Senior Management Arrangements, Systems & Controls SYSC
7.1 Introduction
SYSC (Senior Management Arrangements, Systems & Controls) details the FCA’s requirements for firms to have effective and appropriate systems and controls in place to ensure compliance with regulatory requirements and the mitigation of risk.
This compliance manual contains many of those controls in the form of policies, procedures and guidance information and provides specific Risk Management procedures and measures for mitigating against and managing both internal and external risk factors.
SYSC also encourages the company Director/s and Senior Managers to take responsibility for ensuring that the relevant systems and controls are developed, implemented, monitored and maintained to comply with regulatory requirements and business expectations.
Whilst not directly accountable for the development and implementation of compliant procedures, systems and controls, all staff are expected to read and understand the controls in place to guarantee that regulatory requirements are met and to comply with the rules. Staff also take responsibility for any procedure or governing guidance that relates to their own job role or business area.
Compliance applies to everyone and is a foundation on which this firm has been built. It is a contractual expectation and requirement that you comply with the rules, requirements and procedures at all times.
7.2 General Organisational Requirements
Within the company, significant responsibilities have been assigned to key staff so that each designated compliance aspect or business activity has named oversight and is monitored. The staff and the responsibilities assigned to them are detailed below; more information regarding the Approved Persons and Controlled Functions can be read in the relevant section/s of this manual.
| Area of Responsibility | Assigned to | Position |
|---|---|---|
| e.g. Money Laundering Officer | e.g. Bob Smith | e.g. Senior Manager |
| e.g. Operational Procedures | e.g. Jane Jones | e.g. Director |
| e.g. Compliance Oversight | e.g. Jim Davies | e.g. Compliance Manager |
| e.g. Health & Safety | | |
| e.g. IT & Risk Management | | |
| e.g. Complaint Handling | | |
This record is kept up-to-date and overall responsibility for the monitoring and oversight of this record is with [Compliance Officer].
The General Requirements as defined in SYSC 4 of the FCA Handbook have been addressed in different sections of this manual; a reference to each location is therefore provided below for ease of use.
[Once you have customised this compliance manual and added/removed any sections specific to your business type, you can note below where each general requirement is located in the manual for ease of reference.]
| General Requirements (SYSC 4) | Compliance Manual Section |
|---|---|
| Organisational Chart | |
| Apportioning of Responsibilities | |
| Regular Monitoring | |
| Confidentiality of Information | |
| Business Continuity | |
| Risk Management | |
| Internal Reporting | |
| Administrative Procedures | |
| Accounting Procedures | |
7.2.1 Insert: Business Continuity
[As a BCP/DR plan is comprehensive, confidential and business specific, you should reference the location of the document here as opposed to including the full content in your manual. We have included a basic BCP Template in 02_Manual_Supporting_Documents.]
7.3 Compliance
The company has a regulatory and ethical responsibility to ensure that we develop, implement and maintain adequate and effective policies and procedures to ensure that the firm, its business activities, staff and managers are all compliant with their obligations under the regulatory system.
This Compliance Manual provides the policies, procedures and guidance information that is used to ensure this compliance and the training and dissemination of any such documents throughout the firm.
7.3.1 Compliance With the Rules
SUP 15.3.11 of the FCA Handbook requires a firm to notify the regulator (and any other relevant party, e.g. the customer, ICO, 3rd parties etc) of any breaches of rules and other requirements in or under the Consumer Credit Act 1974 or breaches of the FCA Handbook rules. The company has robust and documented compliance breach procedures for any instance of compliance failings, which are disseminated to staff within this manual and as part of their induction and ongoing compliance training.
SUP 15.3.11 states that a firm must notify the FCA of:
- A significant breach of a rule (which includes a Principle, a Statement of Principle or a COCON rule)
- A significant breach of any requirement imposed by the CCA or by regulations or an order made under the CCA
- A breach of any requirement imposed by the Act or by regulations or an order made under the Act by the Treasury
- The bringing of a prosecution for, or a conviction of, any offence under the Act or the CCA
- A breach of a directly applicable provision in the MiFID Regulation
- A breach of a directly applicable provision in the EU CRR or any directly applicable regulations made under CRD or the EU CRR
- A breach of any requirement in regulation 4C(3) (or any successor provision) of the Financial Services and Markets Act 2000 Regulations 2007
Notifications made by the company of any compliance breach under SUP 15.3.11, the ICO regulations or our own internal breach protocols include: –
- Information about any circumstances relevant to the breach or offence
- Identification of the rule, requirement or offence
- Information about any steps that the firm or authorised person has taken or intends to take to rectify or remedy the breach or prevent any future potential occurrence
7.4 Compliance Breach Policy & Procedure
- Policy Statement
The company is committed to its obligations under the regulatory system and maintains a robust and structured program for compliance adherence and monitoring. We carry out frequent risk assessments and gap analysis reports to ensure that our compliance processes, functions and procedures are fit for purpose and that mitigating actions are in place where necessary. Should a compliance breach nevertheless occur, this policy states our intent and objectives for dealing with it.
Although we understand that not all risks can be completely mitigated, we operate a robust and structured system of controls, measures and processes to help protect our business and customers from the risks associated with compliance breaches.
- Purpose
The purpose of this policy is to provide an overview of the Company’s approach to any form of compliance breach within the organisation, to set out and explain who is responsible for reporting, communicating and investigating any such breach and to explain our definition of a breach.
The aim of this policy is to prevent compliance breaches within the organisation and to provide guidance on protocols for any breaches which may occur. Staff are kept informed of any changes to this policy and its associated procedures and any reviews and/or updates are disseminated by the Compliance Officer.
- Scope
The policy applies to all staff (meaning permanent, fixed term, and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with the company in the UK or overseas) within the organisation and has been created to ensure that staff deal with the area that this policy relates to in accordance with legal, regulatory, contractual and business expectations and requirements.
- What Is a Breach?
The Company’s definition of a breach, for the purposes of this and related documents, is a divergence from any standard operating procedure (SOP) which causes a failure to meet the required compliance standards as laid out by our own compliance program objectives and/or those of any regulatory body.
Compliance in this document means any area of business that is subject to rules, laws or guidelines set out by a third party which are to be followed and which, when breached, could cause emotional, reputational or financial damage to a third party.
Such incident examples include (but are not limited to): –
- Not ensuring TCF principles are followed during verbal/written tasks
- Failing to carry out the set DPA checks during incoming/outgoing calls
- Disclosure of system/confidential data to unauthorised personnel or third parties
- Hacking or attempted hacking by staff, third-parties or outsiders
- Suspected breach of the firewalls or malicious attack
- Unattended terminals left logged in
- Confidential storage areas left unlocked whilst unattended
- Attempts to obtain information by deception (e.g. fake phone calls or e-mails)
- Disclosure of restricted or confidential information (e.g. passwords, key-codes) to unauthorised personnel
- Discovery of malicious or unauthorised software, such as a computer virus
- Suspected or actual Data Protection Act breaches
- Suspected or actual Data Security breaches
- Loss of portable/remote computing equipment (e.g. Laptop; Blackberry)
- Actual or attempted unauthorised entry to a secure area
- Actual or attempted tailgating
- Unauthorised or unattended visitors
- Confidential documents (hard-copy or electronic) left in public view or view of windows/outside access
- Breach Monitoring & Reporting
The company has a [Compliance Officer/Senior Manager] who is responsible for the review and investigation of any compliance breach, regardless of the severity or containment. All breaches must be reported to this person with immediate effect, whereby the Compliance Breach Procedures and Compliance Breach Incident Form will be used and followed.
All breaches will be investigated in full and a report given to the Senior Management and Directors once containment has been achieved. Risk assessment procedures will then be used to review and amend any areas highlighted by a gap analysis, and the resulting changes logged in the Change Management and Document Control records.
- Objectives
- To maintain a robust set of compliance procedures which aim to mitigate against any risk and provide a compliant environment for trading and business activities
- To develop and implement strict compliance breach and risk assessment procedures that all staff are aware of and can follow
- To ensure that any compliance breaches are reported to the correct regulatory bodies within the timeframes as set out in their code of practice or handbooks
- To use breach investigations and logs to assess the root cause of any breaches and to implement a full review to prevent further incidents from occurring
- To use the Compliance Breach Incident Form for all breaches, regardless of severity so that any patterns in causes can be identified and corrected
- To comply with regulating bodies and laws on compliance breach methods, procedures and controls
- To protect consumers, clients and staff – including their data, information and identity
6.1 Compliance Breach Rules
The Company has a regulatory and ethical responsibility to ensure that we develop, implement and maintain adequate and effective policies and procedures to ensure that the firm, its business activities, staff and managers are all compliant with their obligations under the regulatory and legal system.
SUP 15.3.11 of the FCA Handbook requires a firm to notify the regulator (and any other relevant party, e.g. the customer, ICO, 3rd parties etc) of any breaches of rules and other requirements in or under the Consumer Credit Act 1974 or breaches of the FCA Handbook rules. The Company has robust and documented compliance breach procedures for any instance of compliance failings, which are disseminated to staff as part of their induction and ongoing compliance training.
SUP 15.3.11 states that a firm must notify the FCA of:
- A significant breach of a rule (which includes a Principle, a Statement of Principle or a COCON rule)
- A significant breach of any requirement imposed by the CCA or by regulations or an order made under the CCA
- A breach of any requirement imposed by the Act or by regulations or an order made under the Act by the Treasury
- The bringing of a prosecution for, or a conviction of, any offence under the Act or the CCA
- A breach of a directly applicable provision in the MiFID Regulation
- A breach of a directly applicable provision in the EU CRR or any directly applicable regulations made under CRD or the EU CRR
- A breach of any requirement in regulation 4C(3) (or any successor provision) of the Financial Services and Markets Act 2000 Regulations 2007
Notifications made by the company of any compliance breach under SUP 15.3.11, the ICO regulations or our own internal breach protocols include: –
- Information about any circumstances relevant to the breach or offence
- Identification of the rule, requirement or offence
- Information about any steps that the firm or authorised person has taken or intends to take to rectify or remedy the breach or prevent any future potential occurrence
- Procedures
7.1 Identification of an Incident
As soon as a breach has been identified, it should be reported to both a line manager and the reporting officer (Compliance Officer/Senior Management) immediately so that breach procedures can be initiated and followed without delay.
Reporting incidents is essential to the compliant functioning of the Company and is not about apportioning blame. These procedures are for the protection of the Company, its staff, customers, clients and third parties and are of the utmost importance for legal and regulatory compliance.
As soon as an incident has been reported, measures must be taken to contain the breach. Such measures are not in the scope of this document because of the wide variety of possible breaches and containment measures; however, the aim of any such measure should be to stop any further risk/breach to the organisation, customer, client, third party, system or data prior to investigation and reporting.
7.2 Breach Recording & Notification
7.2.1 Step 1
The Company has a Breach Incident Form (Appendix A) which is located at the end of this procedure document and is to be completed after every instance of an incident, regardless of severity or outcome. Completed forms are to be logged in the Breach Incident Folder (electronic or hard copy) and to be logged on a Risk Assessment Record so that any subsequent breach can be cross-referenced.
Completion of the Breach Incident Form (Appendix A) is only to be actioned after containment has been achieved and is only to be completed and signed off by the Compliance Officer or a member of the Senior Management Team.
7.2.2 Step 2
A full investigation is to be conducted and recorded on the incident form, the outcome of which is to be communicated to all staff involved in the breach in addition to upper management. A copy of the completed incident form is to be filed for audit and record purposes.
7.2.3 Step 3
Where the breach relates to a Data Protection issue, the Information Commissioner’s Office (ICO) is to be notified in accordance with their protocols and their ‘Security Breach Notification Form’ is to be completed and submitted. In addition, any clients/customers whose data or personal information has been compromised should be notified as soon as possible and kept informed throughout the investigation, with a full report being provided of all outcomes and actions.
7.2.4 Step 4
Under section SUP 15.3 of the FCA Handbook, a firm must notify the FCA with immediate effect if it becomes aware that the following has occurred: –
- a) the firm has failed to satisfy one or more of the threshold conditions (COND)
- b) any matter which could have a significant impact on the firm’s reputation
- c) any matter which could affect the firm’s ability to continue to provide adequate services to its customers and/or which could result in detriment to the customer
- d) any matter in respect of the firm which could result in serious financial consequences to the UK financial system and/or to other firms
The [Compliance Officer] is responsible for liaising with the designated FCA representatives on any matter which falls into one or more of the above categories and for following the rules and requirements as defined by the FCA Handbook.
8. Risk Assessment
8.1 Human Error
Where the compliance breach is the result of human error, an investigation into the root cause is to be conducted and a formal interview with the employee is to be held.
A review of the procedure/s associated with the breach is to be conducted and a full risk assessment completed in accordance with The Company’s existing Risk Assessment Procedures. Any identified gaps that are found to have caused/contributed to the breach are to be revised and risk assessed to mitigate any future occurrence of the same root cause.
Resultant employee outcomes of such an investigation can include, but are not limited to: –
- Re-training in specific/all compliance areas
- Re-assessment of compliance knowledge and understanding
- Suspension from compliance related tasks
- Formal warning (in-line with The Company’s disciplinary procedures)
8.2 System Error
Where the compliance breach is the result of a system error/failure, the IT team are to work in conjunction with the Compliance Officer to assess the risk and investigate the root cause of the breach. A gap analysis is to be completed on the system/s involved and a full review and report added to the Compliance Breach Incident Form (Appendix A).
Any identified gaps that are found to have caused/contributed to the breach are to be revised and risk assessed to mitigate and prevent any future occurrence of the same root cause.
Full details of the incident should be determined and mitigating action such as the following should be taken to limit the impact of the incident:
- Attempting to recover any lost equipment or personal information
- Shutting down an IT system
- Removing an employee from their tasks
- The use of back-ups to restore lost, damaged or stolen information
- Making a building secure
- If the incident involves any entry codes or passwords, then these codes must be changed immediately, and members of staff informed
8.3 Assessment of Risk and Investigation
The Compliance Officer should ascertain what information was involved in the compliance breach and what subsequent steps are required to remedy the situation and mitigate any further breaches. The lead investigator should look at: –
- The type of information involved
- Its sensitivity or personal content
- What protections are in place (e.g. encryption)?
- What happened to the information/Where is it now?
- Whether there are any wider consequences/implications to the incident
The appointed lead should keep an ongoing log and clear report detailing the nature of the incident, steps taken to preserve any evidence, notes of any interviews or statements, the assessment of risk/investigation and any recommendations for future work/actions.
- Breach Notifications
[Applicable where the breach involves personal data regulated under DPA18/GDPR]
The Company understands that we have obligations and a duty to report data breaches in certain instances. All staff are aware of these circumstances and we have strict internal reporting lines to ensure that data breaches falling within the notification criteria are identified and reported without undue delay.
9.1 Supervisory Authority Notification
The Supervisory Authority is to be notified of any breach where it is likely to result in a risk to the rights and freedoms of individuals, i.e. situations where, if the breach were ignored, it would lead to significant detrimental effects on the individual.
Where applicable, the Supervisory Authority is notified of the breach no later than 72 hours after we become aware of it and is kept informed throughout any breach investigation, being provided with a full report, including outcomes and mitigating actions, as soon as possible and always within any specified timeframes.
If for any reason it is not possible to notify the Supervisory Authority of the breach within 72 hours, the notification will be made as soon as is feasible, accompanied by reasons for any delay. Where a breach is assessed by the DPO and deemed to be unlikely to result in a risk to the rights and freedoms of natural persons, we reserve the right not to inform the Supervisory Authority in accordance with Article 33 of the GDPR.
The notification to the Supervisory Authority will contain: –
- A description of the nature of the personal data breach
- The categories and approximate number of data subjects affected
- The categories and approximate number of personal data records concerned
- The name and contact details of our Data Protection Officer and/or any other relevant point of contact (for obtaining further information)
- A description of the likely consequences of the personal data breach
- A description of the measures taken or proposed to be taken to address the personal data breach (including measures to mitigate its possible adverse effects)
Breach incident procedures and an investigation are always carried out, regardless of our notification obligations and outcomes and reports are retained to be made available to the Supervisory Authority if requested.
Where the Company acts in the capacity of a processor, we will ensure that the controller is notified of the breach without undue delay. In instances where we act in the capacity of a controller using an external processor, we have a written agreement in place to state that the processor is obligated to notify us without undue delay after becoming aware of a personal data breach.
9.2 Data Subject Notification
When a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, we will always communicate the personal data breach to the data subject without undue delay, in writing and in a clear and legible format.
The notification to the Data Subject shall include: –
- The nature of the personal data breach
- The name and contact details of our Data Protection Officer and/or any other relevant point of contact (for obtaining further information)
- A description of the likely consequences of the personal data breach
- A description of the measures taken or proposed to be taken to address the personal data breach (including measures to mitigate its possible adverse effects)
We reserve the right not to inform the data subject of any personal data breach where we have implemented the appropriate technical and organisational protection measures which render the data unintelligible to any person who is not authorised to access it (i.e. encryption, data masking etc) or where we have taken subsequent measures which ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise.
If informing the data subject of the breach involves disproportionate effort, we reserve the right to instead make a public communication whereby the data subject(s) are informed in an equally effective manner.
Please refer to our GDPR Data Breach Policies, Procedures and Incident Form for the specific process of investigating and recording a personal information breach.
10. Record Keeping
All records and notes taken during the identification, assessment and investigation of the compliance breach are to be logged and signed by the Compliance Officer and retained for a period of 6 years from the date of the incident. Incident forms are to be reviewed monthly to assess for patterns or breach reoccurrences, and actions taken to prevent further incidents from occurring.
11. Responsibilities
The Company will ensure that all staff are provided with the time, resources and support to learn, understand and implement all procedures within this document, as well as their responsibilities and the breach incident reporting lines.
The Compliance Officer and Senior Management are responsible for regular compliance audits and gap analysis monitoring and their subsequent reviews and action follow ups. There is a continuous audit trail of all compliance reviews and procedural amendments and feedback to ensure continuity through each process and task.
7.4.1 Breach Incident Form Templates
[Insert location/hyperlink to external location of this document]
[We have included a Compliance Breach Incident Form template in 02_Manual_Supporting_Docs. If you have purchased the GDPR version, you will also have a specific Data Breach Form included in the SET010_GDPR_Bundle]
7.5 Internal Audits
The purpose of internal audits is to assess, monitor, review and analyse the procedures, systems and controls that the company has in place to ensure that they are compliant with the regulatory requirements.
It is our responsibility as a regulated firm to carry out frequent audits on all procedures and to review the results and provide gap analysis information so that any shortcomings can be assessed and corrected without negative consequences occurring.
Section SYSC 6.2 of the FCA Handbook advises that a firm has a responsibility to: –
- (1) establish, implement and maintain an audit plan to examine and evaluate the adequacy and effectiveness of the firm’s systems, internal control mechanisms and arrangements
- (2) issue recommendations based on the result of work carried out in accordance with (1)
- (3) verify compliance with those recommendations
- (4) report in relation to internal audit matters in accordance with SYSC 4.3.2 R
7.6 Audit & Monitoring Policy & Procedures
- Policy Statement
An internal audit, as it applies to the Company, is an independent and unbiased assessment and appraisal process that reviews all operations, tasks, functions and business activities within our organisation. Audits are completed by varying staff members in accordance with the activity being reviewed.
This Audit & Monitoring Policy has been developed to assist the Company and its staff in the assessment, monitoring, review and analysis of all business functions, procedures, systems and controls; with the aim of ensuring that all legal, contractual and regulatory standards and requirements are met, complied with and maintained.
It is our responsibility to carry out frequent audits on all procedures and to review the results and provide gap analysis information, so that any short-comings or gaps can be assessed and corrected without negative consequences occurring, thus reducing the risk to our customers, clients and associated third-parties.
The Company has a responsibility to: –
- establish, implement and maintain an audit plan to examine and evaluate the adequacy and effectiveness of the firm’s systems, internal control mechanisms and arrangements
- monitor and evidence compliance with the relevant laws, regulations, contracts and codes of conduct as applicable to our organisation
- review processes and procedures on a frequent basis to ensure that they are still fit for purpose and adequately meet the requirements and purpose of the task they relate to
- keep abreast of laws and regulations that apply to the Company, so that procedures, controls and systems can be updated as soon as any changes or revisions occur
- provide feedback and appraisals to employees using monitoring and audit data and management information
- Purpose
The purpose of this policy is to provide the Company’s statement of intent, objectives and step-by-step procedures, as they relate to compliance monitoring and internal audits, along with any associated procedures and documentation. The Company carries out internal audits on all its employees, systems, processes and business activities in conjunction with the below objectives and in accordance with legal, contractual and regulatory guidance in all compliance areas, with the purpose of ensuring compliance, preventing breaches, assessing risks and protecting individuals and their personal data.
Our internal audit procedures are an assurance as to the effectiveness of our corporate governance, risk and compliance, business continuity management and internal controls. We aim to provide an independent and objective review of all business activities, operations, processing activities, financial systems, IT systems, and internal controls; through operational, financial and performance related audits. The procedures and related documents named herein, give the organisation and its employees, structure and guidance for carrying out internal audits.
- Scope
This policy applies to all staff within the Company (meaning permanent, fixed term, and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with the Company in the UK or overseas). Adherence to this policy is mandatory and non-compliance could lead to disciplinary action.
The [Named Person/Senior Manager/Compliance Officer] (hereinafter referred to as the lead officer) is responsible for carrying out and/or overseeing all audits and ensures compliance in the business areas listed below. Where the process or activity relates to the processing of personal data or any data protection regulation, the Data Protection Officer (or appointed person) has joint responsibility with the lead officer. The lead officer can also appoint an audit team to assess and ensure compliance across the organisation.
- Operational Audits
- Compliance Audits
- Financial Audits
- Anti-Money Laundering & Financial Crime Audits
- Information Security & Business Continuity Audits
- Data Protection & Processing Activity Audits
- [Add/Delete specific regulatory requirement] (i.e. FCA, PRA etc)
- Objectives
The company conducts internal audits with the objective of providing management information to organisational staff and third parties (including clients, regulators, external auditors and suppliers) and to ensure that efficient systems and processes are in place to achieve the overall business objectives.
The main objectives of our internal audits are to: –
- Ensure compliance with regulatory, legal and contractual rules
- Ensure adherence to and compliance with FCA Handbook rules as they apply to this organisation and the industry within which it operates
- Prevent compliance breaches and exposure to risks
- Promote an anti-fraud and anti-bribery corporate environment
- Provide assurance and give confidence to suppliers and clients
- Assess the effectiveness and functionality of all business activities
- Promote a culture of assessment, review and action to maintain growth and efficiency
- Keep systems and activities up to date in accordance with industry standards
- Provide a systematic and structured approach to assessment and review
- Maintain an audit history log for regulatory and investigative purposes
- Review and assess the effectiveness and adequacy of procedures, internal controls and systems
- Check for compliance breaches or risk-based divergence from SOPs
- Ensure third-party data is secure within the remit of the business activities
- Ensure the organisation’s assets and interests are adequately protected
- Ensure that risks are identified and mitigated against
4.1 Code of Ethics
Staff who conduct internal audits, whether on a one-off or regular basis, will adhere to the below code of ethics as used by standard auditors: –
- a) Competency – staff tasked with completing internal audits will have training and experience in this area and will continue an ongoing course of professional development in relation to audit procedures, industry standards and regulatory expectations. Staff will be knowledgeable and able to carry out audits in a consistent and capable manner and will apply these skills in the performance of the internal audit services.
- b) Objectivity – staff who engage in any aspect of internal audit will remain objective, unbiased and independent in both their approach and their administering of the audit procedures. Information gathered for audit purposes will be gathered in a professional and objective manner and will be used to adhere to the relevant objectives, roles and responsibilities.
- c) Confidentiality – internal audit staff will respect the information gathered during audits and will use the data solely for the purpose/s it is intended for. No information will be disclosed unless it is for specific audit purposes or is a legal, contractual or regulatory obligation.
- Compliance Monitoring & Internal Audit Procedures
The Company will appoint a lead auditor for each audit project for the purposes of continuity and recourse but will also assign internal audit functions to supervisors, line managers, departmental managers and senior managers as the system or process necessitates. All staff engaging in audit procedures will hereafter be referred to as ‘Audit Staff’.
The Audit Staff are responsible for utilising a systematic and disciplined approach to evaluating and assessing internal controls, systems and processes and to improve their effectiveness and efficiency as they relate to the business objectives.
Audit Staff are responsible for developing and maintaining a comprehensive audit program, which will include (but is not limited to): –
- Audit Checklists
- Evaluation Plans
- Audit Policy
- Audit Procedures
- Audit Records
- Rolling Audit Assessments
- Due Diligence Third Party Checks
- [Add/delete as applicable]
The audit program will ensure compliance with accounting standards, regulatory requirements, data protection laws, legal and contractual obligations, relevant accreditation and codes of conduct followed by the Company and our own operating policies and procedures.
The Audit Staff are responsible for communicating all audit results and subsequent system/process changes to the relevant staff and for producing management information, which will include recommendations for alterations to any activities, practices or systems that do not meet the expected or required standards.
The Audit Staff are responsible for the development, evaluation, monitoring and review of the below audit areas.
5.1 Financial Conduct Authority (FCA) Handbook Audits
These audits are to assess all business activities and systems and to ensure that the organisation is operating within the rules and guidelines as laid out in the FCA Handbook and as applicable to this organisation’s regulated activities. This includes (but is not limited to) audits and assessments on the below areas: –
- Treating Customers Fairly Principles
- Vulnerable Customers
- Complaints Procedures
- Conduct of Business Requirements
- Systems & Controls
- FCA Handbook Compliance
- [Add/Delete]
Compliance audits serve the purpose of ensuring adherence to the FCA’s rules and guidelines and any recommendations are usually improvements in systems and/or processes that help to ensure compliance with the FCA.
5.2 Operational Audits
Such audits and monitoring are to assess operational business activities and systems that are specific to the functioning and continued trading of the company. The frequency of such audits is noted on the Compliance Monitoring Document, and the audits are designed to ensure that the organisation is operating within our standard operating procedures and within business and employment law. This includes (but is not limited to) audits and assessments on the below areas: –
- Staff Training, Development & Competence
- Records Management & Retention
- Internal Systems & Controls
- Risk Assessment Management
- HR Functions and Procedures
- Recruitment, Selection & Induction Processes
- Outsourcing & Due Diligence Procedures
- Management & Leadership Programs
- [Add/Delete]
These audits ensure that all processes and systems are at their most effective and efficient when assessed against the main business objectives and operating procedures.
5.3 Compliance Function Audits
These audits involve all business activities and systems that have an associated or direct impact on regulatory or legal compliance and are essential to the compliant functioning of the company.
These areas include: –
- Data Protection
- Freedom of Information Act
- Information & Physical Security
- PCI Compliance
- Anti-Money Laundering & Financial Crime
- Anti-Bribery
- [Add/Delete]
These compliance audits serve the purpose of ensuring adherence to regulators’ rules, guidelines, laws and codes of conduct. They are audited on a frequent and rolling basis against the requirements of the relevant law or regulation.
5.4 Financial Audits
These audits review the accounting systems and processes and assess all financial transactions to ensure that all funds are being used, recorded and reported accurately and properly. Such audits must be carried out by staff who are trained and knowledgeable in the finance area, which can include external accountant audits if applicable.
Financial audits determine if the internal controls governing the cash and assets associated with the organisation are effective, efficient and fit for purpose and that adequate process controls are in place to mitigate against financial crime.
6. Frequency of Audits
Audit frequency is determined by the risk rating and regulatory implications of the business activity involved. Processes and systems are given an audit rating and assigned a frequency of check dependent on this rating. The audit rating takes into consideration how often the activity is performed, its regulatory impact, its risk rating and its priority as a business function. This information is detailed on the Compliance Monitoring & Audit Evaluation Plan.
7. The Audit Program
7.1 Scope of Audit Program
To ensure complete coverage, the audit component of the compliance program includes testing of the firm’s compliance with specific regulatory and legal requirements as well as its own internal compliance policies and procedures. These seek to assess the adequacy of the compliance program itself and provide a gap analysis report for senior management. Risk assessment procedures are detailed in the Risk Management documents and are not included in this policy.
7.2 Methods and Audit Techniques
The methods of internal audits and checks include: –
- Call Monitoring – listening to staff calls, both internal and external, and auditing against written call procedures and compliance requirements.
- Physical Audit – the auditor carries out the activity themselves to evaluate the process/system involved in the audit and to ensure compliance and functionality.
- Monitored Audit – the auditor assesses an employee carrying out a business activity to assess staff adherence to company procedures and regulatory compliance.
- Email Reviews – a sample of internal and external emails are reviewed to ensure compliance with business processes and compliance requirements.
- Employee Interviews – staff are involved in discussions about business activities and systems to ensure their knowledge and competence are at an acceptable level for the hired role.
- Document Control – existing procedures and policies are reviewed by the auditors to ensure they are fit for purpose, efficient and effective and that they adhere to regulatory requirements.
- Risk Assessment – mitigating strategies associated with each business activity are reviewed and followed to ensure that they mitigate against the associated risk and are fit for purpose.
- [Add/Delete]
7.3 Development of the Audit Plan
The [Insert Responsible Person/s] is/are responsible for the development and integration of the Audit Plan, including those areas outlined in the Compliance Monitoring Programme Document and those unscheduled audits, required where errors and/or gaps have been identified.
The company creates an Audit Plan at the start of each [day/week/month/year*], which documents the specific audits, staff, compliance areas and/or projects to be performed by the Internal Audit Team. The Audit Plan is then submitted to the Senior Management/Directors for review and approval.
7.4 Communication
The Internal Audit Team will schedule a meeting with the department manager/s of the area, staff or process to be audited. They will relay the identified reason, scope and objectives of the audit, provide guidance on the estimated duration of the audit and ask for input prior to undertaking the review. Where any factors or issues have been raised, these are included in the audit notes.
All staff involved in the audit process are kept informed and are provided with guidance and information as applicable to the task being carried out. They are also kept informed of any findings and follow-up reviews on a regular basis. In some instances, findings are addressed immediately.
7.5 Audit & Monitoring Process
Although the company recognises that every audit and/or project is unique, our audit process does follow similar steps for most areas, with an aim to minimise risks and increase efficiencies within the company.
The procedures for internal audits and compliance checks are as follows: –
- Choose the activity or system to be audited
- Determine a timeline. Since audits are often disruptive to daily functions, you should aim to allow the departments to maintain daily routines as much as possible, while still allotting time to complete the review thoroughly.
- Create a checklist of items that the auditor should observe when reviewing a file/task/account/employee.
- Use a Compliance Monitoring & Internal Audit Assessment Form to log all methods and findings
- Obtain a copy of the current activity procedure from document control
- Assess the process being performed against the steps on the procedural document and note any differences on the CMIA Form
- List recommended actions if the activity was performed unsuccessfully
- Note audit log information on the CMIA Evaluation Plan
- Create an MI report of the audit results and communicate it to the relevant staff
- [Add/Delete]
All CMIA Forms are to be kept (either electronically or as hard copies) as an audit history log and used in conjunction with the CMIA Evaluation Plan.
Auditors must obtain all evidence necessary for the effective completion of the audit, for which the auditor’s judgement based on experience, knowledge and intuition is to be used. A thorough knowledge of the concepts underlying audit evidence will help the auditor to improve the audit quality and efficiency of the process.
7.6 Auditor Expectations
It is common practice at the company to utilise existing task procedures to carry out audits and to ensure that these procedures are suitable, up-to-date and compliant. However, any audit also necessitates utilising an auditor’s opinions, observations, experience and recommendations as part of the audit process. To this end, all members of the Audit Team are obligated by professional standards to act objectively, exercise due professional care and collect sufficient and relevant information to provide a sound basis for audit observations and recommendations.
We ensure that where any staff member is expected to carry out audits, they hold sufficient skills, knowledge and experience to do so and that they meet all the regulatory requirements for performing an audit and monitoring role. We also provide all auditing staff with a thorough knowledge of the concepts underlying audit evidence and procedures, to better aid the auditor, improve the audit quality and maximise the efficiency of the process.
7.7 Audit Evidence
Whilst some audits are reliant solely on the following of existing procedures and ensuring that they are carried out in full and that those procedures are still fit for purpose and compliant, there is also a need to complete audits that require evidence and the collation of information. Where this is the case, the evidence is expected to support the auditors in their role and to demonstrate sufficiency, competence and compliance.
Below are some of the evidence types used during our audit processes: –
- Physical Evidence – obtained through observation, inquiry and existing documentation
- Testimonial Evidence – taken from interviews, statements and assessments from any person/s involved in the process being audited
- Documentary Evidence – consisting of any existing documents, reports, meeting minutes, contracts, procedures or records relevant to the audit process and/or the task/person being reviewed
- Analytical Evidence – gathered and documented through the analysis of any information collected by the auditor during the audit
- Procedure Evidence – utilising existing task procedures to complete a walk-through of the task completion and auditing standards against those procedures
- [Add/Delete]
8. Reference Documents
Documents and procedures associated with this policy are as below: –
- Compliance Monitoring Document
- Quality Assurance Policy & Procedures
- Compliance Policy
- Internal Audit Evaluation Plan & Record
- Risk Management Documents
- Compliance Breach Procedures
9. Roles & Responsibilities
The company’s roles and responsibilities as they relate to compliance monitoring and internal audits are to: –
- review and assess the effectiveness and adequacy of procedures, internal controls and systems
- check for compliance breaches or risk-based divergence from SOPs
- ensure that the desired level of quality assurance is maintained
- ensure that staff are offering the accurate, appropriate and compliant advice, products and services
- ensure that customer risks are identified and mitigated against
The Compliance Officer has overall responsibility for the monitoring and audit process, associated reviews, management information and reporting; however, all managers must take accountability for their own staff and department areas and follow a consistent program of staff monitoring and training.
7.7 Quality Assurance & Performance Policy & Procedures
1. Purpose
Quality Assurance is defined as ‘the maintenance of a desired level of quality in a service or product, especially by means of attention to every stage of the process of delivery or production.’
The purpose of this Quality Assurance Policy & Procedure document is to provide the company’s aims, objectives and measures for the quality control of our products, services and staff performance. Our aim is to maintain a high standard of quality in the services that we deliver, customer outcomes, staff support and training and regulatory compliance.
Through the company’s quality standards and objectives, we have implemented a framework that defines what is acceptable and not acceptable from the services that we provide. These standards enable us to audit, measure, review and assess all services and outcomes against a set of targets and objectives and to act where a service or outcome does not meet the required standards.
It is the company’s aim and responsibility to ensure that the desired level of quality assurance is always maintained through audits and monitoring and that all employees are made aware of the policy and procedures, as well as understanding the quality definitions and how those standards are met and maintained.
2. Policy Statement
The company is committed to ensuring that it delivers the highest level of quality in the services that it delivers. To do this, we will ensure that we implement and maintain an effective and efficient quality assurance process and that all services, products, customer outcomes, treatment of customers, management and staff functions are included in the quality control and audit processes.
We have created this policy and associated set of procedures to support and achieve our quality standards and objectives, which have been created with the aim of: –
- Remaining compliant with legal and regulatory requirements
- Eliminating deficiencies and inaccuracies in our services and staff performance
- Ensuring high quality standards are achieved and maintained
- Ensuring customer outcomes are always above the desired level of quality
- Maintaining the desired quality of service as an ongoing concern
3. Scope
The policy and the associated procedures apply to all staff (meaning permanent, fixed term, and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with the company in the UK or overseas) within the organisation.
The Compliance Officer has overall responsibility for ensuring that quality controls and measures are in place and that all staff are made aware of them and understand the quality assurance standards.
Records are to be kept of all quality audits, customer outcomes, complaints and staff training and performance to ensure there is adequate and relevant management information available to achieve the desired level of quality assurance.
4. Objectives
The company conducts internal staff audits on performance and service levels to ensure that the desired standards of quality assurance are being met and maintained. Our approach to audits and monitoring follows the Plan, Do, Check and Act (PDCA) approach, enabling us to systematically monitor our staff and service levels against regulatory and our own objectives and standards.
We use the data collected during monitoring and audits to collate management information and reporting data to maintain our high standards and ensure compliance with legal and regulatory requirements.
The main objectives of our quality assurance and staff internal audit procedure are to: –
- ensure that we have robust and structured processes, policies, procedures and controls in place for providing the services that we offer
- ensure compliance with regulatory, legal and contractual rules
- ensure good and satisfactory customer outcomes
- operate within the parameters of the TCF principles
- identify and manage vulnerable customers
- assess personal and financial circumstances where applicable
- promote a culture of assessment, review and action to maintain growth and efficiency
- maintain consistency in work methods throughout the organisation
- monitor and assess staff performance and service levels
- ensure staff professional development and continued learning & competency
- implement root cause analysis to carry out improvements
- provide management information for assessing customer outcomes
5. Staff Monitoring
As a regulated firm, the company understands how important it is to monitor the service and advice that our staff are providing and to ensure that we comply with all aspects and requirements set out in the FCA Handbook.
Our staff monitoring controls and procedures utilise: –
- Call Monitoring Checklists (live & recorded)
- KPI Performance Management
- Target Achievement Levels
- Treating Customers Fairly Audits
- Vulnerable Customer Audits
- Data Protection Audits
- Competency Tests
- Adherence to Script Prompts
- [Add/delete as applicable]
The main areas that we monitor and assess for staff service and performance are: –
- TCF Outcomes (through calls, emails, letters and account working)
- Adherence to Data Protection Act and standards
- Customer Advice (quality, appropriate, affordable and sustainable)
- Service Solutions offered
- Vulnerable Customer standards
- Customer Satisfaction
- Quality of Calls and Emails (advice, etiquette etc)
- Transparency & Disclosure
- Cross-selling
- Financial Promotions
- Staff Incentives & Bonus Schemes
- Complaints
- [Add/delete as applicable]
6. Methods and Audit Procedures
The company aims to meet the above objectives in relation to quality assurance by using the Plan, Do, Check and Act (PDCA) method. Staff and process audits are planned by assessing the desired outcomes, quality and regulatory compliance that the task/service must conform to, and then using the Staff Monitoring Form (Appendix A) for recording.
The ‘Do’ stage involves the actual provision of the service that we offer and monitoring the outcomes against a set of pre-defined standards.
In the ‘Check’ stage, the advice or performance level being monitored is checked against the Staff Monitoring Form standards, and any failings or shortcomings are passed to the ‘Act’ stage, which involves a period of review with the staff member and the Compliance Officer and measures being put into place to prevent further quality assurance breaches. Such actions include: –
- Additional Staff Training
- Changing the Existing Procedure (to better meet the regulatory requirements & desired outcomes)
- Improving a Process
- [Add/delete as applicable]
The methods of internal audits and checks include: –
- Call Monitoring – listening to staff calls, both internal and external, and auditing against written call procedures and compliance requirements.
- Physical Audit – the auditor carries out the activity themselves to evaluate the process/system involved in the audit and to ensure compliance and functionality.
- Monitored Audit – the auditor assesses an employee carrying out a business activity to assess staff adherence to company procedures and regulatory compliance.
- Email Reviews – a sample of internal and external emails are reviewed to ensure compliance with business processes and compliance requirements.
- Employee Interviews – staff are involved in discussions about business activities and systems to ensure their knowledge and competence are at an acceptable level for the hired role.
- Document Control – existing procedures and policies are reviewed by the auditors to ensure they are fit for purpose, efficient and effective and that they adhere to regulatory requirements.
- Risk Assessment – mitigating strategies associated with each business activity are reviewed and followed to ensure that they mitigate against the associated risk and are fit for purpose.
- [Add/Delete]
6.1 Audit Procedures
All staff monitoring audits (calls, accounts, performance, advice etc) are completed using the Staff Monitoring Form. This allows the quality assurance objectives to be assessed and management information to be collated on customer outcomes.
- The auditor must plan the area or staff member to be monitored and ensure that adequate time and resources are available to enable a thorough audit
- A Staff Monitoring Form must be completed for every audit carried out
- Live or pre-recorded call monitoring must also utilise the Call Monitoring Audit Form
- Where live account, email or call audits are carried out, staff are not to be advised of the monitoring prior to it taking place
- When monitoring staff service levels and/or performance, account history, call recordings and email/letter correspondence must be monitored and reviewed to ensure a full audit is carried out
- After the Staff Monitoring Form has been completed, root causes of any failings must be logged and reported to the Directors and Compliance Officer
- Changes to any processes must immediately follow any root cause identification, including additional staff training and/or temporary suspension from job role
- Procedure or control changes must be disseminated throughout the organisation with a full explanation on why the changes have occurred and how they better meet the desired quality assurance objectives.
7. Roles & Responsibilities
The company’s roles and responsibilities as they relate to quality assurance and internal staff audits are to: –
- review and assess the effectiveness and adequacy of procedures, internal controls and systems
- check for compliance breaches or risk-based divergence from SOPs
- ensure that the desired level of quality assurance is maintained
- ensure that staff are offering the accurate, appropriate and compliant advice, products and services
- ensure that customer risks are identified and mitigated against
The Compliance Officer has overall responsibility for the QA process and associated audits; however, all managers must take accountability for their own staff and department areas and follow a consistent program of staff monitoring and training.
7.7.1 Employee Monitoring Form Template
[Insert location/hyperlink to external location of this document]
[An Employee Monitoring Form Template is included in 03_Employee_Training_Induction]
7.8 Risk Management
As regulated under FCA Handbook sections SYSC 4.11 and SYSC 7.1, the company has procedures, systems and controls in place to identify, manage, report and mitigate against risks. These include carrying out risk assessments on all systems and business activities and recording the findings on our Risk Register.
We also use a Risk Matrix to assign each risk an impact and probability rating, which enables us to tier all risks and create mitigating processes to minimise the likelihood of a risk occurring.
Both internal and external risks are identified, assessed and recorded by the firm, in addition to all new procedures, new business activities and new systems which are risk assessed in a hypothetical manner prior to implementation.
7.8.1 Risk Management Policy & Procedures
- Policy Statement
The Company is committed to ensuring that we understand and adhere to all regulatory and legal requirements regarding our risk management obligations. Whilst we accept that not all risks can be eliminated, we are committed to ensuring robust and effective controls, measures and processes to identify gaps and risks, to have proportionate oversight functions and to mitigate risk where possible.
Operational managers are tasked with risk mitigation and we utilise the Three Lines of Defence model in our approach, ensuring that effective management control, adequate risk control and compliance oversight functions and internal independent audits are established within our risk management framework. Effective lines of communication and collaboration across the Company ensure that gaps are easily and quickly identified and that duplicated processes or functions are removed.
This document states our risk management objectives and sets out our approach to managing and mitigating risks, as well as providing defined and detailed procedures for identification, assessment, mitigation and corrective actions. We are dedicated to ensuring that all employees are fully trained and understand the implications of risk and know that our structured procedures, systems and controls have been put into place to identify the risks, mitigate where possible and prevent unnecessary harm or damage to any individual or entity.
- Purpose
The purpose of this policy is to provide our objectives, intent, approach and procedures for risk management and assessment, and to act as a guidance document for employees and third parties. Effective risk management requires a robust and defined framework, detailing the functions, actions and controls used to identify, assess and prevent risks.
In addition to standard business risks and those associated with our business type and industry, we also recognise the risks that result from processing personal data and understand our obligation to protect and secure personal data by identifying and mitigating the risks posed. The Company is committed to ensuring a risk-based approach towards personal data and the protection of individuals’ rights and freedoms, and utilises such an approach as an effective tool for securing personal data and mitigating associated risks. We have dedicated data protection policies in place for specific risk assessment around personal data.
- Scope
This policy applies to all staff within the Company (meaning permanent, fixed term, and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with the Company in the UK or overseas). Adherence to this policy is mandatory and non-compliance could lead to disciplinary action.
- What is Risk?
The Company’s definition of a ‘risk’ is: –
An event, action or cause leading to uncertainty in the outcome of the Company’s operations. This risk may be financial, reputational, regulatory, legal or ethical and can affect one or many persons associated with the Company.
With regards to privacy and the protection of data, we define ‘risk’ in terms of the severity, impact and/or probability a breach, function or processing activity would have on individuals. When referring to business risks, we consider varying factors, including internal and external risks; those posed by systems and/or processing and those posed by employees or customers. We consider the systems, entities or individuals who will be affected or compromised, the severity of any impact (i.e. loss, threat, unauthorised disclosure) and whether mitigating controls and measures already in place (or able to be implemented) would reduce impact, severity and/or probability.
The stages in risk assessment are to: –
- identify the main risks to your objectives, business and customers
- assess/measure the importance, impact and likelihood of the risk
- mitigate the risks through corrective actions, controls and operational measures
- reassess the risk importance, impact and likelihood
- carry out ongoing monitoring of the risk and mitigating controls
- Objectives
The Company has developed several objectives for identifying, assessing, mitigating and monitoring risks.
The Company ensures that we: –
- Identify and assess all risks and where necessary, treat/address them in a timely manner
- Have effective processes to identify, manage, monitor and report the risks we are (or might be) exposed to
- Establish, implement and maintain adequate risk management and security policies and procedures, including effective controls for risk assessment, identifying the risks relating to our activities, processes and systems, and where appropriate, set the level of risk tolerated by us
- Apply adequate and effective controls to mitigate the identified risks within the agreed parameters and regularly test these controls to ensure that they remain effective and appropriate
- Review risks (frequency determined by risk score) and related procedures for adequacy and relevance, as well as re-assessing new risks that we might be exposed to
- Conduct reverse stress testing to ensure that the controls, systems and procedures put into place for risk management are effective and mitigate the risks of business failure
- Have a compliant and robust remuneration policy and procedure in place to prevent internal risks associated with unfair business practices through competitive sales and/or advice
- Provide staff with sufficient training and support to manage our risk management obligations and objectives
- Conduct risk assessments on all new business ventures, systems, and functions to ensure that they are aligned with the goals and objectives in this policy
- Assign responsibilities for risk management, security and data protection and ensure an unbiased, supported role for each
- Ensure there are processes in place to analyse and log any identified threats, vulnerabilities, and potential impacts associated with our business activities and information (risk register)
- Utilise a risk matrix for rating and scoring the impact and likelihood of any identified risk, and use this score to set the frequency of monitoring and mitigation requirements and to make informed decisions about the risk(s)
- Identify and analyse the GDPR requirements for risks relating to personal data, with emphasis on any high-risk processing activities and processing special categories of personal data
- Review all processing activities on a frequent basis to assess their risk rating and to identify any gaps or new risks associated with the processing of personal data
- Define procedures and reporting mechanisms for data protection impact assessments (DPIA) where mandatory under the data protection laws
- Have effective company-wide risk assessment procedures for identifying, assessing and managing the risks associated with money laundering and terrorist financing
- Have dedicated and robust due diligence procedures and controls in place to aid in risk reduction and management
- Data Protection Risks
Where the Company processes personal information as part of our business activities, we have risk assessment measures in place with the specific purpose of assessing the risk posed to individuals when their data is processed and the risk of the processing activity itself.
Recital 74 of the GDPR states that: “the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should consider the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.”
Whilst the risk measures and management around data protection and privacy are within the scope of this risk assessment document, any activity identified as high-risk or meeting the Article 35 requirements are subject to our separate Data Protection Impact Assessment (DPIA) Procedures.
- Money Laundering Risks
The Company has dedicated Risk Assessment procedures and controls for the company-wide identification and management of the risks associated with financial crime. Whilst the risk measures and management around money laundering and terrorist financing are within the scope of this risk assessment document, we utilise our AML Risk Assessment and AML Policy & Procedures to mitigate and manage our obligations in preventing financial crime.
- Approach to Risk Management
The Company utilises the Three Lines of Defence approach in our risk management, which provides an effective framework for our 3-tiered method of identifying, assessing and managing risk. It is essential to the functioning and compliance of our business that all risks are identified and managed and that reporting lines and communication are effective and efficient. Using an ownership, oversight and audit framework allows a multi-faceted approach to risk, preventing gaps and removing duplications.
Our Three Lines of Defence framework is: –
- Operational and line managers are given responsibility for identifying, assessing, managing and owning risk in their defined area and are tasked with developing and implementing corrective actions where applicable. Managers are responsible for the employees in their department and for supervising procedures and tasks associated with any defined risks. Risk controls, measures and the day-to-day monitoring fall within the managers' remit. Operational managers are also responsible for training employees in risk management and the Company’s risk approach.
- [Senior Management/Compliance Officer] are responsible for the oversight of the managers and their approach to risk, ensuring that a second line of defence is in place. This second level monitors and assesses the controls, measures and corrective actions that are in place and reports directly to the [Directors/Governing Bodies/Oversight Committee]. The [Senior Management/Compliance Officer] are responsible for the quality management of the risk functions of all managers and are tasked with ensuring the appropriate, adequate and effective operation of those functions. Senior Management are also responsible for providing training and support to the operational managers.
- We have [a dedicated Auditor/Audit Team] who act as the third line of defence and provide independent monitoring and analysis of the overall risk management functions and approach. The auditor reports directly to the [Directors/Governing Bodies/Oversight Committee] and provides management information reporting on any issues and/or areas for improvement. Having an independent audit role enables the Company to assess, review and improve our risk management function and to ensure that we take a universal approach when assessing and managing risk. The auditor is also responsible for assessing regulatory functions and processes against the relevant standards, regulations and legislation and ensuring their compliance and adequacy.
8.1 Response to Risk
The Company employs 4 main options in response to any risks: –
- Tolerate – if we cannot reduce the risk in a specific area, we can decide to tolerate the risk (i.e. do nothing further to reduce the risk). Tolerated risks are to be noted on the Risk Register, without any intended further actions. If the risk is shown as ‘green’ after existing mitigating actions are taken, it is usually okay to tolerate it. Tolerated risks are those with low or no impact effect and/or probability of future recurrence.
- Treat – if we can reduce the risk in a reasonable way by identifying mitigating actions and implementing them, we do so. For most risks on the Risk Register, this is the action that is/will be taken. If there is any probability of the risk occurring again, it must be treated, and the necessary mitigating actions put into place to prevent further occurrence.
- Transfer – in this case, some risks can be transferred to other organisations (i.e. by way of using insurance or outsourcing certain tasks/services).
- Terminate – this applies to risks we cannot mitigate other than by no longer carrying out work in that area (i.e. if a planned project is deemed too high risk and the risks cannot be mitigated, we may decide to cancel the project).
8.2 First Line Procedures
8.2.1 Identify the Risk
All first line procedures are the responsibility of the operational managers. All areas of a manager’s department are reviewed to identify risk, including: –
- All staff, including due diligence, background checks, [insert any employee checks you do]
- All tasks and activities carried out within the business as part of its functioning
- Systems and controls
- Existing procedures relating to legal and regulatory obligations, rules and requirements
- Suppliers and other third-party associations
- Customers and clients
- Complaint logs
- Previous insurance claims
- [Add/delete as applicable]
Identified risks are recorded on the risk register, regardless of rating, impact or likelihood. The identification stage includes: –
- Defining the risk in a clear and simple statement
- Recording the risk on the risk register
- Deciding who has overall responsibility for the risk
8.2.2 Assess the Risk
A risk assessment is carried out on all risks, regardless of impact or likelihood. Risks are recorded on the register and the assessment also rates the risk in terms of the probability and impact.
During the risk assessment stage, we: –
- Define the risk in a clear statement
- Identify whether the risk does/could adversely affect the function or delivery of the project that the risk relates to
- Record the objectives and benefits of the function/project to enable risk acceptance decisions
- Assess the importance, probability and the impact of each risk
- Decide whether the level of risk is acceptable
- Identify possible mitigating or corrective actions that can be taken to eliminate or reduce the risk impact and/or likelihood
- Review whether any existing control measures are effective
- Decide what action should be taken to control or mitigate the risk
- Decide how urgently the action needs to be taken
8.2.3 Risk Rating
Part of the risk assessment is to rate the risk in terms of impact and likelihood (probability of the risk occurring). We use a predefined Risk Matrix to give each risk a rating, which assists in managing the risk and deciding on further actions. The rating provides a colour code for how severe the risk is and therefore the necessity of putting mitigating/corrective actions into place.
Risks will usually fall into one of three categories: –
- Risks to Individuals – Any risk that affects an individual (data subject, employee, client etc). The main risks to individuals are posed by data protection risks and information processing
- Compliance Risks – These can arise where the assessment response indicates that a breach of standards, legislation and/or regulations will occur if the function, activity or processing goes ahead. This can also include breaching codes of conduct as relevant to a company’s business type or the services/products offered
- Corporate Risks – Risks that will affect the business, including reputation, revenue, fines and sanctions
The risk rating table below uses the common ‘Red, Amber, Green (RAG)’ matrix, where each risk is given a RAG score based on the likelihood versus the impact. This rating is also provided in more detail in our Risk Matrix.
LIKELIHOOD \ IMPACT | Trivial (1) | Minor (2) | Moderate (3) | Major (4) | Severe (5) |
Certain (5) | Low Med | Medium | High | Very High | Very High |
Likely (4) | Low | Low Med | Med High | High | Very High |
Possible (3) | Low | Low Med | Medium | Med High | High |
Unlikely (2) | Low | Low Med | Low Med | Medium | Med High |
Rare (1) | Low | Low | Low Med | Medium | Medium |
Impact Score x Likelihood Score = Risk Rating |
- GREEN – Where an assessment outcome is Green, we still work to see if we can develop and implement any solutions or mitigating actions that can be applied to reduce the risk impact down as far as possible. However, most green rated risks are acceptable and so focus should be placed on those with higher ratings. Even where a green RAG rating has been given at the identification stage, this risk will still be added to the mitigating actions template for continuity and to ensure that all risks have been recorded and assessed.
- AMBER – Where an assessment outcome is Amber, mitigating actions are always proposed and outcomes envisaged, before the activity is approved. The aim is to reduce all risks down to a green (acceptable) level, however there will be occasions when the activity must take place for business/legal/best interest reasons and so some of the risks associated with running a business will persist and must be accepted into the project. All solutions and mitigating actions must first be considered, tried and applied if possible. If the risk is associated with the processing of personal data, the risk should be escalated to the Data Impact Assessment screening questions to ascertain if a complete DPIA is required.
- RED – Where an assessment outcome is Red, it indicates that either or both impact and/or likelihood scores are unacceptable, and that complete solutions and mitigating actions would be required to bring both indicators down to an acceptable level. Some activities are eliminated at this point as the impact is considered too high risk to proceed.
However, in instances where the activity or project is essential or is a legal requirement, the proposed solutions and mitigating actions are applied, and a further risk assessment is carried out to see if the risk score can be reduced to an acceptable level. If the risk is associated with the processing of personal data, the risk should be escalated to the Data Impact Assessment screening questions to ascertain if a complete DPIA is required.
Once the risk assessment has been carried out, we use the overall risk rating to make the decision whether to: –
- PREVENT: High-probability/high-impact risks (we actively work to mitigate these)
- ACCEPT: Low-probability/low-impact risks (maintain vigilance)
- CONTAIN: High-probability/low-impact risks (minimise likelihood of occurrence)
- PLAN: Low-probability/high-impact risks (plan steps to take if this occurs)
Managing risks involves: –
- Eliminating them as far as is reasonably practical
- If it is not possible/practical to eliminate a risk, we aim to minimise it as far as is reasonable to do so
- Applying corrective actions to mitigate a risk where possible
Where a risk or its effects can be managed or controlled, we operate a hierarchy system based on the risk matrix rating. We prioritise those risks with the highest rating (therefore most likely to occur and/or could have the most impact) as those that should have controls put into place to immediately eliminate/minimise them. We then work through the risk register putting controls into place in descending rating order.
To control or eliminate the assessed risk, we use a hierarchy of control. Where possible, we always aim to eliminate a risk, as we recognise that this is the most effective form of control. However, where elimination is not an option, we aim to minimise the risk by working through the alternatives in our hierarchy system.
[If you have a system/controls in place already for managing risks, replace the below with your own approach.]
Level 1 Risk Mitigation Measures | RISK REMOVAL |
The most effective control measure involves eliminating the risk altogether along with any associated effects. Where possible, we will either opt to not introduce the risk into the business in the first place or, if the risk is already in place and has been assessed as an elimination option, we will take steps to remove the risk/activity altogether. |
Level 2 Risk Mitigation Measures | RISK SUBSTITUTION/ISOLATION |
If total removal of the risk is not possible due to business or external factors, we will aim to substitute the risk object/situation with an appropriate alternative that produces less of a risk. Level 2 measures include: – |
Level 3 Risk Mitigation Measures | RISK REDUCTION |
Where the impact and/or probability of a risk is medium to low and where possible, we try to reduce the likelihood of the risk occurring and/or the effects and impact that the risk might have. This is done through mitigating and corrective actions, including: – |
Level 4 Risk Mitigation Measures | ACCEPT THE RISK |
Where the impact and/or probability of a risk is low and where we are unable to apply any of the measures for levels 1-3, we accept the risk and its implications. Level 4 is only applied where a risk is unlikely to cause any measurable damage or harm to the business, its customers and/or any associated entity or individual. Where a risk is accepted, we still have an incident response plan and business continuity plan in place to ensure that if a low-probability risk occurs, we have the procedures, resources and controls in place to manage it. |
When risks are identified and assessed as being acceptable to the functioning of the business and cannot be eliminated, we develop and implement mitigating actions where possible, to reduce the impact and/or likelihood of the risk. Managers use the Risk Mitigating Action Plan for each risk, detailing what actions, processes and controls can be used to reduce the risk.
Corrective actions are defined as those required where there has been an issue or breach. A new or first-identified risk is given mitigating actions to reduce its impact and likelihood; where those actions fail to prevent the risk from occurring, managers are required to reassess the risk and any failing processes or functions that contributed to it occurring. Some risks are expected during business and cannot be eliminated; however, as time, resources and technology develop, it becomes possible to put new actions into place to mitigate them.
Managers use the below Risk Management Corrective Action Plan for assessing a risk that has occurred and to put new corrective actions into place.
RISK MANAGEMENT CORRECTIVE ACTION PLAN |
Assessor Name: | Date: | Risk: |
Did the risk occur due to it not being previously identified? | YES/NO |
Had the risk previously been assessed and had mitigating actions implemented? | YES/NO |
Cause/s Identified: |
Cause/s to be Corrected: |
New Mitigating Strategies | Indicators of Success | Monitoring Methods |
e.g. 2 persons check team prior to data upload | e.g. zero upload errors | e.g. audits |
e.g. consistent data results from both team checkers | e.g. 3rd person checks prior to upload | |
8.4 Risk Register
The Company uses a Risk Register to record the details of all the risks identified within the business. These include internal and external risks, ongoing risks and those defined at the beginning and during the life of a project. All risks are rated based on their impact and probability, with the risk then being added to the register and the rating being used to make decisions on mitigating and corrective actions. Managers are responsible for adding each identified risk to the register and for reviewing the risks monthly.
Our Risk Register includes: –
- A unique identifier for each risk
- A description of the risk
- Risk Score/Rating
- Assessment of probability and/or impact
- Who is responsible for managing the risk?
- Summary of proposed corrective and/or preventative actions
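The rating table in 8.2.3, the PREVENT/ACCEPT/CONTAIN/PLAN decision that follows it, the descending-order prioritisation described in the hierarchy of control, and the Risk Register fields listed above can be worked through in code. The following Python is an added example and is not the Company's own register or tooling. The scale names and the cell labels are copied from the risk rating table; the mapping of the six labels onto the GREEN/AMBER/RED bands, the threshold of 4 for a "high" score in the response decision, the `RiskEntry`/`RiskRegister` names and the four sample risks are assumptions constructed for the illustration. The lookup goes by table cell rather than by the numeric product, because the page's cells are not a pure function of impact x likelihood (a score of 4 appears as Low, Low Med and Medium depending on which side contributes it).

```python
"""Risk rating lookup, RAG banding, response decision and a minimal Risk Register.

Added worked example, not the Company's own tooling.  Scale names and matrix
labels are copied from the 8.2.3 table; colour bands, the "high" threshold and
the sample risks are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Scales as defined in the risk rating table (score -> label).
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Certain"}
IMPACT = {1: "Trivial", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Severe"}

# Row = likelihood score, column index = impact score - 1, cell = label from the page.
# Looked up by cell, not by product: the page's cells are not a pure function of
# impact x likelihood (a product of 4 is Low, Low Med or Medium depending on the pair).
RISK_MATRIX: Dict[int, Tuple[str, ...]] = {
    5: ("Low Med", "Medium", "High", "Very High", "Very High"),
    4: ("Low", "Low Med", "Med High", "High", "Very High"),
    3: ("Low", "Low Med", "Medium", "Med High", "High"),
    2: ("Low", "Low Med", "Low Med", "Medium", "Med High"),
    1: ("Low", "Low", "Low Med", "Medium", "Medium"),
}
LABELS = ("Low", "Low Med", "Medium", "Med High", "High", "Very High")
RANK = {label: i for i, label in enumerate(LABELS)}  # ordering for prioritisation
# ASSUMPTION: how the six labels fall into the GREEN / AMBER / RED bands of 8.2.3.
RAG_BAND = {"Low": "GREEN", "Low Med": "GREEN", "Medium": "AMBER",
            "Med High": "AMBER", "High": "RED", "Very High": "RED"}
HIGH = 4  # ASSUMPTION: a score of 4 or 5 counts as "high" for the response decision


def _check(score: int, name: str) -> None:
    if score not in LIKELIHOOD:  # both scales run 1..5
        raise ValueError(f"{name} score must be 1..5, got {score!r}")


def rate_risk(likelihood: int, impact: int) -> Tuple[str, int]:
    """Return (matrix label, impact x likelihood score) for one risk."""
    _check(likelihood, "likelihood")
    _check(impact, "impact")
    return RISK_MATRIX[likelihood][impact - 1], likelihood * impact


def rag(likelihood: int, impact: int) -> str:
    """GREEN / AMBER / RED band for a likelihood-impact pair."""
    return RAG_BAND[rate_risk(likelihood, impact)[0]]


def response(likelihood: int, impact: int) -> str:
    """PREVENT / ACCEPT / CONTAIN / PLAN decision from 8.2.3."""
    _check(likelihood, "likelihood")
    _check(impact, "impact")
    high_p, high_i = likelihood >= HIGH, impact >= HIGH
    if high_p and high_i:
        return "PREVENT"   # actively mitigate
    if high_p:
        return "CONTAIN"   # minimise likelihood of occurrence
    if high_i:
        return "PLAN"      # plan the steps to take if it occurs
    return "ACCEPT"        # maintain vigilance


@dataclass
class RiskEntry:
    """One Risk Register row, using the fields listed in 8.4."""
    risk_id: str                 # unique identifier
    description: str
    likelihood: int
    impact: int
    owner: str                   # who is responsible for managing the risk
    actions: str = ""            # proposed corrective / preventative actions
    personal_data: bool = False  # does the risk involve processing personal data?
    rating: str = field(init=False)
    score: int = field(init=False)

    def __post_init__(self) -> None:
        self.rating, self.score = rate_risk(self.likelihood, self.impact)

    def needs_dpia_screening(self) -> bool:
        """Amber or Red risks involving personal data go to the DPIA screening questions."""
        return self.personal_data and RAG_BAND[self.rating] != "GREEN"


class RiskRegister:
    def __init__(self) -> None:
        self._entries: Dict[str, RiskEntry] = {}

    def add(self, entry: RiskEntry) -> None:
        if entry.risk_id in self._entries:
            raise ValueError(f"duplicate risk id {entry.risk_id}")
        self._entries[entry.risk_id] = entry

    def get(self, risk_id: str) -> RiskEntry:
        return self._entries[risk_id]

    def prioritised(self) -> List[RiskEntry]:
        """Highest matrix rating first (then highest product): descending rating order."""
        return sorted(self._entries.values(),
                      key=lambda e: (RANK[e.rating], e.score), reverse=True)


def build_sample_register() -> RiskRegister:
    """Constructed sample risks (not from the page) to exercise the register."""
    reg = RiskRegister()
    reg.add(RiskEntry("R-001", "Backup media containing customer data lost in transit",
                      likelihood=2, impact=4, owner="IT Manager",
                      actions="Encrypt media; use tracked courier", personal_data=True))
    reg.add(RiskEntry("R-002", "Phishing email reaching staff mailboxes",
                      likelihood=5, impact=3, owner="IT Manager",
                      actions="Mail filtering; staff awareness training"))
    reg.add(RiskEntry("R-003", "Stationery supplier delivers late",
                      likelihood=3, impact=1, owner="Office Manager"))
    reg.add(RiskEntry("R-004", "Primary office unavailable for more than a week",
                      likelihood=1, impact=5, owner="Operations Director",
                      actions="Invoke Business Continuity Plan"))
    return reg


if __name__ == "__main__":
    for e in build_sample_register().prioritised():
        print(f"{e.risk_id} {e.rating:<9} {RAG_BAND[e.rating]:<5} "
              f"{response(e.likelihood, e.impact):<7} DPIA screening: {e.needs_dpia_screening()}")
```

Running the module prints the sample register in the order a manager would work through it: the Red phishing risk first, then the two Medium (Amber) risks, then the Green one. The `needs_dpia_screening` check encodes the escalation rule from the Amber and Red paragraphs, so a register review can list every personal-data risk that still has to go through the DPIA screening questions.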
9. Second Line Procedures
9.1 Review & Monitor the Risks
The controls and procedures that operational managers put in place to identify, assess and manage the risks associated with our business are monitored and reviewed regularly to make sure they work as planned and are adequate and effective. Senior Managers/Compliance Officer are responsible for monitoring and auditing the risks and their corrective actions, as well as the support and training provided by the managers to employees in their respective departments.
Senior Managers/Compliance Officer are tasked with ensuring the effective risk management functions and practices by operational management and to support and assist those managers in setting targets, defining the risks and reporting requirements. Quality management forms a large part of the second line of defence approach, which aims to remove gaps and duplicated processes.
Senior Management/The Compliance Officer establishes processes and functions to ensure that the managers and the first line of defence are adequate, effective and operating as intended. This level is essential to the Company for ensuring an added oversight function and reducing the human error element that is present in all processes and actions.
Senior Management/The Compliance Officer use several methods and controls in their oversight capacity, including (but not limited to): –
- Carrying out audits and tests to ensure that the controls in place work and are effective
- Disaster Recovery tests to ensure that back-ups and controls are effective and appropriate
- Manager and team meetings are held each month to keep the staff informed of any changes to the risk management program and to ensure that staff know and understand their risk management responsibilities
- Scenario testing is carried out on staff and systems so that any gaps can be identified and rectified
- Identifying and communicating known and new issues and gaps
- Assisting management in developing and implementing effective risk controls and measures
- Supporting and training managers in their risk management functions and duties
- Reporting to the [Directors/Governing Bodies/Oversight Committee]
10. Third Line Procedures
10.1 Audits
To ensure a complete and effective approach to risk management, The Company uses the Three Lines of Defence model, which incorporates an independent auditor/audit committee who review, audit and report to the [Directors/Governing Bodies/Oversight Committee].
The auditor(s) is provided with the budget, tools and resources to carry out independent, unbiased and objective audits of all risks, their identification, assessment, classification and management, as well as assessing and auditing the Senior Management functions and approach. This third level of defence enables us to objectively review our risk management processes and ensure that all areas are operating effectively, adequately and proportionately.
The auditor(s) uses multiple methods to assess and review the functions and employees to ensure the effectiveness of governance, risk management and internal controls. Their remit includes: –
- Reporting to the [Directors/Governing Bodies/Oversight Committee]
- Assessing all elements and facets of the risk management framework
- Reviewing the support and training provided by the managers to employees and the Senior Managers/Compliance Officer to the Managers
- Reviewing the Risk Register and Mitigating/Corrective Action plans and assessing their ratings and outcomes
- Auditing the functions and processes in place to reduce/mitigate risk and ensure they are appropriate, effective and adequate
- Ensuring the reliability and integrity of the management reporting processes
- Reviewing and ensuring compliance with regulations and laws
[NOTE: If your company does not use the Three Lines of Defence approach or you are too small to incorporate a separate internal audit function – make sure you edit and customise this document to suit your needs and include your actual procedures.]
10.2 Documenting Risk Assessments
The Company details throughout this document how and when the stages of risk assessment are recorded. We understand the need and requirement to document all identification, mitigating actions, risk ratings, reviews and audits and maintain effective and adequate documents for evaluation, pattern analysis and compliance.
It is our aim to fully evidence and demonstrate all aspects of our risk assessments (including DPIAs, for which the documentation requirements are stated in our DPIA Procedures, and AML risks, which are specified in our AML Risk Assessment Document), which are documented in all cases, regardless of the size, scope, nature or rating the risk carries. Ensuring accurate and adequate records enables effective breach management, risk analysis and compliance with our regulatory and legal obligations, as well as being able to provide such evidence to supervising authorities or bodies upon request.
11. Responsibilities
The Company will ensure that all staff are provided with the time, resources and support to learn, understand and implement all Risk Assessment and Management documents and related procedures and that departmental managers are supported in completing the Risk Register.
Where the risk involves personal data, the Data Protection Officer is consulted and involved in all decisions and mitigating actions, including making the decision as to whether a risk should be escalated to the Data Protection Impact Assessment screening questions stage.
Where the risk is related to financial crime, the Money Laundering Reporting Officer or Nominated Officer is consulted and involved in all decisions and mitigating actions.
12. Associated Documents
The Company has a robust and defined document control system with policies, controls, procedures and measures for all business, contractual, legal, statutory and regulatory requirements. Some policies overlap with other functions or activities, with the below documents needing to be read and used in conjunction with our Risk Management Policy & Procedures: –
- Data Protection Policy & Procedures
- Privacy by Design & Security of Processing
- Data Protection Impact Assessment (DPIA) Procedure
- Breach Management & Incident Reporting Policy & Procedures
- Information Security Policy & Procedures
- Access Control Policy
- Audit & Monitoring Policy & Procedures
- Business Continuity Plan
- Anti-Money Laundering Policy & Procedures
- AML Risk Assessment
- AML Checklist
- Due Diligence Policy & Procedures
- Due Diligence Questionnaires & Checklist
7.8.2 Risk Mitigating Action Plan
[Insert location/hyperlink to external location of this document]
[We have included a template for this document in 02_Manual_Supporting_Docs.]
7.8.3 Risk Register
[Insert location/hyperlink to external location of this document]
[We have included a template for this document in 02_Manual_Supporting_Docs.]
7.9 Outsourcing
Outsourcing is defined as using a third party to carry out any activity or service that your firm relies upon or would usually complete itself. This can range from basic service providers such as mailing companies or stationers, through to outsourcing operational or regulatory requirements such as having external IT providers or lead generators.
Where a firm outsources any function or activity that is regulated by the FCA, the firm is still responsible for complying with the regulatory requirements and will be held accountable for any failings or breaches. It is for this reason that the company has robust controls and procedures in place to identify, check, assess and monitor any 3rd party service provider with whom it establishes a relationship.
7.9.1 General Requirements
Under the FCA Handbook section SYSC 8.1, with reference to the rules and guidance contained therein; the company confirms that it complies with the below rules and guidance as provided under the regulatory system.
The company agrees to: –
- avoid any undue operational risks when relying on a service provider for all or part of an operational function
- not outsource any important operational risk that may impair the quality of the firm’s internal control or the regulator’s ability to monitor the firm’s compliance with our obligations under the regulatory system
- implement policies and procedures which govern the use of outsourcing and any service provider used
- implement procedures to carry out due diligence checks and assessments on any service provider used for outsourcing and to record all checks for audit purposes
- carry out frequent and rolling audits (physical and remote) on any service provider in relation to their conduct, ability to perform the outsourced task and required compliance
- ensure that the service provider has the correct ability, capacity and any required authorisation to carry out the required function
- ensure that the service provider protects any sensitive and/or confidential information supplied to them in the course of the business relationship
- identify and implement disaster recovery and business continuity procedures and contingencies for any service or function that has been outsourced and carry out periodic reviews and tests of any such plans
7.9.2 Introducer/Lead Generator Agreement
[Insert location/hyperlink to external location of this document]
[We have included a template for this document in 02_Manual_Supporting_Docs.]
7.10 Outsourcing & Supplier Policy & Procedures
1. Policy Statement
The company outsources various operational functions to third parties where there is a business need or where the outsourcing of such functions is a legal, statutory, contractual or regulatory requirement. In doing so, we understand that additional risk can be posed to both business and customers and as such we are committed to ensuring that any outsourced process continues to meet the quality, standards and compliance that we aim for in all our in-house services and functions.
Where any task or activity is outsourced, the company employs structured and robust assessment, due diligence and monitoring measures and procedures, both prior to entering into any supplier contract and for the duration of the business relationship. Our dedicated procedures are used to initiate, maintain and monitor the operational function of the outsourced process as well as to assess the expertise, quality and ongoing compliance of the supplier or vendor.
The company is committed to providing a professional, reliable and transparent service, which includes any outsourced functions, and we ensure that any third-party service providers are suitable, competent and trustworthy prior to committing to any working relationship. We also ensure that where a function is outsourced, we have back-up service providers in place should there be a failure with the primary provider.
2. Purpose
The purpose of this policy and procedure document is to provide the company’s statement of intent and objectives for how we manage and monitor our outsourced business services and/or processes and the supplier carrying out those functions. It also provides step by step procedures and guidance for staff and associated individuals/firms, with regards to the company’s processes and methodology for outsourced services and/or business functions.
The overall purpose of the document is to ensure that the company has set suitable and effective objectives to meet our regulatory and ethical obligations for any outsourced processes and to enable our staff to identify, manage and mitigate the financial, operational and business risks associated with any service or function that must be outsourced. Our aim is to use only those firms and individuals who are compliant, competent, suitable and reliable, and the procedures used during our due diligence checks and ongoing monitoring of any supplier or provider ensure that we can achieve this.
3. Scope
This policy applies in full to the company and its staff (meaning permanent, fixed term, and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with the company in the UK or overseas). Any member of staff who does not follow this policy and any associated procedures will be subject to disciplinary procedures and possible termination from the company.
4. What is Outsourcing?
For the purposes of this document, ‘outsourcing’ refers to any business function or service that is provided by or contracted out to an external, non-associated provider or supplier. Examples of commonly outsourced functions include postal and mailing services, wastepaper disposal, disaster recovery and translations.
Outsourcing usually happens for 3 reasons: –
- a firm is unable to complete a function or service in-house, possibly due to constraints on resources, time, space or the skill level needed to complete the task
- it is more cost effective to outsource certain functions or processes (e.g. mailing or waste disposal)
- there is a legal or regulatory requirement for outsourcing (i.e. in debt collection where only licenced legal professionals or courts can carry out certain tasks)
Business Process Outsourcing (BPO) is the specific outsourcing of business processes (as opposed to assets or people) and has become a common part of most businesses in today’s market. There are 2 main definitions of BPO: –
Horizontal BPO – horizontal BPO focusses on delivering generic support and process functions that relate to all industries as a general part of business. The supplier or vendor specialises in carrying out particular functions across multiple industry domains, such as recruitment, mailing, waste disposal, HR or accounting.
Vertical BPO – vertical BPO is more industry specific, with the supplier or vendor focusing on a limited number of sectors or industries and the functions provided being industry specific. Vertical suppliers can be found in industries such as financial services, retail and healthcare and aim to be experts in the industry and functions that they provide.
Where a regulated firm outsources any of its business functions, it has a duty to its staff, customers and regulators to ensure that the function is still being completed compliantly, ethically and satisfactorily. It is ultimately the firm’s responsibility to ensure compliance, even when the function or process is being completed elsewhere, which is why strict and robust outsourcing policy and procedures documents are necessary.
5. Objectives
The company confirms that in relation to outsourcing business services or processes and when using the services of 3rd parties, lead generators and/or introducers, we will ensure that the below objectives and obligations are met through implementing the relevant procedures, systems and controls.
Under the FCA Handbook section SYSC 8.1 and with reference to the rules and guidance contained therein and in accordance with our own internal objectives; the company agrees to: –
- avoid any undue operational risks when relying on a service provider for all or part of an operational function
- not outsource any important operational risk that may impair the quality of the firm’s internal control or the regulator’s ability to monitor the firm’s compliance with our obligations under the regulatory system
- implement policies and procedures which govern the use of outsourcing and any service provider used
- carry out frequent and rolling audits (physical and remote) on any service provider in relation to their conduct, ability to perform the outsourced task and required compliance
- ensure that the service provider has the correct ability, capacity and any required authorisation to carry out the required function
- ensure that the service provider protects any sensitive and/or confidential information supplied to them in the course of the business relationship
- identify and implement disaster recovery and business continuity procedures and contingencies for any service or function that has been outsourced and carry out periodic reviews and tests of any such plans
- ensure that a Contract and Service Level Agreement (SLA) is in place and agreed to by both the firm and service provider, prior to any business relationship forming
- carry out a due diligence check and assessment prior to signing the contract and will record the checks and completed forms on the Service Provider Register
- ensure that no outsourcing arrangement diminishes our ability to meet our contractual, regulatory and compliance obligations
- evaluate all risks associated with the outsourcing functions and supplier and score according to our Risk Assessment Matrix to ensure viability of implementation
- ensure the provider’s ability to maintain the privacy, security and data protection obligations applicable to our firm, business type and industry
- have specific procedures and SLA clauses set up for outsourced functions that occur in different time zones and/or countries; to ensure compliance with local law as well as our own regulatory requirements and to prevent risks associated with time differences
- enforce and monitor that all 3rd parties used for outsourcing or as contractors, lead generators or introducers comply with and agree to follow this Outsourcing Policy & Procedure and the obligations and procedures contained herein, and that they accept our Due Diligence checks, ongoing monitoring and evaluation, and selection procedures
6. Risk Assessment
Prior to outsourcing any business service or function, the company will identify any operational, financial and/or business risks that may present themselves by using an external provider or outsourcing a specific service or process. These risks will be assessed using the Risk Matrix and assigned an impact/probability rating which will form part of the firm’s decision on whether to proceed with the outsourcing.
Other risks that can be associated with outsourcing are: –
- Financial
- Reputation
- Service/Product Quality
- Delays
- Timeframes
- Ability to Comply with Regulatory Requirements
6.1 Due Diligence
The company uses [WebCHeck] searches, individual/director identity checks and a comprehensive Due Diligence Questionnaire and Checklist to ensure that any service provider considered for a business relationship is fit for purpose, reliable, suitable, competent, qualified and experienced.
In addition to the questions and assessment areas contained in our Due Diligence checks, the selection of providers for outsourced services is also based on the following criteria: –
- Length of experience and depth of expertise in the services and/or functions being offered
- Obtaining samples and evidence of any similar previous work carried out
- Obtaining references or testimonials from previous and/or existing clients
- Cost analysis of services and/or processes provided
- Contractual arrangements consistent with this Outsourcing Policy and Procedures
6.2 Outsourced Functions Register
For any process, function or service that is outsourced, the company maintains a register of the details relating to each provider for regulatory and monitoring purposes. Our Outsourced Functions Register enables us to meet our obligations under this policy and procedure document and to ensure that all outsourced functions are handled according to our own strict procedures and protocols.
Our Outsourced Functions Register is in an external document located at [add location/hyperlink for register]
[We have included a template for this document in 02_Manual_Supporting_Docs.]
7. Procedures
7.1 Assessment & Analysis
Prior to any outsourcing agreement being made, the below procedures must be followed and recorded for each new relationship.
- The service/function being considered for outsourcing must be assessed to see if it is a general business activity or involves all or part of a regulated activity.
a. Where the service/function to be outsourced is part of a regulated activity, the firm must also be assessed and monitored for their compliance with the FCA regulations in the applicable area.
- An ‘outsource risk/benefit analysis assessment’ is completed for the function/service under consideration, which must include the below information: –
a. Possible efficiency/monetary/quality gains by outsourcing the service
b. List of detailed risks associated with outsourcing the service
c. List of defined benefits and downsides to outsourcing the service
d. Departments and/or staff who will be affected by/involved in the outsourced function
e. Arrangement for monitoring the quality and compliance of the outsourced functions and supplier
f. Scope and timeframe for outsourcing the process or service
g. Internal staff changes, and additional training needed in relation to the outsourcing
h. Implementation of any new systems
7.2 Preparation & Selection
- After the initial decision to proceed with outsourcing has been made, the company creates a criteria list to be used in the selection stage of the outsourcing process. The criteria list is specific to each project and details the objectives, obligations, standards and requirements that must be met by the supplier.
- We then collate a list of suitable vendors who can be considered as the outsourced function provider. This list is compiled using all vendors in the market who are suitable to provide the outsourced function. This list is generally large in the initial stage, so we use a Request for Information (RFI) to narrow down the choices based on the criteria set in step one above.
7.2.1 Request for Information (RFI)
We use a template RFI to collect written information about the capabilities of various suppliers so that the information provided can be assessed against our selection criteria and used for comparative purposes. Each RFI is edited to fit the purpose of the outsourced project and then sent out to the chosen vendors.
[As each RFI is business type and project specific, we have not provided a template for this document, so you should create a generic RFI template that can be used/edited for each supplier project.]
All RFIs are given a submission date by which all responses must be received. Responding vendor information is then compared and assessed against the pre-set criteria and project requirements. A reduced list of vendors is then selected to proceed to the next stage in the process.
7.2.2 Request for Proposal (RFP)
Vendors proceeding through to the Request for Proposal (RFP) stage of our outsourcing process have been assessed against strict criteria and are deemed capable to commit to providing the relevant services or process. At this stage, we now create an RFP document with specific details about the scope and requirements of the project to ensure that vendors can respond to and price accordingly. Such information includes, but is not limited to: –
- Scope of opportunity
- Relevant requirements and objectives
- Timescales and project length
- Staff & training requirements
- Industry requirements
- Regulatory requirements
- Systems, technology and/or governance requirements
- SLA and/or Contract specifics
- Volume of data (where applicable) or job size
- Ongoing monitoring & due diligence
- Outcomes and performance
The RFP document is then distributed to all participating vendors with specific information on the engagement requirements, timelines for questions and responses, and key information.
7.3 Evaluation
Once all completed RFPs have been received, we enter the evaluation stage of the outsourcing process. At this stage, any vendors who are unable to meet the criteria and requirements set out in the RFP are discounted from further consideration. The evaluation stage takes those from the RFP list through to the short-list stage, where we choose a primary and secondary provider for the outsourced services and/or process.
- The project lead for the specific outsourcing project handles the evaluation stage and also communicates with the vendor POC as noted on the RFPs
- All answers to the RFP questions are assessed and any clarifications obtained from the relevant POC are noted on an attachment to the RFP for future reference
- We employ a scoring process for evaluating the RFPs so that a comparable assessment of each vendor can be made
- Vendors who are discounted at this stage due to low scoring, are contacted in writing within 4 weeks and provided with a summary of why they have been unsuccessful in bidding for this project
- Firms exceeding the minimum set score for the relevant project are added to a short-list and further risk assessed until we select a primary and secondary provider
- At this stage, we start the due diligence and change management processes of the selected vendors
7.4 Allocation & Due Diligence
Once the primary and secondary vendors have been chosen, we draft up a Service Level Agreement applicable to the chosen vendors and service or process to be outsourced and a binding contract between ourselves and the vendor. Negotiating any clauses or requirements is carried out at this stage by the project lead and vendor POC until both firms agree to commit and proceed.
- One vendor is chosen as the dedicated (primary) service provider and a second vendor placed in a back-up (secondary) position to ensure compliance and continued service in the event of any business failure or loss of use of the primary provider.
- Both vendors are added to the Supplier List and Outsourced Functions Register
- A due diligence audit and questionnaire is completed for both the primary and secondary providers prior to any agreement being entered into. In addition to the due diligence questionnaire, the company will ensure that it considers the: –
a. company’s reputation and history
b. quality of services provided to other customers
c. number and competence of staff and managers
d. financial stability of the company and commercial record
e. retention rates of the company’s employees
f. company’s adherence to relevant regulatory requirements and laws
- A detailed company check and background search must be completed on both the service provider and back-up provider, prior to any agreement being made
- A physical visit to the primary provider’s service location must be made with a view to carrying out a physical on-site audit.
7.5 Outsourcing Agreement
Once the primary and secondary providers have been assessed, selected and approved, they will be added to the Supplier List and Outsourced Functions Register and an outsourcing agreement (or SLA) is then created and signed by both parties. The agreement will address the below areas: –
- Duties and obligations of the company
- Duties and obligations of the service provider
- Applicable law to outsourcing agreement
- Regulations that apply to the outsourced service/function
- Duration of the Agreement
- Terms of the Agreement
- Reporting
- Audits & Monitoring
- Dispute Resolution
- Confidentiality Agreement
- Non-Compete Agreement
- Appeal & Enforcement
Upon completion of the agreement, the initial outsourcing commences on a 28-day trial with weekly monitoring checks. The process for outsourcing is as below: –
[If you have your own existing procedures for outsourcing a service to a provider, please include them here]
- If it is possible to outsource part of the service or to outsource in stages/sections, then this should be the default position for all service providers.
- Where the service provider has access to any internal systems, technical and physical access controls will be used and overseen by the IT Manager to prevent unauthorised access or data breaches.
- All existing in-house provisions and staff for the outsourced service, will be retained and made readily available throughout the initial implementation period to avoid delays or risks to the business or regulated activities.
- End of day reports are to be provided by the service provider for the first 28 days and then as per the agreed contract terms going forwards
- Monitoring checks will be carried out daily during the implementation period, to include: –
- Service/function quality
- Regulatory compliance
- Contractual compliance
- Suitability
- Efficiency
- After the first 28 days of outsourcing, the compliance officer and primary outsource team will review the service provider against the initial ‘outsource risk/benefit analysis assessment’ to ensure that the outsourcing is viable and suitable on a long-term basis.
8. Monitoring & Audits
Monitoring of the quality, compliance and result of the outsourced service/process is carried out every [*1/2/4/8 weeks] to ensure that the service provider and outsourced function remain compliant with contractual and regulatory requirements and are both viable and suitable for business needs. Monthly remote audits are carried out and recorded, with a physical audit being conducted on a quarterly basis.
a. Audit checklists are to be used when monitoring the performance and service provision of the outsourced service.
b. Checklists are to be retained for 6 years after the working relationship has been terminated.
c. Due diligence questionnaires are repeated on an annual basis with company and financial checks to be included.
d. Where there are specific FCA regulations that affect or involve the outsourced process or service, these are monitored for compliance on a weekly basis against the handbook requirements and our own internal objectives
To ensure the productivity, effectiveness and suitability of the outsourced service or process, the company ensures that the below key principles are monitored and met for the duration of the relationship: –
- Compliance with the regulation, contractual and legal requirements is adhered to and maintained
- Continued measurement and assessment of the benefits and suitability against the project’s initial criteria
- Ongoing risk assessments with any business and/or vendor changes and staff retention
- Training of new staff for both our business and the vendor
- Continual review and assessment of security and data protection standards and requirements
- Ongoing assessment that the vendor meets and achieves the SLA requirements and project criteria
- Audit and benchmarking measures and controls implemented, used and maintained
- Continued communication with the vendor and specific POC throughout the business relationship
- Ensuring records and documentation are maintained and retained as per the SLA and legal requirements
- Dispute resolution and complaint monitoring
9. Responsibilities
The company has a corporate and regulatory obligation and responsibility to ensure that any service or business function it outsources to a 3rd party service provider is not exposed to undue operational risk and does not suffer a loss of quality in the service provided.
[Designated Person] has overall responsibility for handling all service provider contracts, SLAs, due diligence checks, audits and monitoring, and for implementing and monitoring the firm’s procedures in relation to outsourcing.
Management are responsible for designating suitable owners of business processes that are outsourced, overseeing the outsourcing activities and ensuring that this policy is followed. They also have full responsibility for mandating commercial or security controls to manage the risks arising from outsourcing.
7.10.1 Outsourced Functions Register
[Insert location/hyperlink to external location of this document]
[We have included a template for this document in 02_Manual_Supporting_Docs.]
7.11 Record Keeping
The company has structured and robust records management procedures in place to log all services, transactions and relevant requirements as laid out in SYSC 9.1 and COBS 9.5 of the FCA Handbook.
Records are kept for the regulatory, contractual or legal retention period and are used, managed and stored in accordance with regulatory and business requirements, in addition to the requirements defined by the Information Commissioner’s Office (ICO) under the Data Protection laws and their principles.
The company keeps records for operational, regulatory and audit purposes and is committed to fair, transparent and ethical business practices in relation to recording its information, services and transactions. We have a procedural waste destruction policy and procedures which define how our records are disposed of, both in hard copy and electronic formats and we retain evidence of any such destruction in accordance with the legal and regulatory requirements.
7.11.1 Guidance on Record Keeping
The company confirms that it complies with the regulatory rules and guidance provided on record keeping and in particular that we: –
- can produce all required records in the English language and on paper
- if any retained record of a communication that was not in the English language is required, we will retain such communication in the format and language that it was originally obtained in – however, we have provisions in place to provide any such record in a translated format to the English language on request
- have procedures and controls in place regarding the adequacy of, access to and security of any retained records, in accordance with the regulatory and statutory obligations.
7.11.2 Meeting Minutes Template
[Insert location/hyperlink to external location of this document]
[We have included a template for this document in 02_Manual_Supporting_Docs.]
7.12 Records Management Policy
1. Policy Statement
The company recognises and understands that the efficient management of its records is necessary to support its core business functions, to comply with its legal, statutory and regulatory obligations and to enable the effective management of the organisation as a whole.
This policy and related documents meet the standards and expectations set out by the FCA and other associated regulatory bodies on the management of business records, with the direct aim of ensuring a robust and structured approach to document control and systems.
2. Purpose
The purpose of this policy is to provide the company’s statement of intent on how it provides a structured and compliant records management system with records being defined as all documents, regardless of the format, which facilitate the business activities, and which are thereafter retained to provide evidence of its transactions or activities.
Such records may be created, received or maintained in hard copy or in an electronic format with the overall definition of records management being a field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use, distribution, storage and disposal of records (as defined by ISO15489). It constitutes a series of integrated systems related to the core processes of the organisation which ensure that evidence of, and information about, its activities and transactions are captured and maintained as viable records.
3. Scope
The policy applies to all staff (meaning permanent, fixed term and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with the company in the UK or overseas) within the organisation and has been created to ensure that staff deal with the area that this policy relates to in accordance with legal, regulatory, contractual and business expectations and requirements.
4. Objectives
Records contain information that is a unique and invaluable resource and an important operational asset. A systematic approach to the management of the company’s records is essential to protect and preserve such records as evidence of all business actions and activities.
Records management is necessary to: –
- ensure that the business conducts itself in a structured, efficient and accountable manner
- ensure that the business realises best value through improvements in the quality and flow of information and greater coordination of records and storage systems
- support core business functions and provide evidence of conduct and the appropriate maintenance of associated tools, resources and outputs to clients and regulators
- meet legislative, statutory and regulatory requirements
- deliver services to staff and stakeholders in a consistent and equitable manner
- assist in policy formation and managerial decision making
- provide continuity in the event of a disaster
- protect the interests of the organisation and the rights of employees, clients and present and future stakeholders
The company will manage records efficiently and systematically, in a manner consistent with ISO15489 and regulatory Codes of Practice on Records Management. Records will be created, maintained and retained in order to provide information about and evidence of the company’s transactions and activities. Retention schedules will govern the period that records will be retained and can be found in the related Record Retention Periods document.
Records management training is mandatory for all staff as part of the company’s statutory and compliance training programme.
5. Responsibilities
The company has a corporate responsibility to maintain its records and record-keeping systems in accordance with the regulatory environment. [Designated Person] is responsible for drafting and providing guidance for good records management practice and promoting compliance with this policy, in addition to advising on the policy and best practice. [The Administration Team] have overall responsibility for the easy, appropriate and timely retrieval of information, and for its storage and destruction in conjunction with this policy.
Line Managers of each department have overall responsibility for the management of records generated by their department’s activities, namely to ensure that the records created, received and controlled within the purview of their department, and the systems (electronic or otherwise) and procedures they adopt, are managed in a way which meets the objectives of this policy.
[Designated Person] is responsible for ensuring that records of all meetings with a direct impact on core business functions or document control, are logged and disseminated in accordance with this and related policies.
Line Managers are responsible for ensuring that full records of any team meetings are kept and retained and copies to be distributed and shared electronically with other relevant staff members.
The company will ensure that all staff are provided with the time, resources and support to learn, understand and implement the records management documents and related procedures and that departmental managers are supported in completion of the records management training, assessments and audits.
7.13 Change Management Policy
1. Policy Statement
The company’s change management policy and procedures set out our statement of intent, objectives and procedures and contains guidance to managers and staff who are involved in the development and implementation of changes in working arrangements, procedures and practices of the organisation. The document also applies to managing changes involving redundancy and the redeployment of staff due to resources, including the ending of fixed term employment contracts.
We are committed to ensuring that changes in the workplace, whether with systems, processes or staff, are managed effectively and efficiently and that all risks are taken into consideration prior to implementing any changes. We understand that changes can be disruptive to those involved and that a clear set of objectives and steps is necessary for ensuring effective communication throughout the process. The company seeks to establish fair, robust and transparent principles and processes so that staff are supported throughout any changes and the interests of our customers are always considered.
2. Purpose
Change management and the requirement for change in the workplace can arise for a variety of reasons and the impact of change can also differ greatly. In recognition of this, the company will take steps to engage and support managers and staff appropriately during any significant workplace change.
It is the company’s aim to maintain and enhance the efficiency and effectiveness with which its core purposes and activities are carried out while seeking to safeguard confidential information, legal, contractual and regulatory requirements and laws and both the existing and future employment of staff.
The purpose of this Change Management policy and its related procedures is to establish the fair, robust, and transparent principles and processes to be followed so that the company’s interests are protected, and all staff are treated fairly.
Change management, as it relates to this and any complementary document, is the amendment, revision, deletion or removal of any record, procedure, task, role or employee which can or does affect the business in part or as a whole. Such change is to be recorded, disseminated and explained in such a way as to ensure that fair, legal and regulatory due diligence is afforded.
3. Scope
The policy applies to all company staff (meaning permanent, fixed term and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with the company in the UK or overseas) within the organisation and has been created to ensure that staff deal with the area that this policy relates to in accordance with legal, regulatory, contractual and business expectations and requirements.
4. What is Change Management?
Change Management can be defined in two separate ways, both of which are addressed in this policy and procedure document.
- a) Information/IT Change Management – changes made to business documents, systems and/or processes.
- b) Employee/Role Change Management – changes made to job roles or staff, including contractual hours and redundancy.
It is natural that when change is introduced into an organisation, one or more of the below will be impacted: –
- Processes
- Systems
- Organisation structure
- Job roles
- Customers
- Outcomes
Change must therefore be affected with consideration and planning, hence the requirement for change management protocols. Organisational change is driven by the business needs of the company and can be triggered by either the external environment or by an internal review of service and/or system requirements.
5. Objectives
Change is an essential part of any business; however, the effects of change to processes and roles can be both disruptive and stressful for those involved. Changes in business can occur for many reasons, but usually involve improvements to the business overall, made by making staff and/or procedural changes throughout the life of the business.
It is important that change is managed fairly and in a transparent way and that when changes are made to existing processes or business activities, due care and attention is paid to ensure that risks have been assessed, identified and mitigated against prior to any such change being actioned.
The Change Management policy and procedures have been put into place to ensure that: –
- the business conducts itself and any change in a fair, transparent and secure manner enabling accountability to be clear at each step
- managers and staff are kept informed about considered, pending and current changes taking place within the organisation
- changes are conducted in accordance with any operational, legal, contractual and regulatory laws and guidance
- records of all changes are kept as per the associated retention period specified and audits on any previous changes can be completed
- changes to processes and/or systems are assessed and reviewed prior to amendment and a risk assessment is carried out on possible change implications
- risks associated with change will be mitigated against where possible
- employment law will be followed regarding changes to staff roles, hours and redundancy
The company will manage change efficiently and systematically, in a manner consistent with ethical and legal requirements and expectations.
6. Change Management Procedures
6.1 Document, Process and IT Change Management
The company proposes to conduct and accomplish changes in the most effective and efficient manner whilst minimising the impact to business, staff, costs, customers/clients and risks.
All IT/Process changes within the organisation will be documented in the Change Management Log and all changes involving systems, documents and/or existing procedures will follow the below procedural steps: –
- Formally Request a Change – All requests for change will be documented within the Change Management Log and will be overseen by [Designated Person]. A new change record will be created and a new request for change will be completed by the [Designated Person] with input from the person/s requesting/suggesting the change.
- Categorise and Prioritise the Change – The [Designated Person] will assess the urgency and impact of the change on the infrastructure, end user productivity and budget.
- Analyse and Justify the Change – The [Designated Person] will work alongside the person/s requesting the change to develop justification for the change and to identify how the change may impact the staff, business operations and company budget. A risk and impact analysis is also completed at this stage to ensure that technical, informational and ethical impacts and risks have been considered and assessed.
- Approve and Schedule the Change – An efficient process for implementing the Request for Change (RFC) is created and assessed by Senior Management, Directors, the Compliance Officer and IT Managers to ensure that all risks and impacts have been identified and all involved staff have been made aware of the proposed changes and the route to implement said change.
- Complete the Implementation of the Change – Following the approved process for implementing the change, those assigned the change task will complete the change and ensure that the Change Management Log and any other affected documents or systems are updated accordingly.
- Post-Implementation Review – A post-implementation review is conducted to determine whether the change has achieved the desired goals. Post-implementation actions include deciding to accept, modify or back out the change and finalising the change documentation within the Change Management Log.
In following the above steps and processes for carrying out a change within the company, we ensure that the below measures are also undertaken: –
- Consultation with key stakeholders prior to any change taking place
- All changes and requests are documented and authorised
- Change is assessed to ensure it meets the agreed business needs and/or objectives
- Standard changes are logged within 7 working days of the planned change start date
- All change management plans have a clearly defined and documented scope
- Plans and supporting documentation are provided and disseminated to all employees at least 2 weeks before any significant change and 1 week before any minor change
- All changes are assessed for risk, impact and business benefit, regardless of size or scope
- Where employee training is required in relation to the proposed change, this is developed and implemented prior to the change taking effect
- We fully consider and create a plan for how the change can be reversed or remedied if unsuccessful
6.2 Types of Change
There are three types of changes that are based on approvals needed through the change management process: –
- Standard Change – A relatively low-risk change with well-understood outcomes that is regularly made during business. A Standard change follows pre-determined processes, is pre-approved by change management processes and may be made at the discretion of an individual employee, provided it has been defined as Standard per the Change Management assessment process.
- Significant Change – A Significant change is one that has medium to high risk for critical services, involves less understood risks, has less predictable outcomes, and/or is a change that is not regularly made during business. Because of the ability to affect services, any proposed Significant change must be reviewed by Senior Management and/or the proposed Change Management Officer.
- Emergency Change – this is like a Significant change but must be executed with the utmost urgency. There may be fewer people involved in the change management review, and the change assessment may involve fewer steps, but any Emergency change must be authorised by the company Directors, the Compliance Officer and the IT Manager.
6.3 Request for Change (RFC)
The Request for Change (RFC) is a standard document or form that is created by the person/s requesting the change. It contains and captures all the relevant information about the proposed change, ranging from basic facts about the change to more complex and technical specifications necessary for completing the change.
Initiators of the proposed change should seek to identify as much of the following information as possible: –
- Unique Identifier or Account Number
- Date of submission
- Change Owner
- Initiator of the RFC
- Proposed Change Summary
- Priority level
- Description of the Change
- Reason for the Change to be implemented
- Costs
- Benefits
- Consequences (if the change is or is not implemented)
- Services/systems/employees/departments affected by the change
- Risks
- Mitigating factors
- Timeframe
- Budget
- Additional information
- Supporting documents
6.4 Business Risk & Impact Analysis
Any change to a document, process or system will carry a risk and can leave gaps in tasks which may be overlooked. It is essential that all changes are assessed prior to implementation for both impact and risk that could be caused to the business.
The [Designated Person] will consult and work closely with each business unit to advise on the proposed change and to conduct a business risk and impact analysis. The business risk and impact analysis is completed when a new change record is created. The business risk and impact process evaluates the impact of the change as it relates to the ability of the company to conduct business.
The assessment should: –
- Evaluate business risk/impact of both doing and not doing the change
- Analyse the timing of the change to resolve any conflicts and minimise impact
- Ensure all affected parties and departments are aware of the change and understand its impact
- Determine if the implementation of the change conflicts with the business cycle
- Ensure current business requirements and objectives are still able to be met during and after the change.
6.5 Implementing the Change
Once the RFC has been assessed and approved, the process can then move into the implementation stage. The process for implementing that change as devised by the Change Manager and person/s requesting the change is to be used at this stage and followed exactly.
Once the change has been implemented, the Change Management Log is to be completed and any previous version of the document or process (if applicable) is to be revised and a new version added to the Document Control System.
It is important to note on the Change Management Log: –
- What was changed
- Who made the change
- When the change was made
- Why the change was made
- Implementation date
- Authorised by
6.6 Staff and Role Change Management
The company understands that change to roles, tasks and staffing can be both disruptive and stressful for those involved and as such this Change Management document gives guidance for managing changes that relate to staff and their roles.
This document should be read in conjunction with the Employee Handbook and Redundancy Procedures for the full obligations and processes with staff and/or role change management.
6.7 Task or Process Reallocation
It is essential from time to time for tasks to be reallocated to other staff or departments for financial, operational or educational purposes and whilst such reallocations are not deemed by the company as being a part of the Change Management plan, it is still important that we carry out such changes with fair and transparent consideration.
Where task reallocations occur, all staff involved will be advised accordingly and offered a chance to ask questions regarding the change. Support and training will be provided where applicable and mentorship given for a designated period, as applicable to the task involved.
6.8 Restructuring
Company restructuring can occur for a variety of reasons and can also be a method for avoiding redundancy in some cases. Where restructuring is an option, a Consultation Team should be set up with a view to managing the restructuring and any subsequent changes and staff questions.
An Impact Assessment for Change and a Staff Wellbeing Risk Assessment should be undertaken by the Consultation Team where restructuring is being considered, with additional help from the HR department and, if applicable, the legal team. The aim of such assessments is to identify whether any action is required before and during the restructure. The outcomes of these will be reviewed as appropriate during the process to identify any further actions required.
The Consultation Team will consider any roles in the existing structure of the organisation which can be reasonably matched to roles or staff in the proposed new structure. This will identify staff whose roles will and will not be affected. Wherever possible, affected staff will be able to express an interest in positions in the new structure and as such will be offered support and training to make them fit for purpose in the new role.
6.9 Post-Restructuring Review
When restructuring has concluded, there should be follow-ups at 3, 6, 12 and 26 weeks with all staff affected by the change, held as one-to-one meetings with the Consultation Team or a member of the HR department. These reviews are to assess the effectiveness of the restructuring and to ensure that staff affected are happy and supported in their new roles.
Such reviews will focus on improvement and measures to manage the change, rather than changing decisions made during restructuring.
6.10 Redundancy
It is always the aim of the company to avoid redundancy where possible and to implement a restructuring program instead. However, where redundancies are deemed essential, all appropriate steps will be taken to minimise the emotional and financial impact to staff.
The standard Change Management steps are to be followed for the change associated with redundancies; in addition, the Employee Handbook and company Redundancy Policy and Procedures are to be followed in this instance.
- Responsibilities
The company has a corporate and ethical responsibility to ensure that change within the workplace is managed in a fair and transparent manner. Where the change applies to documents or procedures, the Change Management Log is to be used to record the reason for change, change date and authorising manager as well as providing clear evidence that any changes have been assessed for risk and mitigating actions put into place.
[Designated Person] is responsible for drafting changes, keeping the Change Management Log up to date and providing guidance and support to managers and staff. This is to promote best practice and compliance and to ensure that change is managed in accordance with the related procedures.
Line Managers of each department have overall responsibility for change management within their own area of work and for that of their staff; however, this is to be run in liaison with [Designated Person], who is to be kept informed of changes at all times.
The company will ensure that all staff are provided with the time, resources and support to learn, understand and implement change management procedures and that any changes are conducted with operational, contractual and legal guidance in mind.
7.13.1 Change Request Form
[Insert location/hyperlink to external location of this document]
[We have included a template for this document in 02_Manual_Supporting_Docs.]
7.13.2 Change Management Register
[Insert location/hyperlink to external location of this document]
[We have included a template for this document in 02_Manual_Supporting_Docs.]
7.14 Conflict of Interest
A conflict of interest can occur where a person or firm could have their motivations influenced or corrupted by having an invested, personal, financial or emotional interest in a situation or activity.
The company confirms that it complies with its obligations under the regulatory system and that we have the required procedures and controls in place to: –
- identify conflicts of interest between us (including all staff or any people linked to us) and a client of the firm, or between a client of the firm and another client
- keep a record of the types of conflict which may arise due to the nature of the services that our firm offers, and ensure that any conflicts identified are added to this list and disseminated immediately
- manage any conflict and aim to prevent them prior to them arising
- ensure that where a conflict of interest cannot be prevented, it is disclosed to the client/s prior to any agreements or advice being provided
The company has a robust and comprehensive conflicts of interest policy and procedures in place which are maintained and reviewed frequently in accordance with our internal audit procedures.
7.14.1 Chinese Walls
Chinese walls are also referred to as ‘Information Barriers’ and are designed to prevent the spread of confidential information within a firm, which in turn helps to mitigate against conflicts of interest by ensuring that information is only available to those who need operational access to it.
Chinese walls within the company have been created between departments to prevent the unnecessary flow of information which is not relevant or required by other departments or employees to perform their job roles or tasks.
In its handbook, the FCA defines a Chinese wall as “an arrangement that requires information held by a person in the course of carrying on one part of the business to be withheld from, or not to be used for, persons with or for whom it acts in the course of carrying on another part of its business.”
7.15 Conflict of Interest Policy
- Policy Statement
The company is committed to the identification and fair management of any conflict of interest which may arise in the normal course of business. In accordance with the Financial Conduct Authority (FCA) Handbook, and specifically Principle 8 and section SYSC 10, we aim to manage conflicts of interest fairly, both between the company and our customers, and between one customer and another.
- Purpose
The purpose of this policy is to provide clear guidance on managing conflicts of interest and to ensure a fair and transparent approach. As a service provider in the [Financial Services/Consumer Credit] sector, it is natural that we face conflicts of interest from time to time, and it is our aim to take measures and implement controls to identify and manage any such conflict.
- Scope
The policy applies to all staff (meaning permanent, fixed term, and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with the company in the UK or overseas) within the organisation and has been created to ensure that staff deal with the area that this policy relates to in accordance with legal, regulatory, contractual and business expectations and requirements.
- What Is a Conflict of Interest?
A conflict of interest as it relates to business is defined as an action or relationship that may impair the ability to make an objective and fair decision. This conflict can arise from the impairment of an individual employee or as a business activity.
A conflict of interest in a financial firm is defined as an employee or the firm itself having a financial interest in a client or business activity with which it is involved, resulting in the potential compromise of the advice, products or services provided to the detriment of the client.
Financial conflicts of interest are generally seen as tangible because they can be observed and measured; however, this is not always the case, so it is important for firms to put controls, systems and procedures in place to assess, identify, manage and monitor conflicts of interest.
5. Objectives
The company has laid out the below objectives which it aims to meet when dealing with financial conflicts of interest: –
- Ensure clear procedures are in place for identifying and managing conflicts of interest.
- Ensure that all staff are provided with training on identifying and dealing with conflicts of interest, including being advised of the responsible person within the firm.
- Ensure that we comply with FCA Principle 8 and handbook section SYSC 10 on managing conflicts of interest.
- We will ensure that all conflicts, including potential conflicts, are recorded and continuously monitored, including any risks associated with such conflicts.
- We will maintain and operate effective organisational and administrative arrangements with a view to taking all reasonable steps to prevent conflicts of interest as defined in SYSC 10.1.3.
- If the mitigating measures and controls used to prevent conflicts of interest are not successful in preventing risk to clients, we will clearly disclose the general nature and sources of the conflicts before undertaking any working relationship with the client.
- We will ensure that this Conflicts of Interest policy is updated and maintained in accordance with legal and regulatory requirements and any updates are communicated to staff in a timely manner.
6. Types of Conflict of Interest Relevant to the company
6.1 Types of Conflict of Interest
When identifying conflicts of interest that may arise, the company considers whether the firm or any employee: –
- Is likely to make a financial gain, or avoid a financial loss, at the expense of the client.
- Has an interest in the outcome of a service provided to the client, or of a transaction carried out on behalf of the client, which is distinct from the client’s interest in that outcome.
- Has a financial or other incentive to favour the interest of another client or group of clients over the interests of the client.
- Carries on the same business as the client.
- Receives or will receive from a person other than the client, an inducement in relation to a service provided to the client, in the form of monies, goods or services, other than the standard commission or fee for that service.
6.2 Circumstances Leading to Conflicts of Interest
[Section SYSC 10.1.11 of the FCA Handbook advises what should be contained in this COI Policy, which includes circumstances which constitute or may give rise to a conflict of interest in your business – below YOU must add the circumstances relevant to your business that could result in a conflict of interest.]
EXAMPLES
- Providing services in different capacities at the same time
- Giving financial advice that directly benefits the firm and/or any of its employees
- Acting for more than one client in a financial transaction
- Accepting benefits or gifts that could be construed as conflicting with our duties to the client
- ADD YOUR CIRCUMSTANCES IN PLACE OF THESE
7. Our Measures and Procedures
The full Conflicts of Interest procedures for the company can be found in our separate Procedure Document [This is not supplied as they are bespoke to each firm], however below is a summary of the measures and controls we have in place to identify and manage conflicts of interest.
7.1 Information Barriers
Effective and robust procedures are in place to control the flow of information where a client may be at risk of a conflict of interest. Access to confidential information is restricted to those staff members who have a proper requirement due to the nature of their role or business activity. Information barriers have been set up as part of our COI procedures to prevent the flow of information to and from other parts of the firm, which serves to mitigate against conflicts of interest.
The company complies with all laws and regulations on the handling of any such information and procedures are in place for the use, storage and retention of any such data.
7.2 Separate Supervision
If two or more departments within the firm could incur a conflict of interest in working together, these departments have clear separation of duties as well as separate supervisory procedures and managers.
7.3 Remuneration
Staff members who are exposed to conflicts of interest in their role or business activities are not subject to performance-related commissions or bonuses. Any incentives or bonuses offered to staff are strictly monitored by management to ensure that conflicts of interest are not a deciding factor and cannot be construed as such. No pay is linked to specific clients or transactions.
7.4 Disclosure
Where there is no way to prevent the conflict of interest, the company will disclose the nature and source of the conflict to the client/s prior to forming a working relationship with them. All disclosed conflicts will be recorded on the COI Register for auditing and regulatory purposes.
This disclosure is done with the intent of allowing the client to make an informed decision regarding the working relationship and nature of the conflict.
7.5 Removal from Duty
On occasion, staff may be removed from tasks, transactions or working client accounts where a known conflict of interest has been identified.
- Record Keeping
In accordance with the FCA rules for identifying and managing conflicts of interest, the company maintains a COI Register which records all the regulated activities undertaken by the firm in which a conflict of interest entailing a material risk of damage to the interests of one or more clients has arisen or may arise.
- Responsibilities
9.1 The company ensures that all staff are provided with the time, training and support to learn, understand and implement the Conflicts of Interest Policy and subsequent procedures. Management are responsible for a top-down approach and for ensuring that all staff are included and have the support needed to meet the regulatory requirements in this area.
9.2 The Compliance Officer and Senior Management are responsible for developing the procedures to identify and manage conflicts of interest and for monitoring these procedures to ensure that they are fit for purpose.
7.15.1 Conflict of Interest Register
The company utilises a Conflict of Interest Register for recording actual and possible conflicts, who is involved, the type of conflict and any action taken to mitigate or remove the conflict. This register is maintained by [insert name], who is responsible for keeping the records up to date, reporting to management and ensuring that any actions have been implemented within a set timeframe. All records are retained for a minimum of 6 months after the interest has expired.
[Insert location/hyperlink to external location of this document]
[We have included a template for this document in 02_Manual_Supporting_Docs.]
7.15.2 INSERT: Conflict of Interest Procedures
[Insert your existing procedures for Conflict of Interest here, ensuring that they comply with the requirements under SYSC 10 if applicable to your firm.]
7.16 Whistleblowing
The company complies with all aspects of the Public Interest Disclosure Act 1998 and adopts a positive approach towards staff reporting any potential or suspected wrongdoing as it applies to legislative, regulatory or statutory requirements.
Our policy provides further information on our intentions in this area and contains guidance for staff on reporting any such wrongdoing and assurances as to the confidentiality of any report.
We confirm that we have provisions in place to comply with the PIDA and have internal procedures which are clearly communicated to all staff with regards to any concerns that they may have.
7.16.1 Public Interest Disclosure Act
The Public Interest Disclosure Act 1998 is an Act of Parliament that includes provisions for protecting whistleblowers from any adverse or detrimental treatment by their employer or colleagues. The aim of the Act is to ensure that any wrongdoing within an organisation can be reported to the authorities or regulators without the reporter fearing repercussions in relation to their job or treatment.
The company supports the whistleblowing provisions and has put an internal policy in place to ensure that its staff feel no adverse or negative consequences or pressure when considering reporting any wrongdoing.
7.17 Whistleblowing Policy & Procedures
- Policy Statement
The company takes seriously any valid and non-malicious disclosure of a failing within the firm, either by the firm itself through operational failings or by any staff member or associated individual.
We support all staff and encourage an open and transparent workplace where employees feel safe to report any concerns that they may have. When a person/employee reports a concern and advises that the disclosure has been made under the firm’s Whistleblower Policy, we will take every measure to ensure that the staff member’s identity is protected and that they are treated in a fair and confidential manner.
The company complies with all aspects of the Public Interest Disclosure Act 1998 and adopts a positive approach towards staff reporting any potential or suspected wrongdoing as it applies to legislative, regulatory or statutory requirements.
Our policy provides further information on our intentions in this area and contains guidance for staff on reporting any such wrongdoing and assurances as to the confidentiality of any report. We confirm that we have provisions in place to comply with the PIDA and have internal procedures which are clearly communicated to all staff with regard to any concerns that they may have.
- Purpose
The purpose of this policy is to set out the company’s intent and approach with regard to complying with the Public Interest Disclosure Act 1998 and our own internal Whistleblower Policy and procedures. The policy is designed to deal with any concern raised in relation to issues which are in the public interest and are not already covered within the company’s existing policies and procedures.
We maintain a transparent and open workplace where all staff are encouraged to report any suspicions or concerns to a Manager or designated person without fear of recrimination or further consequences. All such reports are held in the strictest confidence and reporting staff will be treated with due consideration and respect.
- Scope
This policy applies in full to the company and its staff (meaning permanent, fixed term, and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with the company in the UK or overseas). Any member of staff who does not follow this policy and any associated procedures will be subject to disciplinary procedures and possible termination from the company.
- What is Whistleblowing?
For the purposes of this policy, ‘whistleblowing’ refers to any individual who has become aware of an illegal activity taking place in or in association with the company and who shares this information with another person, authority or regulator, for the purposes of reporting it.
The person doing the reporting is known by the term ‘whistleblower’. This person can be an employee, contractor, agent, client, supplier or any other 3rd party associated with the company. Despite the stigma surrounding the term ‘whistleblowing’, the company views this act in a positive light and will work to protect the identity and reputation of any person who comes forward to report actual or suspected illegal activities.
4.1 Who Can Raise a Concern?
Any member of staff who has a reasonable belief of a qualifying disclosure can raise and/or report a concern. A qualifying disclosure is information about malpractice, which includes, but is not limited to, criminal offences, failure to comply with legal and/or regulatory obligations, threats to or breaches of the health and safety of an individual, damage to the environment and/or a deliberate attempt to cover up any of the above.
Under the Public Interest Disclosure Act 1998, all workers, including temporary agency staff and persons on training courses (excluding volunteers) can raise a concern without malice and in good faith. Disclosures must not be made for purposes of personal gain and the policy does not apply to personal grievances regarding: –
- An employee’s terms and conditions of employment
- Any aspect of the working relationship
- Complaints of bullying or harassment
- Disciplinary matters
4.2 Public Interest Disclosure Act 1998
The Public Interest Disclosure Act 1998 is an Act of Parliament that includes provisions for protecting whistleblowers from any adverse or detrimental treatment by their employer or colleagues. The aim of the Act is to ensure that any wrongdoing within an organisation can be reported to the authorities or regulators without the reporter fearing repercussions in relation to their job or treatment.
The company supports the whistleblowing provisions and has put an internal policy in place to ensure that its staff feel no adverse or negative consequences or pressure when considering reporting any wrongdoing.
Under section SYSC 18.2 of the FCA Handbook, the regulator advises that: –
Under the PIDA, any clause or term in an agreement between a worker and his employer is void in so far as it purports to preclude the worker from making a protected disclosure (that is, “blow the whistle”).
In accordance with section 1 of the PIDA: –
- a protected disclosure is a qualifying disclosure which meets the relevant requirements set out in Part IVA of the Employment Rights Act 1996
- a qualifying disclosure is a disclosure, made in the public interest, of information which, in the reasonable belief of the worker making the disclosure, tends to show that one or more of the following (a “failure”) has been, is being, or is likely to be, committed: –
- a criminal offence
- a failure to comply with any legal obligation
- a miscarriage of justice
- the putting of the health and safety of an individual in danger
- damage to the environment
- deliberate concealment relating to any of the above
The company confirms that it understands the above clauses and has taken into consideration any provisions within the Act which apply to the firm, when developing and implementing our Whistleblower Policy and Procedures.
- Objectives
The company aims to ensure that: –
- All staff are made aware of their rights under the PIDA
- All staff are made aware of any verbal or written procedures and guidance that we have in place and how it applies to them
- All staff are aware that any concerns or suspicions of wrongdoing are to be reported to a manager immediately and that any such report will not result in any negative consequences or detrimental treatment within the workplace by any other staff member
- Staff are made aware of alternate reporting lines (i.e. Compliance Officer, HR Manager), should they wish not to disclose their concern to a direct line manager
- Staff are made aware that any false or malicious reports will be penalised by the firm and disciplinary action will be taken
- All staff are made aware of external advice providers with whom they can communicate
- All staff are protected from victimisation, harassment or disciplinary action as a result of any disclosure.
The whistleblower should make it clear that they are making their disclosure within the terms of this whistleblowing policy, which ensures that the recipient of the disclosed information realises this and takes the necessary action to investigate the disclosure and to protect the whistleblower’s identity.
In accordance with the FCA’s updated regulatory requirements on whistleblowing, the company will ensure that the below regulatory objectives are met and put into place.
The company confirms that we will: –
- appoint a Senior Manager as our whistleblower’s champion
- put in place internal whistleblowing arrangements able to handle all types of disclosure from all types of person
- put text in settlement agreements explaining that our workers have a legal right to blow the whistle
- tell our UK-based employees about the FCA and PRA whistleblowing services
- present a report on whistleblowing to the board at least annually
- inform the FCA if we lose an employment tribunal with a whistleblower
- require our appointed representatives and tied agents to tell their UK-based employees about the FCA whistleblowing service
- Whistleblower Protection & Rights
The company takes any suggestion or report of illegal activity associated with the company very seriously and will always carry out a full investigation into any allegations. This policy has been written in consideration of the Public Interest Disclosure Act 1998, which protects any employee who makes a disclosure about certain matters of concern, when those disclosures are made in accordance with the Act’s provisions and in good faith.
We fully support that clause in this Act which makes it unlawful to dismiss anyone or allow them to be victimised on the basis that they have made an appropriate lawful disclosure in accordance with the Act. We will also ensure that any employee who makes a disclosure under this Act and policy is supported and protected against harassment and/or victimisation.
The company does not tolerate any harassment or victimisation of a whistleblower (including informal pressures, suggestions or remarks) and will take appropriate action to protect any employee who raises a concern in good faith. Any employee found to be the cause of harassment or victimisation will be considered to have committed a serious disciplinary offence and will be dealt with under the disciplinary rules and procedures.
All concerns will be treated in confidence and every effort will be made not to reveal the identity of the disclosing employee if they so wish. We also support the making of disclosures anonymously if an employee feels this is their only option; however, we would encourage any employee to put their name to an allegation where possible so that a follow-up and proper investigation can be conducted.
- Procedure
The company ensures that all staff are aware of the Whistleblowing Policy and Procedures and are provided with access to the Whistleblowing Incident Form and reporting lines. Any employee wishing to raise a concern is asked to follow the process below.
7.1 Raising a Concern
- Obtain a copy of the Whistleblowing Complaint Form from [Insert hard Copy/Electronic Location of Form]
- Complete the Whistleblowing Complaint Form, ensuring all details are provided
- Submit the completed form to [Insert Name/Position]
7.2 Non-Whistleblowing Complaints
Where the assigned investigator deems that the complaint should be dealt with under alternative company procedures (e.g. the general complaints procedure or grievance procedure), they will advise the person making the disclosure of the appropriate steps to follow.
7.3 Whistleblowing Complaints
Where the investigator considers the complaint to be subject to the Whistleblowing Procedures, the complaint assessment process is followed, and the investigator decides whether the matter raised should be: –
- Investigated internally
- Referred to an external auditor
- Referred for independent enquiry
- Reported to the authorities and/or regulating body
7.4 Complaint Assessment
All Whistleblowing Complaint Forms are assigned to a designated person who is responsible for: –
- Investigating the concern raised
- Deciding if the complaint should be dealt with under the Whistleblowing Procedure
- Gathering additional and/or supporting information
- Reviewing the complaint
- Completing the Whistleblowing Complaint Form
Where the investigator decides not to proceed with an investigation, or decides after reviewing the complaint details that no outcome actions are required, this decision is explained fully to the individual who raised the concern.
The individual is then advised that if they disagree with the decision not to proceed, they may report the incident again to [Insert Name/Position] or an independent body.
7.5 Investigation Outcome
Where the complaint is found to be substantiated, the investigator will complete the Whistleblowing Complaint Form with the review outcome and advise of the next steps to be taken. Where the incident is dealt with internally, the resulting actions are recorded on the form and any formal disciplinary actions (if applicable) are noted.
- Responsibilities
It is the responsibility of all managers to ensure that this policy is disseminated to and understood by all staff and that the supplementing procedures and reporting lines are also made clear and are available for reference.
All staff are expected to comply with the PIDA, any related regulatory requirements and our own internal policy and procedures; failure to do so may lead to disciplinary action being taken.
7.17.1 Whistleblowing Complaint Form
[Insert location/hyperlink to external location of this document]
[We have included a template for this document in 02_Manual_Supporting_Docs.]
7.18 Remuneration
Remuneration is defined as a benefit or reward of employment and includes payments such as salary, benefits (company car, health plan etc.), bonuses, commissions and overtime wages.
Such remuneration must be paid in a way that does not expose the firm to any additional risks or acts of bribery, and the company has a strict Remuneration Policy & Procedures in place to ensure that we comply with all legal and regulatory requirements in this area.
Where any performance related salary or commission is applicable to a job role, the company has ensured that it meets the regulatory requirements and that risk assessments have been carried out to mitigate against any known or unknown risks and acts of unintentional bribery.
Any documents relating to performance-related pay, such as appraisals or employee performance reviews, are retained for audit purposes and are recorded appropriately to comply with the regulatory requirement.
[Mortgage/Home Finance Activities] We confirm that where the firm or any staff working on behalf of the firm are paid by commission, this is always disclosed in writing (and verbally where applicable) to consumers. Relevant written materials carry a disclosure statement advising consumers that they have the right to ask for information on the commissions paid by different lenders. They are also provided with ways to access relevant market data to allow them to respond to such a request.
We also ensure that in compliance with the Mortgage Credit Directive (MCD), the remuneration of our advisers is not contingent on any of their sales targets.
7.18.1 FCA Remuneration Code Principles
- Principle 1: Risk management and risk tolerance
- Principle 2: Supporting business strategy, objectives, values and long-term interests of the firm
- Principle 3: Avoiding conflicts of interest
- Principle 4: Governance
- Principle 5: Control functions
- Principle 6: Remuneration and capital
- Principle 7: Exceptional government intervention
- Principle 8: Profit-based measurement and risk adjustment
- Principle 9: Pension policy
- Principle 10: Personal investment strategies
- Principle 11: Non-compliance with the Remuneration Code
- Principle 12: Remuneration structures – introduction
- Principle 12(a): Remuneration structures – general requirement
- Principle 12(b): Remuneration structures – assessment of performance
- Principle 12(c): Remuneration structures – guaranteed variable remuneration
- Principle 12(d): Remuneration structures – ratios between fixed and variable components of total remuneration
- Principle 12(e): Remuneration structures – payments related to early termination
- Principle 12(f): Remuneration structures – retained shares or other instruments
- Principle 12(g): Remuneration structures – deferral
- Principle 12(h): Remuneration structures – performance adjustment, etc.
7.19 Remuneration Policy
1) Purpose
The purpose of this policy is to set out the company's intent and approach with regard to remuneration and to ensure that we comply with the regulatory requirements as laid out by the FCA in section SYSC 19 of its handbook.
We maintain clear and detailed records of all remuneration procedures and any associated documents, which include (but are not limited to) performance appraisals, interviews, contractual agreements and remuneration structures.
We promote a fair and transparent remuneration system and are able to provide risk assessments for each remuneration area to show that any associated operational or external risk has been identified, considered and mitigated against where applicable.
2) Objectives
It is the company’s aim to ensure that: –
- Any remuneration benefits (health cover, pensions etc) have their own policies and have been put into place after careful risk assessments have been carried out
- We have a robust and clear remuneration structure in place which is available to all staff
- Staff are remunerated in accordance with the achievement of the objectives linked to their functions, independent of the performance of the business areas they control
- Remuneration and any associated benefits are adequate to ensure qualified and skilled staff are attracted to the relevant positions
- We identify any Code Staff and keep their details recorded for regulatory purposes
- We have measures in place to ensure that all Code Staff are made aware of the policies, procedures and regulations regarding remuneration and that they understand any implications of this status in relation to the requirements of the Code
- We have procedures in place to ensure effective risk management
- We have a robust Conflicts of Interest Policy, Procedures and employee guidance in relation to remuneration
- Consumers are always made aware if we are paid by commission and are advised of their right to ask for information on the commissions paid by different lenders. They are also provided with ways to access relevant market data to allow them to respond to such a request
- We comply with the Mortgage Credit Directive (MCD) and ensure that the remuneration of our advisers is not contingent on any of their sales targets
3) Reward Schemes
[Detail any bonus schemes or other reward schemes that you have in place to remunerate or incentivise Code Staff for performance]
- Add scheme here
- Add scheme here
- Add scheme here
- Add scheme here
4) Responsibilities
It is the responsibility of all managers to ensure that this policy is disseminated to and understood by all Code Staff and that the supplementing procedures and regulatory rules are made clear and accessible at all times.
Code Staff are expected to comply with regulatory requirements in addition to the firm's policy and procedures on remuneration, and to understand the Remuneration Principles as defined in the FCA handbook.
7.19.1 INSERT: Remuneration Procedures
[Insert your existing procedures for Remuneration & Benefits here, ensuring that they comply with the requirements under SYSC 19 as applicable to your firm.]