As Recommendation H began to be implemented, a significant change occurred in the understanding and implementation of internal control systems, first in banks, and then gradually in other areas of the financial market. With the recommendation came requirements making it mandatory to link primary goals of the organization with key control mechanisms (actions, processes) that are to aid in achieving these goals. Additionally, monitoring the use of these mechanisms is required in order to ensure that goals are being pursued.
One important requirement that the recommendation sets is maintaining an active control function matrix in the form of a computer system. This is intentional on the part of the regulatory body, as an IT system can help in maintaining the matrix thanks to multidimensional data storage, the possibility to link information and keep the history of all changes made to any element of the matrix. Oftentimes, the information stored in the matrix is confidential, which further necessitates the use of reliable and tested access control systems.
According to Recommendation H and the Minister of Development and Finances regulation of 2017, commercial and cooperative banks must maintain so-called control function matrices, which describe the links between essential processes and goals of the internal control system as well as key control mechanisms. This approach sets current standards for the functioning of compliance and internal audit departments, which support achieving strategic goals of the organization and minimizing operational risks.
Once key control mechanisms, such as procedures, duty assignment definitions, operation authorizations, access control and KPIs, have been specified and selected, the next step is to assign independent horizontal and vertical monitoring to each control mechanism. Part and parcel of the monitoring category are verifications, which are monitoring activities performed daily as normal business processes, as well as testing, which is performed periodically to verify whether control mechanisms effectively support/ensure the realization of goals.
Among the requirements set by Recommendation H is the obligation to systematically plan activities related to vertical and horizontal testing. In medium and large organizations it may prove a sizeable challenge to plan and coordinate testing, as the number of tests runs into hundreds and testing teams consist of a dozen members or more. AdaptiveMFK substantially aids in this process by allowing you to build operating and strategic plans while taking into consideration the resources of organizational units arranged into three lines of defense.
From the viewpoint of operating capabilities, a key element of maintaining a control function matrix is effective supervision over the recording of test results and current verifications. In this area AdaptiveMFK supports you by monitoring the lifecycles of test iterations. The application allows you to set up substitutes for personnel responsible for performing tests and verifications, record discrepancies and corrective measures, and add proof of testing as attachments. In addition, the system allows for quality verification of test/verification results against critical test values or a team member’s expertise.
The problem of low effectiveness of the monitoring of discrepancies and corrective measures can be observed in practically all organizations that deal with corrective measures on a large scale or that have no systemic support for this process, but rely, for instance, on a spreadsheet. AdaptiveMFK ensures comprehensive support for monitoring the application of corrective measures through real-time access to information about the status of each recommendation as well as reporting to the individuals involved.
Effectively running a system of three lines of defense based on a control function matrix requires that all relevant organizational units become involved and take responsibility. This applies in equal measure to business process owners, units involved in the running of the process, second- and third-line units and management as well as boards of directors. AdaptiveMFK helps you to achieve this goal by mirroring the processes of change submission and approval in its electronic document circulation.
Another factor contributing to the clarity and reliability of the process is reporting and the function of data review. AdaptiveMFK gives you access to predefined reports and allows you to export data to Excel spreadsheets or third-party reporting systems.