1

1

The FSC’s Revised Risk-based Approach to SupervisionAssessing the risk of financial loss to the public presented by each regulated firm

3

What made us change?

� Need to identify the risks to the system more holistically

� Addressing the human failings of the previous methodology

� Lessons learnt from use of previous system� Independent review post Gibland/Marrache� Concentration towards lowest risk profile

due to previous scoring� Wanting greater differentiation to identify

higher risk firms

2

4

Reducing the burden of being regulated

Risk Management

Compliance Monitoring

5

The Risk Assessment Process

Off-site

Initial Profile

On-SiteFinal Profiling

Interfacing & Risk Mitigation

3

6

Off-site

7

Initial Profile

4

8

The FSC’s Regulatory Objectives

9

Risks to Objectives

5

10

What risks does a firm present to the FSC’s Regulatory Objectives?

11

Type of Firm

Prudential

Combination

Conduct of Business

6

12

What firm type are you?

Division\Type Prudential Conduct of Business

Combined approach

Auditors Audit Firms

Auditors

Banking & Investment

Services

BanksE-Money

MSBs MiFID Firms

Banks - MiFID

Fiduciary

Company Managers

Trustees

Funds and Pensions

Pension Schemes

CIS Managers (operators)

Funds

Insurance General

Insurance Companies

IMD firmsInsurance Managers

Life Insurance Companies

13

Prudential Risk Assessment

Prudential Requirements

Returns, Audited

Financial Statements,

MIS

Capital, Solvency, Liquidity, Financial

Performance

7

14

Conduct of Business Risk Assessment

Conduct of Business

Requirements

On-site testing/File Reviews

Mifid & IMD Obligations, AML/CFT, Advice & Services

15

Combined Risk Assessment

Prudential Requirements

Conduct of Business

Requirements

Combination Approach

8

16

Scoring Objective

OBJECTIVE : To determine the adequacy of the capital, funding and insurance cover in light of the current and future business plans of the firm.

17

Business RisksFinancial• To determine the

adequacy of the capital, funding and insurance cover in light of the current and future business plans of the firm.

Environment• To determine

what operational and other market risks the firm is subjecting itself in carrying out its business plan.

Business• To determine

where the current and future risks lie in a firm’s business plan, products and strategy.

9

18

Business RisksFinancial• Capital• Liquidity• Earnings• Insurance

Environment• Group• Legal• Operational• Market• Underwriting• Credit

Business• Strategy• Customers• Sources &

Distribution• Products &

Services

19

Control RisksControls• To determine the

control environment of a firm and management’s ability to put into place proper oversight procedures.

Organisation• To determine if the

legal ownership structure and/or passporting of services of the firm provides any impediments to the supervision of the firm.

Management• To determine if the

firm’s corporate governance arrangements and management are adequate for the nature, size and complexity of the firm.

10

20

Control RisksControls• Compliance,

Audit & Risk Management

• Conduct of Business

• Operations• Control

Environment

Organisation• Multiple Activity

Groups• Branches &

Subsidiaries• Ownership

Management• Quality of

Management• Corporate

Governance

21

Risks to Objectives

Financial Failure (FF)

The risk to the market confidence, systemic risk, p rotection of the good reputation of Gibraltar and protection of consumers objectives arising from the insolvency or illiquidity of a firm. For high impact firms this may also include financial losses that, whilst short of causing failure, can still adversely affect market confidence. This can also lead to direct financial loss to the public.

Misconduct and /or mismanagement (MM)

The risk to the protection of the good reputation o f Gibraltar, protection of consumers and market confidence objectives of mis-selling or mishandling of products/services by firms, of inappropriate behaviour by firms or mismanagement of their operations. This can also lead to direct financial loss to the public.

Consumer understanding (CU)

The risk to the protection of consumers and public awareness objectives arising from possible lack of understanding by consumers of products/services bought from or provided by firms. This can also lead to direct financial loss to the public.

Fraud or dishonesty (F)

The risk to the protection of the good reputation o f Gibraltar, reduction of financial crime and market confidence objectives of the incidence of fraud or dishonesty – either within firms, or by external parties defrauding firms. This can also lead to direct financial loss to the public.

Market Abuse (MA)

The risk to the protection of the good reputation o f Gibraltar , reduction of financial crime, protection of consumers and market confidence objectives of market abuse conducted by firms or by clients through firms.

Money laundering/ Terrorist Financing (ML)

The risk to the protection of the good reputation o f Gibraltar, reduction of financial crime and market confidence objectives of money laundering/terrorist financing conducted through firms.

11

22

FF MM CU F MA ML

Financial Soundness, Liquidity and Capital

Adequacy of Capital ���� ���� ����

Liquidity ���� ����

Earning ���� ����

Insurance ����

EnvironmentCredit Risk ���� ����

Insurance Underwriting Risk ���� ���� ����

Market Risk ���� ���� ����

Operational Risk ���� ���� ���� ����

Legal Risk ���� ���� ���� ����

Group Risk ���� ����

Business PlanStrategy ���� ���� ����

Types of Customer ���� ���� ���� ����

Types of Products/Services ���� ���� ���� ����

Sources of Business & Distribution ���� ���� ���� ���� ����

23

FF MM CU F MA ML

Controls

Human Resources ���� ���� ���� ���� ����

IT ���� ���� ���� ����

Management Information Systems ���� ���� ���� ����

Business Continuity ����

Internal Audit ���� ���� ����

Outsourcing ���� ���� ���� ���� ����

Acceptance of and Disclosure to Customers ���� ���� ���� ����

Advising, Dealing and Managing ���� ���� ����

Security of customer monies/assets ���� ����

Compliance Arrangements ���� ���� ���� ���� ����

Anti-Money Laundering Controls ���� ���� ����

Risk Management ���� ���� ���� ���� ����

External Auditors ����

Actuaries ���� ����

Organisation

Ownership ����

External Branches & Subsidiaries ���� ���� ����

Multiple Activity Groups ���� ���� ���� ����

Management

Quality of Management ���� ���� ���� ���� ���� ����

Corporate Governance ���� ���� ���� ���� ���� ����

12

24

Scoring Risk Elements

Perceptiblehighly likely in 12 months

Probable50% probability

Possiblereasonable chance

Negligiblelittle likelihood

Score

5.0

3.0

1.75

1.0

Not Applicable

Crystallised

25

Maxing Out

Risk Element Scoring

1.75

5.00

3.00

N/a

Max Score = 5.00

13

28

How risk types are weighted according to type of firm

Risk Type\ Firm Type Prudential Conduct of Business

Combined approach

60% 10% 40%

30% 20% 20%

10% 70% 40%

40% 60% 45%

10% 10% 10%

50% 30% 45%

Financial

Environment

BusinessBus

ines

s R

isks

Controls

Organisation

ManagementCon

trol

Ris

ksWeights are representative of the major risk types applicable to the firm type.

35

Obtaining a Risk Profile

Max Score Weight % Weighted Score

1.75 10% 0.175

5.0 20% 1.000

3.0 70% 2.100

Total 3.275

Max Score Weight % Weighted Score

5.0 60% 3.000

1.0 10% 0.100

1.0 30% 0.300

Total 4.300

Impact

X 2.90 = 9.4975 Business Risk Score

X 2.90 = 12.470 Control Risk Score

Financial

Environment

Business

Bus

ines

s R

isks

Controls

Organisation

Management

Con

trol

Ris

ks

14

31

Impact

50%

20%

15%

15%

Impact Weighting

Size Experience Product Types Client Monies/Assets Held

34

Impact

High (5) Medium High (3)

Medium Low (1.75)

Low (1) ImportanceWeighting Value Score

Size High Medium High

Medium Low Low 50% 3 1.50

Customer Experience

General Public

Mixed -Professional / Captive /

Experienced20% 1 0.20

Product Types

Investment / Banking

FiduciaryFund

Adminis-trator

Protection / Other 15% 3 0.45

Client Assets / Monies

held

Controlling - Holding None 15% 5 0.75

Impact Score 2.90

15

36

What we have changed

37

A risk profile

Bu

sin

ess R

isk

s

Control Risks

10 15 20 25

10

15

20

25

Low

Monitoring

&/or

Remediation

Low Monitoring

& Medium

Remediation

Medium

Monitoring &

High

Remediation

High

Monitoring &

High

RemediationHigh Monitoring

& Medium

Remediation

Medium

Monitoring &

Low

Remediation

Bu

sin

ess R

isk

s

Control Risks

10 15 20 25

10

15

20

25

Low

Monitoring

&/or

Remediation

Low Monitoring

& Medium

Remediation

Medium

Monitoring &

High

Remediation

High

Monitoring &

High

RemediationHigh Monitoring

& Medium

Remediation

Medium

Monitoring &

Low

Remediation

9.4975

12.47

16

38

When a risk is crystallised

Bu

sin

ess R

isk

s

Control Risks

10 15 20 25

10

15

20

25

Low

Monitoring

&/or

Remediation

Low Monitoring

& Medium

Remediation

Medium

Monitoring &

High

Remediation

High

Monitoring &

High

RemediationHigh Monitoring

& Medium

Remediation

Medium

Monitoring &

Low

Remediation

Bu

sin

ess R

isk

s

Control Risks

10 15 20 25

10

15

20

25

Low

Monitoring

&/or

Remediation

Low Monitoring

& Medium

Remediation

Medium

Monitoring &

High

Remediation

High

Monitoring &

High

RemediationHigh Monitoring

& Medium

Remediation

Medium

Monitoring &

Low

Remediation

When a risk element is scored as CRYSTALISED, • the Total Business

or Control Risk is multiplied by 3 and

• capped to 25 after impact

In this example say a Business Risk Element is scored as Crystallised;9.4975X3=28.4925Capped = 25

39

On-site

17

40

Prior to an on-site

Determine the expected duration of the on-site visit

Arrange with the firm mutually convenient dates for the on-site to take effect

Provide the firm with a formal agenda which will: • List all the risks that it wishes to discuss• Identify any individuals that the FSC wishes to speak with on any of the matters • Allow the firm’s Senior Management to invite to the meeting any other person it

feels would contribute to the on-site • Provide a list of any additional document or information that it may wish to

review

41

Post on-site

Summarise the areas reviewed by the FSC team

Invite the Senior Management of the firm to provide input to the team on areas which they wish to add to the risk assessment

Invite the firm to provide any feedback on the process

18

42

Final Profiling

43

Risk Mitigation-Fit for Purpose

19

44

Mitigation Tools

Bu

sin

ess R

isk

s

Control Risks

Bu

sin

ess R

isk

s

Control Risks

Control Risk Score

Supervisory Visit

Focused Visit

Skilled Persons

Branch Visit

45

To avoid seeing more of the FSC

Bu

sin

ess R

isk

s

Control Risks

Bu

sin

ess R

isk

s

Control Risks

Bus

ines

s R

isk

Sco

re

Frequency of FSC

Prudential & Other

Interfacing

20

46

Formal Feedback

Address the outstanding risks identified in the assessment.

• Including Identify any areas to be covered by a reporting accountants’/skilled persons’ review, and the timescales by which these should be carried out.

Set out the interfacing between the FSC and the firm

Provide the firm with its Risk Profile.

Establish the length of the supervisory cycle

47

Helping yourselves to an easier life

� Mitigate the risks most likely to lead to a higher risk score

� Lower your impact score by changing your profile� Avoid having risks that crystallise

21

48

Same firms, new scores

49

New Distribution of Risk Profiles