Advice From A Consultant: E-Communications Risk Assessment Tips
3rd June 2024 by Samuel Rossiter
When was the last time you conducted an e-communications risk assessment for your regulated firm?
With the rise of hybrid and remote working, it’s likely that your employees work from home at least some of the week and use a range of communication channels to conduct business (Microsoft Teams, email, Slack, etc.).
If you’re aware of any new communication channels that your employees use at work that are not monitored, or if you haven’t conducted an e-communications risk assessment in a while, then it might be time to reassess the risks and controls that apply within your e-communications.
To help you, we’ve collaborated with Peter Bowyer, Compliance Consultant at Bovill Newgate, to give you some tips on how to conduct your e-communications risk assessment. This will be the first article in the series Advice From A Consultant, where we’ll be giving advice on what best practice looks like within several areas of your communications compliance.
Let’s get started…
How Often Should You Conduct Risk Assessments?
Peter says:
“Best practice is to conduct your risk assessments at least once per year or following a trigger event. If you work for a bigger and more complex firm, then you may want to conduct risk assessments more frequently. A trigger event can take many forms – from the introduction of a new business line to significant changing market conditions. Ultimately, any event that occurs intra-year which could change the extent or type of risk the business is exposed to should prompt firms to revisit the assessment.”
After conducting a risk assessment, you may find that your controls are still fit for purpose and that nothing needs to be changed. But a trigger event should still prompt you to conduct a risk assessment and review your controls to understand whether they are still appropriate to mitigate the risks within a specific framework.
What Should A Good Risk Assessment Cover?
Peter says:
“The best risk assessments will be tailored to your business. The FCA has previously expressed its concerns about firms using ‘off the shelf’ assessments that do not give any meaningful consideration to the specific risks the firm is exposed to. It should be a collaborative exercise taking into account feedback from the first and second lines of defence. And firms should not forget the ‘assessment’ part – this is an opportunity for firms to truly assess the extent of risk and the effectiveness of controls, rather than just listing risks and controls.”
Your risk assessment should:
- Identify the number of risks within a given framework in your firm, such as your e-communications framework
- Identify the extent of different types of risk within this framework
- Identify the number of existing controls in place to mitigate these risks
- Identify the methodology you are using to score the risks within this framework
- Identify what processes you have implemented to mitigate these risks
- Identify if any additional processes or controls should be implemented, if any new risks have been discovered or the extent of risk has changed
What Should Your E-Communications Risk Assessment Cover?
Peter says:
“When you conduct an e-communications risk assessment, make sure that you cover all your different communication channels and address the specific risks applicable to your firm. Be aware of when communication channels change and start emerging, such as if your employees have started using WhatsApp to talk to clients. It’s very important to keep up with the changes in technology and communication as they develop and reflect this within your risk assessment.”
Here are some questions you should think about:
- What risks can you identify within your electronic communications that are applicable to your firm and your regulated activities? These could be market abuse risks, money laundering risks, etc.
- Are you currently monitoring all electronic communication channels used to conduct business to mitigate these risks?
- Have you outlined clear processes to score the risks within your electronic communications and investigate high-risk activity?
- Are you aware of any electronic communication channels that your employees have started using to conduct business that are not currently being monitored?
- Is it worth updating your communications policies so that these new channels, such as WhatsApp, become approved for use at work?
- If you approve more channels for use at work, do you need to allocate extra resources or manpower to monitor these channels?
- Are you currently using methods such as random sampling to monitor your communications, whereby not all communications data is being captured and monitored?
- Do you need to invest in RegTech to ensure that all communication channels are being captured and monitored, so that no high-risk or malicious activity is missed?
Fingerprint provides regulated firms with a communications compliance platform that ingests and monitors all communications data, automatically identifies high-risk activity and provides all the investigation and reporting tools needed for compliance teams to shine. Our platform can also ingest and monitor WhatsApp so you can use this channel completely above board. Book a quick 30-minute chat with us if you’d like to learn more!
You can head over to our Articles page to read more useful content on communications compliance, along with our views on the latest news in the industry. You can also head to our Guides page to access more useful resources, such as a sample communications supervision policy.
Stay tuned for more advice from Peter in our Advice From A Consultant series.