Asset management operations
£7.3billion assets under administration
Novia Financial is a wealth management service dedicated to investment advisors and their clients. It provides tools and software designed to manage the necessary information and reporting needed for investment purposes, whilst providing access to various product wrappers and investment funds.
The risk and compliance teams at Novia subscribe to the Risk and Compliance modules of Graci, but primarily make use of the Incident Management and Internal Loss Data functionality. The Graci Incident Management service allows the firm to define various data capture forms for different types of incidents, with bespoke field types and rules around required or optional data for each. Specific workflow can then be attached to each type of incident form, which can then automatically drive incidents as they are reported to the appropriate business unit and/or individual and/or job position for attention. Loss events reflect where a risk has manifested itself and usually results in either some form of financial loss, adverse efficiency impact, or an unexpected gain. The Graci Risk Internal Loss Data functionality allows the firm to record these losses and, based on industry-standard loss event data models, provides the ability to include event and impact types such as ‘near misses,’ opportunity costs and operationally driven credit losses.
Natalie Highmore, Compliance Associate at Novia, is the primary user of Graci, using it on a regular basis to record loss events and to extract management information. “Graci provides us with a framework to be able to log any complaints and breaches [incidents and loss events] that we have, to manage those through the process of identifying them and then rectifying them,” she explains. Brett Hanlon, Risk Manager at Novia also uses Graci to extract data for risk management purposes. “We use the root cause and trend data from our incidents and complaints to identify if there are any systemic failings in the business,” he says.
Graci allows the system administrator to tailor users’ access to individual elements within each module, so that only the relevant users are able to view, access, enter or extract data. “I like being able to centrally control people’s permission and access for the different elements we might not want everyone to have access to,” says Highmore. “We’re able to keep everything on a central system where different teams can access it and can manage everyone’s permissions – and also assign things to individuals.” Each of the users’ workflows for assigned tasks can also be centrally managed through the system via automated notification scheduling. Different forms for the same kind of incident can be applied to different parts of the organisation, with different workflow routing based on the source business entity, location and incident type.
Every module within Graci has been created with regulatory compliance challenges in mind. Examples of this (cited by Novia) include the requirements laid out in the FCA’s Senior Management Arrangements, Systems and Controls Sourcebook (SYSC) – which was created to promote responsibility amongst senior management for the many complex business elements within a firm that fall under the remit of the FCA – and the Dispute Resolution: Complaints Sourcebook (DISP). “There are requirements in DISP that state you have to have an accurate record of your complaints,” explains Hanlon. “We primarily use the system to record and manage complaints. The system contains the permanent record and facilitates the workflow of these cases. Failings or errors occurring in the business (breaches) are also recorded and managed using Graci. This helps us demonstrate appropriate systems and controls are in place in accordance with the SYSC regulations.”
When selecting the right GRC solution, a key decision is whether to enlist a third party, or build a solution from scratch in-house. Having worked with both types of system, Hanlon appreciates the benefits of using a dedicated supplier. “The benefit of an external system is of course hosting,” he says. “I like the fact that it hosts and manages our data for us, so I don’t have to mess around with spreadsheets and various other things during the month, and I have the ability to extract the raw data as required. There is no limit to me going in and saying I want all of the data for X period.” Enlisting a third party also means technical issues do not have to be dealt with in-house, saving valuable time and resources. “If there are any problems or defects they’ll be fixed and escalated by RiskBusiness,” says Hanlon. “We don’t have to worry about integration of the system, protection of data – we know that RiskBusiness is hosting it for us and protecting it in the appropriate manner.”