Governance
The supervision of business activities is the responsibility of the management of the organisation. A firm must have robust governance arrangements, which include:
- clear organisational structure;
- clear lines of responsibility;
- effective risk management processes which identify, manage, monitor and report risks that the business may be exposed to;
- effective internal controls including administrative and accounting procedures; and
- effective controls and safeguards for IT systems.
These arrangements and controls should be comprehensive but proportionate to the size, nature and complexity of the business and should take into account any technical criteria required by the firm’s business continuity planning.
Firms should ensure that they have:
- decision making procedures and a documented organisational structure that clearly specifies reporting lines and allocates functions and responsibilities;
- adequate internal controls to ensure compliance with decisions and procedures at all levels in the firm; and
- effective internal reporting and communication of information at all levels in the firm.
Organisation charts should be produced.
These should:
- clearly identify roles, authority levels, supervisory and reporting lines for the firm;
- be communicated to all members of staff; and
- be regularly reviewed and updated.
Sample organisation charts and authority lists are included in the templates section at the end of this chapter (SYSC templates 1 to 3). Firms may wish to delegate authority to senior members of staff; such staff will need to:
- be assessed for their suitability to perform the role;
- be able to demonstrate their competence to perform the role;
- have clearly defined and communicated limits and extents of authority; and
- be supervised and monitored, including a process for following up any actions identified if the delegation is found to have broken down.
This information should be clearly recorded and updated regularly. If firms decide to outsource any work, then the same rules will apply.
As far as possible the organisation of the work should be segregated to reduce the likelihood of mismanagement and fraud.
Business Continuity
Firms should take reasonable steps to ensure the continuity of their regulated business activities. This includes having an adequate business continuity plan in place.
What is a business continuity plan?
These are sometimes known as disaster recovery plans. They are plans that ensure that the firm can continue to function and meet its regulatory obligations in the event of unforeseen interruptions to systems and procedures, e.g. fire, flood, loss of capital and/or loss of key staff. You should establish, implement and maintain an adequate business continuity policy.
The aim of this policy is to ensure that, in the case of an interruption, any losses are limited and that essential data, functions and the maintenance of regulatory activities are preserved. Where this is not possible, the policy should ensure the timely recovery of data and functions and the resumption of regulatory activities.
What needs to be reviewed?
- How will you communicate with members of staff and with customers?
- Do you have alternative office premises?
- What are your critical functions and business processes?
- Are computer files backed up and kept off site?
- How are paper files stored, and is there information on them that cannot be accessed via computer?
- Do you operate a clear desk policy?
- How do you store financial accounts, cheque books etc.?
- Are your business strategy plans secure?
The firm then needs to establish and maintain an effective business continuity plan for its entire operation.
Business continuity planning
The content of this plan will depend on the size of the firm, but could include the following:
- Resource requirements such as people, systems and other assets and the arrangements for obtaining these resources.
- Documented process for implementing the business continuity plan.
- Recovery priorities.
- Communication arrangements for internal and external concerned parties including: FCA, clients, staff and suppliers.
- Processes for validating the integrity of any information affected by the interruption.
- Recovery team activities checklist.
- Recovery team contact details.
- Staff contact details.
- Alternative accommodation requirements.
- Critical business functions.
- Critical business documents/data.
- Critical PC/other systems applications.
- Client list.
- Renewal list.
- Critical suppliers/services/markets.
- Counselling.
The plan needs to be documented, communicated to everyone in the firm, regularly updated and tested to ensure that it actually works.
A copy of a business continuity plan is included in the template section at the end of this chapter (SYSC Template 11).
Regular monitoring
Firms should monitor and, on a regular basis, evaluate the adequacy and effectiveness of their systems and controls. To enable you to do this, an audit checklist is included in the template section at the end of this chapter (SYSC Template 9). A compliance activity log detailing common compliance activities that need to be carried out during the year is also included in this section (SYSC Template 6).
Audit Committee
Depending on the size, nature and complexity of the firm it may be appropriate to set up an audit committee. An audit committee could:
- examine management’s process for ensuring the appropriateness and effectiveness of its systems and controls;
- examine the arrangements made by management to ensure compliance with requirements and standards;
- oversee the internal audit function; and
- provide an interface between management and external auditors.
An audit committee should have an appropriate number of non-executive directors and formal terms of reference.
Persons directing the business
The senior personnel (normally Directors or equivalent) of a firm should be of sufficiently good repute and sufficiently experienced to ensure sound and prudent management of the firm.
Responsibility of senior personnel
A firm must ensure that directors and senior managers (senior management) have the responsibility for ensuring that the firm complies with its obligations under the regulatory system.
Senior management should receive, on a regular basis and at least annually, written reports on the firm's compliance. These should cover their regulatory responsibilities and risk assessments, and should identify the remedial action taken where deficiencies have occurred.
They must also periodically review the effectiveness of the internal procedures put in place to meet regulatory requirements and take appropriate measures to address any deficiencies.
Apportionment of responsibility
The FCA requires a firm to apportion significant responsibilities amongst its directors, senior managers or partners, so that it is clear:
- who has responsibility; and
- that the business affairs are adequately monitored and controlled.
The firm also needs to make and keep a record of these arrangements (e.g. by means of an organisation chart). These records need to be kept up to date and retained for six years from the date on which they were superseded by a newer version.
Overall responsibility falls on the firm’s chief executive, senior partner or whoever assumes executive control. If this role is shared then the responsibilities become jointly owned. If there is no chief executive or equivalent, then the responsibilities will fall on the individual managers and directors responsible for the management of the firm.
With a smaller firm the business owner will become responsible for all or many of the functions.
The senior managers of the firm should be of sufficiently good repute and sufficiently experienced so as to ensure sound and prudent management of the firm.
Senior Manager responsibilities need to be formally documented in Statements of Responsibility as part of the Senior Managers and Certification Regime and are covered in the Supervision (SUP) section.