Risk Management or Compliance?

Is risk management taking a back seat to compliance? Risk management frameworks are often seen as a lower priority than the specific activities associated with compliance.

In a busy commercial environment, it is easy to focus on complying with rules rather than implementing effective risk management. It is also easy to focus on a headline, and not read the whole article. Not reading the whole article can lead to surprises later on.

We observed this phenomenon recently in the FCA’s “safeguarding customers’ funds” short consultation of May 22nd. The consultation was as much about having an effective risk management framework as it was about safeguarding customers’ funds. There was a whole section on Prudential Risk Management.

Did the headline detract attention from the wider risk management message?

Perhaps it did. The FCA are constantly reminding firms that they must have effective risk management in place. If the compliance message is always the headline, firms will focus their attention on the compliance requirement rather than implementing effective risk management.

There has been much more activity from regulators on prudential risk management recently. Is this because the FCA believe that firms need reminding?

On June 11th, the FCA published some finalised guidance with the headline “assessing adequate financial resources”.

The whole guidance paper is about implementing effective risk management.

The finalised guidance provides clarification on what the FCA expects firms to do, and to have documented, in relation to effective risk management.

The FCA discuss risk management activities that may have been overlooked by firms in the past, such as “Reverse Stress Testing” and “Wind Down Planning”.

The finalised guidance FG 20/1 “Our framework: assessing adequate financial resources” is a short and informative read.

Since the beginning of 2020, the FCA have been busy gathering information from firms, publishing guidance, and clarifying their expectations. Is this because firms were only reading the headlines and looking for the minimum requirements?

We have all been asked at some point: “just send me a one pager on this”.

Recent events have exposed weaknesses in governance, risk management systems and controls and, in certain cases, a firm’s business model itself.

FG 20/1 may also be a precursor for a consultation paper on the new prudential regime for investment firms (or “IFR”) – a subject that we will be writing about later this week.

With respect to FG 20/1: what are the questions you should ask now?

  • Does your firm have a risk management framework which includes a clear risk appetite?
  • Does your firm appropriately and adequately identify the risks to which it is exposed?
  • How material is each risk?
  • How adequate are the systems and controls in place?
  • Has adequate use been made of stress testing in the risk assessment?
  • Does the risk assessment process meet the “use test” i.e. is it used day-to-day and for decision making?

Crucially, and based on the answers above:

  • Does your firm have adequate financial resources based on the risks to which it is exposed?
