SYSC 13.6 People
A firm should consult SYSC 3.2.2 G to SYSC 3.2.5 G for guidance on reporting lines and delegation of functions within a firm and SYSC 3.2.13 G to SYSC 3.2.14 G for guidance on the suitability of employees and appointed representatives or, where applicable, its tied agents. This section provides additional guidance on management of employees and other human resources in the context of operational risk.
A firm should establish and maintain appropriate systems and controls for the management of operational risks that can arise from employees. In doing so, a firm should have regard to:
- (1) its operational risk culture, and any variations in this or its human resource management practices, across its operations (including, for example, the extent to which the compliance culture is extended to in-house IT staff);
- (2) whether the way employees are remunerated exposes the firm to the risk that it will not be able to meet its regulatory obligations (see SYSC 3.2.18 G). For example, a firm should consider how well remuneration and performance indicators reflect the firm's tolerance for operational risk, and the adequacy of these indicators for measuring performance;
- (3) whether inadequate or inappropriate training of client-facing services exposes clients to risk of loss or unfair treatment including by not enabling effective communication with the firm;
- (4) the extent of its compliance with applicable regulatory and other requirements that relate to the welfare and conduct of employees;
- (5) its arrangements for the continuity of operations in the event of employee unavailability or loss;
- (6) the relationship between indicators of 'people risk' (such as overtime, sickness, and employee turnover levels) and exposure to operational losses; and
- (7) the relevance of all the above to employees of a third party supplier who are involved in performing an outsourcing arrangement. As necessary, a firm should review and consider the adequacy of the staffing arrangements and policies of a service provider.
Employee responsibilities
A firm should ensure that all employees are capable of performing, and aware of, their operational risk management responsibilities, including by establishing and maintaining:
- (1) appropriate segregation of employees' duties and appropriate supervision of employees in the performance of their responsibilities (see SYSC 3.2.5 G);
- (2) appropriate recruitment and subsequent processes to review the fitness and propriety of employees (see SYSC 3.2.13 G and SYSC 3.2.14 G);
- (3) clear policy statements and appropriate systems and procedures manuals that are effectively communicated to employees and available for employees to refer to as required. These should cover, for example, compliance, IT security and health and safety issues;
- (4) training processes that enable employees to attain and maintain appropriate competence; and
- (5) appropriate and properly enforced disciplinary and employment termination policies and procedures.
A firm should have regard to SYSC 13.6.3 G in relation to approved persons, people occupying positions of high personal trust (for example, security administration, payment and settlement functions); and people occupying positions requiring significant technical competence (for example, derivatives trading and technical security administration). A firm should also consider the rules and guidance for approved persons in other parts of the Handbook (including APER and SUP) and the rules and guidance on senior manager responsibilities in SYSC 2.1 (Apportionment of Responsibilities).