Post on 22-Jan-2016
COSRA / IARC Conference, Cartagena, 2 September 2005
Risk-based regulation in the UK
Joe Traynor & Mike O’Hagan
Finance, Strategy & Risk Division, UK Financial Services Authority
Agenda
• What a risk-based approach means in theory
• Why a risk-based approach
• The UK FSA’s methodology – the “ARROW” risk framework
• Current developments in ARROW
• What a risk-based approach means in theory
Risk Management in the financial services industry
• Aims vary, but usually a combination of protecting reputation, brand, earnings or capital. Its Board will agree its risk appetite – (e.g. aggressive, conservative)
• The firm should identify the risks to their aims (e.g. to capital or profitability) and their causes – credit, market, operational, etc.
• It will use an agreed method of measuring that risk – loan grading, value at risk, etc.
• Primary risk managers are the business people who are closest to the risk – relationship managers, traders, settlement staff, etc.
• Information is produced to help monitor risks
• The level of risk taking is controlled – through limits, delegated authority, etc.
• Independent risk management provides challenge
WHAT WE ARE SEEKING TO ACHIEVE
Principles of Risk Management in UK FSA
• Primary aim is to achieve our statutory objectives.
• The Board agrees our risk appetite by approving our budget and our risk policies in respect of that budget
• We identify the risks to our statutory objectives and their causes – financial failure, misconduct, market abuse etc
• We use an agreed method of measuring that risk – impact and probability etc
• Our primary risk managers are the business people who are closest to the risk – firm relationship managers, operations, investment priority owners etc
• Information is produced to help management monitor risks
• The level of risk taking is controlled – through budgets, policies, delegated authority etc
• Independent risk management provides challenge
WHAT WE ARE SEEKING TO ACHIEVE
To deliver an integrated approach to risk and resource management that enables us to manage our portfolio of risk and our resources in a dynamic way, consistent with industry best practice.
Our Risk Management Mission
The “ARROW” framework
• “ARROW” is the framework that the FSA uses to measure risk and decide on appropriate responses. It not only provides the risk metrics, but also specifies the processes we use to identify, record, analyse and mitigate risks.
• It has two components:
• the firm framework (used when assessing risks in individual firms); in ARROW, we call this “vertical” supervision; and
• the consumer and industry-wide framework (used when assessing cross-cutting risks – those involving a number of firms, or relating to the market as a whole); we term this “thematic” or “horizontal” work.
Risk Management Stages
[Diagram: the risk management stages: Decision to be Risk Based; Set a Risk Context; Set Risk Appetite; Risk Identification; Risk Measurement; Risk Mitigation; Risk Monitoring and Reporting; Risk Control. A subset of the stages is labelled “Included in “ARROW””.]
• Why use a risk-based approach?
Why use a risk-based approach?
• Finite resources available – never possible to do everything
• This leads to a non-zero failure approach (with a corresponding risk appetite)
• We therefore need a mechanism for prioritising our work:
– focusing our efforts on the greatest risks
– bear in mind tractability of issues (“biggest bang for our buck”)
• Other factors made the risk-based approach necessary (but difficult to implement) in the UK FSA:
• variety of cultures / backgrounds (requires consistency of resource and action decisions)
• very broad scope of our regulatory remit (wide ranging statutory objectives and diversity of sectors regulated)
Why use a risk-based approach? (cont’d)
• Implications and benefits of the risk-based approach:
• focus on risks to our objectives (and on relevant outcomes)
• sound, consistent basis for justifying our approach and actions
• builds in a proportionate response
– “peace dividend” for well-behaved areas/firms – so they see the benefit of compliance
• provides a measure of success in a not-for-profit enterprise – risk / harm to our objectives is our currency
Why use a risk-based approach? (cont’d)
• We believe that, in reality, every regulator adopts a risk-based approach:
• none has infinite resource, so we all have to make choices about optimum deployment – this is essentially what risk-based regulation is all about;
• even those with a low tolerance for risk (e.g. visiting all firms every year) must still decide how intensive their response to each firm should be;
• at some level, these decisions will be based on the level of risk; the main difference between those who claim to be risk-based (like the FSA) and those that do not is the extent to which we attempt to apply an explicit, consistent framework to these decisions, and the level of pro-active work undertaken to prevent harm occurring before the event.
• Setting a risk context
Risk context
• Need to define a concept of “harm” or failure.
• Risk is then comprised of the probability and size of the harm.
• More positively, there are also opportunities to improve on situations.
The FSA context
• Risk is defined as risks to our four statutory objectives (set out in the act of parliament which established the FSA in 2000):
– maintaining confidence in the Financial System;
– promoting public understanding of the financial system;
– securing the appropriate degree of protection for consumers; and
– reducing the extent to which it is possible to commit financial crime.
• But these statutory objectives are too broad for effective day to day management, so a number of channels for risks have been identified.
Risk channels
• External
· Financial failure of firms
· Misconduct and mismanagement by firms
· Consumer understanding
· Financial fraud
· Market abuse
· Money laundering
· Market quality
• Internal
· Delivery of FSA’s Strategic Priorities
· FSA’s reputation
· Economy and efficiency of FSA’s operations
• Setting risk appetite
WHAT IS RISK APPETITE?
“Risk appetite, at the organisational level, is the amount of risk that an organisation is prepared to accept, tolerate, or be exposed to at any point in time.” (“The Orange Book” HM Treasury, 2004)
It is underpinned by:
• a concept of risk that is shared across the organisation
– bringing risk-based decision-making to individual processes;
• an agreed system of measuring risks across the risk universe
• genuine risk-based resourcing (whether measured in human, skill, technology or cash terms)
• accountability – clear articulation about the action that is to be taken and by whom once risk thresholds have been breached. This will result in risk being escalated (and accountability transferred up the organisation).
RISK APPETITE (FIRM RISKS)
[Matrix: Impact (Low, Medium Low, Medium High, High) against Probability (Low, Medium Low, Medium High, High, Crystallised). Each cell lists the response for that combination, drawn from: No action; Baseline monitoring; Monitoring; Enhanced monitoring; “Close & Continuous” monitoring; No mitigation; Justify mitigation; Mitigation (justify inaction); Mitigation; Thematic mitigation; Remediation; Watchlist; High intensity watchlist; Upward escalation.]
• Risk identification
Risk identification
• The first stage in the risk cycle
– where risks enter our perceived portfolio
• Essentially intelligence-gathering (either through discrete actions or continuous monitoring)
• Many sources – see next slide
• Key issues around identification:
– are the available sources sufficient? (gaps / overlaps)
– do the different sources represent a coherent picture?
– is the knowledge shared properly? (e.g. risks identified in one area – say an individual firm – passed on to others – say a sector team); consistent recording mechanisms? consistent standards? (types / measures of risk)
Risk identification (cont’d)
• FSA tools for identifying risk:
Supervision of firms
• Visits to firms (either as part of a supervisory assessment, enforcement action, or other)
• Information provided by firms (either on FSA request or firms’ initiative)
• Monitoring of returns and similar data, and transaction monitoring
• Information provided by others (e.g. Financial Ombudsman, overseas regulators, external auditors)
Thematic work
• Project work
• Retail intelligence
• Market monitoring
• Other external sources (e.g. press, other regulators, analysts, trade bodies and special-interest groups)
• Measuring Risk
Risk Measurement
• The Challenges facing Every Risk Manager
• Wide range of types of risk
– external or internal
• Different size “footprint” for risks
– widespread or local
– specific to one firm type or generalised
– short term or longer
• Too many risks!
– how to prioritise; how to categorise consistently and avoid duplication
FSA response to the Size challenge
PRIORITY for the FSA = IMPACT of the problem if it occurs × PROBABILITY of the problem occurring
IMPACT – factors may include:
• Size of firm
• No. of retail consumers
• Perceived importance
PROBABILITY – factors may include:
• Business Risk
• Control Measures
• Consumer risk
Impact and probability – FSA’s response
• Scoring of impact and probability is subjective – but subject to challenge and control (see later)
Impact
High
Medium-high
Medium-low
Low
Probability
Crystallised
High
Medium-high
Medium-low
Low
FSA: impact and probability scoring
• Advantages
– flexible
– quick to implement
– draws on expertise
– easily understood
– not spuriously accurate
• Drawbacks
– subjective
– needs effective challenge
– dependent on good experience
– may not provide much differentiation
[Figure: grid of Impact (Low, Med. Low, Med. High, High) against Probability (Low, Med. Low, Med. High, High, Crystallised), with a region marked “Priority risks”.]
Relatively high-level scoring approach, based on supervisory judgement
Firm risk assessment – risk groups
Business risks
• Strategy
• Market, credit, insurance and operational risk
• Financial soundness
• Nature of customers, products and services
Control risks
• Treatment of customers
• Organisation
• Systems and controls
• Board, management and staff
• Compliance culture
Firm risk assessment process
• Begins with requests for standard information from firm (e.g. internal audit and compliance reports)
• Analysis of this information, along with sectoral and environmental factors and previous experience of the firm, leads to work plan for on-site visit.
• Visit generally consists of a series of interviews with key staff and management. Very little review of documentation (e.g. client files).
• During visit, information gaps are filled, and issues identified during planning are followed up. Further issues may also be identified.
• The assessment is then written up, with both the individual issues identified and the whole firm being scored.
Firm risk assessment – results
[Table: rows are the business risk groups (Strategy; Market, Credit & Op; Financial soundness; Customers / products; TOTAL BUSINESS RISK), the control risk groups (Treatment of customers; Organisation; Systems & controls; Board, Management; Culture; TOTAL CONTROL RISK) and NET PROBABILITY. Columns are the risk channels (Financial failure; Misconduct / mismanagement; Consumer understanding; Fraud & dishonesty; Market abuse; Money laundering; Market quality), shown alongside the statutory objectives (Market confidence; Consumer protection; Public awareness; Financial crime).]
• Risk mitigation
Risk mitigation
• The most important stage in the risk cycle
– the only one that actually makes any difference to the outside world!
• Identification and assessment stages are (only) means of deciding whether and what mitigation to put in place (not ends in themselves)
• Reduction in risk may be by reduced impact or (more likely) reduced probability of harm; should have a target / acceptable level of risk
• Key issues around mitigation:
– need to be clear about actions which actually reduce risk (rather than giving us more information about risk)
– actions must be proportionate and effective – use of both FSA resource and that of others (e.g. firms); should relate to the change in risk that can be achieved
– measuring effectiveness of mitigation
Risk mitigation (cont’d)
• FSA tools for mitigating risk:
Supervision of firms
• Improvements in controls, or reduction in business risk, or increased capital held, all in relation to an individual firm (either requested by supervisory team, or mandated through enforcement, or in cooperation with other regulators)
Thematic work
• Improvements in controls, business risk or capital in multiple firms (either requested through (e.g.) Dear CEO Letters or mandated through rule changes)
• Wider efforts to improve fin. markets (e.g. consumer education) – either FSA-only, or in cooperation with other bodies
From measurement to mitigation
• Risks are assessed from low to high
· low – no mitigation required
· medium-low – no mitigation expected, reason required if in place
· medium-high – mitigation expected, reason required if not in place
· high – mitigation required
Presentation of risks
[Figure: grid of Impact (Low, Medium-low, Medium-high, High) against Probability (Low, Medium-low, Medium-high, High, Crystallised), with points labelled “Risk Today” and “Target Level” and the label “Mitigation”.]
• Monitoring and reporting risks
Risks: monitoring and reporting
• Regular reviews necessary to:
– update list of identified issues and scoring
– monitor progress on mitigation
– allow FSA management to take strategic decisions
• Balance between levels of detail
– enough to assess effectiveness
– ensure key facts and direction are clear
Presentation of risks
[Figure: grid of Impact (Low, Medium-low, Medium-high, High) against Probability (Low, Medium-low, Medium-high, High, Crystallised), with points labelled “Initial Risk”, “Risk Today” and “Target Level”.]
Classification of Risks
ENVIRONMENTAL RISK,
Economic Environment
Legislative/Political Risk
Competition Risk
Capital Market Efficiency
CUSTOMER/PRODUCT RISKS,
Type of Customer
Consumer Knowledge
Product/Service Characteristics
BUSINESS MODEL RISK,
Structure & Ownership
Nature of owners
Organisation structure
Relationship with the Rest of the Group
Operating risks,
Sources of Business and Distribution
Outsourcing
Operations
IT Systems
FINANCIAL RISK,
Credit Risk
Market Risk
Insurance Underwriting Risk
Operational Risk
Liquidity Risk
Litigation/Legal Risk
MARKET STRUCTURE/ CONDUCT CONTROLS,
Membership Arrangements
Market Cleanliness
Clearing and Settlement Arrangements
CUSTOMER/PRODUCT CONTROLS,
Accepting Customers
Client Classification
Terms of Business and Client Agreements
Client Identification (AML)
Sales Process,
New Product Development and Approval
Sales Force Training
Sales Force Remuneration
KYC
Suitability
Product Disclosure
Financial Promotions
Post Sale Handling of Customers,
Dealing and Managing
Reporting
Switching Products
Switching Providers
Complaints Handling
Security of Client Assets
CORPORATE CONTROLS,
Risk Management
Credit Risk
Market Risk
Insurance Risk
Operational Risk
Liquidity Risk
Legal Risk
Methodology
Resources
Independence
Compliance
Policy
Methodology
Resources
Independence
Training and Competence
Record Keeping
Monitoring
Conflicts of interest
Market surveillance
Transaction Monitoring
Suspicious Transaction Monitoring and Reporting
Structured Products
Internal Audit,
Methodology
Resources
Independence
Financial Control,
Accounting Policies and Procedures
Financial and Regulatory Reporting
Independence
Operating Controls,
Policies and Procedures and Controls
Human Resources Controls
IT Controls
Business Continuity
MANAGEMENT GOVERNANCE AND CULTURE,
Management,
Quality of Management
Quality of Strategy
Succession Planning
Business Culture
Management Information
Corporate Governance
Relationship with Regulators
Priority Delivery,
Treating Customers Fairly
Reforming regulation of the retail market
Financial Capability
Improving transparency
Developing our approach to Fraud
Getting the best out of our staff
making us easier to do business with
increasing the effectiveness and transparency of enforcement work
improving the implementation of our risk based approach
Sectoral Risk,
Banking
Insurance
Retail Intermediaries
Asset Management
Capital Markets
Financial Crime
Financial Stability
Business Continuity
Consumer
Internal Risk,
People
Skills
Quantity
Turnover
Retention
Recruitment
Processes (non-IS),
Inadequacy
Not followed
Not comprehensive
Processes (IS),
Inadequacy
Availability
Dependency
Information,
Not sufficient
Lost
Vulnerable
Finance,
Accounting Policies and Procedures
Financial and Regulatory Reporting
Independence
Policies and Procedures and Controls
Audit
Methodology
Resources
Independence
Compliance
Data Protection
Freedom of Information
Health & Safety
Personnel
Conflicts of interest
Suspicious Transaction Monitoring and Reporting
Legal
Management,
Quality of Management
Quality of Strategy
Succession Planning
Business Culture
Management Information
Corporate Governance
Political Risk
Reputational Risk
Risk Management
Identification
Measurement
Monitoring
Control
External risks
Priorities
Sectors
Internal risks
Format of individual risk reports
• Controlling the risk process
Risk controls
• Must be set in the context of the organisation
– for example, devolved to business units in FSA
• Clear responsibilities set out in a Risk Charter
• Policies and Procedures set out
• Compliance with those policies checked
• Integrated with budget and strategic planning ensures no gaps
• Independent challenge
• Transparent management information
• Provides assurance to all involved that decisions and process are fair
Challenge
• Assessment and risk mitigation programme are challenged by senior management
– for internal consistency
– for consistency with risk appetite
– against peer-groups
How risks are reported (simplified)
• Risk Identification & Assessment using FSA Frameworks
• Review and challenge at local business unit level
• Local management agree description and scoring/prioritisation of risks
• Central risk oversight review and challenge risks and compile a cross-FSA risk map (“The Dashboard”)
• Every 3 months, FSA senior management review and agree list of “Top Risks” and consider if additional resources should be applied to change mitigation efforts or timescales
• FSA Board receive regular reports on “Top 10” risks and progress
Example of an existing risk
What have we learnt so far?
• Staff tend to be risk-averse; tendency to over-score impact and probability unless challenged.
• Requiring clearer ownership of risks imposes better accountability and discipline.
• The only way to track mitigation effectively is to describe the risk and target outcome very specifically.
• Relies on adequate risk management skills and experience among staff to work.
• Evaluating and improving ARROW
Evaluation
• We believe that ARROW is at the forefront of supervisory best practice
– requests for technical assistance are high
– recent UK government reports such as Hampton and Arculus have praised our approach (compared with other UK regulators)
• Effective risk management is a journey and not a destination, so it needs to evolve:
– as our experience grows
– as our needs grow (e.g. from our recent adoption of Mortgage & General Insurance regulation)
– as our expectations grow
Risk management vision
ARROW’s evolutionary path
[Figure: assessment models (Individual risk-based methods; Portfolio risk-based methods; Stress and scenario testing; Outcome-based models) set against the frameworks RATE, FIBSPAM; ARROW; ARROW 2.0; ARROW 2.5; ARROW 3 ?, with an X marking the current position.]
Current improvements being implemented
• In implementing ARROW 2.0, we are making a variety of improvements to the risk framework and processes:
– making the processes less bureaucratic, and the supporting IT more user-friendly
– creating greater flexibility in how ARROW is applied (lighter approach to smaller risks / firms)
– facilitating greater knowledge-sharing (e.g. intelligence and analysis between front-line supervisors, sector analysts and experts on specific themes)
– making the firm and thematic frameworks more integrated
– improving the communication to firms of our assessment (e.g. giving them more information about our rating of them, along with peer group data to provide context)
– updating the metrics we use, so that they better reflect the FSA’s current priorities and views of risk
– upgrading the training and guidance we give our staff