The rationalisation of formerly separate regulators under one body has ensured a broad mandate for the Financial Services Authority (FSA).
However, the FSA's embrace has widened further, to include firms who may never have expected to enjoy the regulator's attention. Recently, firms such as those selling insurance as a complement to their primary product have been brought into the fold (for example, relocation companies offering insurance of household possessions in transit and storage). Depending on the arrangements, organisations offering a credit facility via affinity cards may also be included. As risk manager for a firm in this newly regulated position, what are the challenges and what approach should you take to meeting them?
The challenge
In becoming regulated you are exposed to a new regulatory approach which has two main tenets. Firstly, the FSA takes a risk-based approach to determining the degree of supervisory attention you receive; higher risk firms will receive closer attention. The risk rating is mainly based on two factors: the degree of risk intrinsic to the nature of your regulated business, and the prudence with which you conduct that business. Non-financial firms selling insurance as a secondary activity will not generally be judged high risk, so that factor of your risk rating will be low. However, poor corporate governance and weak systems of internal control can drive the other risk-rating factor high. Here is your first challenge as risk manager: your ability to demonstrate a sound, risk-based control culture will have a key influence on how your firm fares with the regulator.
The FSA's second tenet is to state their expectations mainly in terms of guidance, rather than take a black and white, rules-based approach.
In other words they are not going to tell you precisely what you have to do and then simply check you are doing it. You must interpret the guidance to determine which approach is best for your business, while also demonstrating compliance. Here lies your second challenge: to ensure compliance is a natural by-product of good risk management, and not the primary driver.
Meeting the challenge - where do I start?
For a previously unregulated firm, some changes in process and company culture will inevitably be required to achieve, demonstrate and maintain compliance. Seek the board's support for this change project. To get a clear understanding of just what changes are required, start with a gap analysis between the regulator's statements of rules or guidance and your current practices. The goal is to map each regulatory requirement applicable to those policies, procedures and controls that currently exist in your organisation and which help to achieve compliance with that requirement.
If no such policies, procedures or controls currently exist, or if in their current form they are not adequate, then you have found a regulatory gap. You now know where change is required, but not what change is required.
The next step is to take each gap in turn and work with the business to determine precisely how existing policies, procedures or controls must be modified, or which must be created for the first time in order to close the gap. Modifying what already exists is preferable. This minimises disruption and encourages compliance-facing checks and balances to become embedded into the way you currently do business, rather than being imposed upon it. However, some regulatory concepts and their respective processes will be entirely new to your organisation. We have now moved from a set of known regulatory gaps to a clear set of actions, which the business has agreed it needs to take in order to put the firm in a demonstrably compliant position. These actions are essentially the implementation requirements which your change project must satisfy.
This upfront analysis is critical; without it, your regulatory change project will not have a clear target to shoot at. Requirements imprecision is the most common cause for project failure. Importantly, you will be able to justify the actions you are taking to gear up for compliance explicitly in terms of the regulator's originating statements of rules and guidance.
Your case will be watertight.
Within the regulatory change project the implementation requirements will need to be allocated to the owners of the various business processes affected by the regulation. For example, in insurance and mortgage intermediaries, the list of owners will include the sales director, who as guardian of the insurance sales process must ensure compliance with all of the rules and guidance relating to the FSA principle that the 'firm must pay due regard to the information needs of its clients, and communicate information to them in a way which is clear, fair and not misleading'.
All requirements relating to the FSA principle that: 'A firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems' will most likely come your way as risk manager. Typical risk management gaps you may need to close are:
- the absence of a fully documented, board-sponsored risk management policy
- the failure to clearly define the firm's risk appetite or tolerance in specific areas of potential exposure
- the failure to delegate clear responsibilities for managing risk within that appetite to senior management
- confusion around the existence, composition, mandate and effectiveness of risk management committees
- difficulties in collecting, analysing and reporting-risk related management information
- the lack of any process for management to self-assess and report on the adequacy and effectiveness of the controls to manage risks in their area.
Listed companies which must comply with the Combined Code, or those which are required to comply with the Sarbanes-Oxley Act 2003, should naturally have a head start as they are able to exploit existing risk and compliance processes. Others may have to develop a response to the regulation from a relatively sparse start position.
You are not alone
Now you are regulated (or soon to be) there may be a new kid on the block: the compliance officer. You are both key sources of assurance to the board; you both need to develop policy from the centre and roll it out; you both need to go out into the business to monitor and review. You should work together to share data and co-ordinate your monitoring activities to avoid over-burdening the business. One joined-up approach is best.
There will be other newcomers: approved persons. One or more of your senior colleagues will be registered as individuals with the FSA, and hold personal responsibilities and liabilities for conducting business in a compliant manner. They need your support. Can you provide the approved persons with a clear, up to date assessment of the risks associated with any corporate objective or business process, the controls or other treatments in place, how they are working and whether action is required? Can you provide them with breaking news or early warning indicators so that preventative action can be taken? Delivering this will make the value of your risk management function clear. It is critical to business. It will give the regulator confidence.
Your 'to do' list
- Get board support for your regulatory change programme.
- Establish a clear requirements baseline for the project.
- Seek solutions to the regulatory gaps which are 'fit for your business', not designed for the regulator.
- Work with the compliance officer and the approved persons to develop a joined-up approach.
- Make sure that you are organised about collecting, analysing and reporting risk and compliance data; the regulator will seek evidential data and audit trails.
- Enjoy the challenge!
Brian Hardwick is risk practice leader, financial markets group, Grant Thornton UK LLP, Tel: 0870 991 2658, E-mail: Brian.G.Hardwick@gtuk.comMOST RISK MANAGERS TO STAY OUTSIDE REGULATION
While authorisation will be essential for some companies, the FSA has agreed that many may be exempt. At least two thirds of UK risk managers will not be regulated when new rules for intermediaries come into force next year, following concessions made by the FSA in its discussions with AIRMIC. Outside three sectors where special circumstances apply - financial services, construction and property - only a handful of companies expect their risk managers to be regulated.
According to a survey of AIRMIC members, 66% of companies will not apply for authorisation in January, 21% have done so or plan to do so and 13% are undecided. Most risk managers who expect to be regulated are in firms whose business includes selling insurance to third parties for a commission.
The findings also show how several companies that originally decided to apply to be authorised changed course as a result of discussions between AIRMIC and the FSA. In July, the FSA accepted the main points of a legal opinion acquired by AIRMIC, which contested the basis for risk manager regulation under the EU's Insurance Mediation Directive (IMD).
In a letter to AIRMIC, the FSA wrote: 'We are grateful to you for sharing this opinion with us, which has assisted us in our further analysis...
We have throughout recognised the force of the policy arguments which you and others have made on behalf of group risk managers and we are pleased that we have also now identified a possible legal basis for deciding that authorisation may not be necessary."
Since then there has been further progress with the FSA on outstanding issues such as the status of joint ventures.
"These returns show that group risk managers who only seek to be reimbursed for the administrative costs of buying insurance have, with very few exceptions, decided they do not need to be regulated," said AIRMIC executive director David Gamble. "We always knew that some risk managers would be affected by the IMD, but we have achieved most of what we wanted when we started the campaign against regulation." He added: "Whereas many insurers and brokers were saying back in June that they would be reluctant to do business with unauthorised risk managers, they now all seem pretty relaxed about doing so."