COSRA / IARC Conference
Cartagena, 2 September 2005

Risk-based regulation in the UK

Joe Traynor & Mike O’Hagan
Finance, Strategy & Risk Division, UK Financial Services Authority

Agenda
• What a risk-based approach means in theory
• Why a risk-based approach
• The UK FSA’s methodology – the “ARROW” risk framework
• Current developments in ARROW

Risk-based regulation in the UK
• What a risk-based approach means in theory

Risk Management in the financial services industry
• Aims vary, but usually a combination of protecting reputation, brand, earnings or capital. Its Board will agree its risk appetite – (e.g. aggressive, conservative)
• The firm should identify the risks to their aims (e.g. to capital or profitability) and their causes – credit, market, operational, etc.
• It will use an agreed method of measuring that risk – loan grading, value at risk, etc.
• Primary risk managers are the business people who are closest to the risk – relationship managers, traders, settlement staff, etc.
• Information is produced to help monitor risks
• The level of risk taking is controlled – through limits, delegated authority, etc.
• Independent risk management provides challenge

WHAT WE ARE SEEKING TO ACHIEVE
Principles of Risk Management in UK FSA
• Primary aim is to achieve our statutory objectives.
• The Board agrees our risk appetite by approving our budget and our risk policies in respect of that budget
• We identify the risks to our statutory objectives and their causes – financial failure, misconduct, market abuse etc
• We use an agreed method of measuring that risk – impact and probability etc
• Our primary risk managers are the business people who are closest to the risk – firm relationship managers, operations, investment priority owners etc
• Information is produced to help management monitor risks
• The level of risk taking is controlled – through budgets, policies, delegated authority etc
• Independent risk management provides challenge

WHAT WE ARE SEEKING TO ACHIEVE
Our Risk Management Mission
To deliver an integrated approach to risk and resource management that enables us to manage our portfolio of risk and our resources in a dynamic way, consistent with industry best practice.

The “ARROW” framework
• “ARROW” is the framework that the FSA uses to measure risk and decide on appropriate responses. It not only provides the risk metrics, but also specifies the processes we use to identify, record, analyse and mitigate risks.
• It has two components:
    • the firm framework (used when assessing risks in individual firms); in ARROW, we call this “vertical” supervision; and
    • the consumer and industry-wide framework (used when assessing cross-cutting risks – those involving a number of firms, or relating to the market as a whole); we term this “thematic” or “horizontal” work.

Risk Management Stages
[Diagram of the stages: Decision to be Risk Based; Set a Risk Context; Set Risk Appetite; Risk Identification; Risk Measurement; Risk Mitigation; Risk Monitoring And Reporting; Risk Control. A label reads: Included in “ARROW”.]

Risk-based regulation in the UK
• Why use a risk-based approach?

Why use a risk-based approach?
• Finite resources available – never possible to do everything
• This leads to a non-zero failure approach (with a corresponding risk appetite)
• We therefore need a mechanism for prioritising our work:
    • focusing our efforts on the greatest risks
    • bear in mind tractability of issues (“biggest bang for our buck”)
• Other factors made the risk-based approach necessary (but difficult to implement) in the UK FSA:
    • variety of cultures / backgrounds (requires consistency of resource and action decisions)
    • very broad scope of our regulatory remit (wide ranging statutory objectives and diversity of sectors regulated)

Why use a risk-based approach? (cont’d)
• Implications and benefits of the risk-based approach:
    • focus on risks to our objectives (and on relevant outcomes)
    • sound, consistent basis for justifying our approach and actions
    • builds in a proportionate response
        – “peace dividend” for well-behaved areas/firms – so they see the benefit of compliance
    • provides a measure of success in a not-for-profit enterprise – risk / harm to our objectives is our currency

Why use a risk-based approach? (cont’d)
• We believe that, in reality, every regulator adopts a risk-based approach:
    • none has infinite resource, so we all have to make choices about optimum deployment – this is essentially what risk-based regulation is all about;
    • even those with a low tolerance for risk (e.g. visiting all firms every year) must still decide how intensive their response to each firm should be;
    • at some level, these decisions will be based on the level of risk; the main difference between those who claim to be risk-based (like the FSA) and those that do not is the extent to which we attempt to apply an explicit, consistent framework to these decisions, and the level of pro-active work undertaken to prevent harm occurring before the event.

Risk-based regulation in the UK
• Setting a risk context

Risk context
• Need to define a concept of “harm” or failure.
• Risk is then comprised of the probability and size of the harm.
• More positively, there are also opportunities to improve on situations.

The FSA context
• Risk is defined as risks to our four statutory objectives (set out in the act of parliament which established the FSA in 2000):
    – maintaining confidence in the Financial System;
    – promoting public understanding of the financial system;
    – securing the appropriate degree of protection for consumers; and
    – reducing the extent to which it is possible to commit financial crime.
• But these statutory objectives are too broad for effective day to day management, so a number of channels for risks have been identified.

Risk channels
• External
    · Financial failure of firms
    · Misconduct and mismanagement by firms
    · Consumer understanding
    · Financial fraud
    · Market abuse
    · Money laundering
    · Market quality
• Internal
    · Delivery of FSA’s Strategic Priorities
    · FSA’s reputation
    · Economy and efficiency of FSA’s operations

Risk-based regulation in the UK
• Setting risk appetite

WHAT IS RISK APPETITE?
“Risk appetite, at the organisational level, is the amount of risk that an organisation is prepared to accept, tolerate, or be exposed to at any point in time.” (“The Orange Book” HM Treasury, 2004)
It is underpinned by:
• a concept of risk that is shared across the organisation – bringing risk-based decision-making to individual processes;
• an agreed system of measuring risks across the risk universe
• genuine risk-based resourcing (whether measured in human, skill, technology or cash terms)
• accountability – clear articulation about the action that is to be taken and by whom once risk thresholds have been breached.
  This will result in risk being escalated (and accountability transferred up the organisation).

RISK APPETITE (FIRM RISKS)
Response by impact and probability:

Impact: High
    Probability Low: No mitigation; “Close & Continuous” monitoring
    Probability Medium Low: Justify mitigation; Enhanced monitoring
    Probability Medium High: Mitigation (justify inaction); Watchlist; Upward escalation
    Probability High: Mitigation; High intensity watchlist; Upward escalation
    Crystallised: Remediation; High intensity watchlist; Upward escalation

Impact: Medium High
    Probability Low: No action; Baseline monitoring
    Probability Medium Low: Justify mitigation; Monitoring
    Probability Medium High: Mitigation (justify inaction); Watchlist; Upward escalation
    Probability High: Mitigation; High intensity watchlist; Upward escalation
    Crystallised: Remediation; High intensity watchlist; Upward escalation

Impact: Medium Low
    Probability Low: No Action; Baseline monitoring
    Probability Medium Low: Justify mitigation; Monitoring
    Probability Medium High: Mitigation (justify inaction); Monitoring
    Probability High: Mitigation; Watchlist; Upward escalation
    Crystallised: Remediation; Watchlist; Upward escalation

Impact: Low
    Probability Low: No Action; Baseline monitoring
    Probability Medium Low: No Action; Baseline monitoring
    Probability Medium High: No Action; Baseline monitoring
    Probability High: Thematic mitigation; Baseline monitoring
    Crystallised: Remediation; Baseline monitoring

Risk-based regulation in the UK
• Risk identification

Risk identification
• The first stage in the risk cycle
    • where risks enter our perceived portfolio
• Essentially intelligence-gathering (either through discrete actions or continuous monitoring)
• Many sources – see next slide
• Key issues around identification:
    • are the available sources sufficient? (gaps / overlaps)
    • do the different sources represent a coherent picture?
    • is the knowledge shared properly? (e.g. risks identified in one area – say an individual firm – passed on to others – say a sector team); consistent recording mechanisms? consistent standards?
      (types / measures of risk)

Risk identification (cont’d)
• FSA tools for identifying risk:

Supervision of firms
• Visits to firms (either as part of a supervisory assessment, enforcement action, or other)
• Information provided by firms (either on FSA request or firms’ initiative)
• Monitoring of returns and similar data, and transaction monitoring

Thematic work
• Project work
• Retail intelligence
• Market monitoring
• Other external sources (e.g. press, other regulators, analysts, trade bodies and special-interest groups)
• Information provided by others (e.g. Financial Ombudsman, overseas regulators, external auditors)

Risk-based regulation in the UK
• Measuring Risk

Risk Measurement
• The Challenges facing Every Risk Manager
    • Wide range of types of risk
        – external or internal
    • Different size “footprint” for risks
        – widespread or local
        – specific to one firm type or generalised
        – short term or longer
    • Too many risks!
        – how to prioritise; how to categorise consistently and avoid duplication

FSA response to the Size challenge
PRIORITY for the FSA = IMPACT of the problem if it occurs x PROBABILITY of the problem occurring

IMPACT of the problem if it occurs
Factors may include:
• Size of firm
• No. of retail consumers
• Perceived importance

PROBABILITY of the problem occurring
Factors may include:
• Business Risk
• Control Measures
• Consumer risk

Impact and probability – FSA’s response
• Scoring of impact and probability is subjective – but subject to challenge and control (see later)

Impact: High; Medium-high; Medium-low; Low
Probability: Crystallised; High; Medium-high; Medium-low; Low

FSA: impact and probability scoring
Relatively high-level scoring approach, based on supervisory judgement
• Advantages
    • flexible
    • quick to implement
    • draws on expertise
    • easily understood
    • not spuriously accurate
• Drawbacks
    • subjective
    • needs effective challenge
    • dependent on good experience
    • may not provide much differentiation
[Chart: Impact (Low, Med. Low, Med. High, High) against Probability (Low, Med. Low, Med. High, High, Crystallised), with a region labelled “Priority risks”]

Firm risk assessment – risk groups

Business risks
• Strategy
• Market, credit, insurance and operational risk
• Financial soundness
• Nature of customers, products and services

Control risks
• Treatment of customers
• Organisation
• Systems and controls
• Board, management and staff
• Compliance culture

Firm risk assessment process
• Begins with requests for standard information from firm (e.g. internal audit and compliance reports)
• Analysis of this information, along with sectoral and environmental factors and previous experience of the firm, leads to work plan for on-site visit.
• Visit generally consists of a series of interviews with key staff and management. Very little review of documentation (e.g. client files).
• During visit, information gaps are filled, and issues identified during planning are followed up. Further issues may also be identified.
• The assessment is then written up, with both the individual issues identified and the whole firm being scored.

Firm risk assessment – results
[Scoring grid with the following labels]
Risk channels: Financial failure; Misconduct / mismanagement; Consumer understanding; Fraud & dishonesty; Market abuse; Money laundering; Market quality
Statutory objectives: Market confidence; Consumer protection; Public awareness; Financial crime
Business risk groups: Strategy; Market, Credit & Op; Financial soundness; Customers / products; TOTAL BUSINESS RISK
Control risk groups: Treatment of customers; Organisation; Systems & controls; Board, Management; Culture; TOTAL CONTROL RISK
NET PROBABILITY

Risk-based regulation in the UK
• Risk mitigation

Risk mitigation
• The most important stage in the risk cycle
    • the only one that actually makes any difference to the outside world!
• Identification and assessment stages are (only) means of deciding whether and what mitigation to put in place (not ends in themselves)
• Reduction in risk may be by reduced impact or (more likely) reduced probability of harm; should have a target / acceptable level of risk
• Key issues around mitigation:
    • need to be clear about actions which actually reduce risk (rather than giving us more information about risk)?
    • actions must be proportionate and effective – use of both FSA resource and that of others (e.g. firms); should relate to the change in risk that can be achieved
    • measuring effectiveness of mitigation

Risk mitigation (cont’d)
• FSA tools for mitigating risk:

Supervision of firms
• Improvements in controls, or reduction in business risk, or increased capital held, all in relation to an individual firm (either requested by supervisory team, or mandated through enforcement, or in cooperation with other regulators)

Thematic work
• Improvements in controls, business risk or capital in multiple firms (either requested through (e.g.) Dear CEO Letters or mandated through rule changes)
• Wider efforts to improve fin. markets (e.g. consumer education) – either FSA-only, or in cooperation with other bodies

From measurement to mitigation
• Risks are assessed from low to high
    · low – no mitigation required
    · medium-low – no mitigation expected, reason required if in place
    · medium-high – mitigation expected, reason required if not in place
    · high – mitigation required

Presentation of risks
[Chart: Impact (Low, Medium-low, Medium-high, High) against Probability (Low, Medium-low, Medium-high, High, Crystallised), showing “Risk Today”, “Mitigation” and “Target Level”]

Risk-based regulation in the UK
• Monitoring and reporting risks

Risks: monitoring and reporting
• Regular reviews necessary to:
    • update list of identified issues and scoring
    • monitor progress on mitigation
    • allow FSA management to take strategic decisions
• Balance between levels of detail
    • enough to assess effectiveness
    • ensure key facts and direction are clear

Presentation of risks
[Chart: Impact (Low, Medium-low, Medium-high, High) against Probability (Low, Medium-low, Medium-high, High, Crystallised), showing “Initial Risk”, “Risk Today” and “Target Level”]

Classification of Risks
[Diagram: classification of risks. Group headings include ENVIRONMENTAL RISK; CUSTOMER/PRODUCT CONTROLS; CUSTOMER/PRODUCT RISKS; BUSINESS MODEL RISK; FINANCIAL RISK; CORPORATE CONTROLS; MANAGEMENT GOVERNANCE AND CULTURE; MARKET STRUCTURE/CONDUCT CONTROLS; External risks; Internal risks]

Format of individual risk reports

Risk-based regulation in the UK
• Controlling the risk process

Risk controls
• Must be set in the context of the organisation – for example, devolved to business units in FSA
• Clear responsibilities set out in a Risk Charter
• Policies and Procedures set out
• Compliance with those policies checked
• Integrated with budget and strategic planning ensures no gaps
• Independent challenge
• Transparent management information
• Provides assurance to all involved that decisions and process are fair

Challenge
• Assessment and risk mitigation programme are challenged by senior management
    – for internal consistency
    – for consistency with risk appetite
    – against peer-groups

How risks are reported (simplified)
• Risk Identification & Assessment using FSA Frameworks
• Review and challenge at local business unit level
• Local management agree description and scoring/prioritisation of risks
• Central risk oversight review and challenge risks and compile a cross-FSA risk map (“The Dashboard”)
• Every 3 months, FSA senior management review and agree list of “Top Risks” and consider if additional resources should be applied to change mitigation efforts or timescales
• FSA Board receive regular reports on “Top 10” risks and progress

Example of an existing risk

What have we learnt so far?
• Staff tend to be risk-averse; tendency to overscore impact and probability unless challenged.
• Requiring clearer ownership of risks imposes better accountability and discipline.
• The only way to track mitigation effectively is to describe the risk and target outcome very specifically.
• Relies on adequate risk management skills and experience among staff to work.

Risk-based regulation in the UK
• Evaluating and improving ARROW

Evaluation
• We believe that ARROW is at the forefront of supervisory best practice
    – requests for technical assistance are high
    – recent UK government reports such as Hampton and Arculus have praised our approach (compared with other UK regulators)
• Effective risk management is a journey and not a destination, so it needs to evolve:
    – as our experience grows
    – as our needs grow (e.g. from our recent adoption of Mortgage & General Insurance regulation)
    – as our expectations grow

Risk management vision

ARROW’s evolutionary path
[Diagram: framework versions (RATE, FIBSPAM; ARROW; ARROW 2.0; ARROW 2.5; ARROW 3 ?) shown alongside Assessment models; Individual risk-based methods; Portfolio risk-based methods; Stress and scenario testing; Outcome-based models. An X marks the current position.]

Current improvements being implemented
• In implementing ARROW 2.0, we are making a variety of improvements to the risk framework and processes:
    – making the processes less bureaucratic, and the supporting IT more user-friendly
    – creating greater flexibility in how ARROW is applied (lighter approach to smaller risks / firms)
    – facilitating greater knowledge-sharing (e.g. intelligence and analysis between front-line supervisors, sector analysts and experts on specific themes)
    – making the firm and thematic frameworks more integrated
    – improving the communication to firms of our assessment (e.g. giving them more information about our rating of them, along with peer group data to provide context)
    – updating the metrics we use, so that they better reflect the FSA’s current priorities and views of risk
    – upgrading the training and guidance we give our staff