REGULATORY VISIT PREPARATION
Perrin Carey
21 December 2023 at 09:00:00
Preparing for a regulatory visit can feel a bit like embarking across La Coupée, the causeway which joins big Sark to little Sark.
It's about 100m long. It is a high ridge 80 metres (262 ft) above the sea which is only some three metres in width. It doesn't have to feel like that, however.
There have been a series of webinars over the last few months endeavouring to provide support and guidance to regulated organisations preparing for a visit from their regulator. I delivered one such webinar.
Below are the key takeaways, but during my session, I polled the attendees. This poll clearly indicated a considerable degree of nervousness, still, even now, after years of regulatory inspections.
I guess this could easily come from such a visit; however, in my view, this does not have to be the case. These visits should be approached with a degree of openness to the possibility of failure [not absolute failure of course, but the realisation that regardless of your organisation, non-compliance exists].
There is a degree of probability that areas of improvement may be identified.
Of course, from failure comes learning.
The trouble is, we do not see failure as a possibility, because failure is viewed as a measure of success, but it shouldn't be. The ability to be open to the possibility of failure is in fact an acceptance that perfection is idealistic.
Brené Brown, in her work and research studying vulnerability, fear, courage and shame, highlights:
“There is no innovation and creativity without failure. Period.”
She goes on to say in her TED Talk in 2012,
"Vulnerability is the birthplace of creativity, innovation and change."
These are not motivational quotes. These are statements stemming from over a decade of sound, valid and robust scientific research.
Failure has to be an option. It has to be on the table.
So where does this take you in your preparations for a regulatory visit?
Well, firstly, I'm not suggesting that you sit back and wait for failure. That's clearly not what I mean here. What I am suggesting is that you should not walk in fear of the regulator and that the best strategy is openness and willingness to co-operate, combined with a clear trail of evidence to demonstrate that you have committed to your obligations.
Not just in the letter of the regulation, but also in its spirit.
Of course, all this notwithstanding, as a regulated entity, you need to ensure that you are prepared for any inspection. This is simply sense.
So, what can you/should you do?
1. Create a team to oversee the visit and ensure there is absolute clarity over the nature of the visit
This is critical. There should be a designated group, not a single person, a group, who are all responsible for the smooth running of the visit. They are not accountable for the outcome, however; that is a responsibility for the entire company.
2. Plan the schedule, the resources and the ownership
Consider carefully, at the outset, if you have sufficient resources within your organisation to manage the visit, as well as run the business. You cannot have a scenario where all your resources are tied up in managing the visit, and operations suffer.
3. Review your key documentation including your
☑ Business Strategy
☑ Business Risk Assessment
☑ Relevant policies
☑ Compliance monitoring and assurance programme
☑ Governance framework
There are key documents that need to be up to date, need to have been reviewed at periodic intervals and need to be fit for purpose. You could consider having them reviewed by an independent party to satisfy yourself.
4. Ensure that all regulatory reviews have been undertaken such as
☑ Compliance effectiveness
☑ Corporate Governance
☑ Compliance policies
☑ Business Risk Assessment
One of the growing interests of the regulator is the assurance processes within your organisation. Are they in place? Do they have sufficient independence? Are they receiving the attention of relevant persons and the Board?
5. Prepare all senior and relevant staff thoroughly
The regulator has the right to speak with any of your staff. It is likely that they will indicate this in advance, however, as they progress through the visit, there may be members of various teams who need to be brought in to clarify certain processes or 'ways of doing things'. With this in mind, carefully preparing staff for the visit is paramount.
6. Review your outsourcing arrangements ensuring they have had proper ongoing oversight, especially if this is compliance support
Whether it's IT provision, or more extensive regulatory elements that are being outsourced, such as fund administration, all these arrangements should be reviewed. In some sectors, it's a regulatory requirement to audit key outsourcing contracts. Given the nature of the visit, I would strongly suggest that a review be carried out of any compliance or risk functions or roles that are outsourced. This is of growing interest to most regulators.
7. Communicate regularly and clearly to all staff
Not all members of staff will be directly involved with the visit, however all staff should be aware that it's happening, what it involves and the overall process including timeframes. An onsite visit is an anxious time for the board and management, but it can and does evoke concerns at all levels. There is increasing activity in the sanctions space and staff will be acutely aware of the consequences of a poor visit. Clear and regular communication can allay some of those fears and anxieties.
8. Consider any external support or guidance
It's fairly common for organisations to contact and bring in external support and guidance 'post' visit, especially if there have been a few findings and the expectation of a remediation or risk mitigation plan. Trouble is that this is the proverbial 'horse and bolted' scenario. It might be better to bring in support and perhaps carry out a pre-onsite review and give the board and staff experience of what an inspection feels like. It can reflect well with regulators, especially if this is done on an annual basis as routine.
9. Record in detail all meetings and correspondence with the regulator
This is clearly best practice in all events, however this is particularly important during this process. All documents shared, viewed, taken away need to be recorded. Conversations with all staff should be recorded in a minute or actually recorded. Any correspondence from anywhere inside the organisation should be filtered centrally through the team overseeing the visit. These all help with the requirements later where you will have to review the report for issues of fact. If you have all this recorded, if you feel there are 'issues of fact' you will be able to produce evidence to support your case.
10. Be open and co-operative at all times
Central to your overall relationship with the regulator is your openness and co-operation. The importance of this cannot be overstated, however, and this comes back to my thoughts above about 'fear of failure'. All regulators would rather hear about failures than uncover them during an onsite. If there have been any issues, instances of poor internal and external compliance assessments, these should all be reported and made visible at the outset, if they haven't already. All requests for information and documentation should be considered carefully by the internal team running the onsite; however, there will be very few instances where there should be any reason to decline. However, each should be considered. Regulators have been known to push the boundaries of their own powers, not necessarily intentionally, but simply in the course of their work.
The key overall themes here are thorough preparation, detailed and clear communication, and openness.
Consider each of the elements carefully, especially those which touch on regulatory obligations at their core.
Regulatory visits are a part of the licensing process.
My best advice is, in fact, to have regular meetings with your regulator throughout the year. Let them know and update them on key changes to your business, or any issues you encounter, whether they are regulatory obligations or not. This helps in building the trust that should exist between regulator and licensee.
It also serves to support the possibility for failure and the opportunity for learning that comes with it.