1. The FSC has been
successfully applying a risk assessment methodology across all supervisory
divisions since 2003. In 2005 the FSC revised the basis of profiling
firms.
2. The FSC has re-engineered the
assessment methodology building on the experience of these past years to deliver
a more efficient and effective process through which the risks of a firm are
assessed and mitigated.
3. In arriving at the revised
methodology the FSC is seeking to concentrate on high level risks rather than
regulatory compliance issues. The focus of attention of the revised
methodology is to arrive at a conclusion as to the ability and competence of a
firm’s senior management to identify and mitigate risks as well as to put into
place adequate systems of control to meet regulatory requirements.
4. The intensity of the FSC’s
interfacing with a firm will be completely dependent on the perceived risks that
a firm poses to its customer base and the jurisdiction. The more a
firm’s senior management does to address its risks, the less interfacing with
the FSC it will have.
5. Those firms in which senior management has shown little attention to the identification and mitigation of risks or to meeting regulatory compliance requirements will find it a very onerous experience. The FSC is seeking to make greater use of the Reporting Accountants Regime (Skilled Persons under the Insurance legislation) in order to verify regulatory compliance issues where the FSC perceives there to be failings.
6. The revised methodology will
continue to assess firms based on two Risk Types (Business and Control) and six
Risk Groups (Financial Soundness & Capital, Environment, Business Plan,
Controls, Organisation & Management) as well as using an Impact Score as a
multiplier. The Impact Score has been aligned across all divisions under
the revised methodology.
7. The revised methodology has changed from the previous version to the following:

Figure 1 - Outline of methodology
8. The main difference of
approach is the earlier profiling of a firm. This is necessary in order
for the intensity of the on-site to be proportionate to the FSC perception of
the risks it faces and the impact the firm has on the jurisdiction.
9. The following sections
describe each of the steps in greater detail;
10. This is the main element of the FSC’s
work programme as it consists of pulling together information from a variety of
different sources into the assessment. Some of the information is already
existent within the FSC but other information will be sought directly from the
firm.
11. In reviewing the information already
held by the FSC the following source documents will be examined:
12. Additionally, the FSC will seek to
obtain at a very early stage of the risk-assessment process additional answers
to risk specific or regulatory compliance matters through the use of
questionnaires.
13. Examples of these generic questionnaires are included in this document but may be varied for a given firm or sector. Additional questionnaires may, from time to time, also be issued.
14. Compliance specific questionnaires may
also be issued by a division in order to ascertain regulatory compliance with a
set of requirements (e.g. seeking to review the firm’s completion of the AML/CFT
Compliance Report).
15. In most cases the FSC will also seek to
obtain up to date financial forecasts for the following three years indicating,
where appropriate, compliance with prudential requirements (e.g. capital
adequacy, solvency margins, etc).
16. The FSC seeks to obtain a risk
profile of the firm through the assessment of six separate Risk Groups.
The risk profile of the firm will determine the FSC’s approach to that firm.
17. During the preliminary stages, the FSC
will use its available information of a firm to arrive at a risk profile.
This may change once the FSC has effected its on-site work.
18. The analysis of the business risk will be performed using the following risk groups: Financial Soundness & Capital, Environment and Business Plan (“FEB”). This review will comprise an analysis of the financial position of the firm, the firm's overall business and external environment and its future strategy. This will facilitate a historical, current and forward-looking assessment of the firm's key business risks. The objectives behind each of the Business Risk Groups assessment are:
19. This analysis will be undertaken, for example, using prudential data, annual accounts, and information requested from the firm together with information already held on the FSC's files.
20. In analysing the controls over the business, the FSC will undertake an assessment using another three risk groups: Controls, Organisation and Management (COM). As mentioned above, most of the information for this analysis will come from information already held on the FSC's files, including reporting accountants’ reports. The objectives of the Control Risk Group assessment are:
21. During the pre-assessment stage, the FSC will identify where there are information gaps, how to fill them and with whom the regulator needs to meet when carrying out on-site work.
22. The FSC will be looking beyond the
titles of each of the Risk Groups to a further level of details known as Risk
Elements to make a determination of perceived or actual risks materialising in
any of these.
23. Each risk element is scored according to
its weighted score, taking into consideration underlying constituents, which are
scored as either:
| | 1.0 |
| | 1.75 |
| | 3.0 |
| | 5.0 |
24. Each Risk Group is also weighted to reflect its relative importance to the Risk Type as follows:
| Business Risks | |
| Financial Soundness & Capital | 40% |
| Environment | 30% |
| Business Plan | 30% |
| Control Risks | |
| Controls | 45% |
| Organisation | 10% |
| Management | 45% |
25. Both scores (Business and Control
Risks) are then multiplied by the Impact Score of the firm in question to
provide a Business Risk Profile Score and a Control Risk Profile Score.
26. The impact scores of firms are determined through the use of an impact matrix which takes into account a number of environmental and jurisdictional issues and their relative weightings. All firms, across the supervisory divisions of the FSC, are subjected to the same impact assessment.
27. The basis upon which a firm will be
impact scored is shown in Appendix 2.

Figure 2 - Risk Types, Groups and Elements
28. The scoring by FSC staff of each of
the elements is a vital constituent of the revised methodology as previously the
FSC only scored at the higher level of Risk Group. The previous method
showed some distortions in the scoring and this new approach seeks to provide
greater consistency of approach.
29. The weighting of each of the risk
elements and risk groups has been carefully considered by the Executive of the
Commission based on the experience of the Heads of Division and previous risk
assessments.
30. A pro-forma spreadsheet on the scoring of a firm's risk elements and the effect of the impact score can be found in Appendix 1.
31. The FSC will, for each Risk Element,
document why it assigned such a value to it. This will also translate into
what items the FSC will consider important enough to raise with the firm going
forward. Therefore an element which is scored as “Negligible” or
“Possible” will not generally feature in discussions with the firm nor as part
of the on-site verification process.
32. The scoring of each of the Risk Elements
when multiplied by the Impact score produces two values that can be
plotted on a simple chart to produce the risk profile of a firm;

Figure 3 - Risk profile chart
33. By having obtained a preliminary risk
profile the FSC is able, at this stage, to decide upon the scope and intensity
of its remaining work, including the on-site verification programme.
34. Firms will fall into one of the
following risk profiles;
35. In the description for each of the profiles, a number of terms have been used. It is useful to outline what each one of these means.
36. It is clear from the descriptions given above that a firm’s senior management can, through pro-active risk management, reduce the regulatory burdens of an FSC risk assessment by taking appropriate action throughout its daily operations. By doing so a firm may actively reduce its risk profile and therefore the intensity of any FSC interfacing.
37. By having arrived at an initial risk-profile of a firm the FSC will set its general tone for the rest of the risk-assessment process. Therefore firms with an initial profile of Low Monitoring and Low Remediation will not require an intensive on-site verification programme. Conversely those with an initial High Monitoring & High Remediation profile will require greater allocation of resources to the next stages of the assessment.
38. Through the on-site the FSC seeks to
validate its initial profiling, to identify the mitigation programmes already in
place at a firm as well as being able to gain first hand experience of a firm’s
senior management and compliance culture.
39. Through the initial profiling, the FSC
will have identified those risk elements which it considers are most likely to
contribute to the materialisation of an actual risk. Through the initial
profiling stages, the FSC will have documented its reasons why it considers this
to be the case.
40. As mentioned above the FSC will only
seek to validate its findings for those risk elements which it has scored as
Probable or Perceptible.
41. The on-site visit effected by FSC staff
will seek to discuss these matters with senior management as well as those
members of staff directly involved with the risk element in question. It is
likely that the FSC staff will undertake some verification of processes put in
place by the firms to mitigate these risks.
42. The on-site presents the firm with an opportunity, through practical engagement with the FSC team, to describe processes or mitigations that may not have been clear from the documentation supplied. Again, the more co-operative a firm’s senior management is with the FSC, the shorter the duration of the on-site element is expected to be.
43. Throughout the on-site, the FSC team will be seeking to make a judgement on the senior management’s approach towards regulatory compliance matters generally. Although the on-site will not seek to carry out specific testing of regulatory compliance matters, it will determine if focused visits or reporting accountants' reports should form part of the risk mitigation stage.
44. Prior to carrying out an on-site the FSC
will:
45. The on-site will end with a close-out meeting. This close-out meeting will seek to:
46. All of the information gained from the process to date is compiled and reviewed prior to making a final assessment.
47. The FSC will look through its initial profile and document where amendments, if any, to the profiling or impact score are required based on the information gleaned from the on-site work and subsequent review.
48. Once a final profile has been obtained the FSC will, based on the risk profile of the firm, design a risk mitigation programme:
49. The FSC will communicate its
findings, most of which should have been raised at the close-out meeting, via a
draft feedback letter which will be sent to the firm within four weeks of the
conclusion of the on-site.
50. The firm will be given two weeks to
respond to the draft feedback letter in respect of factual inaccuracies that may
be contained in the letter but not to discuss the risk mitigation programme
elements described in the letter.
51. The FSC will formally finalise the
feedback letter in writing within two weeks of receiving the firm’s views.
52. Once the risk mitigation programme is
agreed with the firm the risk mitigation programme is set into action.
53. For the most part the FSC will rely on a
firm’s senior management to carry out the risk mitigation programme established
in the feedback letter. The FSC will seek to verify that the action plan
is being complied with through ad-hoc communications with the senior management
or more formal Prudential Visits that have already been planned.
54. Failure by a firm to give effect to any aspect of the risk mitigation programme will have serious consequences for a firm, ranging from focused visits, the imposition of formal conditions or directions and the commissioning of reporting accountants' reports up to the imposition of penalty fees. In certain circumstances, the withdrawal of authorisation may also be considered by the FSC.
55. The FSC has, through the adoption of the ISO9001:2000 Quality Management Standard, sought feedback from firms on the risk assessment process. The FSC will continue to seek this feedback from all firms that have been assessed. This feedback will continue to be submitted anonymously.
| Business Risks | | |
| Importance | Risk Element | |
| 5 | Types of products & Services | |
| 4 | Sources of business and distribution | |
| 7 | Types of customer | |
| 7 | Strategy | |
| | Business Plan | 30% |
| 2 | Legal Risk | |
| 10 | Operational Risk | |
| 10 | Market Risk | |
| 6 | Group Risk | |
| 10 | Underwriting risk | |
| 7 | Credit Risk | |
| | Environmental | 30% |
| 3 | Insurance | |
| 5 | Earnings | |
| 10 | Liquidity | |
| 10 | Adequacy of Capital | |
| | Financial Soundness & Capital | 40% |
| Control Risks | | |
| 5 | Corporate Governance | |
| 10 | Quality of Management | |
| | Management | 45% |
| 5 | Ownership | |
| 8 | External Branches & Subsidiaries | |
| 10 | Multiple Activity Groups | |
| | Organisation | 10% |
| 10 | Risk Management | |
| 6 | AML Controls | |
| 4 | Compliance | |
| 6 | Reporting to customers | |
| 10 | Security of customer assets | |
| 8 | Advising, Dealing and Managing | |
| 5 | Acceptance of and disclosure to customers | |
| 10 | Outsourcing | |
| 4 | Internal Audit | |
| 10 | External Auditors | |
| 7 | Actuaries | |
| 8 | Management Information Systems | |
| 5 | Business Continuity | |
| 6 | IT | |
| 8 | Human Resources | |
| | Controls | 45% |
| Impact Scoring | High | Medium | Low | Importance |
| Customer Base | | | | |
| Number of Customers | Large | Medium | Small | 7 |
| Experience | General Public | Mixed | Professional/ Captive/ Experienced | 10 |
| Financial Base | | | | |
| Client Assets at risk | Significant | Insignificant | None | 10 |
| Product Base | | | | |
| Deposit/Investment/Claims Protection Arrangements | No | Yes (some exclusions) | Yes (mostly covered) | 5 |
| Product Types | Investment/ Banking | Protection/ Retail | Protection/ Corporate/ Other | 4 |
| Jurisdiction Impact | | | | |
| Home/Host Regulator | Home | Host | | 4 |
| Risk of Contagion | High | Medium | Low | 9 |
| Reputational Impact | High | Medium | Low | 5 |
| Number of employees | >30 | >5 <30 | <=5 | 2 |





