COSRA / IARC Conference Cartagena, 2 September 2005 Risk-based regulation in the UK Joe Traynor & Mike O’Hagan Finance, Strategy & Risk Division, UK Financial Services Authority


Agenda

• What a risk-based approach means in theory

• Why a risk-based approach

• The UK FSA’s methodology – the “ARROW” risk framework

• Current developments in ARROW

• What a risk-based approach means in theory

Risk Management in the financial services industry

• A firm’s aims vary, but are usually a combination of protecting reputation, brand, earnings or capital. Its Board will agree its risk appetite (e.g. aggressive, conservative)

• The firm should identify the risks to its aims (e.g. to capital or profitability) and their causes – credit, market, operational, etc.

• It will use an agreed method of measuring that risk – loan grading, value at risk, etc.

• Primary risk managers are the business people who are closest to the risk – relationship managers, traders, settlement staff, etc.

• Information is produced to help monitor risks

• The level of risk taking is controlled – through limits, delegated authority, etc.

• Independent risk management provides challenge

WHAT WE ARE SEEKING TO ACHIEVE

Principles of Risk Management in UK FSA

• Primary aim is to achieve our statutory objectives.

• The Board agrees our risk appetite by approving our budget and our risk policies in respect of that budget

• We identify the risks to our statutory objectives and their causes – financial failure, misconduct, market abuse etc

• We use an agreed method of measuring that risk – impact and probability etc

• Our primary risk managers are the business people who are closest to the risk – firm relationship managers, operations, investment priority owners etc

• Information is produced to help management monitor risks

• The level of risk taking is controlled – through budgets, policies, delegated authority etc

• Independent risk management provides challenge


WHAT WE ARE SEEKING TO ACHIEVE

To deliver an integrated approach to risk and resource management that enables us to manage our portfolio of risk and our resources in a dynamic way, consistent with industry best practice.

Our Risk Management Mission


The “ARROW” framework

• “ARROW” is the framework that the FSA uses to measure risk and decide on appropriate responses. It not only provides the risk metrics, but also specifies the processes we use to identify, record, analyse and mitigate risks.

• It has two components:

  • the firm framework (used when assessing risks in individual firms); in ARROW, we call this “vertical” supervision; and

  • the consumer and industry-wide framework (used when assessing cross-cutting risks – those involving a number of firms, or relating to the market as a whole); we term this “thematic” or “horizontal” work.

Risk Management Stages

[Diagram of the risk management stages: Decision to be Risk Based; Set a Risk Context; Set Risk Appetite; Risk Identification; Risk Measurement; Risk Mitigation; Risk Monitoring and Reporting; Risk Control. A label, “Included in ‘ARROW’”, marks part of the diagram.]

• Why use a risk-based approach?

Why use a risk-based approach?

• Finite resources available – never possible to do everything

• This leads to a non-zero failure approach (with a corresponding risk appetite)

• We therefore need a mechanism for prioritising our work:

  • focusing our efforts on the greatest risks

  • bear in mind tractability of issues (“biggest bang for our buck”)

• Other factors made the risk-based approach necessary (but difficult to implement) in the UK FSA:

  • variety of cultures / backgrounds (requires consistency of resource and action decisions)

  • very broad scope of our regulatory remit (wide ranging statutory objectives and diversity of sectors regulated)

Why use a risk-based approach? (cont’d)

• Implications and benefits of the risk-based approach:

  • focus on risks to our objectives (and on relevant outcomes)

  • sound, consistent basis for justifying our approach and actions

  • builds in a proportionate response.

    – “peace dividend” for well-behaved areas/firms – so they see the benefit of compliance

  • provides a measure of success in a not-for-profit enterprise – risk / harm to our objectives is our currency

Why use a risk-based approach? (cont’d)

• We believe that, in reality, every regulator adopts a risk-based approach:

  • none has infinite resource, so we all have to make choices about optimum deployment – this is essentially what risk-based regulation is all about;

  • even those with a low tolerance for risk (e.g. visiting all firms every year) must still decide how intensive their response to each firm should be;

  • at some level, these decisions will be based on the level of risk; the main difference between those who claim to be risk-based (like the FSA) and those that do not is the extent to which we attempt to apply an explicit, consistent framework to these decisions, and the level of pro-active work undertaken to prevent harm occurring before the event.

• Setting a risk context

Risk context

• Need to define a concept of “harm” or failure.

• Risk is then comprised of the probability and size of the harm.

• More positively, there are also opportunities to improve on situations.


The FSA context

• Risk is defined as risks to our four statutory objectives (set out in the Act of Parliament which established the FSA in 2000):

– maintaining confidence in the Financial System;

– promoting public understanding of the financial system;

– securing the appropriate degree of protection for consumers; and

– reducing the extent to which it is possible to commit financial crime.

• But these statutory objectives are too broad for effective day to day management, so a number of channels for risks have been identified.


Risk channels

• External

· Financial failure of firms

· Misconduct and mismanagement by firms

· Consumer understanding

· Financial fraud

· Market abuse

· Money laundering

· Market quality

• Internal

· Delivery of FSA’s Strategic Priorities

· FSA’s reputation

· Economy and efficiency of FSA’s operations

• Setting risk appetite

WHAT IS RISK APPETITE?

“Risk appetite, at the organisational level, is the amount of risk that an organisation is prepared to accept, tolerate, or be exposed to at any point in time.” (“The Orange Book” HM Treasury, 2004)

It is underpinned by:

• a concept of risk that is shared across the organisation – bringing risk-based decision-making to individual processes;

• an agreed system of measuring risks across the risk universe

• genuine risk-based resourcing (whether measured in human, skill, technology or cash terms)

• accountability – clear articulation about the action that is to be taken and by whom once risk thresholds have been breached. This will result in risk being escalated (and accountability transferred up the organisation).


RISK APPETITE (FIRM RISKS)

[Matrix: Impact (Low, Medium Low, Medium High, High) against Probability (Low, Medium Low, Medium High, High, Crystallised). Each cell lists the expected responses, drawn from: No action; Baseline monitoring; Monitoring; Enhanced monitoring; “Close & Continuous” monitoring; No mitigation; Justify mitigation; Thematic mitigation; Mitigation (justify inaction); Mitigation; Remediation; Watchlist; High intensity watchlist; Upward escalation.]

• Risk identification

Risk identification

• The first stage in the risk cycle

  • where risks enter our perceived portfolio

• Essentially intelligence-gathering (either through discrete actions or continuous monitoring)

• Many sources – see next slide

• Key issues around identification:

  • are the available sources sufficient? (gaps / overlaps)

  • do the different sources represent a coherent picture?

  • is the knowledge shared properly? (e.g. risks identified in one area – say an individual firm – passed on to others – say a sector team); consistent recording mechanisms? consistent standards? (types / measures of risk)

Risk identification (cont’d)

• FSA tools for identifying risk:

Supervision of firms

• Visits to firms (either as part of a supervisory assessment, enforcement action, or other)

• Information provided by firms (either on FSA request or firms’ initiative)

• Monitoring of returns and similar data, and transaction monitoring

• Information provided by others (e.g. Financial Ombudsman, overseas regulators, external auditors)

Thematic work

• Project work

• Retail intelligence

• Market monitoring

• Other external sources (e.g. press, other regulators, analysts, trade bodies and special-interest groups)

• Measuring Risk

Risk Measurement

• The Challenges facing Every Risk Manager

  • Wide range of types of risk

    – external or internal

  • Different size “footprint” for risks

    – widespread or local

    – specific to one firm type or generalised

    – short term or longer

  • Too many risks!

    – how to prioritise; how to categorise consistently and avoid duplication

FSA response to the Size challenge

PRIORITY for the FSA = IMPACT of the problem if it occurs x PROBABILITY of the problem occurring

Factors in IMPACT may include:

• Size of firm

• No. of retail consumers

• Perceived importance

Factors in PROBABILITY may include:

• Business Risk

• Control Measures

• Consumer risk

Impact and probability – FSA’s response

• Scoring of impact and probability is subjective – but subject to challenge and control (see later)

Impact: High; Medium-high; Medium-low; Low

Probability: Crystallised; High; Medium-high; Medium-low; Low

FSA: impact and probability scoring

• Advantages

  • flexible

  • quick to implement

  • draws on expertise

  • easily understood

  • not spuriously accurate

• Drawbacks

  • subjective

  • needs effective challenge

  • dependent on good experience

  • may not provide much differentiation

[Matrix: Impact (Low, Med. Low, Med. High, High) against Probability (Low, Med. Low, Med. High, High, Crystallised), with the “Priority risks” region marked.]

Relatively high-level scoring approach, based on supervisory judgement

Firm risk assessment – risk groups

Business risks

• Strategy

• Market, credit, insurance and operational risk

• Financial soundness

• Nature of customers, products and services

Control risks

• Treatment of customers

• Organisation

• Systems and controls

• Board, management and staff

• Compliance culture

Firm risk assessment process

• Begins with requests for standard information from firm (e.g. internal audit and compliance reports)

• Analysis of this information, along with sectoral and environmental factors and previous experience of the firm, leads to work plan for on-site visit.

• Visit generally consists of a series of interviews with key staff and management. Very little review of documentation (e.g. client files).

• During visit, information gaps are filled, and issues identified during planning are followed up. Further issues may also be identified.

• The assessment is then written up, with both the individual issues identified and the whole firm being scored.

Firm risk assessment – results

[Table: rows are Strategy; Market, Credit & Op; Financial soundness; Customers / products; TOTAL BUSINESS RISK; Treatment of customers; Organisation; Systems & controls; Board, Management; Culture; TOTAL CONTROL RISK; NET PROBABILITY. Columns are Financial failure; Misconduct / mis-management; Consumer understanding; Fraud & dishonesty; Market abuse; Money laundering; Market quality. The statutory objectives (Market confidence; Consumer protection; Public awareness; Financial crime) are also labelled.]

• Risk mitigation

Risk mitigation

• The most important stage in the risk cycle

  • the only one that actually makes any difference to the outside world!

• Identification and assessment stages are (only) means of deciding whether and what mitigation to put in place (not ends in themselves)

• Reduction in risk may be by reduced impact or (more likely) reduced probability of harm; should have a target / acceptable level of risk

• Key issues around mitigation:

  • need to be clear about actions which actually reduce risk (rather than giving us more information about risk)

  • actions must be proportionate and effective – use of both FSA resource and that of others (e.g. firms); should relate to the change in risk that can be achieved

  • measuring effectiveness of mitigation

Risk mitigation (cont’d)

• FSA tools for mitigating risk:

Supervision of firms

• Improvements in controls, or reduction in business risk, or increased capital held, all in relation to an individual firm (either requested by supervisory team, or mandated through enforcement, or in cooperation with other regulators)

Thematic work

• Improvements in controls, business risk or capital in multiple firms (either requested through (e.g.) Dear CEO Letters or mandated through rule changes)

• Wider efforts to improve fin. markets (e.g. consumer education) – either FSA-only, or in cooperation with other bodies

From measurement to mitigation

• Risks are assessed from low to high

· low – no mitigation required

· medium-low – no mitigation expected, reason required if in place

· medium-high – mitigation expected, reason required if not in place

· high – mitigation required


Presentation of risks

[Chart: Impact (Low, Medium-low, Medium-high, High) against Probability (Low, Medium-low, Medium-high, High, Crystallised), with markers for “Risk Today”, “Mitigation” and “Target Level”.]

• Monitoring and reporting risks

Risks: monitoring and reporting

• Regular reviews necessary to:

  • update list of identified issues and scoring

  • monitor progress on mitigation

  • allow FSA management to take strategic decisions

• Balance between levels of detail

  • enough to assess effectiveness

  • ensure key facts and direction are clear

Presentation of risks

[Chart: Impact (Low, Medium-low, Medium-high, High) against Probability (Low, Medium-low, Medium-high, High, Crystallised), with markers for “Initial Risk”, “Risk Today” and “Target Level”.]

Classification of Risks

ENVIRONMENTAL RISK,

Economic Environment

Legislative/Political Risk

Competition Risk

Capital Market Efficiency

CUSTOMER/PRODUCT RISKS,

Type of Customer

Consumer Knowledge

Product/Service Characteristics

BUSINESS MODEL RISK,

Structure & Ownership

Nature of owners

Organisation structure

Relationship with the Rest of the Group

Operating risks,

Sources of Business and Distribution

Outsourcing

Operations

IT Systems

FINANCIAL RISK,

Credit Risk

Market Risk

Insurance Underwriting Risk

Operational Risk

Liquidity Risk

Litigation/Legal Risk

MARKET STRUCTURE/ CONDUCT CONTROLS,

Membership Arrangements

Market Cleanliness

Clearing and Settlement Arrangements

CUSTOMER/PRODUCT CONTROLS,

Accepting Customers

Client Classification

Terms of Business and Client Agreements

Client Identification (AML)

Sales Process,

New Product Development and Approval

Sales Force Training

Sales Force Remuneration

KYC

Suitability

Product Disclosure

Financial Promotions

Post Sale Handling of Customers,

Dealing and Managing

Reporting

Switching Products

Switching Providers

Complaints Handling

Security of Client Assets

CORPORATE CONTROLS,

Risk Management

Credit Risk

Market Risk

Insurance Risk

Operational Risk

Liquidity Risk

Legal Risk

Methodology

Resources

Independence

Compliance

Policy

Methodology

Resources

Independence

Training and Competence

Record Keeping

Monitoring

Conflicts of interest

Market surveillance

Transaction Monitoring

Suspicious Transaction Monitoring and Reporting

Structured Products

Internal Audit,

Methodology

Resources

Independence

Financial Control,

Accounting Policies and Procedures

Financial and Regulatory Reporting

Independence

Operating Controls,

Policies and Procedures and Controls

Human Resources Controls

IT Controls

Business Continuity

MANAGEMENT GOVERNANCE AND CULTURE,

Management,

Quality of Management

Quality of Strategy

Succession Planning

Business Culture

Management Information

Corporate Governance

Relationship with Regulators

Priority Delivery,

Treating Customers Fairly

Reforming regulation of the retail market

Financial Capability

Improving transparency

Developing our approach to Fraud

Getting the best out of our staff

making us easier to do business with

increasing the effectiveness and transparency of enforcement work

improving the implementation of our risk based approach

Sectoral Risk,

Banking

Insurance

Retail Intermediaries

Asset Management

Capital Markets

Financial Crime

Financial Stability

Business Continuity

Consumer

Internal Risk,

People

Skills

Quantity

Turnover

Retention

Recruitment

Processes (non-IS),

Inadequacy

Not followed

Not comprehensive

Processes (IS),

Inadequacy

Availability

Dependency

Information,

Not sufficient

Lost

Vulnerable

Finance,

Accounting Policies and Procedures

Financial and Regulatory Reporting

Independence

Policies and Procedures and Controls

Audit

Methodology

Resources

Independence

Compliance

Data Protection

Freedom of Information

Health & Safety

Personnel

Conflicts of interest

Suspicious Transaction Monitoring and Reporting

Legal

Management,

Quality of Management

Quality of Strategy

Succession Planning

Business Culture

Management Information

Corporate Governance

Political Risk

Reputational Risk

Risk Management

Identification

Measurement

Monitoring

Control

External risks

Priorities

Sectors

Internal risks


Format of individual risk reports

• Controlling the risk process

Risk controls

• Must be set in the context of the organisation

– for example, devolved to business units in FSA

• Clear responsibilities set out in a Risk Charter

• Policies and Procedures set out

• Compliance with those policies checked

• Integration with budget and strategic planning ensures no gaps

• Independent challenge

• Transparent management information

• Provides assurance to all involved that decisions and process are fair


Challenge

• Assessment and risk mitigation programme are challenged by senior management

– for internal consistency

– for consistency with risk appetite

– against peer-groups


How risks are reported (simplified)

• Risk Identification & Assessment using FSA Frameworks

• Review and challenge at local business unit level

• Local management agree description and scoring/prioritisation of risks

• Central risk oversight review and challenge risks and compile a cross-FSA risk map (“The Dashboard”)

• Every 3 months, FSA senior management review and agree list of “Top Risks” and consider if additional resources should be applied to change mitigation efforts or timescales

• FSA Board receive regular reports on “Top 10” risks and progress

Example of an existing risk

What have we learnt so far?

• Staff tend to be risk-averse; tendency to over-score impact and probability unless challenged.

• Requiring clearer ownership of risks imposes better accountability and discipline.

• The only way to track mitigation effectively is to describe the risk and target outcome very specifically.

• Relies on adequate risk management skills and experience among staff to work.

• Evaluating and improving ARROW

Evaluation

• We believe that ARROW is at the forefront of supervisory best practice

– requests for technical assistance are high

– recent UK government reports such as Hampton and Arculus have praised our approach (compared with other UK regulators)

• Effective risk management is a journey and not a destination, so it needs to evolve:

– as our experience grows

– as our needs grow (e.g. from our recent adoption of Mortgage & General Insurance regulation)

– as our expectations grow

Risk management vision


ARROW’s evolutionary path

[Diagram: assessment models (Individual risk-based methods; Portfolio risk-based methods; Stress and scenario testing; Outcome-based models) set against the frameworks RATE, FIBSPAM; ARROW; ARROW 2.0; ARROW 2.5; ARROW 3 ?. An “X” marks the current position.]

Current improvements being implemented

• In implementing ARROW 2.0, we are making a variety of improvements to the risk framework and processes:

– making the processes less bureaucratic, and the supporting IT more user-friendly

– creating greater flexibility in how ARROW is applied (lighter approach to smaller risks / firms)

– facilitating greater knowledge-sharing (e.g. intelligence and analysis between front-line supervisors, sector analysts and experts on specific themes)

– making the firm and thematic frameworks more integrated

– improving the communication to firms of our assessment (e.g. giving them more information about our rating of them, along with peer group data to provide context)

– updating the metrics we use, so that they better reflect the FSA’s current priorities and views of risk

– upgrading the training and guidance we give our staff