Charles Maddocks explains how to meet FSA requirements for effective systems and controls

At a recent workshop, the FSA reiterated its stance on evidence: "We'll ask you if you do it, then we'll ask you to show us." To put it bluntly it is saying if you tell us, we won't believe you, if you can show us then we will.

And don't forget you may not even have the chance to tell it. If you are replying to a request for information then you have to send the evidence, often at short notice.

The training and competence, and conflicts of interest thematic letters were two recent examples of this.

This prompted me to look at my previous articles and to see the number of times I recommend creating and keeping records. This is by far the best evidence. And you should ensure that record keeping runs through everything you do. You never know when you might need it.

So what should you have available if asked to show it to the FSA? As consultants we are often asked for a check list. It's not that easy. What you create and keep by way of records is very much dictated by the size and complexity of your business. As ever, the FSA puts the responsibility on your shoulders. So here is an illustrative, but by no means exhaustive set of examples.

I make no apologies for starting with systems and controls. The more obvious areas, such as insurance conduct of business rules, training and competence, and complaints, get all the attention.

But the FSA is very hot on systems and controls. This is because it directly affects its aim of risk mitigation. A well run firm with adequate systems and controls shouldn't get into trouble. However, this is an area which, for some firms, is so much a part of everyday business that they forget to record it.

The FSA requires that significant responsibilities within the business are apportioned among the managers. This split should make it clear who has which responsibility. It should also allow the firm to be monitored and controlled effectively.

Also, you must allocate to one or more individuals the function of dealing with the apportionment of responsibilities. Also the function of overseeing the establishment and maintenance of systems and controls should be the responsibility of at least one person.

Having done so the FSA requires that you record the arrangements you have made to satisfy both apportionment and allocation and keep this up to date. This record must be retained for six years from the date on which it was superseded by a more up-to-date record.

Appropriate records might, for this purpose, include organisational charts and diagrams, project management documents, job descriptions, committee constitutions and terms of reference - provided they show a clear description of the firm's major functions.

It should also be kept up to date and any material change to the arrangements described as soon as reasonably practicable after that change has been made.

Some firms receiving 'arrow' visits have been caught out when the organisation chart shown to the FSA did not reflect recent changes and therefore the current position.

Having recorded this, you should now provide evidence that the controls are working. Evidence of regular, well-informed management meetings will help.

Make sure you record each meeting (even ad-hoc if they change a previous decision), the actions that were agreed and who they were allocated to.

As I said in my earlier article on proportionality, half a dozen key areas with actions, owners and deadlines should be sufficient.

You may also be asked whether you have a mechanism in place to prove those actions were followed through. Is this built into your management meeting agenda? It's human nature to concentrate on current issues and look ahead. Tie up the loose ends or you may be caught out later.

Anyone who's been through the Part IV application process knows how important a credible, detailed business plan is to the FSA. The HSF process prior to January 2005 didn't require the submission of a business plan for FSA scrutiny. But not to have an up-to-date plan, against which to measure your firm's performance, will be viewed as lacking control.

Business continuity planning is another strong piece of evidence of control. You should have it to hand, up to date and, if possible, tested.

I use the analogy of the passenger liner. If the captain is in the engine room stoking the boiler then he can't be on the bridge looking out for potential hazards on the horizon.

So your risk register is the evidence that, while you are busy fighting for that piece of new business, you still have a weather eye on the future. It could be risks to your business, but just as easily opportunities.

The trick is to keep it up to date. For this ICS recommends a compliance monitoring programme.

Regular (weekly, monthly, quarterly or annual) tasks are included in the programme and allocated to individuals. Policies and procedures are also included for regular review. The programme will provide senior management with the evidence that compliance within the firm is measured and appropriate remedial action taken.

Conflicts of interest have been high on the FSA's agenda. Have you recorded potential conflicts and the actions you've taken to mitigate them? Are the records up-to-date? Have they been reviewed and updated in the last 12 months?

These are just some examples of the evidence you may be asked to show. None would be easy to prepare from scratch, especially at short notice. So, as I said in my first article, get them in place now, use them and make them work for the benefit of your business. IT

' Charles Maddocks is marketing manager of Insurance Compliance Services.