Beginner's guide to navigating a regulatory inspection

By Fiachra Crean, Head of Supplier Relationship Management, AIB

Can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is? What, for you, are the benefits of attending a conference like Vendor Europe?

I’ve taken a very different route into the financial risk management profession. I qualified as a mechanical engineer, and spent the early part of my career in the oil & gas and micro-electronics industries. These industries seem a long way from financial risk, but there are many similarities as both are heavily regulated environments, and provide a good foundation for risk assessment and risk management.

I’ve been in the banking industry with Allied Irish Bank (AIB) in Dublin since 2008, and have been involved in a third party and supply chain risk management role since 2015. Currently, I am part of AIB’s Strategic Sourcing team and responsible for Supplier Relationship Management. I am currently leading our organisational change project to introduce improved Third Party Risk Management across the bank.

How can financial institutions best prepare for regulatory inspection and what concerns do you expect to occur relating to understanding the scope of what is required?

It can be very difficult to determine the focus of the investigation, as the regulator’s description for an inspection is usually very broad so as not to restrict them in their undertaking. It is best to prepare thoroughly for all aspects of the topic being examined. We have found that an initial brainstorm involving multiple areas of the organisation, and considering previous inspections, helps to identify appropriate themes to start with. We then drill down into each theme to identify areas that are likely to be examined, and to gather evidence of the process and controls in place.

Often, there can be a sense of trepidation in the lead up to an inspection, which means that we spend more time focusing on the problems we foresee, rather than stressing the good controls that are in place. Awareness of any potential issues is important, and such issues can be identified as “Self-Identified”, along with the relevant implementation plan to resolve them. However, don’t forget about the controls that are in place. It is also important to use the inspection as an opportunity to tell the full story and demonstrate the good risk management practices that are already in place.

How can you engage regulators effectively?

Appointment of a single point of contact to channel all communications through, combined with efficient turnaround, and open and honest responses, worked effectively for us. We put considerable effort into answering queries as thoroughly as possible in order to minimise follow up questions.

We also sought feedback from the regulator as to how we were performing, and whether we were providing the information they were seeking. We sought to have a feedback meeting periodically to get a sense of whether our engagement was at the right level.

Additionally, making sure that all communications are documented and governed correctly is essential. Put in place the appropriate steering and working groups, and make sure that the right decision makers are present to engage.

What are some best practice methods when managing follow-up actions?

It may sound obvious, but the most important thing is to ensure that you are absolutely clear as to what the regulator is asking you to do and what they are expecting. It is possible that the final report may be written by another area of the regulatory body than the one that undertook the inspection, and subsequently some ambiguity in terminology or sentiment may arise. If in doubt, seek clarity!

Usually there will be an opportunity to engage with the regulator to agree the delivery timeframe. It is important that the timeframes are realistic both for you and the regulator. Where there are inter-dependencies for one action on another, these should be identified early and managed carefully.

Ideally, the completion of the remedial actions should be undertaken as a project, with a senior management sponsor, a definitive end date, and appropriate governance. Delivery of remedial actions on time is essential. Regardless of the scale and scope of the remedial actions, it is important to assign responsibility to named individuals, to start addressing them early, and to track progress frequently.

Before declaring completion to the regulator, and submitting the necessary evidence, it is important that sufficient internal assurance is completed to ensure that the remedial actions undertaken have satisfied the regulator’s requirements. Ideally an independent assurance function with the benefit of “a fresh pair of eyes” should be used to verify the solution, and ensure that the question asked is the question that is answered.

How do you see the impact of vendor and third party risk evolving over the next 6-12 months?

Given ever increasing regulatory requirements (such as the EBA Guidelines on Outsourcing which come into effect Q4 2019), I expect to see organisations continuing to employ and invest in first line risk management resources. In conjunction, I would expect to see organisations revising third party risk management processes to automate (where feasible) and improve efficiency.

I would also expect to see a greater uptake of shared service arrangements where risk information regarding third parties can be compiled centrally and shared by end user organisations. Shared assurance audits are a particular application where I would expect to see significant growth; it’s an area in its infancy, where the use of the model is advantageous to both the third party and the employing organisation.