Risk Management and Controls
The requirement for firms to make risk-based decisions in every aspect of running the business is a long-standing priority for UK regulators. Organisations need to update and evolve their risk framework and controls to remain compliant and improve performance. There is a shift in emphasis towards organisations’ ability to pre-empt (as well as identify and mitigate) risks to their business model. This includes their approach to delivering fair outcomes and preventing the risk of serious harm to consumers and markets.
Reducing and preventing serious harm is one of three key areas of focus for the FCA, and work is underway to remove problem firms with inadequate harm prevention, market abuse and financial crime controls. Financial resilience is an explicit focus of the PRA, and an organisation’s ability to remain resilient relies on having a robust risk culture and strong risk management practices in place. The PRA and FCA have both prioritised improving the data they receive from firms. This is a key part of delivering their strategies, and organisations need to have effective risk governance frameworks, risk analysis and reporting capabilities.
Organisations that recognise the value of having effective controls that work across all three lines of defence are able to assess how emerging risks are managed through the business, improving their agility and resilience. Risk management is most effective when the essential components are aligned and mutually supportive: the Risk Appetite is consistent with overall strategy; the EWRA/BWRA clearly indicates compliance with the Risk Appetite and areas for Board attention; and the EWRA/BWRA is supported by detailed and consistent assessments such as the RCSA.
Our Services
We help clients to manage their risk in three areas.
Risk management framework review and assessment
Risk management and controls cover every aspect of the organisation and are underpinned by a firm’s strong risk culture. Our review work covers all types of financial and non-financial risk including, but not limited to, operational risk, financial crime risk, outsourcing arrangements, credit risk, liquidity risk, climate risk, people risk, conduct risk and reputational risk management. Examples include:
- Enterprise or Business Wide Risk Assessment (EWRA/BWRA) - reviewing scope and definition, alignment with risk appetite, governance and process for monitoring and oversight, overall effectiveness and sustainability.
- Assessment of Risk Appetite Statement - checking for alignment with strategy, suitability as both a Board/NED information source and executive risk function reference, alignment with EWRA/BWRA and facilitation of risk appetite setting discussions at Board and Executive Committee levels in line with strategy.
- Financial Crime Customer Risk Assessment (CRA) - developing and improving the methodology, policy and procedures as part of the overall customer lifecycle, including CRA models for various customer types across all relevant risk areas (customer risk, geography risk, product risk, transaction risk, channel risk).
- Risk and Control Self Assessment (RCSA) - benchmarking and reviewing frameworks against peers based on our industry knowledge and experience.
- Three lines of defence model - reviewing the effectiveness of the model and the process for documenting, analysing and reporting risk information. We also consider risk management as part of the culture of the organisation and how it informs decision-making within the business to deliver fair outcomes for customers and the safety and soundness of the market.
- Future proofing - identifying whether existing systems and controls are sufficient to meet the future needs of the organisation and to enhance the firm’s capability to self-identify potential harm to consumers and markets.
- Client Assets and Safeguarding
- Governance, accountability, strategy and culture
- Conduct of Business
- Financial Crime
- Prudential - Adequate Financial Resources for FCA solo-regulated firms