17 May 2021 Joseph Richmond Banking - Corporate Governance - Risk and Compliance

Decisions on data – why good MI is critical to Senior Manager oversight and decision making

Imagine a world in which Senior Managers are armed with perfect data on the performance of their business unit/function. Each day a Senior Manager is able to open a dashboard with real time data on financial performance, the extent to which the business is acting within risk appetite, performance of staff, overdue management actions, treatment of clients or customers etc. Underlying data inputs are robust, and the output contains trend analysis and insightful commentary enabling the Senior Manager to make reasoned, empirically grounded decisions to maximise opportunities and minimise potential risks before they crystallise. 

For most (if not all) institutions, management information (MI) of this calibre is aspiration not reality. It remains difficult enough to collect and present UK business line financial performance, let alone obtain detailed insight into conduct risk and other risk metrics. That being the reality, what are the regulatory expectations with regards to MI? What are the general principles of good MI and what questions should firms and Senior Managers be asking themselves when assessing the quality of their MI?

The regulators’ expectations 

All authorised firms are required to establish, implement and maintain effective internal reporting and communication of information at all relevant levels of the firm which reflect the nature, scale and complexity of the business. Robust MI is one mechanism used by firms to discharge these obligations. 

Senior Managers are under a personal obligation to take “reasonable steps” to ensure the business for which they are responsible is controlled effectively, complies with regulatory requirements and that they delegate effectively. These obligations in one way or another require ongoing monitoring by Senior Managers. MI should form one of the key planks of evidence that Senior Managers rely upon to demonstrate compliance with their reasonable steps obligations. 

Aside from the general principles described above, little guidance exists as to what MI firms and Senior Managers should have in place. But when firms are subject to a Skilled Person’s review, supervisory review or other pre-enforcement action, lack of suitable MI is, in our experience, a recurring topic of adverse findings by UK regulators and Skilled Persons alike. Our work assisting firms in these contexts provides us with a unique insight into where regulators and Skilled Persons set the bar.

What good looks like

No doubt one of the reasons for there being little regulatory guidance on what good MI looks like is that requirements will vary considerably depending on the business. Even within institutions, the MI required by one business line will be different from the MI that should be in place for another.  However, in our experience, there are some general questions that firms can ask about the quality of their MI to set themselves up for success.   

Data sources

What are the data sources for the MI produced? Are these data sources reliable and tested? If unreliable, how may they be improved or what limitations need to appear in any MI produced?

Risk appetite

Does MI allow you to track against risk appetite? How have tolerances for RAG reporting been set? Is the rationale for risk appetite and tolerances clear? Are manual overrides available?

Timing

Is MI received sufficiently quickly to enable timely decision making? If detailed MI is only produced monthly/quarterly, can some form of interim data be produced to ensure adequate oversight?

UK-centric

If the Senior Manager’s responsibilities expand beyond the UK (e.g. Global or EMEA), does MI show performance and risks (including conduct risks) on a UK-only basis? If not, how does the Senior Manager identify and monitor UK-specific risks?

Volume

How voluminous is the MI received? Does the level of detail help or hinder decision making? If the latter, how may MI be streamlined to highlight relevant risks without hindering decision making?

Qualitative

Does MI contain a sufficient mix of quantitative and qualitative data? How prominent are conduct risk metrics and operational risk metrics within the MI compared to financial data/metrics?

Comment

Does MI contain a sufficient mix of commentary as well as data to quickly spot and understand the key issues? Does the commentary provide sufficient explanation as to what the data means?

Client /customer outcomes

Does MI contain data on the quality of client/customer outcomes achieved? Are processes in place to test fairness of customer/client outcomes sufficiently robust? What level of unfair outcomes is acceptable/ within appetite?

Trend analysis

Does MI allow Senior Managers to track trends over time? Does the trend analysis provide a reliable comparator (e.g. if the business or economic environment has changed considerably)?

Tracking

Is it clear how actions have been tracked and managed through to completion? Is it clear who has ownership for actions raised? Is the timing for completion of actions clear and prominence given to when such actions are overdue?
How we can help

We advise firms on a range of issues relating to the internal reporting and Senior Management oversight from board/executive effectiveness reviews, ‘Reasonable Steps’ assurance reviews to governance benchmarking reviews. Given the lack of regulatory guidance in this area, our experience advising firms in the context of pre-enforcement and enforcement actions gives us a unique insight into common pitfalls and the regulators’ approach, and provides us with the tools necessary to recommend improvements to the mix of MI used by firms prior to regulatory intervention. If you’d like to find out more about how Linklaters can help you, please contact us.