Designing your control matrix for safeguarding and CASS


The words ‘compliance control matrix’ or ‘risk and control framework’ can conjure up images of wading through spreadsheets and ticking meaningless boxes. But when set up right, these tools can unlock more efficient and seamless compliance.

Done properly, a control matrix can be a live representation of what happens across your firm and provide the foundation for effective governance. Adopting an automated approach will help, as will understanding the pitfalls. Above all, staying on top of your control matrix is vital to make sure you get value out of it.

Designing a control matrix: pitfalls to avoid

Beware of the spreadsheets

We commonly see that companies use spreadsheets to manually document rule applicability, risks and controls. This can be a good starting point, but it has several drawbacks:

Manual nature

These spreadsheets are big. They’re not easy to navigate or extract insight from, they take a lot of time and effort to maintain, and they are prone to becoming corrupted.

Static nature

Spreadsheets are static. It’s difficult to use them to do real-time impact assessments or to monitor the management of risks.

For example, if you have a new product and would like to understand whether the current control environment can support it, it would be difficult to filter out the relevant controls and assess whether changes to them are required. This is because there’s a lot of ‘noise’ within this type of spreadsheet, making it difficult to get a clear overview of the relationships between the risks, controls and processes at the firm.

Prone to inconsistencies

The manual nature of the matrixes means there is an increased risk of inconsistencies and duplications.

For example, we often see the same control included against multiple risks but with different wording used each time. This can make it look like there are several separate controls, which can cause ‘noise’ and impact MI and reporting.

Changes in regulation not captured promptly

When rules change, it’s time-consuming to capture them in your spreadsheet, meaning they may not be reflected within your control environment promptly, risking non-compliance.

Prone to control gaps

When maintaining a risk matrix in a spreadsheet, the risk of control gaps is higher, and they are less straightforward to identify. To try to make the spreadsheets easier to work with, firms sometimes amalgamate rules and therefore miss nuances for which additional controls are needed.

Difficult to identify systemic failures in controls

With control matrixes maintained manually in spreadsheets, we also usually see highly manual breach and incident management processes. This can result in firms working to resolve the breach but not fully linking the cause of the breach to a specific control failure.

The IT issues

We often see firms failing to map IT controls and dependencies to their regulatory control environment. Mapping of automated controls is usually good, but firms tend to miss dependencies on manual IT controls, such as detective controls relying on data derived from key systems.

Another thing that firms often miss is documenting data validation controls around data feeds between systems. For example, in the internal client money reconciliation, system feeds into the free cash calculation need to include only client money for clients who fall under the CASS 7 rules. Firms often forget to map controls that ensure that balances for all clients feed into the calculation and likewise, those that ensure that only client money feeds into the calculation.

Lastly, firms often fail to document controls relating to user access, certifications, recertifications and change management as part of their regulatory matrix.

Failure to fully engage in your IT environment when mapping controls can result in incomplete or inaccurate information feeding into the control matrix.

Outsourced/Offshored arrangements

When firms outsource or offshore processes and controls, they retain regulatory responsibility for compliance and therefore need to have arrangements in place to oversee the activities performed by the third-party administrator (TPA). It’s important that control matrixes properly identify which controls are outsourced/offshored and which third parties they are outsourced/offshored to. This will allow an appropriate focus on outsourced/offshored controls and processes, and therefore ensure that they are captured as part of the firm’s control framework.

Business line differences

We often see that even good control matrixes do not have sufficient information to ascertain which rules apply to which business lines. This can lead to a risk that rules are scoped in for business lines to which they are not applicable or, conversely, that business lines are relying on controls which do not cover the information relevant to that business line.

Automated risk and control mapping

For many, an automated risk and control mapping system is the answer to a lot of these problems and provides some clear benefits.

Complete regulation mapping updated automatically

You have all relevant rules and regulations mapped within a system, and they are automatically updated in real time. The system highlights to you when this happens, so you know you need to act. The triggers also depend on the type of change, for example whether it’s a new rule, an amended rule, or a deleted rule.

This allows you to consult your control matrix and assess the change’s impact on your control framework as it happens.

Effective gap analysis

You can view your entire control framework and analyse how it maps back to the regulation as well as how the regulation maps back to your controls. The system can flag if there are any controls not mapped to rules, rules which have been flagged as applicable but not mapped to controls, or rules not assessed for applicability.
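The three gap checks just described, plus the TPA tagging covered later on this page, as an added example in Python (not from the article or from any vendor’s product). The rule references, control ids and TPA name are constructed for illustration only.

```python
# Added example: bidirectional gap analysis over a small, constructed control matrix.
# It flags the three gap types described above and also surfaces rule references
# that the matrix does not know about (a common sign of a stale or mistyped mapping).
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Rule:
    ref: str                      # constructed rule reference, e.g. "R-1"
    applicable: Optional[bool]    # None = applicability not yet assessed


@dataclass
class Control:
    cid: str
    description: str
    rules: List[str] = field(default_factory=list)  # rule refs this control evidences
    performed_by: str = "in-house"                   # or the name of a TPA


# Constructed sample matrix (hypothetical ids; not real CASS references).
RULES = [Rule("R-1", True), Rule("R-2", True), Rule("R-3", False), Rule("R-4", None)]
CONTROLS = [
    Control("C-1", "Daily internal client money reconciliation", ["R-1"]),
    Control("C-2", "Acknowledgement letters reviewed annually", [], "TPA-A"),
    Control("C-3", "Access recertification for the reconciliation system", ["R-9"]),
]


def gap_analysis(rules: List[Rule], controls: List[Control]) -> Dict[str, List[str]]:
    """Map rules -> controls and controls -> rules, returning each gap category."""
    known = {r.ref for r in rules}
    mapped = {ref for c in controls for ref in c.rules}
    return {
        "controls_without_rules": sorted(c.cid for c in controls if not c.rules),
        "applicable_rules_without_controls": sorted(
            r.ref for r in rules if r.applicable is True and r.ref not in mapped),
        "rules_not_assessed": sorted(r.ref for r in rules if r.applicable is None),
        "unknown_rule_refs": sorted(ref for ref in mapped if ref not in known),
    }


def outsourced_controls(controls: List[Control]) -> Dict[str, List[str]]:
    """Controls performed by a TPA, grouped by TPA, so oversight can be targeted."""
    by_tpa: Dict[str, List[str]] = {}
    for c in controls:
        if c.performed_by != "in-house":
            by_tpa.setdefault(c.performed_by, []).append(c.cid)
    return by_tpa
```

Running `gap_analysis(RULES, CONTROLS)` on the sample matrix reports C-2 as unmapped, R-2 as applicable but uncontrolled, R-4 as unassessed, and R-9 as a reference the matrix does not recognise.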

Effective third-party administrator (TPA) oversight

You can have the capability to tag where your controls operate – are these performed in-house, or do you outsource/offshore these to a third-party administrator (TPA)? If you use outsourcing arrangements, you can see which controls are impacted. Through the reporting functionality of automated solutions, you can also see:

  • How many CASS-critical activities sit with each outsourced entity – this can guide the level of oversight to different TPAs you would be using, with higher risk TPAs being monitored more closely.
  • If there is duplication of activities that can be streamlined into one location – for example, controls performed in exactly the same way for different markets in different locations, rather than one centrally operated control for all markets – thus increasing efficiency and cutting costs.
  • Which third parties controls are outsourced to. This is essential, as it can be used to map back to the service level agreements with these TPAs and ensure that such an agreement exists and that the activities listed in the agreement correspond to the activities undertaken. This can also be used as part of the CMAR process when responding to the question in Section 9.

This will show where oversight efforts should be focussed and can help you assess if the third-party administrator is still appropriate to perform these controls.

Incorporation of IT controls within your regulatory environment

An automated solution can also help you to assess how well your general control environment is automated and where there are human dependencies that might increase risk.

Further, through the reporting capabilities of the automated solution, you would be able to see how many controls rely on the same dependencies, thus identifying which of these are higher risk and require more monitoring activities (relating to change management or access).

Effective breach management

So, you have a robust control matrix. Your solution also has built-in attestations, which allow you to map control deficiencies, near misses, breaches and other incidents to your controls.

This gives you real insight into where your control weaknesses lie and lets you target their remediation effectively, be that through introducing new preventative or detective controls, or through changing the mix or design of controls. And if managed in sufficient detail, you can see where an incident caused by a failure in one control has an impact on the operation of another control.

Next steps

With all the above in mind, the number one best practice is to keep on top of your control matrix, regardless of whether it is automated or manual. Only by doing so can you exercise effective governance and derive real insight from the reports and information retrieved from your control matrix.

We can help

With market leading software provider Grath, we can offer an end-to-end regulatory compliance management tool to help you manage your CASS or safeguarding framework. The platform can help you effectively manage your control environment and provide insight and relevant information to your stakeholders.

We can also provide advice on compliance with CASS and safeguarding regulations and help you in designing control frameworks which work for you and help your integration with Grath.