Perspectives
Perspective 003Practice

Why independent challenge matters more than another policy review.

Policy reviews have value. But they rarely test whether controls operate in practice. Independent challenge brings a different lens.

By Everett MorganSummer 20266 min read
European institutional architecture in soft light
Executive brief

Reading time · 9 minutes  ·  Primary audience · Boards, MLROs, Heads of Compliance, Internal Audit, second-line assurance

Why this matters

Policy reviews continue to have value. But they answer a narrow question: is the documentation adequate. What supervisors now want firms to answer is broader: does the framework operate as its documentation implies. That question can only be answered by someone with the standing to disagree with the answer they are given, and the technical fluency to test it against real files. That is what independent challenge is for.

Key findings
  1. 01Recent European enforcement, from Starling Bank to ING Belgium and Revolut Bank, points repeatedly to the absence of effective challenge rather than the absence of policies.
  2. 02Independent challenge and internal audit are complementary, not substitutable. Internal audit tests the design and operation of controls. Independent challenge tests the judgement being exercised within them.
  3. 03The most useful independent reviews sample files, sit in operational meetings and read management information from the outside in. They do not confine themselves to interviews and document review.
  4. 04Challenge without standing produces polite reports. Standing requires either institutional seniority or independence from the accountability chain being reviewed, and preferably both.
Questions Boards should ask
  1. 01When was the last time an independent voice materially changed a financial crime decision in our firm, and can we describe the change?
  2. 02Do our second-line functions have the standing to overrule the first line when they need to, and is that standing visible in the minutes?
  3. 03If our next inspection concentrated on judgement rather than on documentation, who in the firm would we ask to stand behind those judgements?

The gap that policy review does not close

A policy review is a test of what the framework says it does. It checks that documents exist, that they reflect current regulation, that responsibilities are clearly allocated and that procedures cover the material scenarios. It is a necessary exercise and, done well, a useful one.

What a policy review will not tell a Board is whether the framework works. It will not tell the Board whether risk ratings were assigned correctly on the last hundred onboarded customers. It will not test whether the alert closure rationales in transaction monitoring reflect genuine analytical judgement or template language. It will not answer whether the escalations recorded on paper produced any change in the underlying decisions.

Perspective 002 set out five questions a Board should be able to answer about its financial crime framework. The uncomfortable truth is that policy review, on its own, cannot help a Board answer any of them. Only file-level, operational and governance-level challenge can do that.

What independent challenge actually means

The term is used loosely, sometimes to describe a peer review, sometimes an audit, sometimes an external consultant reading a policy suite. It is worth being precise about what supervisors now mean by it.

Independent challenge is the exercise of professional judgement against evidence, by someone who is neither responsible for producing that evidence nor accountable for the outcome being tested. The core of the exercise is not documentary. It is sampling files, sitting in the meetings where decisions are taken, testing the analytical reasoning that produced them, and forming a view of the framework from the outside in.

Three characteristics distinguish it from other second-line activity:

Internal audit provides part of this discipline, but rarely all of it. Audit typically operates on a three-year cycle, applies a structured methodology and reports at a level of generality that supports risk-rating conclusions. Independent challenge is faster, more granular and more specific. The two functions are complementary. Neither substitutes for the other.

Why firms resist genuine challenge

In the abstract, no Board resists challenge. In practice, resistance is common and rarely conscious. It usually takes one of three forms.

The first is scope compression. An initial engagement to test file quality becomes, by degrees, a policy readback with a file-sampling appendix. The change is presented as pragmatic; its effect is to preserve the framework's self-image.

The second is finding softening. Draft findings are shared for factual accuracy and returned with adjustments that dull the language, split composite findings into smaller items and re-classify significance. The published report reads as a measured contribution rather than a call to change.

The third is action-plan absorption. Findings are accepted and translated into a remediation plan of such breadth that individual accountability disappears into a portfolio owned by a project manager. Progress is reported in RAG status; the underlying weakness quietly persists.

How Boards should use independent challenge

Independent challenge is most useful when it is deployed deliberately, on a defined question, with a clear route into governance. The following practical actions consistently produce useful engagements.

How Claritas approaches independent challenge

Our starting point is that the value of a challenge engagement is measured by whether it changes the way the firm operates, not by the length of the report it produces. That has three practical consequences for how we work.

First, we scope narrowly. A single well-defined question answered against real evidence is worth more than a broad framework review that closes with a list of themes. Second, we sample. Interviews and document review inform the work, but the conclusions rest on files, meetings and MI reviewed in detail. Third, we report to the Board in the language the Board uses. Where a finding requires a decision, we say so. Where it requires a change in practice, we identify the change, the owner and the evidence that would demonstrate improvement.

The engagements that produce the most durable change tend to be short, focused and repeated. Boards find them more useful than either an annual audit cycle or a periodic comprehensive review, because they map cleanly onto the questions the Board is actually being asked to answer.

What success looks like
  • 01Independent challenge is a scheduled feature of the Board's assurance calendar, not an ad hoc response to a supervisory event.
  • 02The second line has documented standing to overrule the first line, and that standing has visibly been used in the last twelve months.
  • 03Challenge engagements are scoped against specific hypotheses tied to the Business-Wide Risk Assessment, not against generic themes.
  • 04Findings translate into a small number of named-owner actions tracked directly by the Audit or Risk Committee.
  • 05The firm can point to at least one material financial crime decision in the last year that changed as a result of independent challenge.
References
About the author
Everett Morgan
Founder & Principal Adviser, Claritas Risk Advisory

Everett has more than twenty years' experience in financial crime, AML governance, regulatory compliance and operational risk gained within Deutsche Bank, Morgan Stanley and BNP Paribas. He established Claritas Risk Advisory to provide smaller regulated financial institutions with experienced independent judgement, practical insight and proportionate recommendations.

Need an independent perspective?

Preparing for regulatory change starts with understanding where your organisation stands today.

If you would like to discuss your financial crime framework or explore how Claritas Risk Advisory can help, I would be pleased to arrange a confidential conversation.

Let's start with a conversation