CEI Compliance
Page 1 of 7
Using the list of products and services, produce a table in which you record each primary regulation that applies to the products and services offered. This is known as mapping your regulatory universe, and it is not restricted to FSA rules alone: there are Advertising Standards Authority rules to consider, as well as new and existing legislation affecting the business, right down to employment law and other obligations. Identify the primary regulations that apply to the list you formed in Step One.
Page 2 of 7
were over 89, 121,000. The smallest was 5,000: Riaz Ahmad, for failing to act with competence and failing to have suitable compliance and risk management.
Although this is provided as guidance, you could define further levels, and it is often useful to attach a monetary value or a number of customers to them (as appropriate) so that you can start to form a risk appetite. Risk elements to consider are:

Low
  - None or minor penalties or consequences
  - Not a current regulatory priority
  - Non-complex requirement
  - Not an area in which we generally have issues

Medium
  - Potential for moderate penalties and/or consequences
  - Currently a moderate focus or priority for regulators
  - Moderately complex, with incomplete regulatory guidance
  - Periodic errors noted by examiners and testers

High
  - Potential for significant penalties and/or consequences
  - Currently a high priority for regulators
Whitepaper by CEI Compliance Jan 2011 Author: Lee Werrell
Page 3 of 7
Step Two: Reputation Risk

What is the level of public and customer concern or publicity over non-compliance?
  - Low: no or low concern likely
  - Medium: moderate concern possible
  - High: significant concern or loss of customer confidence likely

Step Three: Inherent Risk

Using the regulatory risk and reputation risk identified in Steps One and Two, what is the inherent risk in each product and service? Inherent risk is defined as the risk before any controls are exercised or effected. Rank the risk by Regulatory Risk and Reputation Risk.
Warren Buffett said: "It takes twenty years to build a reputation and five minutes to destroy it." He also said: "If you lose dollars for the firm, I will be understanding. If you lose reputation, I will be ruthless."
[Inherent Risk matrix: rows labelled High Regulatory Risk, Moderate Regulatory Risk and Low Regulatory Risk; the cell contents did not survive extraction.]
Page 4 of 7
Step Two: Probability of Error Risk

Evaluate the risk that an error will occur, based on the prior history of error and on changes in regulatory requirements, products and/or services.

Test/Audit/Exam Results
  - Low: no errors in last review
  - Moderate: minor errors in last review
  - High: significant errors in last review
event. By estimating the frequency (1 in 20 operations per annum is 5%, 1 in 100 operations is 1%) you can work out your comfort level, or risk appetite, and the likely cost impact if such events are left to run their course.
Change in regulatory requirements
  - Low: no changes since last monitored
  - Moderate: minor changes since last monitored
  - High: significant changes since last monitored
Page 5 of 7
Where the words Low, Moderate and High appear, enter the product or service name(s). At this point the chart can be colour coded so that cells showing Low Risk are yellow, cells showing Moderate are orange and cells showing High are red. This provides information at a glance for management, the business lines and regulators.

Step Two: Management Tolerance of Compliance Risk

What is management's tolerance (risk appetite) for compliance risk? Are there instances where overall risk can be high, despite controls, and still be acceptable to management? If so, document why. If management's appetite for risk is low, the adequacy of controls must be rigorously monitored to ensure that residual risk is low. Note that the risk may differ by product or service; take that into consideration along with management's overall view of compliance risk.
Page 6 of 7
The direction of each risk can be monitored as part of the annual Compliance Monitoring Plan, either by auditors, compliance or the responsible department in conjunction with management, and on a more regular basis where needed. There are alternative methods, such as bottom-up and top-down assessments using worst-case scenarios and most-likely occurrences, to gauge and demonstrate the range of controls and their effectiveness. This is only a very generic guide; if you need a specific assessment please call us on 0800 compliancerisk@ceicompliance.co.uk
CEI Compliance can provide a full compliance support service, reducing the management time required, ensuring all areas are up to date and working for your firm's long-term benefit. Call 0800 689 9 689 today or go online at www.ceicompliance.co.uk
This whitepaper was written by Lee Werrell FInstSMM Chartered MCSI Cert PFS, founder of CEI Compliance Limited. Lee is contactable at any time and welcomes enquiries from all businesses. Call 0800 689 9 689
Page 7 of 7