The four opening questions, decoded.
The opening questions vary in phrasing but rarely in substance. Four questions recur across FCA supervisory meetings, Section 166 scoping conversations, and PRA continuous-assessment dialogue.
- What has changed in the firm since we last spoke?
- What is the most significant risk on the senior management team's mind today?
- How is the firm assured that the controls in [area] are operating effectively?
- What would you escalate to us, and what wouldn't you?
Each question tests something the supervisor cannot read out of the firm's regulatory returns. The first tests management awareness. The second tests senior judgement and prioritisation. The third tests control effectiveness and assurance discipline. The fourth, the most subtle, tests the firm's understanding of its own obligation to notify.
What good answers actually look like.
What has changed. A good answer is specific and short. "Two material changes in the period. We onboarded a new outsourced provider for X, completed in March, with the impact assessment shared with you in April. And our COO retired, with the new COO starting in June, briefed on her statement of responsibilities." That is the answer. Not a recital of all activity. The supervisor will probe for what the firm chose not to mention.
The most significant risk. The wrong answer is a generic risk category, "cyber" or "third party" or "regulatory change". The right answer is specific to the firm and includes the mitigation. "Concentration risk on a single payments provider. Live discussion at exec committee. Action plan signed off last week. Quarterly milestones to dilute by Q4." That answer demonstrates senior awareness, ownership and management.
Assurance of controls. The supervisor wants three layers in the answer. Management self-assessment with frequency. Internal-audit coverage with last-audit date. Independent or external review where relevant. The phrase the supervisor is listening for is "three lines", with concrete evidence behind each.
Escalation judgement. The most common error is to say "we'd tell you about everything material". The supervisor knows that is not true and does not expect it. The correct answer references the firm's documented escalation policy, names the threshold above which an issue would be notified, and acknowledges that judgement calls happen below the threshold.
The two preparation artefacts that earn the benefit of the doubt.
Two artefacts, prepared before any meeting, change the tone of the engagement materially.
The change log. A one-page log of every material change in the period since the last supervisory contact. Outsourcing changes, senior personnel changes, regulatory perimeter changes, control changes, incidents notified and incidents not notified with rationale. The supervisor never asks for this artefact. Producing it unprompted, on first ask, signals that the firm runs a tight ship and saves twenty minutes of probing.
The top-three risk paper. A two-page paper, in plain language, that names the three risks the senior management team is currently working on. Owner, mitigation, milestones, residual position. Refreshed monthly. If the supervisor's second question is "what is on your mind", the firm hands over the paper and the conversation moves forward.
What to do if the firm is on the back foot.
If the firm is on the back foot, having just had an incident or a notification or a finding, the opening questions take a different cast but the principle holds. The supervisor is testing whether the firm understands its own position.
The wrong move is to be defensive. The right move is to be specific. "We had X. The cause was Y. The impact was Z. We notified you on date A. The remediation is B, owned by C, completed by D." If any of those elements is missing, the supervisor will assume the worst. If all of them are present, the conversation moves to mitigation.
Thirty minutes is a small surface. It is also where most firms set the tone of the next two years of supervision.