
Training & Competence – T&C

The importance of this section cannot be overstated. Given the changes in this area and the potential for further post-Brexit changes, we consider it prudent to provide a link to the FCA Handbook 

Additionally, you may find these points useful:

How are individual training needs identified and by whom?
Identifying the training needs for each role in the T&C scheme should start with the professional knowledge / qualifications required of that role. Professional bodies like the CII (Chartered Institute of Finance) and Chartered Institute for Securities and Investment (CISI) run both training programmes and provide qualifications. A second source of guidance is your professional trade body. Many trade bodies host interest groups on T&C that will enable networking and the opportunity to benchmark with other similar organisations. The third source of guidance should be your internal HR team. If you don’t already have the competency requirements defined for the roles in the T&C scheme, they should have the expertise to help you define what these are. HR should be a key resource for guidance on the competency requirements of each role beyond the core set of professional knowledge / qualifications. Once defined for each role, these competency frameworks form the basis for the identification of training needs that should be aligned by role. All that remains then is to organise any training needs in a logical sequence. On a final note, training needs can arise at any time and a key part to effective identification is supervisors who are trained and capable of not only spotting training needs but providing appropriate support to resolve them.
How are the learning objectives, timescales, responsibilities and measurements set defined for each training need identified?
This depends on the nature of the training needs. Firms have a great deal of discretion in how they define and subsequently deliver their training. Professional bodies usually set annual standards for continuing professional development (CPD) for their members, and many firms also have their own in-house expectations. These CPD requirements are often split into structured versus unstructured learning. The FCA requires retail investment advisers to complete 35 hours of CPD each year; successful completion of this CPD enables the individual to retain their Statement of Professional Standing (SPS). Beyond the CPD targets set by professional bodies, firms can and do set their own CPD requirements. These should be linked to the required measurements and timescales and be evidenced as part of the T&C Scheme arrangements.
In essence, any training identified should be recorded in a SMART training plan that allows anyone reviewing an individual’s development to see when the need was identified, how it will be met and, once it has been met, how the change will be measured.
What is in place to ensure training remains effective and up to date?
Training plans should be subject to regular review. There should be corporate training input, managed by a central training team, which will typically cover the provision of e-learning together with behavioural inputs such as selling skills, handling difficult clients, etc. Then there is localised training, which will tend to be managed by the T&C Supervisor. This is where small needs are identified through other T&C activities and localised, on-the-spot training is delivered to meet the need. The key here is once again a well-trained supervisor who can identify, manage and deliver against these needs, ensuring of course that everything is documented on the individual’s records, because if you cannot evidence it then, in the eyes of the regulator, it did not happen.
Who is responsible for ensuring training is timely, appropriate and evaluated?
At a localised level it is the T&C supervisor that needs to cater for the needs of the individual through either 1:1, group or referred training. Each training intervention should be evidenced through some type of Training Event Record that details what the training need is, what the proposed solution is and how this will be taken into the workplace. A structured approach of this nature then allows the T&C Scheme activity to be reviewed by the most senior overseer of the scheme to help ensure that training needs are either being met in the field or referred where a more formalised response is required.
How is training evaluated and by whom?
Who takes responsibility for assessing the competence and capabilities of individuals will vary across organisations. However, responsibility for evaluating the effectiveness of training tends to fall to the staff member’s immediate line manager, dedicated T&C supervisors or, in some cases, a mix of both. Whilst training is the input, the most effective way of evaluating its success is to look at the output, and that means reviewing the individual whilst operational in role. The T&C scheme should define who assesses which activities; training will typically be evaluated at the point of delivery (by the training team) and at the point of use (by the supervisory team).

If you need to create, review or execute your Governance, Risk or Compliance strategy, call us today on 0207 097 1434 or email

This guide is only an aide memoire and intended for information only for anyone appraising the documentation needed in an audit/compliance check. It is not to be considered as direct advice or intended to replace specific 1 to 1 engagement with your compliance and risk professional.

Why Is Document Version Control So Important?

Why is Version Control Important?

Version control is important when documents are being created, and for any records that undergo a lot of revision and redrafting or annual reviews. It helps us to track changes and identify when key decisions were made along the way. It is particularly important for electronic documents that are being reviewed by a number of different users.

Knowing which version of a document you are looking at is important if you are trying to find out which version of a policy is currently in force, or which version of a policy was in use at a particular time. It is good record-keeping practice, which is particularly important in meeting our obligations under the Freedom of Information Act.

The aim of this document is to provide best practice guidance for applying version control to different types of document at the University of Nottingham. This guidance covers best practice in the use of:
1. File naming conventions
2. Version numbers
3. Version control tables
4. Document control tables

File Naming Conventions
At the simplest level you can use file naming conventions to identify the version of a document. Use the file name of the document to record both the version and the status alongside the subject, for example:

Records Management Policy Draft v0.1

Records Management Policy Draft v0.3


Records Management Policy v1.0

Records Management Policy v1.1 (note: first revision – minor)

Records Management Policy v2.0

Remember to update the version number in the file name as well as in the header (or footer) of the document itself. It is easy to update a document and forget to change the version number in either the file name or the document, which can lead to confusion.

Unless you do not need to keep previous versions of the document, always save each completed version as ‘Read-only’ to ensure you are forced to create a new version the next time you go to update it.

File naming conventions alone will not tell you who made the change and what the change was. If it is important to record this information, use a version control table.

Version Numbers
Version numbering helps to distinguish one version of a document from another. For some documents, you may decide that a simple numbering system consisting of consecutive whole numbers is sufficient to help you keep track of which version you are working on. However, for documents that go through numerous stages of development before a final version is reached, and for those that are developed through input from multiple individuals, you may decide to adopt version numbers that keep track of both minor and major changes to that document.

Minor Revisions
Minor revisions are small changes made to a document such as spelling or grammar corrections, and other changes that… Minor revisions to a document are reflected by incrementing the decimal number.

Major Revisions
Major revisions are changes to a document that require the document to be re-approved (either by an individual or a group). Major revisions are reflected by incrementing the whole number by 1.


Remember – when storing documents electronically, it is often best practice to include the date at the front in reverse order (year, month, day), so that a file listing sorts chronologically. So 1st March 2021 becomes 20210301.
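To make the scheme above concrete, here is an added example (not part of the original guidance) that parses file names written in this convention, bumps minor or major versions, prefixes the reverse date, marks a superseded file read-only, and checks that the version in the document header agrees with the file name. The regular expressions and function names are my own assumptions.

```python
import os
import re
import stat
from datetime import date

# The guidance's naming scheme: optional reverse-date prefix, subject, optional
# "Draft" status and a v<major>.<minor> version, for example
#   "20210301 Records Management Policy Draft v0.3"
# (the regular expressions below are assumptions, not the page's own).
_NAME_RE = re.compile(
    r"^(?:(?P<date>\d{8})\s+)?"           # optional YYYYMMDD prefix
    r"(?P<subject>.+?)\s+"               # document subject
    r"(?P<draft>Draft\s+)?"              # optional status
    r"v(?P<major>\d+)\.(?P<minor>\d+)$"  # version number
)

# Version as written in a header or footer: "Version 1.1", "Version: 1.1", "v1.1".
_HEADER_RE = re.compile(r"\bv(?:ersion)?\s*:?\s*(\d+)\.(\d+)", re.IGNORECASE)


def parse_name(name):
    """Split a file name into its date, subject, status and version parts."""
    m = _NAME_RE.match(name.strip())
    if m is None:
        raise ValueError(f"file name does not follow the convention: {name!r}")
    return {
        "date": m["date"],
        "subject": m["subject"],
        "draft": m["draft"] is not None,
        "major": int(m["major"]),
        "minor": int(m["minor"]),
    }


def next_version(major, minor, revision):
    """Minor revisions increment the decimal; major (re-approved) revisions
    increment the whole number by 1 and reset the decimal."""
    if revision == "minor":
        return major, minor + 1
    if revision == "major":
        return major + 1, 0
    raise ValueError("revision must be 'minor' or 'major'")


def build_name(subject, major, minor, draft=False, on=None):
    """Assemble a file name with the reverse date (YYYYMMDD) at the front so
    that a file listing sorts chronologically. `on` is a date or an ISO
    string (YYYY-MM-DD); None means today."""
    if on is None:
        on = date.today()
    elif isinstance(on, str):
        on = date.fromisoformat(on)
    status = "Draft " if draft else ""
    return f"{on:%Y%m%d} {subject} {status}v{major}.{minor}"


def revise(name, revision, on=None):
    """Derive the next file name from the current one. A major revision is
    the re-approval step, so it also clears the Draft status (v0.3 -> v1.0)."""
    parts = parse_name(name)
    major, minor = next_version(parts["major"], parts["minor"], revision)
    draft = parts["draft"] and revision == "minor"
    return build_name(parts["subject"], major, minor, draft=draft, on=on)


def header_matches(name, header_text):
    """Check that the version in the document's header/footer agrees with the
    version in the file name, the mismatch the guidance warns about."""
    parts = parse_name(name)
    m = _HEADER_RE.search(header_text)
    if m is None:
        return False
    return (int(m[1]), int(m[2])) == (parts["major"], parts["minor"])


def mark_read_only(path):
    """Remove write permission from a saved version so the next edit has to
    be saved as a new version rather than overwriting this one."""
    mode = os.stat(path).st_mode
    os.chmod(path, mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))


if __name__ == "__main__":
    current = "Records Management Policy Draft v0.3"
    approved = revise(current, "major", on="2021-03-01")
    print(approved)
    print(header_matches(approved, "Records Management Policy - Version 1.0"))
```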



FCA Fine? You may be in good company!


Penalties for regulatory compliance breaches can be eye-watering in scale.

2020 Largest Fines
1. Goldman Sachs International (fined £97m)
PRIN 2 and PRIN 3 breaches – Risk management failures

2. Lloyds Bank, BoS & The Mortgage Business (fined £64m)
PRIN 3 & 6 breaches – Poor handling of mortgage customers

3. Commerzbank (fined £37.8m)
PRIN 3 breaches – AML failings

4. Barclays (fined £26m)
PRIN 6, PRIN 3, and CONC rules breaches – unfair treatment of customers in the Retail Banking sector

5. Charles Schwab (fined £8.96m)
PRIN 10 and 11, CASS and Section 20 FSMA breaches – Safeguarding and Compliance Issues

6. Moneybarn (fined £2.8m)
PRIN 6 & 7 and CONC rules breaches – Unfair treatment of customers

How could these fines have been avoided?

The FCA’s ‘Principles for Business’ (PRIN) set out the fundamental obligations for firms under the regulatory regime.

According to the FCA principle 3, a firm ‘must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems’.

This refers to a firm’s:

  • Robust governance arrangements – rules, practice and processes. How Can We Help? We can review your arrangements.
  • Skills, knowledge and expertise of staff – in other words, train people!
  • Outsourcing responsibilities – know your suppliers and make sure they are compliant. How Can We Help? We can review your arrangements.
  • Reasonable steps – under SMCR you need to ensure that decision making is fully and appropriately recorded. How Can We Help? We can review your arrangements.
  • Record-keeping – keep records, and make sure they are accurate and up-to-date. How Can We Help? We can review your arrangements.
  • Conduct Risk – keep records of any T&C breaches, mis-selling, product design etc. How Can We Help? We can review your arrangements.
  • Conflicts of interest – keep a compliance register to avoid issues. How Can We Help? We can review your arrangements.

The FCA will identify potential or actual consumer harm caused by the actions of firms or markets and take action to address that conduct. These penalties should act as a clear warning to any companies who aren’t taking financial compliance as seriously as they should be.

If you would like to have any of your processes, files, procedures, governance or strategy planning reviewed, in confidence, we can be contacted on the above number. Or, just complete the form below.



      Committee Terms of Reference – TOR



      Terms of Reference (TOR) form a foundation stone for the commencement of any workplace investigation. Much like a recipe, they set out the core people and components of the investigation, as well as the boundaries and methods to be utilised. Without solid terms of reference, an employer’s well-meaning attempt to gather information and fix a workplace problem can fail, or cause even more problems. As well as establishing an understanding of what is required and by when, TOR create an excellent framework for the more detailed investigation plan. Terms of reference can prevent such pitfalls as misunderstandings, unintended breaches of privacy, and negative effects on relationships. 

      There are no hard and fast rules regarding how and when TOR should be drafted. Some employers start with a Statement of Complaint and flesh out the terms of the proposed investigation based upon this central concern. Others call upon the services of a workplace investigator to actually assist in drafting TOR, particularly where a workplace problem is vast, sensitive, and/or complex. Sometimes it is important to wait and collate some preliminary materials prior to pinning down the exact terms of the investigation. In any event, it is important to start working on your TOR sooner rather than later, and certainly once a workplace investigation is confirmed.  
Below are typical sections of a ToR document. Each section needs to be customised to the unique needs of your committee. More formal committees usually need more formal information and instructions.
• Committee name: the official name of the committee or group.
• Committee type: standing, ad hoc (special project) or advisory (related to another board, committee or project).
• Purpose: what the committee will do and why it was created.
• Scope: clearly describe what is in and out of scope for the committee.
• Decision-making authority: whether the committee decides, approves, recommends, etc.
• Membership: type and number of members, how members are appointed, how the chair and co-chair are appointed, and a list of members (name and functional role).
• Meeting arrangements: meeting frequency and location, meeting procedures (if applicable), quorum, details about agendas and minutes (how these will be distributed, whether they are available online, who prepares them, etc.), and communication between meetings.
• Reporting: whom the committee will report to, in what format and how often.
• Resources and budget: the resources (people, rooms, equipment, etc.) and the funds available to the committee.
• Deliverables: the requested/required committee output.
• Review: the ToR review frequency and next review date.


      Treating Customers Fairly – TCF Checklist


The FCA no longer carries out TCF-specific visits; however, this does not mean that they consider it any less important. It does mean that by now they expect the principles of TCF to be embedded in all firms and to be the bedrock of their business models. The principle is to ‘put the customer first’ in everything we do. Therefore, if during a visit or an interview they get the impression that TCF is no longer a priority, they will certainly investigate further, and this is where you will need an FCA compliance consultant by your side.

TCF applies to both Product Providers and Intermediaries. Broadly, the Regulator intends that:

Product Providers should ensure that:
• their products are appropriately designed for the target market
• the marketing material is clear, fair, not misleading, and likely to be understood easily by those reading it
• the product performs according to the expectations given

An Intermediary’s primary responsibility is to ensure that the customer has all appropriate information in an understandable format, which means, for advised sales:
• the client’s attitude to investment risk and capacity for loss has been properly established
• the product is suitable for the customer
• the product is affordable
• the post-sales service meets the expectations created
      The TCF exercise, which all regulated firms should undertake no less than annually, is essentially a “Gap Analysis.” For the purposes of Risk Management, the FCA expectations could be broken down into 6 key areas:
      1. Senior Management Responsibilities
      2. Communication with Clients
      3. The Advice Process
      4. The Post Advice Process
      5. Disclosure and Payment for Services
      6. Staff Competence
      The following is a non-exhaustive list for your guidance.
      The TCF Outcomes Management Statement
      • TCF is central to our corporate culture
      • Senior management can demonstrate how TCF is embedded in our business strategy
      • The fair treatment of customers is central to our Firm’s culture
      • Senior management practice what they preach and re-inforce TCF on a day to day basis
      • Senior management have undertaken a TCF audit / gap analysis
      • An action plan has been agreed and is/has been implemented
      • Critical elements of TCF are included within our MI. This is regularly reported and acted on
      • Staff routinely share best practice and can explain what TCF looks like to them
• Adherence to TCF practices is rewarded
• Remuneration policy and staff rewards support TCF
• Actions taken to demonstrate adherence to TCF obligations are recorded
      • Feedback processes are in place to gauge client satisfaction
      • Responsibilities for TCF are clear, e.g. for taking action, monitoring results / identifying improvement areas
      • Staff are engaged, motivated and trained in what TCF means
      • Everyone within the business is truly client focused
      • All our people are well trained for the roles they perform
      Products and services marketed….meet the needs of identified customer groups and are marketed accordingly 
      • Advisers are able to identify target markets for specific products
      • Financial promotions are regularly reviewed for relevance and clarity
      • Advisers/managers demonstrate their knowledge of products
      • The sign-off process for advertising and promotions is rigorous
      • We are confident in our expertise to recommend and manage in our chosen markets
      • Our promotions are targeted to ensure they are aimed at the right clients
      Consumers are provided with clear information and are kept appropriately informed before, during and after the point of sale
      • TCF principles are reflected within T&C documentation, e.g. observation form
      • Content of documentation is not overly technical, e.g. suitability letter
      • Clients can clearly see the advice given and why, e.g. it isn’t buried in other documentation
      • Clients always understand the benefits of the advice / products recommended
      • Clients always understand the limitations and risks associated with the advice / products recommended
      • Documentation (such as suitability letters) are always tailored to individual clients
      Advice is suitable and takes account of their circumstances
      • Attitude to risk is clearly identified, understood by the client, documented, and matched by recommendations
      • Advice covers, where appropriate, non-income earning recommendations, e.g. National Savings, utilizing IHT annual allowance, repayment of debt
      • Soft facts are always collected on the fact find — not only what, but why?
      • Knowledge of adviser / supervisor products and associated advice areas is spot on —this is current and has been objectively assessed
      • There is no sales bias
• Clients fully understand the status of the adviser and clearly understand the merits of the different remuneration methods
• ‘Know your customer’ requirements are fully documented, e.g. limited advice or ‘client not prepared to disclose’ are the exception rather than the rule
      • We take time to understand our clients’ needs
      • We regularly review our stance on investment and technical issues
• The fact find document readily captures all of the information we need about the clients’ circumstances for us to advise them fully
      Consumers are provided with products that perform as firms have led them to expect and the associated service is both of an acceptable standard and as they have been led to expect
      • Advice process includes a measurement of client satisfaction
      • Service standards (where agreed with a client) are met, e.g. time to write a report
      • Ongoing client reviews are always conducted as agreed with the client
      • Advice to existing clients is always the same as that to potential new clients, e.g. some advisers would not now recommend WP investments to new clients — what do we do about existing clients with WP investments?
      • Client reviews / contact methods are established with each client
      • Whatever client contact is agreed, this is followed through for both new and existing clients
      • Information is reviewed for relevance, accuracy, and clarity
• Clients’ expectations match the provider’s service
• Clients regularly compliment us on our service
      Consumers do not face unreasonable post-sale barriers imposed by firms to change product, switch provider, submit a claim or make a complaint 
      • Complaints data / client feedback is reviewed to identify TCF issues
      • Staff and advisers know what a complaint is defined as and what to do when one is received
      • Service standards are in place and adhered to
• Complaints are investigated in an impartial manner without confrontation
      • Complaints processes in place and regularly reviewed (as applicable)
      • All client data is accurate, up-to-date, easy to use and accessible
      • Our database enables most client queries to be dealt with by support staff
      • Our software supports the main advice and business process


      The Back-Office System and Procedures


Bringing in clients (New Business) seems to be the most exciting thing there is, right? That’s why there are so many marketing agencies popping up. Content strategy, copywriting, ads… they are all sexy.

Doing the work is not as fun, but that’s how you get paid, so you give it a pass.

The Back-Office is not generally thought of as sexy, but it is a crucial component if you want to take your business to seven-plus figures.
      What does Back-Office include?
      This system manages every foundational element that is needed to run a business — other than your New Business and Production teams.
      I’m talking about things such as legal, HR, rent, administrative and operational support, etc.
      Anything that is essentially non-billable and doesn’t directly contribute to your revenue is what I would leave under back-office.
      Effectively Managing The Back-Office.
Something that I really try to emphasise throughout my content is that every system is comprised of people, processes, and tools. The Back-Office is no exception.
In the beginning, for many companies, one or two people are in charge of every single aspect of this system (of all systems, really). They are the ones signing contracts, sending invoices, finding contractors, hiring employees, etc.
They think that they are working on the business. But, over time, things get more complex. They can’t do everything anymore, so they have to start hiring other people and delegating. They need processes and procedures to be the “go to” document that explains what to do when they are not there. It goes without saying, but people are a HUGE determining factor in your success.
You can help your people by setting up a process that optimises their efforts and minimises costs. But someone has to design that process. It can either be you or someone from your management team, but it has to be done.
If you can document step by step the actions of your legal and hiring processes, for example, the business becomes less “You-dependent”.
How will you generate candidates when there’s an available position at your company? Who will contact them? How many rounds of interviews will they have to go through? Who are the final decision-makers?
It may seem like you are wasting a couple of hours getting that onto a piece of paper. However, trust me: you’ll realise how much more quickly and sustainably you can scale and grow once you have every system documented in detail. Note: having clearly defined guidelines will also help you make less emotional decisions.
      Think of tools as any apps, software, and other tech or old-school solutions that make your life easier.
      I’m sure you are already using them in some way: to improve the communication within your team, to onboard employees, to create invoices, etc.
      Automation will help you reduce the number of people your company needs to operate. It can even fully eliminate repetitive tasks from your daily to-do list.
      A couple of examples:
      You could send contracts through DocuSign to your new clients so that you can get that out of the way much faster. And you could automate sending the onboarding material as soon as they sign. Have a recurrent invoice sent at the end of every month. Obviously much easier, faster, and cheaper, right?
Understanding the Real Cost of Your Back-Office:
As I said before, the business owner/CEO will usually manage the whole Back-Office system in the early days. That’s totally normal, but, as you grow, things will change. You’ll have more clients, you’ll expand your business, and you’ll need more employees to fill that need.
But beware of running into this issue:
1. As you scale up, your back-office will also scale up.
2. You don’t want to underestimate how much it’s going to cost you.
Yes, in the very beginning, it will only take time and effort, not money. That, obviously, is still a huge expense. But what happens when instead of sending one invoice you need to send 10? Or you have to hire not one individual but two or more? You can only service a certain number of business areas while maintaining your quality standards.
Of course, once you have someone in charge of that, these costs have to be factored into the equation. I’ve seen plenty of business owners who didn’t plan for this, and guess what happened?
Their profit margins got screwed up and they realised they weren’t charging enough.
Just as a reminder, it goes like this: your profit is revenue – cost to produce everything – everything else.
Well, “everything else” will naturally increase over time as your business grows. You’ll want to reduce it as much as you can through automation, processes, and high-performing people, but it will happen.
As long as you’re not just throwing unnecessary bodies at it and it comes from a place of growth, the back-office is a price that you should be willing and able to assume. Just make sure you account for it so that it doesn’t come as a scary surprise.
      The Back-Office System Summary:
      • The Back-Office System includes anything that is essentially non-billable and doesn’t directly contribute to your revenue. I.e. legal, HR, rent, administration, and operational support.
      • As you grow, you’ll need to find people to take over every element in the system. Use the leverage from well-designed processes and tools to increase your output efficiency.
      • There’s a real cost of managing the Back-Office, especially as you scale. Make sure you factor it into your prices and profit targets.


      Compliance Bench-Mark Check: Annual Policy Review


Best practice for all governance is at least an annual review of policies and Terms of Reference. Policies should be reviewed by the policy owner and submitted to the Board/Partners for republishing in good time. The updated policies should then be uploaded to a central location (we can help with this) to create a single ‘version of the truth’ copy. Version control needs to be maintained.

The review should cover at least:
• Policy owner: TITLE
• Review frequency: Annual
• Responsible for document management
• Next review due date: TITLE
• Date
• Security classification: Restricted
• Version control updated with salient changes?
      Content Questions
      • Is the policy consistent with the core values and principles, mission and strategic plan of the firm? YES/NO
      • Have there been deviations from the policy over the past year? If yes, were there a sufficient number to consider revising the policy? YES/NO
      • Are there ambiguities in the policy statement? Are there questions arising from this policy? (if yes, perhaps the policy needs rewording for greater clarity) YES/NO
      • Does the policy comply with current legislation? YES/NO
• Have you amended the policy to include any practices that may have been adopted (due to limitations or resource shortfalls), such as heuristics, short-cuts or workarounds, to ensure they are consistent with the policy statement? YES/NO
      • Checked for any contradictions within the policy statement? YES/NO
      • Checked for conflicts or contradiction of other policies? YES/NO
      • Is the policy consistent with current technology? YES/NO
      • Is language within the policy statement current? YES/NO
      • Is the policy consistently interpreted? YES/NO
      • Are the related procedures relevant and up to date? YES/NO
      • Is the scope (i.e., to whom or what it applies) accurate? YES/NO
      If there are any “No” answers, please review and amend the policy and/or procedures accordingly.


      Governance, Risk & Compliance Frameworks

      Why is governance, risk and compliance important?

      A governance, risk and compliance (GRC) programme ensures that a business protects its information, that its departments work to consistent standards, and that it follows the regulations that apply to it. New and changing regulation can quickly become overwhelming if no person or team is responsible for making sure the required updates are in place.

      What is GRC?
      Many people think of a software platform when they hear GRC. GRC is better understood as a capability that helps an organisation achieve its objectives, with responsibility running right across the organisation. It is a set of processes and practices that spans departments and functions. GRC may be enabled by a dedicated platform and other tools, although this is not mandatory. Organisations generally do not need a separate GRC department, but most have a small team in place to own the GRC framework and manage any platform and tools that support it.
      What is the scope of GRC?
      By definition the scope of GRC is not limited to governance, risk and compliance management; it also includes assurance and performance management. In practice the scope of a GRC framework is increasingly extended to cover information security management, quality management, ethics and values management, and business continuity management.
      What are the Elements of a GRC Framework?
      • Resources, required to conduct business, including strategies, policies, standards, procedures, organisational structure, roles and responsibilities, people, processes, technology, information, physical, financial and intellectual assets, and third parties (suppliers, vendors and contract employees).
      • Business attributes, of which the key ones are:
        ◦ Performance, including goals, targets, outcomes, profitability and SLAs.
        ◦ Risk, including financial risk, credit risk, market risk, strategy risk, operational risk, fraud risk, reputational risk, information security risk, technology risk and compliance risk.
        ◦ Compliance, including regulatory compliance (SOX, PCI DSS, GDPR), legal compliance (labour laws), organisational compliance (policies and standards), security (human, physical and information security), quality, ethics and values.
      • Governance, management and operations. Governance involves setting direction, optimising risks and resources, and monitoring performance and compliance to achieve the organisation's objectives; it can be broadly classified into corporate governance, business governance, IT governance and legal governance. Management involves planning, organising, leading, coordinating, controlling and reporting. Operations involves executing the processes and functions.
      • Controls. To realise value from the business, resources must be used efficiently and effectively and business attributes must be optimised. This is only possible when appropriate controls are implemented and operated. Controls can be classified as management controls, process controls, technical controls and physical controls, and they are applied to the resources as well as to the attributes.
      • Assurance. Independent assurance is required to confirm that controls are designed and operating effectively and that compliance requirements are met consistently. It is the responsibility of governance to monitor and obtain that assurance, primarily through audits. There are several types of audit: internal and external audits, certification audits, financial audits, IT audits, compliance audits, process audits and security audits.

      A good GRC Framework is reviewed periodically at monthly/quarterly reporting events to provide a complete audit trail of risk identification and awareness, risk management, understanding and mitigation and remedial plans. 

      It should consist of:
      • Policies, procedures and Terms of Reference for committees (including the Board)
      • Known control exceptions and financial crime breaches
      • External audit and compliance reports (Compliance Monitoring Plan results)
      • Risk profiles and risk appetite
      • Summary of existing risks
      • The risk register
