policies, procedures and processes established by the board of directors and senior management to provide reasonable assurance on the safety, effectiveness and efficiency of the company's operations, the reliability of financial and managerial reporting and compliance with regulatory requirements.

The MAS guidelines in this matter are not intended to be exhaustive nor do they
prescribe a uniform set of requirements on internal controls for all institutions.
The extent and degree to which a company adopts these guidelines should be
commensurate with its risk and business profile.

The risk management regime

The overall requirement is that a firm’s senior management must:

• develop effective processes for identifying, managing, monitoring and reporting the risks to which the firm is or might be exposed
• establish, implement and maintain adequate risk management policies and procedures, including effective procedures for risk assessment, which identify the risks relating to the firm's activities, processes and systems and, where appropriate, set the level of risk tolerated by the firm
• adopt effective arrangements, processes and mechanisms for managing the risks relating to the firm's activities, processes and systems, in light of the established level of risk tolerance, and
• approve and periodically review the strategies and policies for taking up, managing, monitoring and mitigating the risks to which the firm is or might be exposed, including those posed by the macroeconomic environment in which it operates, in relation to the current stage of the business cycle.

[73] http://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework.aspx

Senior management must also monitor:

• the adequacy and effectiveness of the firm's risk management policies and procedures
• the level of compliance by the firm and its directors, partners, employees and appointed representatives with the arrangements and processes adopted, as outlined above
• the adequacy and effectiveness of measures taken to address any deficiencies in those policies, procedures, arrangements, processes and mechanisms, including failures by the directors or others to comply with such arrangements or processes and mechanisms or to follow such policies and procedures.

Under the MAS guidelines, the board is collectively accountable to stakeholders, including shareholders, for the long-term success and financial soundness of the institution. To this end, it has ultimate responsibility for:

• approving and overseeing implementation of the institution's overall strategic direction, risk appetite and strategy, and related policies
• establishing and communicating corporate culture and values (such as through a code of conduct)
• establishing conflicts-of-interest policies and a strong control environment.

The board is responsible for overseeing the governance of risk in the firm. The
board should ensure that senior management maintains a sound system of risk
management and internal controls to safeguard stakeholders’ interests and the
company’s assets, and should determine the nature and extent of the significant
risks that the board is willing to take in achieving its strategic objectives. The
directors should understand the firm’s business strategy, nature of the business
activities, new products, material modifications to existing products, and major
management initiatives (such as systems, processes, business model and major
acquisitions) and their associated risks. These risks should be continuously
monitored and managed. The board should approve the undertaking of any
major activities.

Senior management should provide the board with information on all potentially
material risks facing the company, including those relevant to its risk profile,
capital and liquidity needs. Information should be comprehensive, accurate,
complete and timely.

With regard to risk culture and risk appetite, the board should:

• set the tone from the top and inculcate an appropriate risk culture throughout the firm
• approve the risk appetite framework, which should be comprehensive, actionable and consistent with the firm's business strategy
• review, at least annually, the risk profile, risk tolerance and risk strategy for the business.

The board should ensure that senior management establishes a risk management
system for identifying, measuring, evaluating, monitoring, reporting and controlling
or mitigating risks regularly. The following areas should receive particular attention.

• Risk management strategies, policies, processes and limits should be properly documented and communicated within the firm. They should be regularly reviewed and appropriately adjusted to reflect changing risk appetites, risk profiles, capital strength, and market and macroeconomic conditions.
• Risk management policies and processes should provide a comprehensive 'institution-wide' view of the firm's exposures to material risks, such as credit, market, underwriting, liquidity, country and transfer, interest rate, legal, compliance, fraud, reputational, strategic, regulatory and operational risks.
• Risk management processes should include assessment of risks arising from the macroeconomic environment affecting the markets in which the company operates, and the results of such assessments should feed back into these risk management processes.
• Exceptions to policies, processes and limits should receive the prompt attention of, and authorisation by, the appropriate level of management and the board, where necessary.
• The Risk Management function should be adequately resourced and independent, with clearly delineated authority and responsibilities. It should have access to the board to perform its duties effectively, and should report the firm's risk exposures directly to the board and senior management.
• Where models are used to measure components of risk, the board and senior management should ensure that these models are tested and validated regularly by an independent party. They should also understand the limitations and uncertainties relating to the output of the models and the risks inherent in their use.

1.4 Understanding critical risk types

Regulators describe the risk management regime they require and define the risks
they expect firms to monitor. The following are examples of key types of risk to
which firms will be exposed.

1.4.1 Regulatory risk

This is the risk that regulatory action may be taken against a firm for failure to
comply with regulatory requirements. Components of regulatory risk could include
compliance risk, competition risk, legal risk and prudential risk. It is important to
remember that this refers to more than just compliance with financial regulators’
regulations, but with any other regulations that apply to the firm.

1.4.2 Reputational risk

There is a risk that a firm’s reputation in its market or with peers, suppliers, the
public or employees will be damaged by the materialisation of a risk event.


This risk almost inevitably arises following the materialisation of any risk in more or
less any risk category. Safeguarding a firm’s reputation is one of the most difficult
and challenging tasks facing senior managers. Reputation is one of the most
important corporate assets and also one of the most difficult to protect. Reputation
can be a major source of competitive advantage.

Changes within the business environment may make firms more vulnerable to
reputational damage, with increased scrutiny from regulators, reduced client
loyalty, and the development of global media and communication all exposing
firms to increased risk in this regard. The experience of the international banking
sector since the collapse of many large banks, the rapid decline in banks’ share
prices, and the outcomes of investigations into scandals such as LIBOR and FOREX
rate-fixing by firms such as Barclays, UBS and Rabobank (see Unit 1, section 5.1.1
and Unit 4, section 3.4.1) are prime examples of the importance of maintaining
reputation and the wider impacts of damage.

It is easy to damage reputation, but much more difficult to repair the damage once
it is done. For this reason, it can be argued that reputational risk is a key factor in
strategic decision making for firms.

1.4.3 Financial risk

This is a wide term and can include many different risks. For example, the following
are financial risks:

• liquidity management risk
• funding management risk
• capital calculation risk (in terms of minimum capital asset ratios)
• credit risk
• tax reporting and tax compliance risk
• accounting policy risk
• budgeting and capital planning risk.

By their very nature, financial firms are exposed to many different forms of financial
risk, and the brief list above represents only a small sample.

1.4.4 Market risk

The European Banking Authority defined market risk as part of the introduction of
its Single Rulebook.

Market risk can be defined as the risk of losses in on and off-balance sheet positions
arising from adverse movements in market prices. From a regulatory perspective,
market risk stems from all the positions included in banks' trading book as well as
from commodity and foreign exchange risk positions in the whole balance sheet.
Traditionally, trading book portfolios consisted of liquid positions easy to trade or
hedge. However, developments in banks' portfolios have led to an increase in the
presence of credit risk and illiquid positions not suited to the original market
capital framework.[74]

[74] European Banking Authority (EBA), https://www.eba.europa.eu/regulation-and-policy/market-risk


To this narrow definition, most firms also include property risk, inflation risk and
asset risk as they could all have varying degrees of influence in the different
markets in which a firm operates.

2. Designing an effective governance, risk and compliance risk management system
2.1 The responsibilities of different parts of the firm

2.1.1 The board

The responsibility for determining a firm’s strategic direction and for creating the
environment and the structures for effective risk management lies ultimately with
the board, because the board is accountable for compliance.

The board should agree and publish a risk management policy, detailing its
approach to and appetite for risk, as well as its management. The policy should
also outline accountability and responsibility for risk management throughout the
firm, and approve its risk management framework as being fit for purpose. On a
practical level, the board must ensure that senior management in the firm establish
and maintain appropriate systems to plan and control its operations, and to ensure
there is compliance with relevant legislation and regulations.

To operate effectively, the risk management regime requires:

• the full commitment and support of the chief executive, the board and the senior management of the company
• a clear assignment of risk management responsibilities throughout the firm
• allocation of appropriate resources for training of all stakeholders.

This can be effectively achieved through a board Risk Committee, non-executive committee, an Audit Committee, or a similar function in keeping with the company's operational model.

When establishing a risk management policy, the board should consider the nature
and extent of risks acceptable to the company in conjunction with its risk appetite,
the likelihood that such risks will materialise, how unacceptable risks should be
managed (in other words, the company’s ability to minimise their probability
and impact on the business), the costs and benefits of the risk against the cost of
control activity undertaken, the effectiveness of the risk management process and,
finally, the risk related implications of board decisions.

Risk appetite is not fixed: it will vary over time and can be difficult to articulate at anything other than a very high level. Nonetheless, the board should endeavour to make it as clear as possible. For example, the board could define its risk appetite in simple terms along the lines of 'the amount and type of risk the company seeks, is prepared to accept, and is able to tolerate'. It is important to keep the appetite under review.


2.1.2 The Compliance function

The role of the Compliance function will depend on the structure and size of the
firm. Larger firms are likely to operate some form of multi-layered risk management
structure – the ‘three lines of defence’ model is a good example of this.

In this approach, there is a segregation of risk management, risk oversight and
risk assurance.

„„ Risk management – this is completed as part of the first line of defence, by
the part of the Compliance function responsible for the business line. In this
scenario, there would be a business line for each of the major product areas,
each responsible for risk decisions, measuring, monitoring and controlling
risks in its areas of accountability.
„„ Risk oversight – this is completed as part of the second line of defence,
and is an independent challenge to risk decisions taken by the first line of
defence, by reviewing, challenging and reporting on the risk profile, and
making sure any mitigating actions taken by the first line are appropriate.
„„ Risk assurance – the third line of defence. This role needs to be
independent and objective, providing assurance and consultation that adds
strategic value to the risk management process. An example of a third line
of defence could be the Group Audit function.

Small firms with limited operational breadth will not have this level of complexity,
so will not use the three lines of defence model. Nonetheless, the same basic
principles apply in that there must be risk management, risk oversight and risk
assurance built into compliance activities.

Regardless of the size of the risk management operation, the role of the
Compliance function itself will not vary and should include:

„„ setting the policy and strategy for risk management
„„ establishing internal risk policy and structures for business units
„„ designing and reviewing processes for risk management
„„ the championing of risk management at both a strategic and an
operational level
„„ building a risk aware culture within the organisation through appropriate
training and education
„„ developing risk response processes, including contingency and business
continuity programmes, and
„„ preparing relevant management information and other reports on risk for
the board and other key stakeholders.

Reporting and management information that meets the needs of the recipients
must be available, and this falls to the Risk Management function of the
Compliance department. Reporting, MI and awareness of responsibility for risk are
required at various levels in a company.


2.1.3 Other risk management operations

These include internal and external auditors, legal teams, HR, learning and
development, marketing, etc. Nonetheless, perhaps the most significant risk
management activity is undertaken by the business units themselves.

Business units have primary responsibility for managing risk on a day-to-day basis.
Each business unit management team is therefore responsible for promoting
risk awareness within its operation. The effective management of risk ought to
be a standing agenda item at management meetings, and each business unit’s
management should ensure that it is incorporated into all stages of projects.

Business units require information to make operational decisions. Therefore they
need to:

„„ understand all risks that fall into their area of responsibility, along with
those risks that arise in areas outside their responsibility but that could
still affect them
„„ produce suitable performance indicators to allow the monitoring of key
business activities, progression towards objectives, and identification of
any developments that may require intervention
„„ maintain systems that will identify variances in risk exposure in good time
to allow action to be taken
„„ report systematically and promptly to senior management any new risks
or failures of existing control measures, and any perceived risks that
could materialise.

2.1.4 All employees

Finally, individuals have their own responsibilities with respect to risk management.
They should:

„„ understand their own personal accountability for individual risks
„„ report systematically and promptly to senior management any (perceived)
new risks or potential new risks, or failures of existing control measures
„„ understand how they can enable and contribute toward continuous
improvement of the risk management response, and
„„ understand that risk management and risk awareness are a key part of the
firm’s culture.

2.2 Managing regulatory risk

2.2.1 Understanding regulatory risk

A general definition of regulatory risk is that it is the risk of having a ‘licence to
operate’, or authorisation, withdrawn by a regulator, or having conditions applied
to the licence or authorisation. These conditions would have serious impacts on
the economic value of the enterprise.


In practical terms, regulatory changes that can affect businesses and their
operating models come about as a result of many factors, including:

„„ international regulatory developments
„„ national regulatory developments, including a change of regulator
„„ increased focus on conduct risk, mis-selling, the extraterritoriality of key
international standards
„„ managing the more ‘traditional’ reputational and regulatory risks allied
to anti-money laundering, financial crime, anti-bribery and corruption,
sanctions compliance, etc.
„„ having to manage extensive sales remediation (as with KYC/CDD, treating
customers fairly).

2.2.2 Governance, risk and compliance and the reasons why we manage regulatory risk

Unit 7 will explain and illustrate the importance of corporate governance in
underpinning the whole of the GRC framework. Managing risk is also a key pillar
of GRC support because:

„„ risk and control frameworks support the governance structure
„„ regulatory risk management (RRM) gives firms an inventory of all the
regulatory framework components with which they have to comply
„„ RRM highlights the regulatory developments, interprets them, and then
analyses current compliance, and any gaps that need to be filled
„„ RRM also examines the effectiveness and appropriateness of controls in
place, and whether they respond to deficiencies identified by the regulator.

All the above appear to be reactive. RRM also helps firms to be strategic and
proactive – a holistic GRC model can add value to a firm by being aligned to
the overall company strategy and vision, by supporting decision making, and
by furthering operational efficiencies by de-duplication of overlapping risk
management efforts, controls and processes.

All this helps to further the compliance culture within a firm that understands not
only the individual components of GRC but also how the individual components
are inextricably linked.

2.3 Information flows and audiences

2.3.1 The importance of effective management information (MI)

In the UK, the Turnbull Review of 1999 was drawn up with the London Stock
Exchange,75 and was revised in 2005 by the Financial Reporting Council (FRC).
It gives the fullest guidance on internal controls, and informs directors of their
obligations, under the FRC Corporate Governance Code, for keeping good internal
controls in their companies, and having effective audits and checks in place. It
explains the importance of information in achieving good internal control, and sets
out a series of questions, including those below, that firms can ask themselves as
part of self-assessment. These are relevant in an international context as they are
examples of appropriate questions about MI.

75. http://www.ecgi.org/codes/documents/turnbul.pdf.


„„ What are the nature and extent of the risks facing the company?
„„ What are the extent and categories of risk that the company regards
as acceptable?
„„ What is the likelihood that the risks concerned will materialise?
„„ What is the company's ability to reduce the incidence and impact on the
business of risks that do materialise?
„„ What are the costs of operating particular controls relative to the benefit
thereby obtained in managing the related risks?

The report goes on to say that an internal control system should:

help ensure the quality of internal and external reporting. This requires the
maintenance of proper records and processes that generate a flow of timely, relevant
and reliable information from within and outside the organisation.76

So, effective management information is central to this requirement. To be
effective, the MI must not only be relevant to the risks faced in the firm’s
operations, markets and activities, but also be accurate and up to date. This
means that senior management will have the information needed to make
accurate and appropriate decisions.

These are the key considerations in understanding if the MI is sufficient.

„„ Do management and the board receive timely, relevant and reliable reports
on progress against business objectives and the related risks that provide
them with the information, from inside and outside the company, needed
for decision-making and management review purposes? This could include
performance reports and indicators of change, together with qualitative
information such as on customer satisfaction, employee attitudes, etc.
„„ Are information needs and related information systems reassessed as
objectives and related risks change or as reporting deficiencies are identified?
„„ Are periodic reporting procedures, including half-yearly and annual
reporting, effective in communicating a balanced and understandable
account of the company’s position and prospects?
„„ Are there established channels of communication for individuals to report
suspected breaches of law or regulations or other improprieties?
„„ Is there appropriate communication to the board (or board committees) on
the effectiveness of the monitoring processes on risk and control matters?
This should include reporting any significant failings or weaknesses on a
timely basis.
„„ Are there specific arrangements for management monitoring and reporting
to the board on risk and control matters of particular importance? Such
matters could include, for example, actual or suspected fraud and other
illegal or irregular acts, or matters that could adversely affect the company’s
reputation or financial position.

76. https://frc.org.uk/Our-Work/Publications/Corporate-Governance/Turnbull-guidance-October-2005.aspx.


2.3.2 Internal and external reporting

Internal reporting

Different levels within a firm require different information from the risk
management process.

Directors and senior executives need to make strategic decisions and determine
the correct course of action should a major issue arise. Therefore they must:

„„ understand the most significant risks facing the firm and how they can
be addressed
„„ publish a clear risk management policy covering both strategy
and responsibilities
„„ be assured that the risk management process is working effectively
„„ know how the firm will manage a crisis should one arise
„„ ensure appropriate levels of risk awareness throughout the firm
„„ understand the possible effects on shareholder value of deviations from
expected performance ranges
„„ understand how to manage communications with all stakeholders.

External reporting

A company needs to report to its stakeholders (including the regulator) on
a regular basis, setting out its risk management policies and processes and
their effectiveness in achieving their stated objectives. The formal reporting
should address:

„„ the control methods in place, particularly senior management risk
oversight responsibilities
„„ the processes used to identify risks and how these risks are mitigated by
the risk management regime
„„ the monitoring and review system in place, ensuring that the regime
remains both relevant and effective.

2.3.3 The decision making process

Decisions made by the board of a company are based on many factors, which
must include the firm’s appetite for risk. This appetite itself depends on numerous
factors, such as the general economic climate, political considerations, the culture
and ethics in the firm, market pressures and the need to be competitive, and the
needs of stakeholders such as shareholders.

It is important to understand that decisions are not taken in isolation, and boards
will come to strategic decisions and conclusions using complex methodologies. The
decision making process leads to outputs, which themselves become part of future
MI, so therefore they must be documented and retained.


3. Dealing with regulatory issues and enforcement


It is often said that when a risk materialises (or ‘crystallises’) it becomes an issue!
A regulatory issue can be defined as anything that indicates that a breach of a
regulatory obligation has taken place or suggests that a breach is likely to occur.
Examples of breaches can include:

„„ the conducting of unauthorised business
„„ an error or oversight that results in poor treatment of, or loss to,
a customer
„„ a serious deterioration in the financial resources of a firm, leaving it with
insufficient capital to fulfil the terms of its licence, for example as a result
of ineffective controls or an internal control breach such as failure to
ensure that a controlled function is always undertaken by a specifically
licensed person.

3.1 What to do if you have a potential regulatory breach

3.1.1 Assessing the seriousness of a breach

Should a regulatory issue arise, the Compliance Officer is generally expected to
provide damage limitation solutions and to implement a strategy to avoid similar
breaches in future, for example by amending the firm’s systems and controls.

All regulatory breaches are serious but some are more serious than others. A
Compliance Officer is expected to be able to assess the seriousness of each
breach and respond proportionately. Issues to consider in applying a risk based
methodology to regulatory breaches include:

„„ whether there is any criminality involved, the nature of the breach and the
regulated activity to which it relates
„„ the reason for the breach (for example, human error or the deliberate
circumvention of controls)
„„ the application and effectiveness of pertinent systems and controls
„„ the number of employees involved in the breach (in other words, whether it
can be attributed to an individual’s performance or is more widespread, for
example resulting from an ineffective process)
„„ the number of clients affected
„„ the extent to which clients have been, or could be, affected
„„ the amount and impact of any losses incurred by the firm
„„ whether any impropriety took place
„„ the fitness and properness of the individuals involved
„„ the possible reputational impact on the firm or the industry as a whole.

Categorisation

A compliance professional should be able to categorise the seriousness of a breach
by adopting a risk based approach, as we have discussed in section 1.2 of this unit.
Once a breach has been categorised, it can then be dealt with appropriately.


Inexperienced compliance professionals may have a tendency to overreact to
regulatory breaches, classifying all levels of regulatory breach automatically as ‘high
risk’, without paying consideration to their relative significance. This could cause
unnecessary panic and concern within the company and perhaps lead to taking
action without following the decision making process in full.

The ability to categorise breaches accurately and deal with the situation rationally
is essential to prevent this situation from arising. A balanced approach also
encourages staff to bring regulatory issues to the attention of compliance
professionals, safe in the knowledge that the issue will be treated on its relative
merits and that situations will not be made to appear more serious than they
really are. It is, however, worth remembering that small-scale or isolated problems
within the firm can develop into something larger if left unchecked. Even lower-
risk regulatory breaches must be addressed. Things that go wrong in a small way
have a habit of going wrong in a big way later and several small breaches can be
symptoms of something much larger.

A useful analogy for compliance professionals to bear in mind is that of the
importance of rectifying a tiny crack in the wing of an aircraft, for fear that
something much more significant may develop. As such, ‘near-miss’ regulatory
breaches should also be brought to the attention of a compliance officer so that a
particular shortcoming does not develop into a future breach. Staff in all business
areas need training to know how these may present themselves.

How widespread is the problem?

When a regulatory issue arises, the first priority is to gauge the nature and the
extent of the problem. Compliance professionals should attempt to establish the
whole extent of the issue so that having suitably identified it they can tackle it
in its entirety. An issue should not be referred to an external agency without first
accurately ascertaining its nature, materiality and regulatory risk classification.
It should be remembered that the action necessary to correct a breach can
subsequently be passed to an external agency but the responsibility for correcting
the breach cannot be transferred away from the regulated entity in which it arises.

Give some thought to complaint handling and the merits of reviewing those cases
where a customer has made an expression of dissatisfaction but where this has
not developed into a complaint. Could a review of the cases that were ‘almost
complaints’ be useful data for the firm?

3.1.2 Examples of regulatory breaches

Think about the three examples below.

Example 1

During a compliance audit, it is discovered that your business has been
undertaking a regulated activity without being in possession of the
correct authorisation.


Example 2

During a KYC (Know Your Customer) monitoring programme, a compliance
officer discovers that since the implementation, some years ago, of a legal
requirement to verify the identity of all new clients, a particular business unit has
failed to do so to the required standards. This failure indicates a breach of AML
(anti money laundering) legislation (which is a criminal offence) and a breach of a
licence condition.

Example 3

During a monitoring programme designed to assess the effectiveness of
complaint-handling procedures, a compliance officer discovers that – contrary
to a requirement to report all complaints to the regulator after a three-month
period – one of the ten complaints received in the year to date has not been
reported, despite being left unresolved for four months.

Clearly the first example is more serious than the second, which is in turn far more
serious than the third. Examples 1 and 2 are likely to be regarded as significant
regulatory breaches from which enforcement action is likely to follow. Example 3
may be capable of internal resolution depending upon the nature of the complaint
and previous conduct of the firm. Where regular complaint data reporting is
required by a regulator and an inaccurate report has been submitted, it may be
possible to request a re-submission.

3.2 Internal investigations

3.2.1 Conducting an investigation

The objective of an internal investigation into a regulatory breach is to
establish exactly what happened, how it has happened and why. There are
many reasons why a business will want to conduct an investigation, including:

„„ to establish whether it is financially accountable and, if so, the amount
of any compensation that it should pay
„„ to avoid a recurrence (by learning from its mistakes and taking
appropriate action)
„„ to demonstrate to the regulator that it is taking steps to avoid a recurrence
„„ to determine whether any disciplinary action against members of staff is
appropriate and justify this accordingly.

For the result of the investigations to be relied upon they must be conducted
by persons who are completely independent of any involvement in the matter
that is the subject of the investigation. So, line managers of teams where poor or
inadequate oversight may have been a contributing factor should not be involved
because they do not have the necessary objectivity. The appointment of external
counsel with regulatory expertise can be very helpful in carrying out investigations
and for determining steps for resolution. Such a counsel’s main value lies in their
broader knowledge of the marketplace and possible similar experiences with other
regulated firms.


In the case of a matter requiring criminal investigation, an internal investigation is
very likely to be inappropriate because of the risk that it will disturb evidence that
will be of interest to the police. Any internal investigation into internal failures that
involve criminality should be conducted with the knowledge and consent of
the police.

Internal investigations

Successfully conducting and reporting on internal investigations requires particular
skills, including the ability to:

„„ follow an audit trail
„„ interview employees and colleagues effectively
„„ preserve evidence
„„ identify criminal conduct (including fraud indicators)
„„ assess evidence objectively
„„ assess fitness, properness and competence of employees objectively
„„ advise on remedial action to prevent recurrence.

A thorough investigation of a regulatory breach is required before compiling a
report on what went wrong. The golden rule is to remember that all individuals
involved may hold different perceptions of the same set of factual circumstances,
depending upon their pre-existing knowledge, attitudes and experience. It is
therefore crucial to collate all available perceptions in order to determine what
really happened and, perhaps more importantly, why.

Compliance professionals may sometimes overlook evidence provided by more
junior employees. This can be short sighted, as junior employees tend to be closer
to the day-to-day activity that often provides the vital details on what went wrong.
It is also important to realise that senior employees such as managers, directors or
client relationship officers may be more motivated by commercial considerations.

When visiting a company, regulators often interview employees from different
management levels in order to gain a better understanding of the overall
perception of an event, just as detailed above. It is therefore important that
the Compliance Officer is already aware of any information or opinion that the
regulator may uncover.

Finally, compliance professionals must be mindful of the dangers of ‘confirmation
bias’. This is the natural human tendency to formulate an opinion about a particular
issue and thereafter to pay regard only to information that confirms that opinion.
This can lead people to draw false conclusions about the factors that cause
breaches and other failures. It is important for compliance professionals to treat
each enquiry as a ‘blank sheet’ and not to preconceive ideas about what went
wrong, why it went wrong, or where any blame lies.

3.2.2 Notifying the board

A basic checklist of those who should be told of the regulatory issues should
be created. Who is informed will depend upon the severity of the breach.
Suggestions include:


„„ all directors
„„ the relevant board committee (typically the Audit Committee or the
Risk Committee)
„„ the head office or parent company (which may then have to inform the
home regulator for the group if that is in a different jurisdiction)
„„ the regulator
„„ internal and/or external legal counsel
„„ the police (if a criminal issue has arisen)
„„ internal and/or external auditors.

The time between when a regulatory breach first comes to light and its being
reported to appropriate external parties should be as short as possible. Again,
depending on the size and complexity of the firm, the responsibility for notifying
the board may fall to specific teams or staff within the Compliance function.

3.2.3 Notifying the regulator

The role of a regulator is not only to undertake enforcement action but also to be
proactive in assisting firms to remedy deficiencies and continue in the conduct of
their business. So, it is important that firms report any regulatory breaches to their
regulator so that they can take advantage of the help that the regulator is able
to provide.

In many jurisdictions, regulatory laws specifically require regulated businesses to
be open, honest and cooperative with the regulator. Even where they do not, it is
seldom in the interests of a business not to inform a regulator of a problem that has
been discovered. It is generally best practice for a firm to be open and frank and to
make voluntary disclosure of all regulatory breaches. Following this requirement
of openness and honesty will not necessarily stop the regulator proceeding with
enforcement action, but it may reduce the severity of such action. The regulators
are quite specific about what being cooperative means and compliance professionals
should be aware of what is expected in this area.

Compliance professionals should also be aware of any detailed reporting
obligations. For example, many retail product providers have an obligation to notify
regulators of specific control failures and breaches. They should also be aware of
the evolving methods used by the regulators to gather data. Not only do they rely
on data disclosed from retail product providers through regular reporting, but they
also now seek information through other methods.

As a general rule it is advisable to consider what remedial action needs to be taken
before informing a regulator about a regulatory breach. Regulators like to be
proactively informed of problems, but they also like to be proactively informed of
proposed solutions. The regulator may not agree with the way in which a business
proposes to resolve a particular problem, but presenting a problem in conjunction
with a solution provides comfort to them, as it demonstrates that the firm is
attempting resolution and prevention of recurrence. The key to limiting the overall
damage caused by a regulatory breach is as much about the way in which a firm
reacts to the breach as the breach itself.


More minor breaches (where there is no substantive customer impact) can often
be dealt with by a telephone discussion, with follow-up emails to confirm and
document actions to be taken. More serious breaches, particularly where there
is an impact on customers, should involve a meeting with the regulator and this
should be called as quickly as possible. In more serious cases of high-risk regulatory
breaches, the Compliance Officer should attend with at least one director and, if
possible, the local chief executive. If a very serious issue has arisen, the meeting
ought to include a senior representative from the regulator’s supervisory function.

The way in which a meeting is called and handled by a business demonstrates to
a regulator how seriously the business is treating the issue. This is often taken into
account by the regulator in deciding upon a course of action.

It is vital that all the representatives of a business in attendance at the meeting can
demonstrate to the regulator that they understand the seriousness of the issue
being discussed and can demonstrate knowledge of regulatory requirements.
Situations in which one or more representatives appear not to comprehend
the potential implications of what is being revealed may cause the regulator to
speculate whether regulatory compliance is embedded in the business of the firm
and whether there are wider management and control issues to be examined.

The regulator should treat breach disclosures in confidence, except where it has a
legal obligation to disclose information to other bodies. If a regulator commences
an investigation, any information passed to it by the business will be passed under
compulsion of law, thus rendering irrelevant any concerns about breach of client
confidentiality (see section 3.3.3 below).

The assumption that a regulator will react to every regulatory breach by
commencing enforcement action is misplaced. Many firms, particularly those that
are newly regulated, can be surprised at the helpful and cooperative approach
adopted by regulators. Nonetheless, the relief that can result from realising that
a regulator adopts a conciliatory and helpful approach to news of a regulatory
breach can cause problems for some firms. Firms should be wary of an over-
enthusiastic response to a conciliatory stance by a regulator (for example,
proposing unrealistic deadlines for remedial action), as regulators are unlikely to
continue to be as accommodating if they are advised of a subsequent failure to
follow an agreed remedial action plan.

3.3 Managing a visit from the regulator

As discussed in section 3.2.3, the regulator should be informed at an early stage
that a business has committed a regulatory breach, after careful assessment of
the circumstances by the designated officer. Such an approach will help avoid the
possibility that the regulator will find out from another source, such as the police
or foreign regulatory authorities. It is much better if the regulator hears from the
firm itself.

Regulators have their own statutory responsibilities to discharge and will not want
to delay in acting on information. A regulator’s greatest fear relates to the ‘ticking
time bomb’ syndrome and having to explain why it did not take appropriate and
timely action once it had been given notice of the issues in a breach.


Depending on the seriousness of the issue, once on notice of a breach a regulator
may conclude that it has little choice but to undertake some form of investigative
work itself or to appoint a third party to do so. This depends in part upon a
regulator’s assessment of the likelihood that the organisation (or individuals within
it) may face a significant sanction as a result of an investigation. The regulator
must also consider its responsibility for supervising the business and achieving
an improvement in the way in which the firm is run in order for it to continue to
conduct business and avoid future breaches.

Example

A firm is conducting its business in the usual way. Internal compliance monitoring
reveals a material breach of a regulatory requirement. The Compliance Officer
informs a member of the regulator’s Supervisory department. The breach is so
significant that the Supervisory department advises the Enforcement division.

The Enforcement division then leads a detailed investigation and liaises with
the local law enforcement authorities and overseas regulators. Assuming that
the outcome of the investigation will be that the firm ought to be allowed to
continue to conduct business, it will come under much closer scrutiny by the
Supervision department until its risk profile is reduced, while the Enforcement
division carries out any resulting enforcement action. This could be the
imposition of a sanction against those individuals who were responsible for the
problem, the levying of a fine, or the temporary suspension of some of the firm’s
regulatory permissions, pending the completion of remedial actions.

We can see from this example that the consequences of the regulator’s
investigation are isolated to a degree. In most cases, the firm is able to continue to
conduct business (subject to enhanced supervision and the completion of remedial
actions). A firm stands a far greater chance of achieving such an outcome if it
voluntarily discloses problems to the regulator and cooperates in the conduct of
an investigation. Failure to act in this manner may lead a regulator to suspect there
are further concerns contained within a firm, prompting it to investigate wider
organisational issues.

Regulators increasingly use their powers to suspend firms’ permissions to carry
out specific activities, in order to contain the risk that they believe a firm may pose
to consumers. This usually happens at the beginning of an investigation and the
regulator can request that the firm does this on a voluntary basis.

3.3.1 How do regulators look for information?

Assuming that the regulator wants to instigate an investigation or obtain
information, a number of options are available. These include the right:

• to require the provision of information
• to require reports from skilled persons
• to appoint investigators
• to apply for a warrant to enter premises.


Such powers are common to most regulatory authorities. It is imperative that
compliance professionals are fully familiar with the information-gathering and
investigative powers at the disposal of their regulatory authorities.

It is normally possible for a regulator to commence an investigation by instructing
that a third-party reporting professional be appointed, which is at the expense
of the business concerned. The professional is required to provide a preliminary
report to the board of the company concerned, copied to the regulator. This may
be followed by the appointment of an inspector, tasked with obtaining detailed
evidence (under statutory caution) from persons having a continuing or past
relationship with the company. The appointment of an inspector is most likely to
occur when serious enforcement action is anticipated.

A regulator may only use evidence collected under regulatory powers for
regulatory purposes – not for purposes of criminal prosecution. This is because of
the self-incrimination provisions built into regulatory rules. If a decision is made
to prosecute for a criminal offence in relation to the same circumstances, then
evidence is generally needed on an alternative basis, either given voluntarily or
obtained by using a power granted under a separate criminal law. From the point
of view of a compliance professional employed within a business subject to both a
regulatory and a criminal investigation, this duplication of evidence gathering can
prove frustrating.

3.3.2 What can the regulator ask for?

Investigations are generally conducted using legal instruments known variously
as Production Orders or Investigatory Warrants. These allow regulators and other
law enforcement agencies to obtain documents or evidence, including statements.
There are many different terms used to describe these powers, and you should
familiarise yourself with the precise words used in your own jurisdiction.

Production Orders are generally instruments issued by courts upon applications
made by regulators or law enforcement agencies. These have the effect of
compelling the recipient person or company to produce the information or
material set out in the Production Order to the individuals identified within it.
Production Orders always oblige the recipient to comply within a set period of
time, beyond which the recipient is in danger of committing an offence or being
found in contempt of court.

It is rare for a Production Order to name the specific material that a recipient is
obliged to produce. Instead, it will refer to particular types of material relating
to certain aspects of particular relationships. The following is an example of
wording that might be contained in a Production Order used in suspected money
laundering cases.


Example

You are required to produce within 21 days true copies of the following
documents (covering the period 20 June 2012 to 4 July 2014) and to provide
an explanation of these documents (if so required) in respect of the account
numbered 45789354267 in the name of Y Ltd and any other account in the name
of Y Ltd, which is in the custody, possession or power of your bank.

• All bank statements
• Debit advice notes
• Paying-in slips
• Account opening and closing forms
• Credit advice notices
• Paid cheques (copied back and front)
• Records showing account signatories
• All correspondence and notes of telephone conversations between the
bank and individuals relating to Y Ltd.

The order allows the recipient (and therefore the Compliance Officer) a degree of
interpretation in respect of which material falls within its scope. This discretion,
however, must not be abused. The penalties for non-disclosure of (or, even worse,
destroying) incriminating material are severe and provide a further justification for
the secure retention of documents.

It must be remembered that law enforcement agencies do not treat a financial
institution differently from any other person or business that is subject to criminal
investigation under the standards of criminal law. Unlike regulators, the police
have no relationship with the firm to consider and everything is carried out to strict
criminal law standards.

3.3.3 What about privileged or confidential information?

Certain documents are subject to what is known as legal professional privilege.
The concept of legal professional privilege is based upon the public interest in
allowing persons to consult with their lawyers in absolute confidence, secure in
the knowledge that the information or advice that they are given by their lawyers
is protected. In effect, legal professional privilege is a confidentiality assurance
mechanism. It extends to any information exchanged or created in the provision
and receipt of legal advice or in contemplation of legal proceedings.

For a document to be protected by legal privilege it must substantively fall into
the above category of documents eligible to attract such protection. In other
words, the protection is not extended to documents that simply have ‘privileged’
stamped across them.

The privilege applies to the provision of both in-house and external legal
advice. As far as in-house advice is concerned, privilege may only be claimed in
relation to documents providing legal advice, but not to other forms of advice; for
example, advice on which strategy management should adopt in dealing with a
particular issue.


As a general rule, legal privilege allows businesses to refuse to produce or
share documents that are protected, even when they are requested. Regulatory
legislation often explicitly states that documents subject to legal privilege are not
required to be produced.

Client confidentiality is a sensitive issue which lies at the heart of a client/service
provider relationship and which automatically becomes a consideration when
an investigation commences and client-related information is shared. There are a
number of generally accepted exceptions to the duty of client confidentiality. It is
important that compliance professionals are aware of them:

• where a disclosure is under compulsion of law
• where there is a duty to the public to disclose, or
• where the interest of the company requires disclosure and where the
disclosure is allowed by the express or implied consent of the customer/client.

A financial services business that discloses information requested by a regulator
or by law enforcement in the exercise of legal powers does not breach the duty of
client confidentiality.

Compliance professionals are often expected to manage a firm’s response to
Production Orders and Warrants, and it is vital that in so doing they ensure that
only the requested information is provided. The disclosure of any excess confidential
client information may constitute a breach of the duty of confidentiality.

It is worth remembering that regulators are generally not as interested in a firm’s
clients as they are in the way in which the firm is servicing its clients. There are,
of course, exceptions to this and regulators can develop an interest in particular
clients where:

• evidence of money laundering is found unexpectedly and a suspicion
is formulated
• evidence is being collected of a crime related to financial services, such as
insider dealing
• the client makes a complaint, when the handling of that client’s affairs by
the firm is already under investigation.

It is important to note that the USA PATRIOT Act 2001 has extraterritorial powers,
which enable the US to reach far beyond its borders in legal matters. Compliance
professionals should be aware that transacting in US dollars or with US clients does
require a good understanding of these extraterritorial laws.

3.3.4 Open and honest approach

Firms have an obligation to be open and honest in their relationships with the
regulator. The potential impacts of failing to follow these requirements are best
illustrated in the following case studies of regulatory enforcements. Although they
both relate to enforcement action taken by the UK regulators, they both involve
international activities by the firms in question, and therefore show the need to
consider regulators in different jurisdictions when assessing the risks of regulatory
non-compliance.


Example: Goldman Sachs International (GSI)

On 9 September 2010, the FSA fined this firm £17.5m for failures of Principles 2,
3 and 11. The Principle 11 breach was in connection with GSI’s failure to disclose
a notice issued by the US Securities and Exchange Commission (SEC). GSI failed
to inform the FSA that on 28 September 2009 the staff of the SEC had indicated
that it would serve, and then on 29 September 2009 did serve, a notice indicating
SEC’s proposal to recommend an enforcement action for serious violations of
US securities law by an Approved Person employed by GSI, relating to his prior
activities when working in the US for Goldman Sachs & Co (GSC).

A number of senior managers, including Approved Persons, at GSI were aware of
certain aspects of the SEC Investigation. Yet none of these individuals appeared
to have appreciated the potential regulatory impact of these matters on GSI, not
least because those handling the matter at GSI did not focus on the status of the
senior manager in question as an FSA Approved Person, or the implications of
the SEC’s allegations for GSI. Those handling the matter did not brief the relevant
senior managers at GSI on the implications of the SEC’s allegations for GSI. The
relevant senior managers at GSI did not appear to have considered the potential
regulatory impact on GSI because they understood that their central legal team
was handling the matter and that GSI’s Legal department was being made aware
of it. They assumed that since the Legal department was engaged, relevant
information would be passed to those individuals within the GS Group who
needed to know.

In fact, neither the legal nor the compliance staff in New York passed on the
relevant information to GSI Compliance. Those handling the matter in New York
appear to have focused exclusively on the regulatory implications of the SEC
Investigation for GSC and apparently not on the potential for specific regulatory
impact on GSI, even though certain relevant personnel in New York were aware
of the nature of the allegations made by the SEC.

By reason of the facts and concerns set out below, the FSA considered that GSI
had failed, in breach of Principle 11, to disclose to the FSA the SEC notice, which
was reasonably material to the assessment of the fitness and propriety of an FSA
Approved Person. Specifically, GSI failed to inform the FSA of the enforcement notice.

The FSA acknowledged that the Principle 11 breach in this case was not
deliberate, but inadvertent; however, it was nevertheless a serious breach in
view of:

• the seniority and experience of the GSI managers who were aware of the
enforcement notice
• the seriousness of the allegations made in the enforcement notice
• the obvious regulatory implications for GSI arising from the enforcement
notice, namely that it was information that was reasonably material to an
assessment of the senior manager’s fitness and propriety for carrying out
a Controlled Function, and
• the stature, resources and reputation of GSI.


Example: The Prudential Assurance Company Ltd (PAC)

On 27 March 2013, the FSA fined PAC £16m for breaching Principle 11 of the
Principles for Business, in that they failed to deal with the FSA in an open and
cooperative manner and for failing to disclose appropriately information of which
the FSA would reasonably expect notice.

On Monday 1 March 2010, PAC announced its intention to acquire AIA, a wholly-
owned subsidiary company of AIG. The original consideration proposed was
$35.5bn, including $20bn cash, to be funded via a rights issue. Given AIA’s size,
the transaction would have been transformative for PAC. The proposed rights
issue was planned to raise £14.5bn and would have been the biggest ever in
the UK. Subsequently, facing significant doubts about the extent to which it had
secured the requisite shareholder support, PAC sought to renegotiate the terms
of the transaction. AIG refused to accept a lower price, and on 3 June 2010 PAC
withdrew from the deal, shortly before its shareholders were due to vote on the
proposed rights issue.

The FSA had supervisory responsibilities for Prudential Group’s UK-regulated
subsidiaries. In addition, Prudential Group, though not itself authorised by the
FSA, was a controller of FSA-authorised entities and was an Insurance Holding
Company for the purposes of supplementary supervision under the EU Insurance
Directive on Insurance Groups (IGD). The FSA was responsible under the IGD
for undertaking supplementary supervision of PAC, and was also lead global
supervisor for the Prudential Group, responsible for coordinating supervisory
activities and information sharing among international regulators. Therefore
the FSA’s role included responsibility for understanding the Group’s solvency,
risk profile, intra-Group exposures and transactional issues, and for liaising with
relevant overseas regulators. Where it was necessary to require the Prudential
Group to take action, the FSA imposed requirements on PAC.

The proposed transaction involved substantial changes to the financial position,
strategy and risk profile of the Prudential Group as a whole, including potential
impacts on the UK-regulated entities within the group. The transaction’s size
and scale were of particular regulatory significance when viewed against the
background of the financial crisis in late 2008, in which certain major financial
institutions had required government intervention and recapitalisation following
similarly transformative transactions. Further, the impact and significance to the
Prudential Group, PAC, AIG (which itself had had to obtain financial assistance
from the US Treasury and the Federal Reserve Bank of New York during the
financial crisis) and AIA meant that the transaction had the potential to affect the
stability and confidence of the financial system in the UK and abroad. In the
circumstances the FSA’s regulatory responsibility was to undertake intensive,
detailed and thorough scrutiny of the proposed transaction.

PAC had failed to inform the FSA that Prudential was seeking to acquire AIA from
AIG in early 2010, until after the proposed transaction had been leaked to the
media on 27 February 2010. Accordingly, PAC had breached Principle 11 by failing
to deal with the FSA in an open and cooperative way and by failing to disclose
appropriately information of which the FSA would reasonably expect notice. In
particular, PAC failed to:

• discuss with the FSA, at the earliest opportunity (and by 11 February 2010
at the latest) the proposed transaction, which could have led to a change
in corporate controller of PAC, or
• disclose the proposed transaction at the meeting with the FSA
Supervision Team on 12 February 2010. The express purpose of that
meeting was to discuss the Prudential Group’s strategy.

At the meeting, the FSA asked detailed questions about the Prudential Group’s
strategy for growth in the Asian market and its plans for raising equity and
debt capital, and PAC discussed the strategy for expansion in Asia at length, but
omitted to mention the proposed acquisition.

The FSA expected to have an open and frank relationship with the firms it
supervises, as does the FCA today. It is essential that firms give due consideration
to their regulatory obligations at all times. In particular, timely and proactive
communication with the regulator is of fundamental importance to the
functioning of the regulatory system.

PAC’s conduct resulted in a significant risk that the wrong regulatory decision
would be made and hampered the FSA’s ability to assist overseas regulators with
their enquiries in relation to the transaction.

3.4 The sanctions a regulator can impose

Paragraph C10-12 of the International Organization of Securities Commissions
(IOSCO) Objectives and Principles 2010⁷⁷ provides that:

10 The Regulator should have comprehensive inspection, investigation and
surveillance powers.
11 The Regulator should have comprehensive enforcement powers.
12 The regulatory system should ensure an effective and credible use of inspection,
investigation, surveillance and enforcement powers and implementation of an
effective compliance program.

The objective of enforcement by a regulator can be viewed in similar terms to that
of criminal law: it acts as a threat to or deterrent for other firms, as well as ensuring
specific punishment for the firm that has exhibited unsatisfactory standards
of compliance. Traditionally, regulators have available to them a number of
enforcement-based tools, each designed to secure a particular outcome. Arguably,
the imposition of disciplinary action illustrates that the regulator is effective at
upholding standards, and helps to maintain market confidence and promote
public awareness of regulatory standards. Such action can also deter others from
committing regulatory misconduct provided that the action is fair, consistent
and robust. It is clear that the outcomes of regular enforcement actions do raise
awareness of areas of regulation where breaches of compliance standards have
taken place.

77. https://www.iosco.org/library/pubdocs/pdf/IOSCOPD323.pdf.


This approach by regulators raises issues for the firms subject to regulation and
therefore for the compliance professionals working within them. An awareness of
how this might affect the firm should therefore be a consideration and it is essential
to maintain this awareness, for example by keeping a close eye on developments,
looking at cases and issues flagged by the regulator.

Typical regulator penalties will include:

• private warnings
• public censures (also called ‘naming and shaming’)
• financial penalties (fines)
• recovery of the regulator’s costs in prosecuting the matter
• payment of restitution to affected consumers
• compensation orders
• disgorgement (ordering the repayment) of any profits arising from the non-
compliant activity
• suspension of the firm’s permission to carry out regulated activities
• withdrawal of a firm’s authorisation to conduct business
• withdrawal of an individual’s licence or authorisation.

In the UK, under the Financial Services and Markets Act 2000, the FCA and the PRA
have a range of disciplinary, criminal and civil powers for taking action against
regulated and non-regulated firms and individuals who are failing or have failed to
meet the standards required. Examples of these powers include being able to:

• censure firms and individuals through public statements
• prevent an individual from undertaking specific regulated activities
• impose financial penalties
• suspend an individual from undertaking specific authorised activities
• prohibit an individual from operating in the financial services market
• seek injunctions
• apply to a court to freeze assets
• seek restitution orders
• prosecute firms and individuals who undertake regulated activities
without authorisation
• suspend a firm from undertaking specific regulated activities
• withdraw a firm’s authorisation.

In the UK, the new Senior Managers and Certification Regime (SM&CR) has
introduced a new crime of ‘reckless misconduct’, which has three constituent elements:

• the manager’s decision, whether active or passive, caused the failure of the
financial institution in question (for the purpose of this section, ‘decision’ has
been broadly defined to include a failure to prevent a decision)
• at the time the decision was taken, the manager was aware of the risk that
such a decision might cause the failure of the financial institution (or its
group companies)
• the manager’s conduct was ‘far below’ the reasonable standard expected
from a person in such a position.


Proceedings in respect of this offence may be commenced by the FCA or the PRA. A
successful conviction could lead to the individual being imprisoned for up to seven
years and/or fined an unlimited amount.

3.5 The damage to reputation

While all the sanctions listed will have immediate impacts on the firms and
authorised individuals within a firm, we must not forget the intangible damage
they can cause. A firm’s reputation can be severely affected in a surprisingly short
period of time, and repairing this damage can take many years and divert valuable
resources away from more profitable activity.

Reputational damage can have immediate consequences. The firm’s competitors
will be quick to attract disaffected customers who will vote with their feet and
move their business elsewhere. The recent fines imposed on some of the largest
banks around the world for their manipulation of interest rate benchmarks solely in
the interests of profit have further damaged the reputation of an industry with an
already poor reputation.

But what about the less obvious consequences? What about those consumers
who, because of inertia, do not sever their links with the firm in question, but do
decide not to deepen their relationship in the future by taking their custom for
further products and services elsewhere? Or, what about those consumers who are
seeking particular products and services but actively avoid the company because
of its poor reputation? This is an example of the opportunity cost that comes from
reputational damage.

4. The links between risk management and GRC

Risk management should be a part of the overall firm-wide GRC systems and
controls within the company. It should be present throughout the whole of the
enterprise, from the board of directors down through all of its activities.

This relationship can be summarised in four different and separate processes.

4.1 Risk assessment and planning

A firm faces risks at all levels, whether from global issues based on market
conditions, or environmental issues specific to one location. Firms cannot plan for
or identify every single risk that might have an impact, but they should monitor
and analyse potential risks.

4.2 Risk identification and analysis

This is where there is a need for more detailed analysis of the likelihood that known
risks will materialise and, if they do, the possible impacts. The potential impacts
of the identified risks need to be quantified so that mitigation strategies can be
developed, to be used in the event that the risk does in fact materialise. In this
context, mitigation refers to assessing the best ways to manage or eliminate the
risk. This also allows the firm to identify the total costs the firm would face should
the risk materialise.


4.3 Developing a risk response strategy

This should be developed alongside the risk identification activities, and this
is where a firm needs to have plans and strategies to deal with the impacts
of risk materialisation. These strategies will also help the firm to return to
normal operations as soon as possible. Developing this approach also allows
firms to include analysis of any risk-related opportunities, which could, for
example, include a review and overhaul of all products, not only to eliminate
any identified risks, but also to capitalise on opportunities that the risk analysis
has revealed.

4.4 Risk monitoring

In a GRC control framework, risk monitoring is an integral control. Monitoring
not only tracks the likelihood that the identified risk will materialise but also
monitors its status once the mitigating actions have been completed. The
idea is to keep on top of the position, and if needed, re-enter the risk
management process.

5. Making sure it does not happen again

This is a priority for most firms that, against the background of a regulatory
breach, wish to avoid future financial or potential reputational loss. No firm either
wants or is able to withstand such losses on a recurring basis. Regulators also
wish to avoid recurrences and, with this in mind, may therefore perform reviews
following an investigation, to ensure that remedial action plans are followed as
agreed and systems are strengthened accordingly. This can significantly increase
the regulatory burden on a firm.

Investigations by regulators and their resulting decisions can take long periods
of time; compliance professionals will want to introduce control enhancements
as soon as shortcomings have been identified, to limit the latter’s impact on
the business. Any action plan for the introduction of these improvements
should be passed to the regulator to enable the findings of any investigation to
include references to the improvements already made. This demonstrates good
management of an issue.

As we have seen, it is important to keep the regulator fully informed at all times
about what has been found and which particular issues have been identified for
resolution. In addition, a firm should proactively advise the regulator of its progress
in the implementation of any remedial action. This demonstrates that the firm is
serious about improving its conduct and addressing issues.


Learning outcomes

By the end of this unit you should be able to:

• define what is meant by ‘risk’, ‘risk management’ and ‘enterprise risk’
• recognise some of the international standards on risk management and be
able to describe the stages of the risk management process in a financial
services context
• appreciate the differences between the risk based and cyclical approaches to
risk management and their advantages and disadvantages
• be able to explain the different types of risk faced by a financial services business
and how to approach them
• understand the roles of the board, the compliance function, the business units
and individual employees in a successful risk management process
• know the questions that should be asked and answered in order to generate
relevant management information for identifying, assessing, treating and
reporting on the risks facing the business
• be able to assess the severity and extent of regulatory breaches, conduct an
internal investigation into identified or suspected breaches, and notify all
relevant parties as to your findings
• know how to handle a visit from the regulator and understand how to respond
to court orders such as Production Orders
• understand the sanctions that the regulators can impose and the possible
effects on the business
• be able to identify the links between risk management and the GRC
control framework.
