Setting up and embedding your GRC framework

As a newly authorised crypto asset business one of the most important things you’ll need to ensure, right from the start, is that you have set up and embedded your governance, risk management and compliance (GRC) framework.

Quite simply GRC is an integrated collection of functions or capabilities which enable a firm to reliably achieve its objectives with certainty and integrity.

Setting it up is one thing; embedding it is quite another. And the important thing from the regulatory standpoint is evidencing. How are you going to show the regulator, when it really counts, how well your processes are working and are truly embedded?

Evidence of governance

• Consistent management, proper oversight and accountability

• A defined strategy that clearly sets out business objectives

• Directors that have appropriate skills and experience and receive adequate training and support in discharging their Board duties

• A culture that is well defined, communicated effectively and leads to good customer outcomes

• Tools to ensure that the firm’s overall business performance is being effectively measured

• Relevant policies in place and being maintained

You need to ensure both that people are empowered but also that you can verify that they are doing what you have asked them to do. People need to be accountable for their decisions and held accountable. And it’s no good if the senior managers or the Board understand the risks in the business but people lower down the firm, operational people actually doing the business, don’t. When FCA personnel test these things they don’t go straight to the Board; they start at grassroots level to make sure people understand what they are doing.

Evidence of risk management

• An effective risk management framework in place

• Staff who are aware and informed about risk within the firm

• Risks being reported in a timely manner and adequate information being provided to executives and business people on risk management

• Regular assessment of the maturity and fitness for purpose of the risk framework given business

It’s the same kind of thing as governance. You’ve got to provide evidence that you’re actually doing what you said would do. Essentially it means having the kind of framework where people at operational levels of the firm are well-informed and aware of the risks. Clear timely reporting is a very good indicator. And remember your risk management framework is not static; it’s a dynamic framework which evolves as your business evolves. As your volumes increase and your business develops you need to constantly reassess that, at least on an annual basis.

Evidence of compliance

• Compliance manuals, policies and procedures

• A compliance monitoring programme

• Staff training and means of assessing their competence

• An experienced compliance function which assesses the quality of the firm’s activities

• Ownership and tracking of identified issues

• Compliance reporting that is articulate and effective

Manuals, procedures and other forms of documentation are a starting point but only that. You also need a compliance monitoring plan and then you need to test it, to evidence that it’s actually embedded and that you’re using it. You also need to assess the competence of your staff, regularly train them and reinforce that training. You may need an in-house experienced compliance function, or you may in some cases be able to outsource that. But the vital aspect of compliance whichever model you use is ensuring ownership of issues. The regulators want to know that people in your organisation are taking ownership and things are not falling between the cracks.