Drafting Effective Risk Management Policies: Funds and SIBs

Published On: October 30, 2023

With the official roll out of CIMA’s recent rules and statements of guidance on corporate governance, internal controls and other policies, there has been a lot of anxiety regarding getting the various policies and procedures in place.

The only thing that beats the anxiety about getting everything in place is the level of debate surrounding whether certain entities such as funds ‘really’ need to have those policies in place.

The answer to that question lies partly in the efforts made by CIMA to ensure that there are specific guidelines for entities such as funds, implying very clearly that these matters are at the very least, relevant to funds.

But ‘relevant’ doesn’t mean that funds are required to have detailed day to day procedures in place. It means they need to be able to demonstrate that they understand their ultimate obligations and are actually meeting them within the fund’s environment (which includes a wider set of parties in addition to the fund).

How do you do that if you are a fund’s board of directors?

You adopt written policies that do five key things:

  1. Set out the fund environment/context and risk profile
  2. Demonstrate the Board’s acceptance of, and commitment to, its ultimate responsibility
  3. Show very clear governance of the external service providers carrying out the day-to-day functions (client onboarding, IT functions etc.)
  4. Directly address the obligations (especially the ‘rules’ but also the key principles in the SOGs) that are imposed on the board of directors in CIMA’s documents
  5. Result in specific actions taken by the board of directors to address any direct obligations imposed on them.

The same approach applies to securities investment businesses, although the extent to which you can rely on the size, nature and complexity provision to avoid having detailed procedures in place can be very different, depending on the circumstances of the SIB. Some SIBs have very similar circumstances to funds, with all day-to-day activities carried out by third-party service providers; some have one or two staff members (and typically very few clients); and others have more substantial operations.

Of course, for traditional operational regulated entities you will more likely need a full set of policies and detailed accompanying procedures to comply (although even in those cases the size, nature and complexity consideration remains relevant).

Finally, irrespective of the final strategy/nature of your policy, you should try to follow a robust procedure when drafting any set of policies. Taking the following steps might be useful (see the checklist below). And if your legal counsel/service provider is drafting those for you be sure to check that they have taken at least an equivalent approach.

Risk Management Policy Development Methodology

  • Define the policy’s scope and objective – Clearly define the scope of this policy, specifying the areas of governance and compliance (and parties) to which it applies.
  • Research and Analysis – Conduct thorough research on the relevant laws, regulations, industry standards and best practices related to the area of risk management in the financial sector (and in particular, your sector).
    ◦ Analyse the organisation’s structure, operations, risks and industry-specific requirements to identify policy needs and gaps.
    ◦ Consider how each requirement laid out in your policy will be carried out in practice (how will each director or other stakeholder comply?).
  • Risk Assessment – Conduct a comprehensive risk assessment to identify potential risks associated with governance and compliance within your company (or your client’s company if you are drafting as a service provider/consultant).
    ◦ Prioritise identified risks based on severity, likelihood and potential impact to guide policy development efforts.
  • Policy Formulation Consistency – Develop a consistent policy template that includes sections for policy scope, purpose, applicability, definitions, responsibilities, procedures and reporting mechanisms.
  • Policy Review and Approval – Conduct an internal review of the policy draft to ensure accuracy, completeness and alignment with regulatory requirements (I always carry out a gap analysis of the policy until it fully complies with the respective CIMA requirement).
    ◦ Seek a legal review if possible before presenting to your board.
    ◦ Obtain Board approval.
    ◦ Ensure effective communication of the new/revised policy to all relevant stakeholders (directors, staff, service providers etc.).
    ◦ Include a periodic review requirement in each policy to ensure it remains effective.

If you have gone through that process, or anything similar, you will more likely end up with policies that come very close to doing the job. No policy is ever perfect, and having an effective set of policies in place means monitoring their effectiveness and updating them over time.

FTS can help: we have developed over 40 key policies relating to AML, risk management, corporate governance, internal controls and other areas and across 5 different areas of financial services, including funds and securities businesses. Contact us at policies@ftscayman.com to find out more.
