
COSRA / IARC Conference Cartagena, 2 September 2005

COSRA / IARC Conference Cartagena, 2 September 2005. Risk-based regulation in the UK. Joe Traynor & Mike O’Hagan Finance, Strategy & Risk Division, UK Financial Services Authority. Agenda. What a risk-based approach means in theory Why a risk-based approach


Presentation Transcript


  1. COSRA / IARC Conference, Cartagena, 2 September 2005. Risk-based regulation in the UK. Joe Traynor & Mike O’Hagan, Finance, Strategy & Risk Division, UK Financial Services Authority

  2. Agenda • What a risk-based approach means in theory • Why a risk-based approach • The UK FSA’s methodology – the “ARROW” risk framework • Current developments in ARROW

  3. Risk-based regulation in the UK What a risk-based approach means in theory

  4. Risk Management in the financial services industry • Aims vary, but usually a combination of protecting reputation, brand, earnings or capital. • Its Board will agree its risk appetite – (e.g. aggressive, conservative) • The firm should identify the risks to their aims (e.g. to capital or profitability) and their causes – credit, market, operational, etc. • It will use an agreed method of measuring that risk – loan grading, value at risk, etc. • Primary risk managers are the business people who are closest to the risk – relationship managers, traders, settlement staff, etc. • Information is produced to help monitor risks • The level of risk taking is controlled – through limits, delegated authority, etc. • Independent risk management provides challenge

  5. WHAT WE ARE SEEKING TO ACHIEVE Principles of Risk Management in UK FSA • Primary aim is to achieve our statutory objectives. • The Board agrees our risk appetite by approving our budget and our risk policies in respect of that budget • We identify the risks to our statutory objectives and their causes – financial failure, misconduct, market abuse etc • We use an agreed method of measuring that risk – impact and probability etc • Our primary risk managers are the business people who are closest to the risk – firm relationship managers, operations, investment priority owners etc • Information is produced to help management monitor risks • The level of risk taking is controlled – through budgets, policies, delegated authority etc • Independent risk management provides challenge

  6. WHAT WE ARE SEEKING TO ACHIEVE Our Risk Management Mission To deliver an integrated approach to risk and resource management that enables us to manage our portfolio of risk and our resources in a dynamic way, consistent with industry best practice.

  7. The “ARROW” framework • “ARROW” is the framework that the FSA uses to measure risk and decide on appropriate responses. It not only provides the risk metrics, but also specifies the processes we use to identify, record, analyse and mitigate risks. • It has two components: • the firm framework (used when assessing risks in individual firms); in ARROW, we call this “vertical” supervision; and • the consumer and industry-wide framework (used when assessing cross-cutting risks – those involving a number of firms, or relating to the market as a whole); we term this “thematic” or “horizontal” work.

  8. Risk Management Stages [cycle diagram] • Decision to be Risk Based • Set a Risk Context • Set Risk Appetite • Risk Identification • Risk Measurement • Risk Mitigation • Risk Monitoring And Reporting • Risk Control [diagram label: Included in “ARROW”]

  9. Decision to be Risk Based Risk-based regulation in the UK Why use a risk-based approach?

  10. Decision to be Risk Based Why use a risk-based approach? • Finite resources available – never possible to do everything • This leads to a non-zero failure approach (with a corresponding risk appetite) • We therefore need a mechanism for prioritising our work: • focusing our efforts on the greatest risks • bear in mind tractability of issues (“biggest bang for our buck”) • Other factors made the risk-based approach necessary (but difficult to implement) in the UK FSA: • variety of cultures / backgrounds (requires consistency of resource and action decisions) • very broad scope of our regulatory remit (wide ranging statutory objectives and diversity of sectors regulated)

  11. Decision to be Risk Based Why use a risk-based approach? (cont’d) Implications and benefits of the risk-based approach: • focus on risks to our objectives (and on relevant outcomes) • sound, consistent basis for justifying our approach and actions • builds in a proportionate response • “peace dividend” for well-behaved areas/firms – so they see the benefit of compliance • provides a measure of success in a not-for-profit enterprise – risk / harm to our objectives is our currency

  12. Decision to be Risk Based Why use a risk-based approach? (cont’d) We believe that, in reality, every regulator adopts a risk-based approach: • none has infinite resource, so we all have to make choices about optimum deployment – this is essentially what risk-based regulation is all about; • even those with a low tolerance for risk (e.g. visiting all firms every year) must still decide how intensive their response to each firm should be; • at some level, these decisions will be based on the level of risk; • the main difference between those who claim to be risk-based (like the FSA) and those that do not is the extent to which we attempt to apply an explicit, consistent framework to these decisions, and the level of pro-active work undertaken to prevent harm occurring before the event.

  13. Set a Risk Context Risk-based regulation in the UK Setting a risk context

  14. Set a Risk Context Risk context • Need to define a concept of “harm” or failure. • Risk is then comprised of the probability and size of the harm. • More positively, there are also opportunities to improve on situations.

  15. Set a Risk Context The FSA context • Risk is defined as risks to our four statutory objectives (set out in the act of parliament which established the FSA in 2000): • maintaining confidence in the Financial System; • promoting public understanding of the financial system; • securing the appropriate degree of protection for consumers; and • reducing the extent to which it is possible to commit financial crime. • But these statutory objectives are too broad for effective day to day management, so a number of channels for risks have been identified.

  16. Set a Risk Context Risk channels • External • Financial failure of firms • Misconduct and mismanagement by firms • Consumer understanding • Financial fraud • Market abuse • Money laundering • Market quality • Internal • Delivery of FSA’s Strategic Priorities • FSA’s reputation • Economy and efficiency of FSA’s operations

  17. Set Risk Appetite Risk-based regulation in the UK Setting risk appetite

  18. Set Risk Appetite WHAT IS RISK APPETITE? “Risk appetite, at the organisational level, is the amount of risk that an organisation is prepared to accept, tolerate, or be exposed to at any point in time.” (“The Orange Book” HM Treasury, 2004) • It is underpinned by: • a concept of risk that is shared across the organisation – bringing risk-based decision-making to individual processes; • an agreed system of measuring risks across the risk universe • genuine risk-based resourcing (whether measured in human, skill, technology or cash terms) • accountability – clear articulation about the action that is to be taken and by whom once risk thresholds have been breached. This will result in risk being escalated (and accountability transferred up the organisation).

  19. RISK APPETITE (FIRM RISKS) (rows: Impact; columns: Probability)

      | Impact \ Probability | Low | Medium Low | Medium High | High | Crystallised |
      |---|---|---|---|---|---|
      | High | No mitigation; “Close & Continuous” monitoring | Justify mitigation; Enhanced monitoring | Mitigation (justify inaction); Watchlist; Upward escalation | Mitigation; High intensity watchlist; Upward escalation | Remediation; High intensity watchlist; Upward escalation |
      | Medium High | No action; Baseline monitoring | Justify mitigation; Monitoring | Mitigation (justify inaction); Watchlist; Upward escalation | Mitigation; High intensity watchlist; Upward escalation | Remediation; High intensity watchlist; Upward escalation |
      | Medium Low | No Action; Baseline monitoring | Justify mitigation; Monitoring | Mitigation (justify inaction); Monitoring | Mitigation; Watchlist; Upward escalation | Remediation; Watchlist; Upward escalation |
      | Low | No Action; Baseline monitoring | No Action; Baseline monitoring | No Action; Baseline monitoring | Thematic mitigation; Baseline monitoring | Remediation; Baseline monitoring |

  20. Risk Identification Risk-based regulation in the UK Risk identification

  21. Risk Identification Risk identification • The first stage in the risk cycle • where risks enter our perceived portfolio • Essentially intelligence-gathering (either through discrete actions or continuous monitoring) • Many sources – see next slide • Key issues around identification: • are the available sources sufficient? (gaps / overlaps) • do the different sources represent a coherent picture? • is the knowledge shared properly? (e.g. risks identified in one area – say an individual firm – passed on to others – say a sector team); consistent recording mechanisms? consistent standards? (types / measures of risk)

  22. Risk Identification Risk identification (cont’d) • FSA tools for identifying risk: • Supervision of firms • Visits to firms (either as part of a supervisory assessment, enforcement action, or other) • Information provided by firms (either on FSA request or firms’ initiative) • Monitoring of returns and similar data, and transaction monitoring • Information provided by others (e.g. Financial Ombudsman, overseas regulators, external auditors) • Thematic work • Project work • Retail intelligence • Market monitoring • Other external sources (e.g. press, other regulators, analysts, trade bodies and special-interest groups)

  23. Risk Measurement Risk-based regulation in the UK Measuring Risk

  24. Risk Measurement Risk Measurement • The Challenges facing Every Risk Manager • Wide range of types of risk • external or internal • Different size “footprint” for risks • widespread or local • specific to one firm type or generalised • short term or longer • Too many risks! • how to prioritise; how to categorise consistently and avoid duplication

  25. Risk Measurement FSA response to the Size challenge: IMPACT of the problem if it occurs x PROBABILITY of the problem occurring = PRIORITY for the FSA. Impact factors may include: • Size of firm • No. of retail consumers • Perceived importance. Probability factors may include: • Business Risk • Control Measures • Consumer risk

  26. Risk Measurement Impact and probability – FSA’s response • Scoring of impact and probability is subjective – but subject to challenge and control (see later) [Matrix axes: Impact: Low, Medium-low, Medium-high, High; Probability: Low, Medium-low, Medium-high, High, Crystallised]

  27. Risk Measurement FSA: impact and probability scoring. Relatively high-level scoring approach, based on supervisory judgement • Advantages: flexible; quick to implement; draws on expertise; easily understood; not spuriously accurate • Drawbacks: subjective; needs effective challenge; dependent on good experience; may not provide much differentiation [Matrix: Impact (Low, Med. Low, Med. High, High) against Probability (Low, Med. Low, Med. High, High, Crystallised), with “Priority risks” marked]

  28. Risk Measurement Firm risk assessment – risk groups. Business risks: • Strategy • Market, credit, insurance and operational risk • Financial soundness • Nature of customers, products and services. Control risks: • Treatment of customers • Organisation • Systems and controls • Board, management and staff • Compliance culture

  29. Risk Measurement Firm risk assessment process • Begins with requests for standard information from firm (e.g. internal audit and compliance reports) • Analysis of this information, along with sectoral and environmental factors and previous experience of the firm, leads to work plan for on-site visit. • Visit generally consists of a series of interviews with key staff and management. Very little review of documentation (e.g. client files). • During visit, information gaps are filled, and issues identified during planning are followed up. Further issues may also be identified. • The assessment is then written up, with both the individual issues identified and the whole firm being scored.

  30. Risk Measurement Firm risk assessment – results [scoring grid; labels as extracted] • Risk channels: Financial failure; Misconduct / mis-management; Consumer understanding; Fraud & dishonesty; Market abuse; Money laundering; Market quality • Business risk groups: Strategy; Market, Credit & Op; Financial soundness; Customers / products; TOTAL BUSINESS RISK • Control risk groups: Treatment of customers; Organisation; Systems & controls; Board, Management; Culture; TOTAL CONTROL RISK • NET PROBABILITY • Statutory objectives: Market confidence; Consumer protection; Public awareness; Financial crime

  31. Risk Mitigation Risk-based regulation in the UK Risk mitigation

  32. Risk Mitigation Risk mitigation • The most important stage in the risk cycle • the only one that actually makes any difference to the outside world! • Identification and assessment stages are (only) means of deciding whether and what mitigation to put in place (not ends in themselves) • Reduction in risk may be by reduced impact or (more likely) reduced probability of harm; should have a target / acceptable level of risk • Key issues around mitigation: • need to be clear about actions which actually reduce risk (rather than giving us more information about risk)? • actions must be proportionate and effective – use of both FSA resource and that of others (e.g. firms); should relate to the change in risk that can be achieved • measuring effectiveness of mitigation

  33. Risk Mitigation Risk mitigation (cont’d) • FSA tools for mitigating risk: • Supervision of firms • Improvements in controls, or reduction in business risk, or increased capital held, all in relation to an individual firm (either requested by supervisory team, or mandated through enforcement, or in cooperation with other regulators) • Thematic work • Improvements in controls, business risk or capital in multiple firms (either requested through (e.g.) Dear CEO Letters or mandated through rule changes) • Wider efforts to improve fin. markets (e.g. consumer education) – either FSA-only, or in cooperation with other bodies

  34. Risk Mitigation From measurement to mitigation • Risks are assessed from low to high • low – no mitigation required • medium-low – no mitigation expected, reason required if in place • medium-high – mitigation expected, reason required if not in place • high – mitigation required

  35. Risk Mitigation Presentation of risks [Matrix: Impact (Low, Medium-low, Medium-high, High) against Probability (Low, Medium-low, Medium-high, High, Crystallised), with “Risk Today”, “Mitigation” and “Target Level” marked]

  36. Risk Monitoring And Reporting Risk-based regulation in the UK Monitoring and reporting risks

  37. Risk Monitoring And Reporting Risks: monitoring and reporting • Regular reviews necessary to: • update list of identified issues and scoring • monitor progress on mitigation • allow FSA management to take strategic decisions • Balance between levels of detail • enough to assess effectiveness • ensure key facts and direction are clear

  38. Risk Monitoring And Reporting Presentation of risks [Matrix: Impact (Low, Medium-low, Medium-high, High) against Probability (Low, Medium-low, Medium-high, High, Crystallised), with “Initial Risk”, “Risk Today” and “Target Level” marked]

  39. Risk Monitoring And Reporting Classification of Risks [classification tree diagram; labels as extracted, grouped at the headings that survive]
      Succession Planning Business Culture Management Information Corporate Governance Relationship with Regulators
      Priority Delivery, Treating Customers Fairly Reforming regulation of the retail market Financial Capability Improving transparency Developing our approach to Fraud Getting the best out of our staff making us easier to do business with increasing the effectiveness and transparency of enforcement work improving the implementation of our risk based approach
      Sectoral Risk, Banking Insurance Retail Intermediaries Asset Management Capital Markets Financial Crime Financial Stability Business Continuity Consumer
      Internal Risk, People Skills Quantity Turnover Retention Recruitment
      Processes (non-IS), Inadequacy Not followed Not comprehensive
      Processes (IS), Inadequacy Availability Dependency
      Information, Not sufficient Lost Vulnerable
      Finance, Accounting Policies and Procedures Financial and Regulatory Reporting Independence Policies and Procedures and Controls Audit Methodology Resources Independence Compliance Data Protection Freedom of Information Health & Safety Personnel Conflicts of interest Suspicious Transaction Monitoring and Reporting Legal Compliance Policy Methodology Resources Independence Training and Competence Record Keeping Monitoring Conflicts of interest Market surveillance Transaction Monitoring Suspicious Transaction Monitoring and Reporting Structured Products
      Internal Audit, Methodology Resources Independence
      Financial Control, Accounting Policies and Procedures Financial and Regulatory Reporting Independence
      Operating Controls, Policies and Procedures and Controls Human Resources Controls IT Controls Business Continuity
      MANAGEMENT GOVERNANCE AND CULTURE, Management, Quality of Management Quality of Strategy
      ENVIRONMENTAL RISK, Economic Environment Legislative/Political Risk Competition Risk Capital Market Efficiency
      CUSTOMER/PRODUCT RISKS, Type of Customer Consumer Knowledge Product/Service Characteristics
      BUSINESS MODEL RISK, Structure & Ownership Nature of owners Organisation structure Relationship with the Rest of the Group
      Operating risks, Sources of Business and Distribution Outsourcing Operations IT Systems
      FINANCIAL RISK, Credit Risk Market Risk Insurance Underwriting Risk Operational Risk Liquidity Risk Litigation/Legal Risk
      MARKET STRUCTURE/ CONDUCT CONTROLS, Membership Arrangements Market Cleanliness Clearing and Settlement Arrangements
      CUSTOMER/PRODUCT CONTROLS, Accepting Customers Client Classification Terms of Business and Client Agreements Client Identification (AML)
      Sales Process, New Product Development and Approval Sales Force Training Sales Force Remuneration KYC Suitability Product Disclosure Financial Promotions
      Post Sale Handling of Customers, Dealing and Managing Reporting Switching Products Switching Providers Complaints Handling Security of Client Assets
      CORPORATE CONTROLS, Risk Management Credit Risk Market Risk Insurance Risk Operational Risk Liquidity Risk Legal Risk Methodology Resources Independence
      Management, Quality of Management Quality of Strategy Succession Planning Business Culture Management Information Corporate Governance Political Risk Reputational Risk
      Risk Management Identification Measurement Monitoring Control
      External risks Priorities Sectors Internal risks

  40. Risk Monitoring And Reporting Format of individual risk reports

  41. Risk Control Risk-based regulation in the UK Controlling the risk process

  42. Risk Control Risk controls • Must be set in the context of the organisation • for example, devolved to business units in FSA • Clear responsibilities set out in a Risk Charter • Policies and Procedures set out • Compliance with those policies checked • Integrated with budget and strategic planning ensures no gaps • Independent challenge • Transparent management information • Provides assurance to all involved that decisions and process are fair

  43. Risk Control Challenge • Assessment and risk mitigation programme are challenged by senior management • for internal consistency • for consistency with risk appetite • against peer-groups

  44. Risk Control How risks are reported (simplified) • Risk Identification & Assessment using FSA Frameworks • Review and challenge at local business unit level • Local management agree description and scoring/prioritisation of risks • Central risk oversight review and challenge risks and compile a cross-FSA risk map (“The Dashboard”) • Every 3 months, FSA senior management review and agree list of “Top Risks” and consider if additional resources should be applied to change mitigation efforts or timescales • FSA Board receive regular reports on “Top 10” risks and progress

  45. Risk Control Example of an existing risk

  46. Risk Control What have we learnt so far? • Staff tend to be risk-averse; tendency to over-score impact and probability unless challenged. • Requiring clearer ownership of risks imposes better accountability and discipline. • The only way to track mitigation effectively is to describe the risk and target outcome very specifically. • Relies on adequate risk management skills and experience among staff to work.

  47. Risk-based regulation in the UK Evaluating and improving ARROW

  48. Evaluation • We believe that ARROW is at the forefront of supervisory best practice • requests for technical assistance are high • recent UK government reports such as Hampton and Arculus have praised our approach (compared with other UK regulators) • Effective risk management is a journey and not a destination, so it needs to evolve: • as our experience grows • as our needs grow (e.g. from our recent adoption of Mortgage & General Insurance regulation) • as our expectations grow

  49. Risk management vision

  50. ARROW’s evolutionary path [staircase diagram, latest stage first; X = current position]
      ARROW 3 ? Outcome-based models
      ARROW 2.5 Stress and scenario testing
      ARROW 2.0 X Portfolio risk-based methods
      ARROW Individual risk-based methods
      RATE, FIBSPAM Assessment models
