But it can be a double-edged sword. For example, the system’s controls may not allow benefits to be paid in specie, even though the scheme rules permit it. However, from time to time circumstances will arise where paying benefits, such as the PCLS or lump-sum death benefits in specie, allows you to deliver a clever solution to clients’ needs.
If the proposition is a flexible one and the system is well configured, there will even be a controlled process for circumventing the controls themselves. ‘User permissions’ control what people can do. They are set so users can only do things within the system commensurate with their roles, training and experience. Where there are more complex or higher risk processes – or where standard controls are to be circumvented for a legitimate reason – further authorisation is required from different individuals with greater skills and responsibilities.
Older systems often have much less sophisticated user permissions or none at all. Aside from leaving the operator – and your clients – more vulnerable to errors or rogue employees, it has other implications, such as affecting the quality of data.
Quality of data may sound abstract and obscure but imagine if anyone can enter any data they like, in whatever way they like. They could, for example, be more than one record for your firm but permission to pay adviser charging may be attached to only one of them. An investment that has failed due-diligence tests, say because the directors have previous involvement in scams, may be entered a second time, slightly differently, and allowed to proceed.
MI
The third little word, “MI” (‘management information’) is significantly dependent on the quality of data as well as other issues mentioned, such as data being in an available form or even in the system at all. It is not just for the management; the regulators have an interest and so do you.
There is a ream of regulatory reporting that has quietly gone on for years – product sales data to the FCA, event reports and accounting for tax to HMRC. But the FCA, in particular, expects much more than that.
High Level Principle 3 says: “A firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.” MI is integral to doing this. A firm cannot monitor what it cannot measure and it cannot improve what it is not monitoring. MI should act like a profusion of dials on the Sipp machine, showing how everything is operating: service times (for example, for transfers), service quality (number and nature of complaints, for example), concentration of risk, including where client money and assets are held or how they are invested.