Risk-based compliance monitoring

The Financial Services Authority has adopted a risk-based approach to regulation as the most efficient route to meeting its own statutory objectives under the Financial Services Markets Act 2000. Firms, which face similar resourcing constraints and need to adjust to the new second generation, “non-tickbox”, high-level regulation, are starting to follow suit. In the first article in a two-part series, Irwin Spilka, Head, Internal Audit and Compliance at the Stonehage Group delineates a model for risk-based compliance monitoring. In the second article, to be published next month, Mr Spilka explains how to configure the Compliance Department in order to move from “assessing compliance with rules” to a focus on the “effectiveness of management systems” and provides a clear application of the model and risk mapping.

The US Occupational Health and Safety Administration have rules on the use of respirators used by firefighters. These rules “prohibit tight-fitting respirators to be worn by employees who have facial hair that comes between the sealing surface of the face piece and the face”. These rules are in place to protect, as individuals with excessive facial hair, including stubble and wide sideburns that interfere with seals, cannot be expected to obtain as high a degree of respirator performance as clean-shaven individuals. There are also rules referring to the acceptability of size, curliness and texture of beards. Because of the focus on detail, compliance involves mastering the intricacies of the rules and then ensuring compliance. Compare this to UK Health and Safety legislation that requires employees to engage in a risk assessment, the purpose of which is to assist the employer in determining what measures a firm should take to comply with its statutory duties. The changing face of the UK financial services regulatory system can be compared to a move from the style of US health and safety regulation to the style of UK health and safety regulation.