Go to content
News 17/06/26

Effective management requires more than just policy

In its SREP Market Overview 2025, the AFM notes that many firms have their foundations in order, but that implementation is lagging behind. Internal control and IT risks, in particular, require improvement. The message is clear: ensure that policies are not merely in place, but that they demonstrably work in practice.

In short

• Foundations in order, implementation lagging behind
• IT risk management falling short
• Greater clarity on roles and responsibilities needed

Foundations are in place, but implementation lags behind

Many companies have their policies and processes well organised. Think of compliance, regulations and professional competence. That is a positive development. At the same time, practice shows that the implementation of these is often not robust enough. For example, internal controls are not always carried out systematically or properly documented. Nor are processes always evaluated regularly. This creates the risk that policy looks sound on paper but does not work sufficiently in practice. It is precisely the day-to-day application that makes the difference.

ICT risk management is falling short

The sector is becoming increasingly dependent on IT, but risk management is lagging behind. Key areas such as identifying vulnerabilities, testing backups and preparing for incidents are not properly organised everywhere. This leaves organisations vulnerable. It is striking that whilst problems are often successfully identified, preventing them receives less attention. Particularly with the growing cyber threat, it is necessary to focus more firmly on this and to make clear agreements, including with external IT parties.

Greater clarity on roles and responsibilities is needed

Clear agreements are lacking on various issues: who is responsible, who supervises and how is monitoring carried out? This applies, for example, to best execution, sustainability and collaboration with third parties. Without a clear division of roles and ownership, there is a risk that important tasks will be left undone. Uncertainty can also arise vis-à-vis clients, for example regarding responsibilities in collaborative arrangements. By explicitly assigning responsibilities and better embedding processes, risks.

Next Steps

The AFM expects market participants to use the insights from the SREP market overview to take a critical look at their organisations and implement improvements where necessary.

Contact for this article

AFM

Would you like to receive the latest news from AFM?

Subscribe to our newsletter, we will keep you up-to-date.