Good Management Information (MI) plays an important part in identifying, measuring, managing, and controlling risks of regulatory concern within firms. To be most effective it must be seen by the right people at the right time.
MI is a key component of good corporate governance. It enables the right business and strategic decisions to be taken and gives management sight of what is actually happening within the business, including the compliance department.
The information needs to be both quantitative and qualitative and is typically sourced from activities within the firm.
Other information might come from trigger events within the firm. These arise not from systematic monitoring activity but from escalations or the materialisation of a risk, from ad hoc reviews, or from interaction with the regulator.
Good MI should be:
- Seen by appropriate management who understand and review it;
- Challenged so that anomalous or unexpected results are investigated;
- Analysed and monitored, enabling correct conclusions to be drawn from the data;
- Acted upon to remedy the situation, allowing further investigation and follow-up; and
- Recorded so that there is a record of what has been done, which can be studied to enable proper assessment.
Compliance Monitoring and MI
MI is needed to provide valuable intelligence into the treatment of clients, the conduct and behaviour of employees, culture and breaches, as well as the effectiveness of conduct risk mitigants and controls.
Compliance MI should focus on areas such as policy breaches, conflicts of interest, best execution, financial crime, client contact and financial promotions.
Key Risk Indicators
Probably the most important benchmark used in assessing the MI is what is “normal”. The compliance department needs to ensure that if activity is happening outside of this, then action is taken. Many firms choose to use Key Risk Indicators (KRIs). These are measures and metrics that relate to specific risks and demonstrate a change in the likelihood or consequence of the risk occurring. KRIs differ from Key Performance Indicators (KPIs) in that they are not concerned with how well something is being done, but rather with the future adverse impact.
KRIs provide an early warning to identify potential events that may harm the business and have a number of benefits:
- Supporting risk assessments – KRIs help in adding more detail and information to risk assessments, making them more reliable and informative to management;
- Proactive management of emerging risks – KRIs allow for proactive identification of emerging risks by creating an informative framework in which to scan for what is on the horizon;
- Tolerance levels and thresholds – KRIs detail at what level a risk is considered important for attention or for direct intervention; and
- Trends – KRIs help management track trends of risks in the firm. This can help to identify areas where greater investment, oversight or monitoring may be required.
KRIs are most effective when they are:
- Measurable – quantifiable metrics (i.e. a number);
- Trackable – comparative to historic events;
- Predictable – provide warning signs; and
- Informative – measure the status of a risk.
Prior to monitoring KRIs, threshold levels need to be determined and a decision made as to what levels trigger an action. This creates a proactive, inclusive approach to the management of risk through the identification of actions that will reduce the likelihood of a risk event occurring. It can also limit the exposure within the risk appetite tolerances. KRI thresholds should be reviewed periodically to ensure they are set so that the lower and upper limits trigger events or trends, thus serving as predictive indicators. When setting these thresholds, it is important that they do not contradict the firm’s risk appetite. This is done by considering:
- Risk appetite and tolerance;
- Available historical data on the KRI; and
- When management intervention should take place to ensure adequate action and mitigation.
Example of a typical threshold
KRI: Number of Active PEPs
Measure: Number of PEPs trading in the quarter
Threshold bands: <1 per quarter; 1 – 4 per quarter; >4 per quarter
Qualitative and Quantitative data
Qualitative data describes key activities or outside influences that may affect the running of the firm. Examples are:
- Contact with the regulators or other third-party agents;
- Mitigating action taken as a result of compliance monitoring;
- Regulatory updates;
- Fines or censures;
- Updated training plans or details of face-to-face training given; and
- Details of new approved persons.
Quantitative data is measurable and allows us to see differences and trends over a period of time. Possible types of quantitative data include:
- Best execution – number of trades where a client did not receive best execution;
- Breaches and incidents – the number of these in relation to PA dealing or transaction reporting; and
- Call Monitoring – the ratio of compliant to non-compliant calls.
Analysing trends in MI can help forecast future issues and solve problems that have been identified. It can be invaluable in monitoring customer treatment, expectations and outcomes. Active MI, rather than reactive MI, helps address future risks rather than dealing only with present-day, known problems.
In conclusion, MI serves no purpose if it is not used correctly. Good MI not only improves a firm’s efficiency through better business performance, but it creates a better customer experience which ultimately can lead to added shareholder value.
How we can help
If you would like to discuss any aspects of MI or if you need help to assess and improve your current MI framework, please do not hesitate to contact us.