
Governance, Risk & Compliance (GRC) Frameworks 2020 and on


Risk management is an often overlooked, or even misapplied, process. Many smaller-minded financial services companies treat it as a tick-the-box exercise.

Good risk management does not work only with the obvious and known risks. A good governance, risk and compliance (GRC) framework gives the firm the process and the ability to dig deeper, raise questions, and reveal risks that were previously unidentified or only partially understood. Effective controls also create a culture of risk awareness and greater voluntary adherence to your compliance framework.

A good GRC framework looks at positive controls as well as at areas of potentially unidentified risk or inefficiency, and provides the rigour of a robust risk management framework template and process to manage whatever is found, with full buy-in and ownership from the process owner affected.
So what benefit do positive controls bring to a risk framework?
Risk events can have positive outcomes, better known as ‘opportunities’.
These can take the form of:
  • Increased revenues, clarity around processes, and reductions in costs and therefore in regulatory capital.
  • A robust and appropriately scalable risk framework template improves the firm’s ability and capacity to change quickly, and embeds organisational or regulatory changes as they are adopted. It not only increases the ability to deliver strategy in an environment of preventative measures but also gives greater predictability of outcomes, measured against known capacity, workflow and previous results.
  • Finally, a seasoned risk manager with only a few months of good data can soon support better decision-making and resilience when business life delivers its unannounced and inevitable curve-balls.

Risk Management Framework Templates
GRC frameworks fit together with all types of project management, down to the most basic forms of product governance, and serve to keep all stakeholders informed so that crises are avoided. Through continual monitoring, with review and revision as necessary, everyone can see how the firm is moving ahead and have confidence in its progress.
Risk Management Framework Steps
Once established and implemented for a firm’s specific size, idiosyncrasies and management style, a risk framework template typically does not require high overhead or ongoing senior management involvement.
Initially, risk awareness workshops need to be hosted and facilitated by specialist consultants so that the whole framework can be built, roles identified, governance formalised and the risk framework template explained to staff.
Adapting a firm’s existing governance, risk and compliance management frameworks, including the relevant systems and processes, can be done in the background and remotely by the specialist firm. This work is then promoted and launched by the agreed risk committee, which finalises the framework and transitions the firm to the new digitally managed version.

Larger enterprises take proportionately longer to implement, but having more data available is beneficial: faster learning across a greater number of projects or initiatives is absorbed into their risk registers and translated into lessons learned.
In one engagement we were tasked with rewriting the risk framework of a FTSE100 company (see Case Studies). We maintained their risk rating with the rating agencies and saved them 18% of their regulatory capital; a mere £99M. If we ask to work for a percentage of the savings, you will understand why.

Risk is definitely not a four letter word.

To discuss digitally reducing the burden of your governance, risk and compliance framework, call us on

0207 097 1434

or email


More details on our Regtech Solution HERE

Defining Reasonable Steps for FCA SMCR Protection Purposes


The FCA purposefully wrote its existing guidance to be flexible and non-prescriptive, to take account of all relevant circumstances, and to recognise that what is reasonable is context-specific and will vary according to the facts of each individual case.

The guidance already provides, in DEPP 6.2.9-E(8) to (12), (14), (15) and (18), a lengthy and expressly non-exhaustive list of considerations the FCA will take into account in assessing whether a Senior Manager’s actions were reasonable in all the circumstances.

In addition to the points already noted above, that list includes factors the FCA believe relevant to, for example, delegation, the establishment of reporting lines, staff appraisal processes, role transition handovers, risk identification, expansions and restructurings, external professional advice, transaction monitoring and collective decision-making.

The Duty of Responsibility will apply to a wide variety of situations, firms and Senior Manager roles within those firms. The FCA do not believe that they can go further and specify the detail of reasonable steps by Senior Managers in different roles in each of those situations within different types of firms.


Evidencing compliance and administrative burden

The Duty of Responsibility imposes no additional obligation on a Senior Manager to explain or justify to the FCA the relevant steps they took and/or did not take, nor to keep records supporting such an explanation or justification.

As the FCA explained in CP17/42, as noted above, and as the FCA’s existing guidance in DEPP states, the burden of proof in enforcing the Duty of Responsibility lies on the FCA. The FCA will need to show that the relevant Senior Manager did not take the steps a person in their position could reasonably have been expected to take to avoid their firm’s relevant misconduct occurring or continuing.

“It may, however, be in the interests of a Senior Manager to keep records of relevant steps they take, in case questions are raised, whether by their firm, its lawyers, auditors, insurers or customers, the FCA or another regulator. The FCA do not believe it is necessary to make that general point in the FCA’s DEPP guidance on the Duty of Responsibility.” – FCA PS18/16 p.9

Such records might be relevant not only to compliance with the Duty of Responsibility but also to compliance with the FCA’s Code of Conduct for Staff Sourcebook (COCON). COCON is part of the SM&CR and requires all Senior Managers, and many other staff of firms subject to the SM&CR, to act with due skill, care and diligence.

Further, any relevant FCA investigation is likely to take into account that each Senior Manager is also under a COCON obligation to take reasonable steps to make sure that the business of the firm for which they are responsible complies with the firm’s record-keeping obligations imposed by the FCA’s Handbook.

The FCA’s Handbook requires each firm to keep records allowing the FCA to monitor the firm’s compliance. This includes compliance with its obligations under the FCA’s Principles for Businesses to conduct its business with due skill, care and diligence and take reasonable care to organise and control its affairs responsibly and effectively.

For the avoidance of doubt, those COCON obligations will not, when the SM&CR is extended, be new to those individuals currently carrying out roles, at insurers and FCA solo-regulated firms, that will need, under the SM&CR, to be filled by Senior Managers.

All of those individuals are currently holders of Significant Influence Functions (SIFs) under the FCA’s Statements of Principle and Code of Practice for Approved Persons, which already require SIF holders to take such reasonable steps and to act with due skill, care and diligence.

A Senior Manager’s or SIF holder’s failure to take reasonable steps in relation to that record-keeping by their business, which includes record keeping in relation to their management of that business, may, quite apart from the Duty of Responsibility, amount to misconduct for which the FCA will take disciplinary action.

To Help Us Help You With Your Reasonable Steps Call 0207 097 1434 TODAY!

And If You Want To Automate Your Compliance Monitoring &/or Risk Management