
COSRA / IARC Conference

Cartagena, 2 September 2005

Risk-based regulation in the UK

Joe Traynor & Mike O'Hagan


Finance, Strategy & Risk Division,
UK Financial Services Authority

Agenda

- What a risk-based approach means in theory
- Why a risk-based approach
- The UK FSA's methodology: the ARROW risk framework
- Current developments in ARROW

What a risk-based approach means in theory

Risk Management in the financial services industry


- Aims vary, but are usually a combination of protecting reputation, brand, earnings or capital. Its Board will agree its risk appetite (e.g. aggressive, conservative).
- The firm should identify the risks to its aims (e.g. to capital or profitability) and their causes: credit, market, operational, etc.
- It will use an agreed method of measuring that risk: loan grading, value at risk, etc.
- Primary risk managers are the business people who are closest to the risk: relationship managers, traders, settlement staff, etc.
- Information is produced to help monitor risks.
- The level of risk taking is controlled through limits, delegated authority, etc.
- Independent risk management provides challenge.

WHAT WE ARE SEEKING TO ACHIEVE


Principles of Risk Management in UK FSA
- Primary aim is to achieve our statutory objectives.
- The Board agrees our risk appetite by approving our budget and our risk policies in respect of that budget.
- We identify the risks to our statutory objectives and their causes: financial failure, misconduct, market abuse, etc.
- We use an agreed method of measuring that risk: impact and probability, etc.
- Our primary risk managers are the business people who are closest to the risk: firm relationship managers, operations, investment priority owners, etc.
- Information is produced to help management monitor risks.
- The level of risk taking is controlled through budgets, policies, delegated authority, etc.
- Independent risk management provides challenge.

WHAT WE ARE SEEKING TO ACHIEVE


Our Risk Management Mission
To deliver an integrated approach to risk and resource management that
enables us to manage our portfolio of risk and our resources in a dynamic
way, consistent with industry best practice.

The ARROW framework


ARROW is the framework that the FSA uses to measure risk and decide on appropriate responses. It not only provides the risk metrics, but also specifies the processes we use to identify, record, analyse and mitigate risks.

It has two components:
- the firm framework (used when assessing risks in individual firms); in ARROW, we call this "vertical" supervision; and
- the consumer and industry-wide framework (used when assessing cross-cutting risks: those involving a number of firms, or relating to the market as a whole); we term this "thematic" or "horizontal" work.

Risk Management Stages

[Figure: risk management cycle. Stages shown: Decision to be Risk Based; Set a Risk Context; Set Risk Appetite; Risk Identification; Risk Measurement; Risk Mitigation; Risk Monitoring and Reporting; Risk Control. Label: "Included in ARROW".]

Why use a risk-based approach?

- Finite resources available: never possible to do everything.
- This leads to a non-zero failure approach (with a corresponding risk appetite).
- We therefore need a mechanism for prioritising our work:
  - focusing our efforts on the greatest risks
  - bear in mind tractability of issues (biggest bang for our buck)
- Other factors made the risk-based approach necessary (but difficult to implement) in the UK FSA:
  - variety of cultures / backgrounds (requires consistency of resource and action decisions)
  - very broad scope of our regulatory remit (wide ranging statutory objectives and diversity of sectors regulated)

Why use a risk-based approach? (cont'd)

Implications and benefits of the risk-based approach:

- focus on risks to our objectives (and on relevant outcomes)
- sound, consistent basis for justifying our approach and actions
- builds in a proportionate response
- "peace dividend" for well-behaved areas/firms, so they see the benefit of compliance
- provides a measure of success in a not-for-profit enterprise: risk / harm to our objectives is our currency

Why use a risk-based approach? (cont'd)

We believe that, in reality, every regulator adopts a risk-based approach:

- none has infinite resource, so we all have to make choices about optimum deployment; this is essentially what risk-based regulation is all about;
- even those with a low tolerance for risk (e.g. visiting all firms every year) must still decide how intensive their response to each firm should be;
- at some level, these decisions will be based on the level of risk;
- the main difference between those who claim to be risk-based (like the FSA) and those that do not is the extent to which we attempt to apply an explicit, consistent framework to these decisions, and the level of pro-active work undertaken to prevent harm occurring before the event.

Setting a risk context

Risk context

- Need to define a concept of harm or failure.
- Risk is then comprised of the probability and size of the harm.
- More positively, there are also opportunities to improve on situations.

The FSA context

Risk is defined as risks to our four statutory objectives (set out in the Act of Parliament which established the FSA in 2000):

- maintaining confidence in the Financial System;
- promoting public understanding of the financial system;
- securing the appropriate degree of protection for consumers; and
- reducing the extent to which it is possible to commit financial crime.

But these statutory objectives are too broad for effective day-to-day management, so a number of channels for risks have been identified.

Risk channels

External:
- Financial failure of firms
- Misconduct and mismanagement by firms
- Consumer understanding
- Financial fraud
- Market abuse
- Money laundering
- Market quality

Internal:
- Delivery of FSA's Strategic Priorities
- FSA's reputation
- Economy and efficiency of FSA's operations

Setting risk appetite

WHAT IS RISK APPETITE?

"Risk appetite, at the organisational level, is the amount of risk that an organisation is prepared to accept, tolerate, or be exposed to at any point in time." (The Orange Book, HM Treasury, 2004)

It is underpinned by:

- a concept of risk that is shared across the organisation, bringing risk-based decision-making to individual processes;
- an agreed system of measuring risks across the risk universe;
- genuine risk-based resourcing (whether measured in human, skill, technology or cash terms);
- accountability: clear articulation about the action that is to be taken and by whom once risk thresholds have been breached. This will result in risk being escalated (and accountability transferred up the organisation).

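RISK APPETITE (FIRM RISKS)

Response for each combination of impact (High, Medium High, Medium Low, Low) and probability (Low, Medium Low, Medium High, High, Crystallised):

Impact: High
- Probability Low: No mitigation; Close & Continuous monitoring
- Probability Medium Low: Justify mitigation; Enhanced monitoring
- Probability Medium High: Mitigation (justify inaction); Watchlist; Upward escalation
- Probability High: Mitigation; High intensity watchlist; Upward escalation
- Crystallised: Remediation; High intensity watchlist; Upward escalation

Impact: Medium High
- Probability Low: No action; Baseline monitoring
- Probability Medium Low: Justify mitigation; Monitoring
- Probability Medium High: Mitigation (justify inaction); Watchlist; Upward escalation
- Probability High: Mitigation; High intensity watchlist; Upward escalation
- Crystallised: Remediation; High intensity watchlist; Upward escalation

Impact: Medium Low
- Probability Low: No Action; Baseline monitoring
- Probability Medium Low: Justify mitigation; Monitoring
- Probability Medium High: Mitigation (justify inaction); Monitoring
- Probability High: Mitigation; Watchlist; Upward escalation
- Crystallised: Remediation; Watchlist; Upward escalation

Impact: Low
- Probability Low: No Action; Baseline monitoring
- Probability Medium Low: No Action; Baseline monitoring
- Probability Medium High: No Action; Baseline monitoring
- Probability High: Thematic mitigation; Baseline monitoring
- Crystallised: Remediation; Baseline monitoring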

Risk identification

- The first stage in the risk cycle
  - where risks enter our perceived portfolio
- Essentially intelligence-gathering (either through discrete actions or continuous monitoring)
- Many sources (see next slide)
- Key issues around identification:
  - are the available sources sufficient? (gaps / overlaps)
  - do the different sources represent a coherent picture?
  - is the knowledge shared properly? (e.g. risks identified in one area, say an individual firm, passed on to others, say a sector team); consistent recording mechanisms? consistent standards? (types / measures of risk)

Risk identification (cont'd)

FSA tools for identifying risk:

Supervision of firms
- Visits to firms (either as part of a supervisory assessment, enforcement action, or other)
- Information provided by firms (either on FSA request or firm's initiative)
- Monitoring of returns and similar data, and transaction monitoring
- Information provided by others (e.g. Financial Ombudsman, overseas regulators, external auditors)

Thematic work
- Project work
- Retail intelligence
- Market monitoring
- Other external sources (e.g. press, other regulators, analysts, trade bodies and special-interest groups)

Measuring Risk

Risk Measurement

The Challenges facing Every Risk Manager

- Wide range of types of risk
  - external or internal
- Different size "footprint" for risks
  - widespread or local
  - specific to one firm type or generalised
  - short term or longer
- Too many risks!
  - how to prioritise; how to categorise consistently and avoid duplication

FSA response to the Size challenge

[Diagram: three linked boxes: PRIORITY for the FSA; IMPACT of the problem if it occurs; PROBABILITY of the problem occurring.]

IMPACT: factors may include:
- Size of firm
- No. of retail consumers
- Perceived importance

PROBABILITY: factors may include:
- Business Risk
- Control Measures
- Consumer risk

Impact and probability: FSA's response

- Scoring of impact and probability is subjective
  - but subject to challenge and control (see later)

Impact scale: High; Medium-high; Medium-low; Low

Probability scale: Crystallised; High; Medium-high; Medium-low; Low

FSA: impact and probability scoring

- Relatively high-level scoring approach, based on supervisory judgement
- Advantages
  - flexible
  - quick to implement
  - draws on expertise
  - easily understood
  - not spuriously accurate
- Drawbacks
  - subjective
  - needs effective challenge
  - dependent on good experience
  - may not provide much differentiation

[Figure: grid of impact (Low, Med. Low, Med. High, High) against probability (Low, Med. Low, Med. High, High, Crystallised), with a region labelled "Priority risks".]

Firm risk assessment: risk groups

Business risks
- Strategy
- Market, credit, insurance and operational risk
- Financial soundness
- Nature of customers, products and services

Control risks
- Treatment of customers
- Organisation
- Systems and controls
- Board, management and staff
- Compliance culture

Firm risk assessment: process

- Begins with requests for standard information from firm (e.g. internal audit and compliance reports)
- Analysis of this information, along with sectoral and environmental factors and previous experience of the firm, leads to work plan for on-site visit.
- Visit generally consists of a series of interviews with key staff and management. Very little review of documentation (e.g. client files).
- During visit, information gaps are filled, and issues identified during planning are followed up. Further issues may also be identified.
- The assessment is then written up, with both the individual issues identified and the whole firm being scored.

Firm risk assessment: results

[Figure: blank scoring grid. Columns (risk channels): Financial failure; Misconduct / mismanagement; Consumer understanding; Fraud & dishonesty; Market abuse; Money laundering; Market quality. Rows: Strategy; Market, Credit & Op; Financial soundness; Customers / products; TOTAL BUSINESS RISK; Treatment of customers; Organisation; Systems & controls; Board, Management; Culture; TOTAL CONTROL RISK; NET PROBABILITY. Also labelled with the statutory objectives: Market confidence; Consumer protection; Public awareness; Financial crime.]

Risk mitigation

- The most important stage in the risk cycle
  - the only one that actually makes any difference to the outside world!
- Identification and assessment stages are (only) means of deciding whether and what mitigation to put in place (not ends in themselves)
- Reduction in risk may be by reduced impact or (more likely) reduced probability of harm; should have a target / acceptable level of risk
- Key issues around mitigation:
  - need to be clear about actions which actually reduce risk (rather than giving us more information about risk)
  - actions must be proportionate and effective use of both FSA resource and that of others (e.g. firms); should relate to the change in risk that can be achieved
  - measuring effectiveness of mitigation

Risk mitigation (cont'd)

FSA tools for mitigating risk:

Supervision of firms
- Improvements in controls, or reduction in business risk, or increased capital held, all in relation to an individual firm (either requested by supervisory team, or mandated through enforcement, or in cooperation with other regulators)

Thematic work
- Improvements in controls, business risk or capital in multiple firms (either requested through (e.g.) Dear CEO Letters or mandated through rule changes)
- Wider efforts to improve fin. markets (e.g. consumer education), either FSA-only or in cooperation with other bodies

From measurement to mitigation

Risks are assessed from low to high:

- low: no mitigation required
- medium-low: no mitigation expected, reason required if in place
- medium-high: mitigation expected, reason required if not in place
- high: mitigation required

Presentation of risks

[Figure: grid of impact (Low, Medium-low, Medium-high, High) against probability (Low, Medium-low, Medium-high, High, Crystallised), with points labelled "Risk Today" and "Target Level" and the label "Mitigation".]

Monitoring and reporting risks

Risks: monitoring and reporting

- Regular reviews necessary to:
  - update list of identified issues and scoring
  - monitor progress on mitigation
  - allow FSA management to take strategic decisions
- Balance between levels of detail
  - enough to assess effectiveness
  - ensure key facts and direction are clear

Presentation of risks

[Figure: grid of impact (Low, Medium-low, Medium-high, High) against probability (Low, Medium-low, Medium-high, High, Crystallised), with points labelled "Initial Risk", "Risk Today" and "Target Level".]

Classification of Risks
Succession Planning

ENVIRONMENTAL RISK,

CUSTOMER/PRODUCT CONTROLS, Compliance

Economic Environment

Accepting Customers

Policy

Legislative/Political Risk

Client Classification

Methodology

Competition Risk

Terms of Business and Client


Agreements

Resources

Client Identification (AML)

Training and Competence

Sales Process,

Record Keeping

New Product Development and


Approval

Monitoring

Reforming regulation of the


retail market

Conflicts of interest

Financial Capability

Market surveillance

Improving transparency

Transaction Monitoring

Developing our approach to


Fraud

Capital Market Efficiency


CUSTOMER/PRODUCT RISKS,
Type of Customer
Consumer Knowledge
Product/Service Characteristics
BUSINESS MODEL RISK,
Structure & Ownership
Nature of owners
Organisation structure
Relationship with the Rest of the
Group
Operating risks,
Sources of Business and Distribution
Outsourcing
Operations
IT Systems
FINANCIAL RISK,
Credit Risk
Market Risk
Insurance Underwriting Risk
Operational Risk
Liquidity Risk
Litigation/Legal Risk
MARKET STRUCTURE/ CONDUCT
CONTROLS,

Sales Force Training


Sales Force Remuneration
KYC

Independence

Suitability

Suspicious Transaction
Monitoring and Reporting

Product Disclosure

Structured Products

Financial Promotions

Internal Audit,
Post Sale Handling of Customers, Methodology
Dealing and Managing
Resources
Reporting

Independence

Switching Products

Financial Control,

Switching Providers

Accounting Policies and


Procedures

Complaints Handling
Security of Client Assets
CORPORATE CONTROLS,
Risk Management
Credit Risk

Financial and Regulatory


Reporting
Independence
Operating Controls,

Business Culture
Management Information
Corporate Governance
Relationship with Regulators
Priority Delivery,
Treating Customers Fairly

Retention
Recruitment
Processes (non-IS),
Inadequacy
Not followed
Not comprehensive
Processes (IS),
Inadequacy
Availability
Dependency
Information,
Not sufficient

Getting the best out of our staff

Lost

making us easier to do business


with

Vulnerable

increasing the effectiveness and


transparency of enforcement
work
improving the implementation of
our risk based approach
Sectoral Risk,
Banking
Insurance
Retail Intermediaries
Asset Management
Capital Markets

Market Risk

Policies and Procedures and


Controls

Insurance Risk

Human Resources Controls

Financial Stability

Operational Risk

IT Controls

Business Continuity

Liquidity Risk

Business Continuity

Consumer

Financial Crime

Finance,

Quality of Management
Quality of Strategy
Succession Planning
Business Culture
Management Information
Corporate Governance
Political Risk
Reputational Risk
Risk Management
Identification
Measurement
Monitoring
Control

Accounting Policies and


Procedures
Financial and Regulatory
Reporting

External risks

Independence
Policies and Procedures and
Controls
Audit

Priorities

Methodology
Resources
Independence

Sectors

Compliance
Data Protection
Freedom of Information
Health & Safety

Membership Arrangements

Legal Risk

Market Cleanliness

Methodology

MANAGEMENT GOVERNANCE
AND CULTURE,

Internal Risk,

Clearing and Settlement


Arrangements

Resources

Management,

Skills

Independence

Quality of Management

Quantity

Suspicious Transaction
Monitoring and Reporting

Quality of Strategy

Turnover

Legal

People

Management,

Internal risks

Personnel
Conflicts of interest


Format of individual risk reports

Controlling the risk process

Risk controls

- Must be set in the context of the organisation
  - for example, devolved to business units in FSA
- Clear responsibilities set out in a Risk Charter
- Policies and Procedures set out
- Compliance with those policies checked
- Integrated with budget and strategic planning: ensures no gaps
- Independent challenge
- Transparent management information
- Provides assurance to all involved that decisions and process are fair

Challenge

Assessment and risk mitigation programme are challenged by senior management:

- for internal consistency
- for consistency with risk appetite
- against peer-groups

How risks are reported (simplified)


1. Risk Identification & Assessment using FSA Frameworks
2. Review and challenge at local business unit level. Local management agree description and scoring/prioritisation of risks
3. Central risk oversight review and challenge risks and compile a cross-FSA risk map ("The Dashboard")
4. Every 3 months, FSA senior management review and agree list of Top Risks and consider if additional resources should be applied to change mitigation efforts or timescales
5. FSA Board receive regular reports on Top 10 risks and progress

Example of an existing risk


What have we learnt so far?

- Staff tend to be risk-averse; tendency to overscore impact and probability unless challenged.
- Requiring clearer ownership of risks imposes better accountability and discipline.
- The only way to track mitigation effectively is to describe the risk and target outcome very specifically.
- Relies on adequate risk management skills and experience among staff to work.

Evaluating and improving ARROW

Evaluation

- We believe that ARROW is at the forefront of supervisory best practice
  - requests for technical assistance are high
  - recent UK government reports such as Hampton and Arculus have praised our approach (compared with other UK regulators)
- Effective risk management is a journey and not a destination, so it needs to evolve:
  - as our experience grows
  - as our needs grow (e.g. from our recent adoption of Mortgage & General Insurance regulation)
  - as our expectations grow

Risk management vision


ARROW's evolutionary path

[Figure: evolutionary path. Framework labels: ARROW; RATE, FIBSPAM; ARROW 2.0; ARROW 2.5; ARROW 3 ?. Method labels: Assessment models; Individual risk-based methods; Portfolio risk-based methods; Stress and scenario testing; Outcome-based models. Marker: "X Current position".]

Current improvements being implemented


In implementing ARROW 2.0, we are making a variety of improvements to the risk framework and processes:

- making the processes less bureaucratic, and the supporting IT more user-friendly
- creating greater flexibility in how ARROW is applied (lighter approach to smaller risks / firms)
- facilitating greater knowledge-sharing (e.g. intelligence and analysis between front-line supervisors, sector analysts and experts on specific themes)
- making the firm and thematic frameworks more integrated
- improving the communication to firms of our assessment (e.g. giving them more information about our rating of them, along with peer group data to provide context)
- updating the metrics we use, so that they better reflect the FSA's current priorities and views of risk
- upgrading the training and guidance we give our staff
