A strong business knows where its weak spots are. Being prepared for inclement conditions and knowing that your business can weather the storm is crucial in building an enterprise that will endure. Your company faces regular challenges that vary from the local to the global, from the personal to the national. Having a comprehensive understanding of the risks to your business is not only advisable. It is essential for an organisation that needs to navigate our uncertain modern times.
The Financial Conduct Authority has high expectations of its regulated firms. But what are the FCA’s expectations when it comes to risk management? How can you meet them? And what happens if risks are not properly managed? Let’s get straight into it. Or, take a look at our range of FCA compliance eLearning courses.
In a hurry? Jump to a specific section below.
- How does the FCA define risk management?
- The four categories of risk
- What is a control?
- The four categories of controls
- What are the FCA’s expectations when it comes to risk management?
- How can you meet the FCA’s risk management expectations?
- What happens if firms do not implement robust risk management?
What are risks and controls?
First things first, let’s look at the definitions of risk and controls.
How does the FCA define risk management?
The FCA defines risk as “a measure of the chance of something not going to plan, usually for the worse”. The International Organization for Standardization defines risk as “the effect of uncertainty on achieving objectives”. This focuses on the effect of incomplete knowledge of events on an organisation’s decision-making.
Both definitions acknowledge that sometimes things can go better than planned. This is known as ‘upside’ risk. But much of risk management is focused on the negatives or downsides.
What all good definitions of risk have in common is agreement that risk has two characteristics:
- Impact: an event has unwanted consequences or losses
- Probability: an event may or may not happen
Risk management involves taking action to lower the impact that a risk would have, and/or reduce the probability of a risk occurring in the first place. This action will control the overall risk exposure of the firm.
The four categories of risk
It is helpful to categorise risks to build a framework of understanding. These are the sources of risk, rather than the potential consequences. For example, a technology failure would be an operational risk, even though it may mean that a firm subsequently breaches its regulatory requirements.
1. Operational risk can take the form of technological or human risks. Technological risks can include power outages, hardware or software failures, cyber and/or malware attacks. This can lead to a loss of time as systems and equipment are fixed, the loss or corruption of data, and, in some cases, data breaches. Human risks can occur where an individual is not fully trained, or non-compliant with regulations. This could manifest in system failure if human input is incorrect, and could ultimately cause customer detriment
2. Conduct risk is broadly defined as any action by a regulated firm or its staff that causes customer detriment, or disruption to competition. Every decision made by a board and a firm’s employees holds some risk because, while the decisions aim to take a firm closer to its objectives, this may not always be achieved. This could be due to the decision itself or the way action was executed
3. Financial risk manifests in financial loss, but it can come from both internal and external factors. Internal factors include non-payment of service providers, leading to fines; poor financial planning, which can lead to unforeseen costs; and poor financial management, including overspending. External factors include changes in the value of financial instruments (market risk); the risk that a borrower may not be able to repay a loan (credit risk); and the risk that the market is illiquid in some way (liquidity risk)
4. Regulatory risk stems from the fact that firms are required to comply with the FCA’s rules as outlined in the Handbook, alongside several other rules and guidance from other regulators such as The Pensions Regulator and the Information Commissioner’s Office. They are exposed to this risk if they do not comply. This risk typically arises from one of the other three risk categories
Need help managing risk? We offer eLearning courses on operational risk, conduct risk, financial risk, operational resilience, and much more.
What is a control?
A control is an action that the firm takes to mitigate a risk by reducing the impact or likelihood of risk crystallisation. A control will be something tangible that can be evidenced. Policies, reconciliations, passcodes and fire alarm tests are all examples of controls.
The four categories of controls
Controls can be split into four categories:
1. Preventative controls: a control designed to avoid an unintended event or result. These controls may be automated (wholly performed by technology) or manual (requires human action)
2. Detective controls: a control designed to discover an unintended event or result after it has occurred but in a timely manner. These controls may be automated or manual
3. Directive controls: a control that is designed to guide a firm towards its desired outcome
4. Corrective controls: a control that is designed to correct errors or risks and prevent the recurrence of further errors
What are the FCA’s expectations when it comes to risk management?
There are several rules and regulations that concern risk management. Let’s take a look at them in closer detail.
FCA Principles for business
The Principles are set out in PRIN 2.1 of the FCA’s Handbook. Principle 3 concerns management and control. It states that “A firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.” Principles 2, 4, 8 and 10 are also relevant to the topic of risk management.
Senior Management Arrangements, Systems and Controls sourcebook (SYSC)
The SYSC sourcebook contains several rules and guidelines related to governance, systems, controls, and risk management.
Dual-regulated firms
For firms who are regulated both by the Financial Conduct Authority and the Prudential Regulation Authority, there is a handy list of the PRA's policies relating to risk management and controls for banks, building societies and investment firms.
Specific Sourcebooks
There are different rules and guidance in place for different firms, dependent on what regulated activity they undertake. Here are some examples:
- Conduct of Business Sourcebook (COBS): applies to inducements relating to business other than MiFID, equivalent third country or optional exemption business and insurance-based investment products
- Insurance Conduct of Business Sourcebook (ICOBS): concerns insurance companies and intermediaries
- Mortgages and Home Finance: Conduct of Business Sourcebook (MCOBS): applies to regulated mortgage contracts, home reversion plans and regulated sale and rent back agreements
How can you meet the FCA’s risk management expectations?
The FCA expects a firm to take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems. Here’s how to do it in practice.
Set the tone from the top
The board of a regulated firm sets and is ultimately responsible for the objectives of the business. This includes objectives around business growth, as well as risk management, systems and controls.
As such, the board must set the tone from the top when it comes to risk management. It must ensure the expectations of the regulator and clients are continually exceeded. These topics should be discussed at the quarterly board meetings, or at relevant sub-committees. A member of the board, such as the chief risk officer, should be responsible for delivery and oversight of risk management.
Here are some examples of risk management commitments that firms should make to set the tone from the top:
- The board and staff should understand what risk actually means for the firm
Educating staff on the basics of risk is important to ensuring that the consideration of risks to the firm will be at the forefront of everything it does
- There should be an open dialogue with a ‘speak up’ culture towards risk
Staff should feel comfortable talking about risks, however large or inconsequential
- The process of identifying and escalating risks should be easy to follow
A clear and efficient process will aid risk identification and escalation
- Risk is considered when decisions are made
Risk management must be fully integrated into the firm’s decision-making process
- Staff understand that they will be held accountable for risk management
Responsibility for risk management extends beyond the directors
Use the right risk management metrics
Firms can use three risk metrics to monitor and manage their risks. Granular risk appetites, tolerances and risk-bearing capacities should be provided through qualitative and quantitative statements as an expression of the level of risk the firm will accept. The performance and exposure to risk against these statements should be reported to the board through management information.
The risk metrics should be reviewed at least annually in line with the annual budget. However, reviews should also occur in response to material business events. These may include the release of a new product, the onboarding of new clients, or instances where mistakes are made, to ensure that lessons learned are embedded into risk management across the business.
Maintain a risks and controls register
Firms must have in place a forward-looking risks and controls register that adequately documents their risk management approach. The register’s goal is to identify and classify risks to the firm, assess the controls in place, and determine and record the mitigation plans.
Through regular assessments (perhaps bi-monthly at first and then quarterly), firms can focus on improving their controls and reducing their residual risk scores. Each director is responsible for risks in their area, but additional risk owners can be identified where it makes sense to do so. By combining scores into one register, senior management will have full sight of risks across the business. Risks should be escalated to the board if they breach their risk appetites so that active monitoring can take place.
Put risk management policies and procedures in place
Firms must have an inventory of policies and procedures to ensure that risk management is undertaken in a logical and efficient manner. These documents should be easily accessible to appropriate staff to ensure consistency across the business.
While the risk management policy and procedure will directly concern risk management, a number of other policies are relevant to this endeavour, for example, policies and procedures relating to conflicts of interest, outsourcing, and business continuity planning. Use a consistent template for all your policies and procedures, and cross-reference them where relevant.
Document ownership must be clearly defined. Documents’ format and language should be standardised to ensure they are user-friendly.
Ongoing learning and development for all
Learning and development (L&D) should be embedded throughout a person’s time at a firm. Using a learning management system (LMS) such as Ciphr’s will make it easier for you to issue and monitor individuals’ continuous professional development (CPD).
Think about how you will structure training plans for new and existing staff. For example, a new employee might complete core regulatory eLearning courses – such as data protection, financial crime, and risk management – during their first two weeks. You might also wish to stipulate further mandatory training modules depending on the job role.
Through the rest of the year staff should undertake formal and informal training to attain the required number of CPD hours for their role.
Want practical tips on building an effective training programme for your financial services firm?
Report on and share management information
Adequate and appropriate management information (MI) is a key tool in risk management. Responsibility for the provision of information and its accuracy is vested in senior management. The chief risk officer should oversee the flow of information on risks and controls, and challenge the business to confirm that appropriate mitigating actions are being taken to keep risk within the board’s risk appetite.
What happens if firms do not implement robust risk management?
Poor risk management has a multiplier effect. First, firms are likely to have operational, financial and conduct risks crystallise in the form of customer detriment and monetary loss. However, their losses will be multiplied should the regulator discover their failings. This is known as regulatory risk.
Perhaps the most obvious example of risk crystallisation is rogue trading, due to the sheer scale of the financial losses and their secondary effects. For example, Nick Leeson was a derivatives trader who undertook fraudulent, unauthorised and speculative trades, chalking up losses of £800 million. This led to the collapse of the UK’s oldest merchant bank, Barings Bank, in 1995. Leeson was convicted of financial crime, and served over four years in prison.
Examples of FCA fines include £163 million issued to Deutsche Bank in 2017 for failing to maintain an adequate anti-money laundering (AML) control framework, and £48.65 million issued to TSB for operational risk management and governance failures.
Simplify FCA risk management with Ciphr eLearning
We’re here to help you get FCA risk management right with effective eLearning courses that make an impact. Created together with the author of this article, Victoria Sena, founder of Cherrybank Consulting, our suite of FCA compliance courses is designed for organisations that are regulated by the FCA. They’ll make sure that your firm remains up to date with the latest legislation and regulatory requirements. These off-the-shelf eLearning courses can be deployed in weeks – helping your teams get up to speed, fast. Or if you prefer a more tailored approach, we can work with you to customise our content or develop bespoke eLearning courses that deliver on your precise requirements. Speak with one of our expert advisors today to find out what’s right for you.
About the author
Victoria Sena is founder of Cherrybank Consulting, an innovative consultancy founded in 2019 with a wealth of experience in growing regulated financial businesses in the UK and internationally. Specialising in governance, operations, risk, and compliance, Cherrybank has worked with start-ups and scale-ups across the financial spectrum including banks, asset managers, funds, corporate finance advisers and open banking platforms. You can get in touch here.