Tag: compliance presentation

Marcus had been Head of Regulatory Affairs at a mid-size insurance group for four years when the firm received notice of a thematic review by the regulator. The review focused on claims handling practices — an area where Marcus knew the firm had strengthened its processes significantly over the previous 18 months, following an internal audit that had identified several procedural gaps.

His instinct was to prepare a comprehensive presentation: documented evidence of every improvement made, metrics showing the reduction in complaints, an appendix with the remediation plan timeline. When he sat down with the compliance officer who would lead the preparation, she offered a different perspective. “They are not coming to see your improvements,” she said. “They are coming to test whether you understood why the gaps existed. The improvements are supporting evidence. They are not the answer.”

Marcus restructured his preparation entirely — from a catalogue of what had been fixed to a clear account of what had been wrong, why it had persisted, what the root causes were, and what structural changes meant it was now genuinely controlled. The review took place two months later. The regulatory team noted the quality of the organisation’s self-awareness as a positive finding. The fact of the prior gaps was not used against the firm because the firm could demonstrate it had understood them.

What Compliance Officers Are Actually Listening For

Regulatory reviewers and compliance officers operate with a specific assessment framework, whether or not that framework is made explicit. Understanding what they are assessing — as distinct from what questions they are asking — changes the preparation entirely.

The first thing they are assessing is organisational awareness: does the firm know what its obligations are, and does it have a clear view of where it is meeting them and where it is not? Organisations that present a picture of complete compliance across every area are typically treated with more scrutiny, not less, because no organisation with adequate self-assessment finds itself fully compliant across every dimension. The ability to identify and articulate gaps is evidence of a functioning compliance culture, not a liability.

The second thing they are assessing is ownership: when problems are identified, does responsibility sit with a specific, accountable person or team, or is it diffuse and institutional? Answers that reference “the organisation” or “the process” without identifying a named owner typically invite follow-up questions about accountability. Answers that reference a specific role and a documented remediation plan signal that the problem is being managed, not just acknowledged.

The third thing they are assessing is proportionality: is the firm’s response to identified risks proportionate to those risks? Over-engineered controls for minor risks and under-engineered controls for material risks both attract scrutiny. A firm that has deployed extensive resources to manage a low-probability, low-impact risk while a material risk sits with a single point of failure has demonstrated poor risk governance, regardless of the quality of the documentation.

For the preparation of formal compliance presentations that precede a regulatory Q&A, the structural approach in compliance presentations for regulatory boards covers the format and language conventions that regulators expect to see — and the ones that tend to produce friction.

Six Question Patterns in Regulatory Reviews

Regulatory Q&A sessions tend to follow recognisable question patterns. Identifying the pattern quickly — before forming the answer — significantly improves the quality of the response and reduces the risk of inadvertently providing information that creates new lines of inquiry.

The scoping question is designed to understand the boundaries of the firm’s activity in a particular area. “How many of your customers fall within this category?” or “What proportion of your portfolio is subject to this requirement?” These questions are factual, and the answer should be factual, specific, and unambiguous. If the exact figure is not available, state the best available estimate, the source, and when a more precise figure will be available. Do not approximate without flagging that you are approximating.

The process question tests whether the firm has a documented, repeatable procedure. “Walk me through how you handle this situation” or “What is the process when a customer makes this type of request?” The answer should describe the actual process in practice, not the documented ideal. If the documented process and the actual practice diverge — which regulators often know before asking — acknowledging the divergence and explaining why it exists is far more useful than presenting the documented version as the operational reality.

The ownership question identifies accountability. “Who is responsible for ensuring this is done?” These questions should be answered with a specific name or specific role, not a committee, team, or department. If ownership is genuinely shared or unclear, say so — and describe what is being done to clarify it. Vague ownership is a finding; acknowledging vague ownership and having a plan is a mitigant.

The evidence question asks for documentation. “What records do you keep of this?” or “Can you show me an example?” Have specific examples prepared before the session. Asking for time to locate evidence during a regulatory Q&A creates an impression of inadequate preparation that is difficult to recover from within the same session.

The remediation question tests the quality of the firm’s response to identified issues. “What have you done since this was identified?” Answers should include: what changed, when it changed, who made the change, and how the firm knows the change has been effective. Remediation without a verification mechanism is not complete remediation.

The stress question tests the boundaries of the firm’s position. “What would happen if [extreme scenario]?” or “How would this control hold if [assumption was wrong]?” These questions are not designed to find a fault — they are designed to understand whether the firm’s risk thinking extends beyond the baseline scenario. Acknowledging the limits of a control and describing the compensating measures for those limits is the response that demonstrates mature risk governance.

The Preparation Framework for Regulatory Q&A

Effective preparation for regulatory Q&A is not the same as rehearsing answers to anticipated questions. Rehearsed answers are often recognisable as such — they tend to be slightly too smooth, slightly too complete, and slightly disconnected from the specific question asked. Regulatory reviewers who ask the same questions in multiple firms become adept at distinguishing rehearsed responses from genuine understanding.

The preparation framework that produces better outcomes has three layers.

The first layer is factual verification. Before the session, verify the key facts — current figures, process descriptions, ownership assignments — rather than relying on memory. Know the numbers. Know the last audit date. Know the name of the person responsible for the control that is most likely to be questioned. Factual accuracy under follow-up questions is a significant trust signal; errors under follow-up — particularly errors that contradict something said earlier in the session — are recorded.

The second layer is gap mapping. Identify the areas where the firm’s position is least strong — where the documentation is incomplete, where the control is relatively recent, where there is a known remediation in progress. These are the areas where questions will be most difficult, and where the answer needs the most careful construction. The goal is not to conceal gaps; it is to be able to describe them clearly, with evidence of awareness and a credible remediation plan, rather than appearing to discover them in the room.

The third layer is scenario rehearsal. For each gap area, rehearse the answer to the worst version of the question — not the soft version that confirms your current position, but the version that directly challenges it. “Why did this take eighteen months to fix?” or “How do you know the control is working?” Rehearsing the difficult version means the actual question, which is rarely as sharp as the worst case, arrives as a manageable version of something already prepared for.

For the specific preparation techniques that apply when the Q&A is likely to include hostile or adversarial questions — common in enforcement-adjacent regulatory reviews — the approach in risk committee Q&A preparation covers how to identify the questions that expose the most significant vulnerabilities before the regulator does.

How to Handle Challenge Without Becoming Defensive

The most common error in regulatory Q&A is defensiveness. It manifests in several ways: excessive qualification of every answer, visible discomfort when a question implies criticism, or an impulse to explain away a finding before the reviewer has finished describing it. None of these responses are dishonest. All of them create the impression that the firm is managing a perception problem rather than a compliance problem — which is, from a regulatory perspective, a significantly more serious concern.

The discipline required is to receive challenge as information rather than attack. When a compliance officer says “We have seen in other firms that this type of control tends to break down under [condition] — how would yours hold up?”, the most useful response is genuine engagement with the hypothetical rather than immediate reassurance. “That is a fair stress to apply. Our current control would hold because [specific reason]. The area where we would be more exposed is [honest assessment], and we manage that through [compensating measure].” This kind of answer builds regulatory confidence; a smooth assurance that the control would hold under all conditions does not.

When a question reveals a gap that was not previously acknowledged — something the reviewer has found that the firm did not identify — the handling of that moment matters enormously. Immediate acknowledgement, followed by genuine engagement with the implications, is invariably received better than a search for an explanation that frames the gap as less significant than it appears. Regulators are experienced readers of defensive framing; the attempt to minimise rarely succeeds and always signals something.

Building the Document Trail That Supports Your Answers

In regulatory Q&A, the answer in the room and the document trail that supports it are both assessed. An answer that cannot be corroborated by documentation — however accurate it may be — is substantially weaker than an answer accompanied by a clear reference to the relevant record. The preparation for a regulatory Q&A session should include identification of the specific documents that support the key answers, not just rehearsal of those answers.

This does not mean arriving with a trolley of paper. It means knowing where each material claim is documented, being able to reference that document specifically when asked, and having a process for providing it promptly if requested. “That is documented in our Q3 internal audit report, section 4.2 — I can provide that directly after this session” is a materially stronger answer than an oral description of the same content without a reference.

For areas where documentation is in progress — where a remediation plan exists but is not yet complete, or where a control has been strengthened but the updated procedure has not yet been formally signed off — the honest answer is to describe the current state accurately, including what is and is not yet complete. Representing in-progress documentation as finalised creates a specific type of regulatory exposure that is worse than the underlying gap it was meant to conceal.

If you are preparing for a regulatory review, compliance committee appearance, or board Q&A session, the Executive Q&A Handling System provides a structured preparation approach for high-stakes question sessions where the questioner has authority over outcomes.

Common Mistakes That Invite Further Scrutiny

Several answering behaviours consistently generate additional regulatory questions rather than resolving the line of inquiry. Awareness of these patterns allows for a deliberate correction in real time.

Answering a narrower question than the one asked. When a compliance officer asks a broad question and receives a specific, narrow answer, they typically note that the broader question was not addressed and return to it. The pattern signals either that the presenter is managing the scope of the answer to avoid uncomfortable territory, or that they did not listen to the full question. Neither reading is helpful. If the scope of a question is genuinely unclear, ask for clarification before answering, rather than answering the narrowest reasonable interpretation.

Using passive constructions to avoid ownership. “Errors were made” and “the process was not followed” are passive constructions that obscure who is responsible. Regulators notice this, and it tends to extend the Q&A rather than conclude it, because the ownership question will be asked again more directly. Name the role and the accountability clearly.

Answering the follow-up question before it is asked. When a presenter anticipates a follow-up and answers it preemptively — “and I should also mention that we are aware of [related issue]…” — it often opens a new line of inquiry rather than closing the original one. Answer the question asked. Wait for the follow-up. This is not evasion; it is discipline. The information will come out, but in a controlled sequence rather than as a cascade of preemptive disclosures.

For guidance on handling the most challenging variant of regulatory questions — the kind that appear in board meetings after a significant incident — the analysis of hostile questions in board meetings covers the specific techniques that prevent a difficult question from becoming a damaging exchange.

Frequently Asked Questions

How should you handle a question in a regulatory review when you do not know the answer?

State clearly that you do not have the specific figure or detail to hand, commit to providing it after the session with a specific timeline, and do not estimate unless you explicitly flag that you are estimating. “I do not have that figure with me today. I will confirm the exact number and send it to you by [specific date].” Then follow through precisely. Regulatory reviewers track commitments made in sessions; a failure to deliver on a stated commitment is a finding in itself. What you must not do is guess without flagging that you are guessing — an incorrect figure presented as fact, later contradicted by documentation, creates a significantly worse impression than the original admission of uncertainty.

Should you disclose problems proactively in a regulatory Q&A, or wait to be asked?

Issues that are material to the scope of the review should be disclosed proactively, not withheld in the hope they will not be raised. Regulators who discover in the course of a review that the firm was aware of a material issue but did not volunteer it treat that as a culture and conduct concern — separate from, and additional to, the underlying compliance issue. For issues that are immaterial or tangential to the specific review scope, the discipline is to answer the questions asked fully and accurately, without volunteering additional lines of inquiry. The distinction between proactive transparency and preemptive disclosure of everything is one of materiality to the current review.

How long should answers be in a regulatory Q&A session?

Shorter than most presenters instinctively provide. A direct answer to a scoping question should be one to two sentences — the figure, the source, and a brief qualifier if needed. A process description should describe the actual process in three to five steps, not provide a comprehensive account of every exception and variation. Longer answers in regulatory Q&A tend to introduce new threads that generate follow-up questions, and they sometimes suggest that the presenter is using volume to manage the impression created by the answer. The regulators who ask short questions and receive long answers are typically more attentive to the qualifications and caveats woven into those answers than to the headline claim.