Monday, April 1, 2019

Implementation Of Compliance Monitoring Programme Framework Information Technology Essay

The UK Financial Services Authority (FSA) alone has issued over 13 million in fines so far in 2011 (89m in 2010 and 23 in 2009) (FSA, 2011). For large firms, the monetary value of such a fine may be a drop in the ocean; nevertheless, it may pose a major reputational risk. According to the Bank for International Settlements Principles on the compliance function in banks (BIS, 2005: 14), the responsibility of a bank's Compliance Function (CF) is to assist senior management in managing effectively the compliance risks faced by the bank. Furthermore, the BIS survey on implementation of the compliance principles in banks (2008) shows that the core tasks of the compliance function, as defined in laws, regulations or binding guidance in respondent jurisdictions, are monitoring and testing compliance by performing sufficient and representative compliance testing, and reporting on a regular basis to senior management, where the results of the compliance testing are reported in accordance with the bank's internal risk management procedures (BIS, 2005: 14; 2008: 3).

The importance of an effective compliance monitoring programme is continually growing due to the increased complexity of regulations, rising regulator activity and the growing impact of non-compliance. Compliance monitoring is, indeed, the heartbeat of any CF. The creation of compliance and policy manuals is important; however, such policy management might be irrelevant without effective compliance monitoring. (ComplianceTrack, 2011) (Appendix) Therefore, it is essential that every CF takes advantage of the monitoring process to its fullest in order to protect its company from the negative consequences that non-compliance in its area may have.

The aim of this assignment is to briefly outline a framework for a Compliance Monitoring Programme for a pan-European Financial Services (FS) organisation. I base this on the material discussed in class, further research, and my personal experience with Compliance gained in Irish and international companies operating not only in FS but also in the communications, hospitality and consultancy industries.

The Teamwork

Compliance, with Compliance Monitoring at its core, is considered the 2nd line of defence in the company's overall Integrated Assurance Framework, also known as the Three Lines of Defence. (Appendix)

The business, standing in the so-called 1st line of defence, owns, manages and controls compliance risks through management, procedures, controls and quality assurance. The compliance monitoring then carried out by the CF in the 2nd line of defence provides assurance that the business adequately manages its compliance risks. In the final, 3rd line of defence, Audit, both internal and external, performs the overall assessment of the adequacy of the compliance functions.

BIS (2005: 13) suggests there should be appropriate mechanisms for co-operation among all the above assurance providers within the Integrated Assurance Framework and with the head of compliance. These mechanisms should be sufficient to ensure that the head of compliance can perform his or her responsibilities effectively. Hence, not all compliance responsibilities are necessarily carried out by a compliance unit; compliance responsibilities may be exercised by staff in different departments. (Appendix 1, 2) Such coordination with other assurance providers may lead to one of the three following review approaches (Zurich, 2010):

1. Review execution is performed by another assurance provider (e.g. Internal Audit performs an AML review). In this case, the CF should support the assurance provider with technical expertise during execution of the review (e.g. support in setting up the review programme).
2. Joint reviews. The CF participates in a review led by another assurance provider. In this case only one report will be written, by the assurance provider who has the review lead.
3. Compliance Reviews. If review types 1 or 2 are not feasible or adequate, the CF performs its own Compliance review.

The BIS Principles (BIS, 2005: 14) stress that if some of the Compliance responsibilities are carried out by staff in different departments, the allocation of responsibilities to each department should be clear.

As might be expected, PWC research (2009: 16) shows that in practice the three lines of defence can and often do overlap, depending on the organisational compliance structure (e.g. embedded compliance staff in the business who undertake real-time surveillance of transactions to ensure compliance with AML, market abuse or client rules). To resolve these conflicts, PWC recommends putting the CF squarely in the advisory category (i.e. in the second line of defence). This means operationalising the first line of defence, where compliance control and day-to-day monitoring become more clearly the responsibility of the business, with the compliance function providing oversight and advice. (Appendix)

The Virtuous Cycle (Compliance assurance process)

1. Risk Assessment

The continuous cycle is usually annual and starts with a risk assessment to detect potential compliance issues and risks, in accordance with the company's risk appetite. The monitoring is typically (Appendix) planned on a risk basis, as this approach enables resources to be targeted to the areas where they are most needed and will prove most effective, potentially not only saving compliance costs but also gaining greater business support for compliance measures. (Better Regulation, 2008)

The following sources need to be considered to determine which compliance risks should be monitored at the highest group company level:

1. Risk assessments, which can, for instance, be categorised by business areas or by standards prescribed by the regulator (e.g. FSA Handbook categories)
2. Regulatory Environment: laws, regulations, specific requests by the Regulator
3. Monitoring currently executed, and planned for future periods, by other assurance providers
4. Local risk assessments and compliance plans

Moreover, the required depth, breadth and frequency of monitoring activities depend on the size and complexity of the business and of the company itself.

2. Compliance Plan

Based on this input, the CF establishes its review needs, which should subsequently be discussed and coordinated with other assurance providers in order to leverage the existing review frameworks, to avoid duplication and gaps, and to limit business interruption. All defined reviews of compliance risks, irrespective of which assurance provider executes them, are included in the annual Compliance Monitoring Plan. This Compliance Plan typically details the what (scope and objectives, problems/risks, priorities), who (resources), when (start and finish dates, major milestones), and how (activities to be carried out and data to be collected).

3. Compliance Data Collection and Testing

The Compliance procedure manual tells you how to comply with the regulator's rules. How do you, however, ensure that your company has been following this manual? The answer is by conducting compliance testing on a regular basis to see whether those procedures are working as expected, and what the exceptions are. (Cyriac, 2011) Hence, the CF should have a process in place that continuously collects all the compliance-relevant information. The list below defines the main issue and risk identification activities that the CF can use to monitor compliance risks (Zurich, 2010).

Compliance Testing

The aim of compliance testing is to conduct a detailed evaluation of compliance-relevant procedures and internal controls (manual and automated) built into company business processes, to assess whether these are adequate to manage the risk within the scope of the CF. Tests should be completed clearly, concisely and accurately, in line with CF and company standard methodologies. Ideally, a large portion of the testing population can be sourced from the company management information system, such as records of complaints, errors, exceptions, mitigating actions and their status, trends, and the like. Reasonable sample sizes should be used when testing areas with a high volume of data (e.g. trades). (Cyriac, 2011)

Compliance monitoring is meant to be both proactive and reactive. It should collect data to prove the availability of controls and validations, and it should also collect data relating to failure. (ComplianceTrack, 2011; PWC, 2005) The actual frequency of tests depends on the abovementioned risk assessments. As a general guideline, higher-risk areas are recommended to be tested more regularly, at least monthly; medium-risk areas at least quarterly; and lower-risk areas at least annually. (Cyriac, 2011)

As mentioned earlier, the CF can take advantage of the connections, resources and expertise within the Integrated Assurance Framework in circumstances where the CF needs to increase the independence, quality and/or frequency of its reviews. The following basic steps may be executed when performing a Compliance test:

Review Preparation and announcement
- Inform the Business about the planned review and discuss the review process, scope, timing and collaboration
- Prepare the review by gathering data and establishing the review programme

Fieldwork
- Execute the review according to the review programme and file supporting review documents and evidence
- Discuss observations and actions with the Business

Testing by Other Assurance Providers

Regular meetings should be arranged within the Integrated Assurance Framework to identify potential issues that might have an impact on compliance risks. Also, the CF should be kept in the loop regarding reports from other assurance providers.

Complaints, External

Perhaps also as part of a good MIS, a complaint handling procedure should exist where all complaints are registered and tracked, with relevant compliance statistics reported regularly (e.g. number of complaints, summary of major topics, actions taken, status, development needs).

Complaints, Internal

To encourage employees to express concerns, an infrastructure for reports (often anonymous) should be in place (e.g. dedicated contact persons, hotlines, email address, web forms, etc.) and all staff informed and actively reminded of its existence. Reported issues are investigated and acted upon in a timely manner and reported to relevant stakeholders (e.g. number of complaints, major topics, status, channels used for reporting).

Day-to-day Advice

Compliance should be seen not just as a monitoring tool but as active, ongoing support to management. As the business increasingly manifests the right behaviour, embodying both integrity and innovation, the need for the CF to police its activities diminishes, and the value-adding advisory role comes more to the fore. (Appendix?) (PWC, 2005) Having a good relationship with the business is vital to the success of the compliance function, particularly when it comes to assessing the compliance risk of the business. Companies with a mature compliance culture tend to think of the compliance function as a vital element of business operations, and no decisions on, for example, new business ventures or services would be taken without the involvement of the CF and its advice on all compliance risk areas. (Metheven, 2011)

At the same time, however, the pendulum should not be allowed to swing freely in the advisory direction. Compliance has a critical role to play in compliance oversight and monitoring, in order not only to provide the necessary comfort to (senior) management but also to frame the advice it provides going forward. A clear delineation needs to be set between doing compliance and monitoring compliance. (PWC, 2005) Yet, interestingly, in the PWC 2009 (15) survey of 76 financial institutions based in 16 European countries, forty-eight percent of respondents say the distinction between the compliance management and the compliance monitoring programmes is still not fully understood within their organisation. Hence, the CF should attend all committees where compliance risks may be discussed. An annual Relationship Management plan is a popular solution, outlining the minimum required regular meetings with management to discuss potential risks, issues and new developments.

Regulatory Environment Monitoring

Changes in regulation, laws and industry should be monitored systematically. Where action is required, the owner of the particular area should be advised of the change and the deadline for implementation. The CF should ensure the owner has all support needed (compliance, legal, etc.) so that the deadlines and requirements of the new regulation are met. As usual, it is important to keep all stakeholders informed. Compliance officers increasingly appreciate the need for an ongoing dialogue with regulators to gain a better understanding of their changing expectations, and the need to monitor the upstream risks of new regulations more effectively. (PWC, 2009: 4) To ensure no surprises, or last-minute scrambling and the associated unnecessary expense, particular attention should be paid to monitoring new regulatory proposals. (PWC, 2009: 9) How do we do it? The UK team monitors it, tells us about it, agrees deadlines, helps us read the documents and ensures the translation is correct, and brings directors into the loop.

Regulatory Action Monitoring

Reviews, investigations and requests from regulatory bodies should be received and analysed. The CF must ensure timely resolution of such requests, possibly also coordinating the whole process. It is good practice to share the results of the Regulator's activities (e.g. the regulatory review report, including fines or sanctions where appropriate) and implementation progress (status of internal actions) with relevant stakeholders.

Training

Best practice dictates that an annual Training Plan should be established to communicate regulatory/compliance matters to employees of the organisation. These activities can be measured (e.g. coverage, success rate, completed by deadline) and the results used as indicators for the next periods.

Local CF monitoring

An important part of Compliance monitoring in organisations consisting of various units/branches is to ensure that CFs across the company execute their tasks according to the company principles. (Appendix) This can be done by regular meetings of the group CF with local CF units (e.g. one-to-one/joint, face-to-face/teleconference/online, discussing risks, activities, infrastructure), reporting (e.g. issues, risks, activities, KPI performance), semi-annual meetings with key local business stakeholders (e.g. satisfaction, cooperation, added value, prioritisation, resources), and regular quality assurance reviews (carried out by the CF and/or in cooperation with another assurance provider).

Monitoring of Outsourced functions and activities

There are strong parallels in approach in terms of controlling third-party networks and outsourced functions or activities. (Appendix) Key control elements stressed by respondents include:
- Quality of the due diligence exercise prior to entering the relationship
- Contracts and written agreements (service level agreements)
- Robust monitoring by the (local) compliance function and testing exercises (for example, mystery shopping)
- Ongoing communication and training sessions
- Metrics/controls/reporting
- Quality of the compliance function within the third-party distributor or outsourcer, and compliance policies in place, as well as a clear explanation of compliance processes
- Onsite reviews by compliance and internal audit
- Complaints analysis
- A dedicated unit within the compliance function to oversee third-party distributors or outsourcers

Does IT help?

Priority should be placed on the development and use of technology able to help management really understand, on a timely and consistent basis, what is going on in the business. From the perspective of the CF, a strong technological infrastructure entails both sophisticated tools for monitoring compliance in business activities and appropriate tools for streamlining compliance function activities and facilitating knowledge sharing. (PWC, 2005: 11) The apparently low level of knowledge of IT within compliance functions supports the view that, in many organisations, the IT department is not considered a key stakeholder in the compliance function, and vice versa. However, PWC believes that technology is a key enabler in supporting compliance within the organisation, and presents a significant opportunity for many organisations. This means using technology to:

- Control and manage processes that cut across systems and organisational boundaries. Compliance touches nearly every operating and administrative unit and business process in an organisation, so the task of controlling and managing the compliance process itself is huge. Each of these requires appropriate application of technology in order to establish sustainable compliance (e.g. document management, status reporting, automated internal controls). Appropriate use of IT can improve the quality of information and speed of delivery: transferring data from one system to another, replacing manual processes for execution, analysis and reporting, challenging the quality of data, modelling alternatives, and delivering reports and dashboard information to decision makers. Reliable information increases confidence to take action.
- Identify and manage events in a consistent and auditable manner. Technology is used to identify events and report exceptions. This involves optimising control capabilities in existing business and support systems, using integration technologies to bring together information from disparate source systems, and administering and monitoring risk and control self-assessments and other surveys.
- Build accountability into the management and reporting of events. IT helps ensure action by creating a closed-loop environment that incorporates accountability for each incident and requires action. (PWC, 2005: 61)

According to the PWC (2005) survey of 73 FS institutions (63% banking, 19% investments, 18% insurance) in 17 countries, 36 percent of respondents considered inadequate IT infrastructure for compliance monitoring one of the biggest challenges of achieving a compliant organisation. (PWC, 2005: 19)

4. Data Analysis

The results of reviews of compliance risks, as defined above, should be captured and analysed. Every Compliance function should systematically monitor and analyse the captured data in order to identify compliance risks, issues, problems and trends. Key Performance Indicators reflecting the monitoring activities can be an important part of the reporting dashboard and help to identify trends at local and group level.

5. Reporting and Follow-up

Reports to stakeholders (e.g. those charged with governance) on compliance monitoring and analysis need to present a balanced view of the situation, risks, issues and actions taken, highlighting both positive and constructive/developmental aspects, and proposing improvement actions. Reporting happens according to the reporting standards of the particular company but generally includes the following:
- Write and discuss the report, observations and actions with the business
- Share the report with relevant stakeholders
- Follow up actions

Sample Reporting Content:
- Executive Summary
- Background
- Objective and Scope
- Description of compliance testing/review carried out
- Observations
- Rating of quality of controls and processes under review
- Actions

6. Review

Being part of the Integrated Assurance Framework, Compliance should itself be subject to regular review, usually annual, as mentioned above, usually by external and internal audit. Benchmarking against industry peers is also a beneficial practice. Without processes to judge programme elements and implement necessary improvements, any compliance programme will have difficulty staying efficient, effective and up to date. Well-developed routine monitoring and periodic assessment processes, with clear paths for communication of recommended changes, may be the best sign of a mature and effective management system. (OCEG, 2004: 2)
