Section 11 of the General Code deals with the control measures required:
“A provider must at all times have and effectively employ the resources, procedures and appropriate technological systems that can reasonably be expected to eliminate, as far as reasonably possible, the risk that clients, product suppliers and other providers or representatives will suffer financial loss through theft, fraud, other dishonest acts, poor administration, negligence, professional misconduct or culpable omissions.”
Section 12 of the General Code refers to the specific control measures required:
“A provider, excluding a representative, must, without limiting the generality of section 11, structure the internal control procedures concerned so as to provide reasonable assurance that-
(a) the relevant business can be carried on in an orderly and efficient manner;
(b) financial and other information used or provided by the provider will be reliable; and
(c) all applicable laws are complied with.”
Interestingly, (a) above also alludes to the need for succession planning, something we will expand on in a future article.
You have to include your risk management plan as part of your compliance report. The FSB has, on a number of occasions, commented on the poor quality of risk management plans they encountered during practice visits.
The FSB website contains a detailed document to help you construct your own personal plan.