2011 Methodology

Click here to download a PDF version of this document (will open in new window)

Introduction

1. The FSC has been successfully applying a risk assessment methodology across all supervisory divisions since 2003. The FSC has re-engineered the assessment methodology by building on the experience of these past years, in order to deliver a more efficient and effective process through which the risks of a firm may be assessed and mitigated. This document represents the current methodology.

In arriving at the revised methodology, the FSC sought to concentrate on high level risks rather than regulatory compliance issues. The methodology is geared towards determining the ability and competence of a firm’s Senior Management when it comes to both identifying and mitigating risks, and implementing adequate systems of control to meet regulatory requirements. In doing so, the FSC will take into consideration how its regulatory objectives can be met, with special reference to protecting the public from suffering financial loss. The FSC’s regulatory objectives are stated in Section 7(2) of The Financial Services Commission Act 2007 and can be found at;

http://www.fsc.gi/firms/principles.htm

2. The intensity of the FSC’s interfacing with a firm will be completely dependent on the perceived risks that a firm poses to its customer base, and to the jurisdiction as a whole. The more a firm’s Senior Management does to address its risks, the less interfacing with the FSC it will have.

3. Those firms where Senior Management has shown little attention to the identification and mitigation of risks, or in meeting regulatory compliance requirements, will find it a very onerous experience. The FSC is seeking to make use of Reporting Accountants/Skilled Persons in order to verify regulatory compliance issues, where the FSC perceives there to be failings.

4. The methodology assesses firms based on two Risk Types (Business and Control) and six Risk Groups (Financial Soundness-Liquidity & Capital, Environment, Business Plan, Controls, Organisation and Management) as well as using an Impact Score as a multiplier. The Impact Score has been aligned across all divisions under the methodology.

Firm Type

5. The FSC is likely to determine a firm’s type, and tailor the risk assessment, under one of the following three types;

Prudential Firms	Conduct of Business Firms	Combination Approach
Banks (deposit business only) E-Money firms General Insurance Companies Occupational Pension Schemes	Audit firms CIS Administrators CIS Managers (Operators) Company Managers Insurance Intermediaries Insurance Managers Money Service Businesses Professional Trustees Statutory auditors	Banks (mainly MiFID Business) Funds Life Insurance Companies MiFID firms

Prudential Firms

Conduct of Business Firms

Combination Approach

Banks (deposit business only)

E-Money firms

General Insurance Companies

Occupational Pension Schemes

Audit firms

CIS Administrators

CIS Managers (Operators)

Company Managers

Insurance Intermediaries

Insurance Managers

Money Service Businesses

Professional Trustees

Statutory auditors

Banks (mainly MiFID Business)

Funds

Life Insurance Companies

MiFID firms

6. Each firm will be classified according to the main type of activity it conducts in order to determine the weighting of each Risk Group to its activities. In certain circumstances, a firm may be conducting multiple activities, and as such, will be classified using the combined approach. This will also establish the type of risk assessment to be conducted.

7. A Prudential risk assessment will focus on the financial standing of the firm, and whether its business is conducted in a sound and prudent manner by fit and proper persons. The actual on-site will focus on a firm’s corporate governance and, for example, how the board and senior management run the business, how decisions are arrived at and considered, how these are documented (by way of board minutes, management meeting minutes, etc), and whether management information systems and controls are in place and how these function in practice. It will also focus on the firm’s enterprise risk management approach.

8. A ‘conduct of business’ assessment will focus on a firm’s interaction with its customers, including how it meets its KYC obligations, the advice it provides, and how it handles client monies and assets. The actual on-site will focus on the client take-on process, how advice is provided to customers and whether appropriate disclosures are made, and how this is documented within client files and records of correspondence/meetings with the client. In addition, the handling of client monies and assets will receive special attention with the focus on whether a firm is in compliance with the relevant requirements.

9. A ‘combined’ assessment will cover areas in relation to both Prudential and Conduct of Business matters, as referred to above. A ‘combined’ on-site will include elements covering corporate governance issues, financial requirements and client interfacing issues, as described above.

Business Risks

10. The analysis of the business risk will be performed using the following risk groups: Financial Soundness-Liquidity & Capital, Environment and Business Plan (“FEB”). This review will comprise an analysis of the financial position of the firm, the firm's overall business and external environment, and its future strategy. This will facilitate a historical, current and forward-looking assessment of the firm's key business risks. The objectives behind the assessment of each of the Business Risk Groups are:

Financial Soundness, Liquidity and Capital - To determine the adequacy of capital, funding and insurance cover in light of the current and future business plans of the firm.
Environment - To determine what operational and other market risks the firm is subject to in carrying out its business plan.
Business Plan - To determine where the current and future risks lie in a firm’s business plan, products and strategy.

11. This analysis will be undertaken, for example, using Prudential data, annual accounts and information requested from the firm, together with information already held on the FSC's records.

Control Risks

12. In analysing the controls over the business, the FSC will undertake an assessment using another three risk groups: Controls, Organisation and Management (COM). As mentioned above, most of the information for this analysis will come from information already held on the FSC's records, including reporting accountants’ reports. The objectives of the Control Risk Group assessment are:

Controls - To determine the control environment of a firm and management’s ability to put into place proper oversight procedures.
Organisation - To determine if the legal ownership structure and/or passporting of services of the firm provide any impediments to the supervision of the firm.
Management - To determine if the firm’s corporate governance arrangements and management are adequate for the nature, size and complexity of the firm.

13. During the pre-assessment stage, the FSC will identify where there are information gaps, how to fill them and with whom the regulator needs to meet when carrying out on-site work.

Risk Groups and Elements

Figure 1 - Risk Types, Groups and Elements

Risk Profiling Scores

14. The FSC will be looking beyond the titles of each of the Risk Groups, and include a further level of detail, known as “Risk Elements”, to make a determination of perceived or actual risks materialising in any of these.

15. Each risk element is scored according to its weighted score, taking into consideration underlying constituents.

16. In arriving at the scoring above, the FSC will use the following guidelines;

Crystallised - If the risk has already materialised and the FSC might fail to achieve one of its regulatory objectives.
Perceptible – If it is highly likely that the risk element will result in the crystallisation of a significant risk to the firm in the next twelve months which could lead to the FSC failing to achieve one of its regulatory objectives.
Probable – If there is a 50% probability that the risk element will result in the crystallisation of a significant risk to the firm in the next twelve months which could lead to the FSC failing to achieve one of its regulatory objectives.
Possible – If there is a reasonable chance that the risk element will result in the crystallisation of a significant risk to the firm in the next two years which could lead to the FSC failing to achieve one of its regulatory objectives.
Negligible – If there is little likelihood that the risk element will result in the crystallisation of a significant risk to the firm in the next four years which could lead to the FSC failing to achieve one of its regulatory objectives.
Not applicable – If the risk element has no applicability to the firm or the sector in which it operates.

17. Each Risk Group has been weighted to reflect the FSC’s perceived importance of the Risk Type.

Risk Group	Prudential	Conduct of Business	Combined
Business Risks
Financial Soundness, Liquidity & Capital	60%	10%	40%
Environment	30%	20%	20%
Business Plan	10%	70%	40%
	100%	100%	100%
Control Risks
Controls	40%	60%	45%
Organisation	10%	10%	10%
Management	50%	30%	45%
	100%	100%	100%

18. Both scores (Business and Control Risks) are then multiplied by the Impact Score of the firm in question to provide a Business Risk Profile Score and a Control Risk Profile Score.

19. The Impact Score of firms is determined through the use of an impact guide, which takes into account key factors for that particular sector and some key components of the service provided by the firm, such as whether client assets are being held by the firm.

Outline of methodology

20. The methodology:

Ensures focus on the risk of financial loss to the public.
Takes account of other regulatory objectives.
Provides assessors with flexibility to test regulatory compliance as part of the overall risk assessment of a firm.
Allows differential weightings depending on the nature of the firm’s activities.

Methodology OUtline

Figure 2 - Outline of methodology

21. The following sections below describe each of the steps in greater detail.

Off-site

22. This is the main element of the FSC’s work programme, as it consists of pulling together information from a variety of different sources into the assessment. Some of the information is already existent within the FSC, but other information will be sought directly from the firm.

23. In reviewing the information already held by the FSC, the following source documents will be examined:

Correspondence. In order to identify major changes to the firm’s business plans, licensing requirements and compliance arrangements.
Appointments and Resignations. In order to take a view on the adequacy of the composition of the Board and Senior Management, as well as corporate governance arrangements.
Returns & Financial Statements. To view adequacy of capital and liquidity, both in terms of meeting the minimum regulatory prudential requirements, as well as to support current and future business needs.
Complaints. To determine if there are systemic failures in the management of the firm’s affairs.
Outsourced functions. To determine if a firm’s Head Office and Mind and Management requirements continue to be met.
Regulatory matters. To determine if there are any issues related to matters considered by the FSC.
Web-site(s). To determine if there are any products or services being offered which may not have been notified to the FSC, or which are inconsistent with the authorisations held by the firm.

24. Additionally, and at a very early stage of the risk-assessment process, the FSC will seek to obtain additional answers to risk specific or regulatory compliance matters through the use of a Risk Based Questionnaire.

25. The Questionnaire will follow a standard format. Assessors will add questions which are deemed relevant or where information is not already held on file.

26. Compliance specific questionnaires may also be issued by a division in order to ascertain regulatory compliance with a set of requirements (e.g. seeking to review the firm’s completion of the AML/CFT Compliance Report).

27. In most cases, the FSC will also seek to obtain up-to-date financial forecasts indicating, where appropriate, compliance with prudential requirements (e.g. capital adequacy, solvency margins, etc).

Profiling

28. The FSC seeks to obtain a risk profile of the firm through the assessment of six separate Risk Groups, which are classified as Business and Control Risks. The risk profile of the firm will determine the FSC’s approach to that firm.

29. During the preliminary stages, the FSC will make use of the information relating to a firm already available to the Commission in order to arrive at an initial assessment of potential risks. This will condition the Questionnaire to be completed by firms.

30. Through the initial profiling, the FSC will have identified those risk elements which it considers are most likely to contribute to the materialisation of an actual risk. Through the initial profiling stages, the FSC will have documented its reasons why it considers this to be the case.

On-Site

31. Through the on-site, the FSC seeks to validate its initial profiling, generally only for those risks which it has scored as “Probable”, “Perceptible” or “Crystallised. It will seek to identify the mitigation programmes already in place at a firm and gain first hand experience of a firm’s risk management, governance and compliance culture.

32. During the on-site visit, FSC staff will discuss these risks with Senior Management and members of staff directly involved with the risk in question. It is likely that FSC staff will verify processes put in place by the firms to mitigate these risks.

33. The on-site presents the firm with an opportunity to describe and the FSC to analyse processes or controls that may not have been clear from the documentation supplied.

34. Prior to carrying out an on-site the FSC will:

Determine the expected duration of the on-site visit
Arrange with the firm mutually convenient dates for the on-site to take effect
Provide the firm with a formal agenda which will:
List all the risks that it wishes to discuss with the firm’s Senior Management and the context for the discussion
Identify any individuals that the FSC wishes to speak with on any of the matters
Allow the firm’s Senior Management to invite to the meeting any other person it feels would contribute to the on-site
Provide a list of any additional document or information that it may wish to review on the firm’s premises, together with a list of any documents that it may wish to take copies of.

35. At the end of the on-site visit the assessors will:

Summarise the areas reviewed by the FSC team
Invite the Senior Management of the firm to provide input to the team on areas which they wish to add to the risk assessment
Invite the firm to provide any feedback on the process.

Final Profiling

The scoring by FSC staff of each of the elements is a vital constituent of the methodology.

36. For each Risk Group, the highest score of any risk element will determine the score for the entire group.

37. The FSC will document why it assigned a value for each risk element. This will also translate into items the FSC will consider important enough to raise with the firm. An element which is scored as “Negligible” or “Possible” will not generally feature in discussions with the firm, nor will it form part of the on-site process.

38. The scoring of each of the Risk Elements when multiplied by the Impact score produces two values that can be plotted on a simple chart to produce the risk profile of a firm.

Risk Chart

Figure 3 - Risk profile chart

39. By having obtained a preliminary risk profile, the FSC is able, at this stage, to decide upon the scope and intensity of its remaining work, including the on-site programme.

40. Firms will fall into one of the following risk profiles:

Low Monitoring &/or Remediation: Firms that have a strong control environment supported by good governance as well as stable business plans, and who generally are lower impact firms. These firms will have little contact with the FSC between risk assessments, other than the occasional Supervisory Meeting.
Low Monitoring & Medium Remediation: Firms that are making improvements to their control environment and regulatory compliance arrangements, but that are operating in a stable business environment. It is likely that these firms will be the subject of Focused Visits to validate the work being conducted by Senior Management. The FSC may also wish to conduct occasional Supervisory Meetings.
Medium Monitoring & Low Remediation: This could apply to start-up firms or those with quickly changing business plans. Although some changes to their control environment may be required, the FSC will want to maintain regular contact through Supervisory Meetings to keep abreast of developments.
Medium Monitoring & High Remediation: Firms where a remediation programme is necessary to improve their risk profile. It is likely that these firms will be the subject of Focused Visits or reporting accountants/skilled persons to validate the work being conducted by Senior Management. The FSC may also wish to conduct occasional Supervisory Meetings.
High Monitoring & Medium Remediation: This would apply to firms who are undergoing a change in both business and control environment, either as a result of the changing business plan, or to correct control deficiencies. It is likely that these firms will be the subject of Focused Visits or reporting accountants/skilled person’s reviews to validate the work being conducted by Senior Management. The FSC will also want to maintain regular contact through Supervisory Meetings to keep abreast of developments.
High Monitoring & High Remediation: These firms are the ones that the FSC will be most concerned about. The cause for the additional monitoring and/or remediation will be greater and magnified by the Impact Score of these firms. The FSC will be seeking to maintain very regular contact on both a formal and informal basis with Senior Management of the firms, as well as subjecting these firms to Focused Compliance Visits and/or reporting accountants/skilled person’s reviews.

41. In the description for each of the profiles, a number of terms have been used. It is useful to outline what each one of these means.

Focused Visit: These are performed by FSC staff and will focus on a specific area of regulatory compliance (e.g. AML/CFT processes, MiFID Compliance, Returns preparation, Corporate Governance, Outsourcing arrangements, etc). The firm will be reviewed for its compliance arrangements against specific regulatory requirements (be these in the form of regulations, administrative notices or guidance notes) which the firm should already have in place. These Focused Visits will be requested if the FSC knows or suspects that the firm is not addressing specific regulatory compliance matters. The number of FSC staff present to conduct such visits, and the amount of time that the team will spend on these visits, is dependant on the risk profile of the firm.
Supervisory Visit/Meeting: Also performed by FSC staff. The meetings will generally be held with the Senior Management of a firm, but we may also wish to interview other members of the firm’s staff. The meeting seeks to update the FSC with regard to developments in a firm’s business plan, operating environment or financial situation.
Reporting Accountants’/Skilled Persons’ Review/Report: This is, for the firm, one of the most onerous types of reporting that the FSC will impose as part of the risk assessment process. The FSC will use the powers under the Supervisory Acts to require a firm to appoint a Reporting Accountant or Skilled Person so that they can review the firm’s regulatory compliance arrangements with any aspect of the legislation, including regulations, administrative notices or guidance notes. In most cases, the cost of this type of review is borne by the firm. This type of review will be used by the FSC in the case of larger, more complex, firms, or where the FSC considers that it does not have the resources or expertise to look at a particular area.

42. It is clear from the descriptions given above that a firm’s Senior Management can, through pro-active risk management, reduce the regulatory burdens of an FSC risk assessment by taking appropriate action throughout its daily operations. By doing so, a firm may actively reduce its risk profile and therefore the intensity of any FSC interfacing.

43. The information gained from the process will be compiled and reviewed prior to making a final assessment.

44. The FSC will communicate its risk findings via a summary of risk findings letter which will be sent to the firm within four weeks of the conclusion of the on-site. The firm will be given three weeks to respond to the summary of risk findings in respect of factual inaccuracies that may be contained in the letter.

45. Once a final risk profile has been determined, the FSC will design a risk mitigation programme. The FSC will issue a risk mitigation programme letter within two weeks of receiving the firm’s views. The risk mitigation programme will:

Address the outstanding risks identified in the assessment. This will include specific mitigation that the firm is to carry out to address these issues, and this may take the form of action required to be taken, or a recommendation that it be carried out. Where a firm is required to take action, specific outcomes, milestones and target dates will be set by the FSC.
Set out the interfacing between the FSC and the firm, including expected numbers and scope of Supervisory Meetings and Focused Visits planned to be carried out, and likely timescales for these.
Identify any areas to be covered by a reporting accountants’/skilled persons’ review, and the timescales by which these should be carried out.
Provide the firm with its Risk Profile. The firm will be prohibited from sharing this profile with any party outside the senior management, board, controllers and auditors of the firm and may not use this profile to promote or market itself or its products.
Establish the length of the supervisory cycle, which will commence on the date that the FSC issues the risk mitigation programme letter.

Interfacing and Risk Mitigation

46. The FSC will rely on a firm’s Senior Management to carry out the risk mitigation programme. The FSC will seek to verify that the action plan is followed by communicating with Senior Management.

47. Failure by a firm to give effect to any aspect of the risk mitigation programme will have serious consequences for a firm. This may include conducting Focused Visits, imposing conditions or directions, commissioning reporting accountants/skilled person’s reviews, etc. In certain circumstances, the withdrawal of authorisation may be considered by the FSC.

Feedback

48. The FSC will seek feedback from all firms that have been assessed. This feedback is submitted anonymously.