Risk management is a continuous process rather than a linear one. A pragmatic Know Your Obligations (KYO) strategy starts with building an ongoing monitoring approach by deconstructing regulatory obligations and then measuring the performance of related procedures and controls to assure compliance. The final step is to evidence that compliance.
This is a critical part of the process because, as far regulators are concerned, without that supporting documentation, it’s like it didn’t happen.
If the first stage of a pragmatic Know Your Obligations strategy is deconstructing and understanding compliance obligations to define where you need to keep your focus, the next step is mapping policies, procedures and controls to performance indicators to be able to accurately assure compliance.
Essentially, at this stage, we need to answer the question: What do we actually need to monitor?
Regulations, frameworks, policies and controls define the day-to-day of the Chief Compliance Officer (CCO) and their teams. It’s fair to say that it is an important yet often troublesome undertaking to make sense of what can often be described as monitoring spaghetti. At the same time, the teams also need to ensure they are keeping senior execs and the Front Office engaged and compliant.
So how can the CCO set regulatory priorities, identify policy and procedure gaps and understand compliance obligations?
It’s been just about a year since the Bank of England’s Prudential Regulation Authority (PRA) issued the Dear CEO letter Thematic findings on the reliability of regulatory reporting, serving notice to firms that the agency has seen “a historic lack of focus, prioritisation, and investment in this area.”
It’s not a new problem but the letter has brought it into sharp relief. One year on, where are firms regarding the expectations around regulatory reporting and governance set out in the letter?
