Reasonable steps: what are they and how do you evidence them?
A Senior Manager must take reasonable steps to ensure her function is controlled effectively and in compliance with regulation.
As highlighted in a recent speech by Mark Steward (Director of Enforcement and Market Oversight): “implementing the [senior managers regime] has meant firms have built into their systems explicit reasonable steps to prevent non-compliance. This has required an assessment of what may make a particular control system or function more vulnerable to failure because it is in those places that the senior manager’s reasonable steps need to be particularly evident.”
In this post, we consider what reasonable steps should look like in practice and the key areas where we expect a Senior Manager’s “reasonable steps” to be particularly evident and well documented.
The following are the key questions Senior Managers should be asking themselves to help determine what good looks like.
- What new responsibilities is the Senior Manager taking on? Are these clearly documented?
- What are key business priorities and current projects underway?
- What are the regulators’ concerns affecting the business area?
- Are there any gaps in skills/experience of the Senior Manager or relevant business area? What steps should be taken to remedy these gaps?
- What second line or third line testing has been undertaken in the business area? What were the key issues raised? How are these being, or how will they be, prioritised and remediated?
- What are the key reports/MI that the Senior Manager’s predecessor received? Do these remain appropriate?
- Is there a need for improvement in the quality of record keeping?
- When should the Senior Manager undertake an initial review of the business area (60-90-100 days in role)? What will the scope of that review look like? How will it be documented?
Roles, responsibilities and delegation
- Is it clear from the Statement of Responsibilities precisely what the Senior Manager is responsible for?
- Where responsibilities are split/shared, is the division of responsibility clearly documented and well understood?
- How are delegation arrangements documented, and are responsibilities and reporting lines clear to staff (including dual reporting lines/matrix management)?
- If delegation arrangements are documented in job descriptions, when were they last updated? Do they accurately reflect the current reporting structures and responsibilities?
- What arrangements are in place for supervision of delegates, escalation/reporting? Do staff understand escalation routes?
- Is there an audit trail evidencing how issues have been reported/escalated?
Organisational structure and governance
- Do governance arrangements facilitate effective oversight of the business/function for which the Senior Manager is responsible?
- Do committees with oversight responsibilities of the business/function have the appropriate membership (e.g. do they require attendance by second line compliance, risk or legal)? Are they advisory or decision-making fora?
- Are the responsibilities of relevant governance committees documented?
- Do minutes of the committee fairly reflect debate and challenge at the meetings?
- What reliance is placed on firm or group-wide governance arrangements? How does matrix management affect how and where issues are addressed and escalated?
- Are terms of reference, action-logging, standing agendas, meeting packs and minutes still fit for purpose? Is there a system in place for secure record keeping of these materials?
Risk management and control
- How does the Senior Manager’s business or function intersect with the firm’s risk management framework and is this sufficiently articulated and understood by delegates/direct reports?
- How does the Senior Manager rely on the three lines of defence to discharge her duties and ensure risk and control processes are operating effectively and as intended?
- How does the Senior Manager demonstrate effective ownership and management of risks within her business/function?
- How is risk appetite set and how often is it reviewed?
- How are risks identified, assessed and managed, and how engaged is business management in this?
- How are crystallised risks reported and responded to, and lessons learned?
- What ongoing monitoring is undertaken of the business area?
Culture and people
- What is being done to set an appropriate “tone from the top” by the Senior Manager for her business line?
- What is the quality of training and awareness programmes?
- How can the Senior Manager ensure that performance management rewards good behaviour and discourages poor conduct?
- How does the Senior Manager ensure appropriate resourcing?
- How does the Senior Manager promote a “speak up” culture?
- Does the quality and quantity of MI/KRIs allow the Senior Manager to quickly identify and resolve issues?
- Is it presented in a way that focuses attention where it is needed – on actions not being closed, new risks emerging, and trends that are easily identified? (See our publication on management information for further insights.)
How we can help
Whether new to role or a seasoned Senior Manager, we can provide induction or refresher training on reasonable steps and what good looks like.
We can test a Senior Manager’s framework for compliance. We would draw on our experience advising numerous firms across the financial services industry and our work on enforcement matters involving Senior Managers.
We can let you know how you fare against your peers, and provide insights into what the regulators really care about when things go wrong.