The ever-present regulatory focus on behaviour and outcomes increased even more following comments by Andrew Bailey, CEO of the Financial Conduct Authority (FCA), at the recent Regulators Meeting on the future of conduct regulation, and therefore compliance:
“A significant part of this debate turns on the issue of outcomes versus rules. Rules are a crucial mechanism for delivering outcomes, but can also be interpreted so rigidly as to become a box-ticking exercise.
This is a lesson we want to see reflected in firm behaviour – any organisation that prioritises being within the rules over doing the right thing, will not stand up to scrutiny for long.”
This poses several questions:
- How does audit need to change to meet this focus on the right outcomes?
- What will the audit evidence look like if there are no documented and predetermined rules to subsequently audit against?
- What does ‘firm’ behaviour mean?
Perhaps it is better to focus on the last question. What is the regulator expecting from organisations? Well, the first thing will be a focus on reducing the tick-box mentality. Often this means asking a question and looking for evidence that the predetermined rules, procedures and processes have been followed. If they have, ‘tick the box’; if they haven’t, raise a non-conformance. This is a backward-looking approach, one focused on mechanistic outputs rather than on outcomes, which are the true deliverable experienced by stakeholders.
This rule-based approach assumes that everything can be predetermined and that human beings will always follow these rules. It assumes that people are robots, which they are not. In reality they have to react to situations that cannot always be predicted. The other factor is that rules are often someone’s mental construct. It may be a picture of reality, but it isn’t reality. These enduring failings of existing approaches are what, I believe, Andrew Bailey is targeting. By firm behaviour he may mean an expectation of change or, at least, a re-positioning of the balance between what can and cannot be predetermined, and auditing accordingly.
Is the FCA alone in the change of focus?
Maybe not. International Standards have changed to be more risk and outcome based. I have seen little evidence that certification and accreditation bodies and suppliers of audit training have changed the audit techniques. Perhaps there hasn’t been enough pain yet, unlike the Management Accounting world, where there is pressure for change following the Carillion collapse and other well-publicised failures. This is also being driven by changes in Corporate Reporting rules for larger organisations.
Avoiding the ‘will not stand up to scrutiny for long’ category trap?
No doubt some will say they have already made the change, in whole or in part, which is good. Others may well be in denial, believing that what they currently do and have been doing for years is enough. There may not be a complete list of factors in terms of making this change. The following are offered as some thoughts and suggestions to meet this regulatory focus on behaviour and outcomes:
- Is this change increasing the cost of compliance? If it is, or there is pressure to do so, then this may be an indicator for a review of audit and risk activity.
- Do auditors know the difference between a mechanistic system focused on outputs and an organic system (reality) focused on outcomes and how to audit each?
- Do audit techniques gather evidence of what people achieve, the impact or outcome of how people behave, not just what they say they do or write down?
- Do auditors have the capability to consistently analyse the outcome of how people behave (the real evidence) and report this against business performance and compliance outcomes? (What does the evidence mean for risk and compliance? Is it this that the FCA and others are seeking to achieve?)
- Do audit reports signpost predictive risk to compliance and performance outcomes? Is this predictive analytical approach allowing business leaders to see risk levels and thus manage individual and collective behaviour accordingly?
This business issue is no longer just about compliance; it is about optimising business outcomes, be that profitability, management of overheads, customer experience or other desired and undesired outcomes.