The following items are no longer specifically required under SYSC rules; however, they are implicit within the rules and guidance and are considered good business practice.
Business strategy/plan
One of the most significant changes in the FCA’s regulatory approach is that they expect firms to be proactive in running their business and establishing a compliant regime.
What does this mean?
They will expect you to take into account the future look of the business in any planning you do today.
Examples are:
- If the firm intends to grow through acquisition of new businesses, this must be taken into account in your solvency margins and also in your systems and controls (these need to be sufficient to meet the future intentions of the business).
- If the firm has older members of staff in key areas, they expect the firm to have considered succession planning.
The FCA expects firms to have a regulatory business plan. It is not prescriptive about the form such a plan should take, but it will expect the plan to be documented and achievement against it to be monitored. The FCA will expect the firm to submit a regulatory business plan with any applications to vary permissions or add new permissions. If it undertakes thematic or supervisory work with a firm, it will ask to see a copy of this plan.
What should a regulatory business plan include?
- Background to the Firm
- Target markets and opportunity
- Products and Services being provided
- Long term strategy and growth plans
- Marketing and customer acquisition
- Advised and non-advised sales
- Employment background of Advisors – sale of insurance products
- Disaster Recovery and Business Continuity
- Business Risks
- Outsourcing Arrangements
- Conflicts of Interest
- Treating Customers Fairly
- Overview of systems and controls
You may have separate plans for training, recruitment and sales generation, but all of these should link back to the main aims and objectives.
Management information
To ensure a firm is able to meet its obligations under Systems and Controls, and in particular those pertaining to monitoring compliance, risk control and conflicts of interest, a firm should provide its ‘governing body’ with the information it needs to play its part in identifying, measuring, managing and controlling risks of regulatory concern. Risks of regulatory concern are those risks which relate to fair treatment of customers, protection of consumers, confidence in the financial system and prevention of financial crime.
What is management information?
Management information (MI) is the data needed to ensure a firm is able to run the business on a day-to-day basis and also look forward to the future. It is up to you to decide what information is required, when and for whom, so that you can organise and control your activities and can comply with your regulatory obligations.
The FCA has stressed that the detail and extent of information required will depend on the nature, scale and complexity of the business. For smaller businesses you may want to know everything that is happening in the business. However, for larger businesses, you may only want aggregate and summary information.
The FCA requires that a firm’s management information (MI) meets the following criteria:
- is sufficient to identify, measure and control all the material risks in the business, including new products and new business;
- is timely to enable prompt action to be taken where necessary;
- is detailed enough (without being so detailed as to lose impact) for the various levels of management (including the ‘governing body’) that use it;
- covers the activities of branches, subsidiaries or appointed representatives;
- is not just about static historical data, but also considers the possible range and variability of potential outcomes. Therefore, it should:
  - include the results of stress and scenario testing to help identify the financial impact of risks in different scenarios e.g. results of any disaster recovery tests; and
  - measure the ability of the business to withstand adverse conditions over a prolonged period e.g. slump in insurance sales.
Good MI should enable management to make good decisions and to do this it needs to be:
- Accurate – the correct numbers with any commentary contributed by the right people;
- Timely – available sufficiently quickly after the relevant business activity to enable managers to act;
- Relevant – displaying what a manager can directly influence or something that may need to be escalated to someone who can take the appropriate action; and
- Consistent – consistent on a period to period basis to allow managers to spot trends and make sound decisions.
Examples of other types of MI that a firm might produce (according to their size and spread of business) include:
- profit and loss (including a breakdown of the results) for significant business/geographic areas or product lines;
- comparison of actual spend versus budget and explanation of variances;
- risk/reward information, capital used and allocation;
- sales and losses;
- customer satisfaction measures and complaints;
- performance of service providers;
- market share data;
- compliance with regulatory requirements (financial and other) e.g. breaches and actions taken;
- information on all risks facing the business including insurance, credit, market, operational risks (for example, processing and documentation errors, claims handling, business interruption, financial crime) and legal risk;
- potential conflicts of interest; and
- staff information, such as those joining the firm, leavers, those attaining professional qualification, promotions and succession planning.