In this final instalment of the Skilled Persons Review series, Thistle Initiatives Partner, Michael Knight-Robson, outlines the draft and final report, and the remediation programme that follows.
Receiving the draft report from a Skilled Person can be a daunting aspect in the review process. By this point, the fieldwork has been completed, initial conclusions have been formed, and the Regulatory Authority will have sight of the findings. While firms often view the draft as largely final, this stage represents one of the last meaningful opportunities to ensure that the report is accurate, proportionate, and reflective of the true control environment.
Handled correctly, this phase can materially influence both the final report and the nature of the remediation programme that follows. Handled poorly, it can result in inaccuracies becoming embedded, risk ratings being overstated, and unnecessary regulatory scrutiny. It is also the point at which internal stakeholders, often including Boards and senior management, begin to engage more closely with the outputs, making it even more important that what is presented is robust, defensible, and clearly understood.
Read the Full Report - Not Just the Executive Summary
This sounds like an obvious one, but from experience, it needs to be said. There is a natural tendency for senior stakeholders to focus on the executive summary, especially given that Skilled Person Reports can be well over 100 pages. While the executive summary provides a useful overview, it often simplifies complex findings and removes important context. Firms should ensure that the entire report is reviewed in detail, including methodology, sample selection, testing outcomes, and the rationale behind each finding. It is within these sections that the true substance of the review sits.
A detailed review often reveals nuance that is not visible at the summary level. Findings that appear severe may be based on limited samples or specific scenarios, while seemingly minor issues may point to broader systemic weaknesses. Without this level of scrutiny, firms risk misinterpreting both the severity and implications of the report. It is also important to assess whether the methodology applied is consistent with the scope agreed at the outset, as deviations can sometimes explain unexpected conclusions.
Challenge Risk Ratings Where Appropriate
Risk ratings assigned by the Skilled Person will carry significant weight with the Regulatory Authority, and it is important that they are proportionate and justified. Firms should be prepared to challenge these ratings where appropriate, but this must be done in a structured and evidence-based manner. As a general rule of thumb, findings that represent a clear regulatory breach are likely to be categorised as high risk. Issues relating to adherence to documented guidance or industry practice, recognising that guidance allows for interpretation, may be more appropriately considered medium risk. Administrative or low-impact issues may fall into low risk or be positioned as opportunities for improvement.
Any challenge should focus on ensuring proportionality rather than minimising issues. Overly defensive responses are unlikely to be effective, whereas well-reasoned arguments supported by evidence are more likely to lead to constructive outcomes. It can also be helpful to articulate the potential customer or financial crime risk impact (or lack thereof) when discussing ratings, as this anchors the conversation in outcomes rather than process.
Be Cautious When Challenging Regulatory Interpretation
While firms should challenge factual inaccuracies and disproportionate risk ratings, caution is required when it comes to disputing the Skilled Person’s interpretation of regulatory requirements. Skilled Persons are appointed for their expertise, and their views will carry weight with the Regulatory Authority. Challenges in this area should therefore only be made where there is a clear and demonstrable basis, such as explicit regulatory wording or widely accepted industry interpretation.
Attempting to challenge regulatory expectations without a strong foundation can undermine a firm’s credibility and detract from more substantive discussions. Where there is genuine ambiguity, a more effective approach may be to acknowledge differing interpretations while focusing on how the firm will enhance controls to mitigate any perceived risk.
Validating Control Testing Findings
Where the report identifies gaps in control testing, firms should independently revisit the underlying evidence. This includes re-reviewing files, data, and documentation to confirm whether the findings are accurate. This process should be objective. In some cases, firms may identify that the Skilled Person has not been provided with the full picture or has interpreted evidence differently. In others, the exercise will confirm that the issue is valid and requires remediation.
The objective is not to disprove findings, but to ensure that they are genuinely reflective of the control environment. Where discrepancies are identified, these should be raised promptly and supported with clear evidence. Firms should also consider whether the sample tested is representative, as isolated issues may not always indicate systemic failure. It is worth highlighting that should a firm identify documentation and/or information which should have been provided initially, but was not, the Skilled Person may consider requesting additional fees for providing documentation at such a late stage.
Validating Interview-Based Findings
Findings derived from interviews require particular attention. Interviews are inherently subjective, and there is potential for misinterpretation or loss of context. Firms should engage with interviewees to confirm what was said and how it has been represented in the report. This should not be approached as a fault-finding exercise, but as a means of ensuring consistency and clarity.
Differences in how processes are described, or informal explanations being interpreted as formal practice, can lead to misleading conclusions. Validating these points helps ensure that the report accurately reflects both the intended and actual operation of controls. It can also highlight training or communication gaps where staff understanding does not fully align with documented processes.
Work Proactively with the Skilled Person
This stage should be characterised by constructive and proactive engagement with the Skilled Person. The objective is to ensure that the draft report is accurate, balanced, and focused on meaningful outcomes.
Where inaccuracies are identified, firms should provide clear evidence and engage in open discussion. Where there are differences in interpretation, understanding the Skilled Person’s rationale is key to reaching a practical resolution.
Firms should aim to ensure that the draft report is as “clean” as possible before formal responses are submitted. Attempting to address issues solely through written responses, without prior dialogue, is often less effective and can lead to further established positions. A collaborative approach at this stage can also set a more constructive tone for ongoing regulatory engagement.
Focus Responses on Remediation
When providing formal responses to the report and any recommendations, the emphasis should be on remediation. The Regulatory Authority will primarily be interested in what actions the firm intends to take to address the identified issues. Responses should clearly set out the actions to be taken, associated timelines, and ownership. They should demonstrate that the firm has understood the issue and is taking appropriate steps to mitigate the underlying risk.
Where there is disagreement with a recommendation, this should ideally have been addressed through earlier discussions. However, even where differences remain, there will be an expectation that some form of action is taken. Importantly, firms do not need to follow recommendations exactly if they are not proportionate or aligned to the operating model. However, they should address the underlying issue in a way that is consistent with the intent of the recommendation. Regulators are focused on outcomes rather than strict adherence to suggested solutions. Clear linkage between findings, actions, and expected outcomes will strengthen the credibility of the response.
Moving from Report to Remediation to BAU
Receiving the final report is not the end of the Skilled Person review process, but the beginning of the remediation phase. The findings and responses will shape ongoing regulatory engagement and may influence future supervisory activity. Firms that approach this stage with rigour, transparency, and a focus on outcomes are better positioned to manage regulatory expectations and deliver sustainable improvements to their control frameworks. Establishing a clear remediation plan, supported by governance, tracking, and regular reporting, will be critical in demonstrating progress.
From experience, following the submission of the Final Report, firms always have the same question: “Is it over?” As mentioned at the start of the series, a Skilled Person review is a gruelling and intense regulatory scrutiny exercise, and therefore, it is no surprise that senior management is keen to understand whether they can take a breath. However, Regulatory Authorities are unlikely to confirm the Skilled Person review process is “over” until a firm can evidence that all identified issues have been effectively remediated and appropriately embedded. Consequently, firms should not expect an immediate “closure” of the Skilled Person review process, and in some cases, the Regulatory Authority may request a follow-up Skilled Person review (known as Stage 2/Phase 2) to validate that the firm’s systems and controls are now aligned to regulatory expectations.
How Thistle Initiatives Can Help
Thistle Initiatives is a member of the FCA’s Consultancy and Skilled Person Panel, specifically the following Lots:
- Lot B: Governance, accountability and culture
- Lot C: Controls and risk management frameworks
- Lot D: Conduct of Business
- Lot E: Financial Crime
- Lot F: Market Abuse
- Lot I: Prudential - Adequate Financial Resources for FCA solo-regulated firms
- Lot P: Business Consultancy
- Lot T: Risk/Risk Management
We are guided by a strong principle to be much more than a regulatory consultancy, thinking beyond the rule book and adding value to every project with a practical, proportionate, professional and personal touch. Our philosophy of providing an industry-leading service and hands-on approach, with problem-solving and a commercial focus, means we are trusted by the regulator and our clients alike. Our approach to Skilled Person reviews is focused on delivering outcomes that are value-adding to both the Firm and the Regulatory Authority.
Our people are our strength. Our regulatory experts come from a mix of backgrounds, including industry, consultancy and regulators, all of whom have many years of experience with regulatory challenges across financial services, meaning we know what the regulator wants and expects.
Should you need support, either a Skilled Person or someone supporting you through the Skilled Person review process, please get in touch.
Meet the Expert
Michael Knight-Robson, Financial Crime Partner 
Michael has joined as a Partner in the Financial Crime team, working alongside Jessica Cath. With over 15 years’ experience in financial crime compliance, he was most recently a Director at BDO, where he built a strong reputation for leading s166 Skilled Person reviews and providing firms with proportionate, risk-based advice to stay compliant. His career also includes senior roles at Bovill, Lloyds Banking Group and Investec, giving him practical, well-rounded expertise to help firms strengthen their financial crime compliance frameworks.