Risk control (SYSC 7.1) | FCA Handbook

The FCA requires that a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems. This should include effective procedures for risk assessment and setting the level of risk tolerated by the firm. The responsibility for this function belongs at director, senior management or partner level.

What does this mean? The FCA would like firms to identify the risks that are present in the business and implement actions to mitigate these risks.

What is a risk?

Risk is the possibility of:

• loss;
• injury;
• disadvantage;
• destruction;
• danger;
• disaster;
• a person or thing considered as a potential hazard; and
• an unforeseen event.

Risk stands between you and the fulfilment of your business objectives. To succeed you will need to identify, evaluate and overcome risk in all its guises. Some examples of risks to your business may be:

Example 1

You have a large corporate client that currently represents 40% of your annual income from general insurance activities. This client’s policies are coming up for renewal. There have been a few issues in the last year and there is a risk that this client may take his business to one of your competitors, thus reducing your revenue considerably.

Example 2

You outsource your IT to a third party software house. If there was a disaster in the software house, you could lose your systems. This could impact your ability to continue to operate until systems are back on line.

Example 3

Your Compliance Officer is near to retirement and has often mentioned how he would like to retire early and live abroad. There is a risk that, if he has the opportunity to, he will leave to fulfil his dream.

Example 4

You rely on one insurer for the majority of your insurance placement. There is a risk that they could go into liquidation leaving you with no access to the insurance market. This would impact your ability to arrange insurance cover for your clients.

What is risk management?

Risk management is a process that allows you to reduce the impact that risks may have on your business. A risk management system should be in place that will allow you to identify, monitor and take action on risks to the business. The FCA also requires that the risk management process is responsive and proactive to enable changes to be made to a system or process if an issue presents itself. The governing body should approve and review any risk management strategy and processes that you have in place. The risk management process is a continual cycle, as illustrated in the following graphic:

1. Identify and evaluate risks e.g. risk assessment

Four easy steps to risk assessment

1. What could go wrong?
2. What would be the impact?
   a. financial;
   b. strategic;
   c. operational.
   Use a simple 1 to 5 definition (1 very low impact, 5 very high impact).
3. What is the likelihood of it happening? Again, use a simple 1 to 5 definition (1 very unlikely, 5 very likely).
4. Overall risk assessment is impact x likelihood. The higher the overall score the greater the risk to the firm.

2. Decide on appropriate response

Once you have assessed the risk you need to decide how you will respond. If the overall assessment of the risk is very low (e.g. likelihood of happening = 1, impact = 1, therefore overall assessment = 1), then you may decide to do nothing but continue to monitor.
If the likelihood or impact changes then you may wish to put in place mitigating actions.

If you have assessed a risk as very high (e.g. impact 5 and likelihood 5 therefore an overall value of 25), then you will probably need to put in place immediate actions to either eliminate the risk or mitigate the impact.

3. Implement mitigating actions

In example 2 above where you outsource IT to a software house and there may be a disaster, then if this has a high impact and high likelihood then you will need to put in place some actions. These could include:

• ensuring service level agreements are in place for the continuity of systems;
• ensuring that the software house has a disaster recovery plan in place and that this meets your needs;
• reviewing alternative methods for dealing with the IT function.

In example 3, the actions you may take are:

• succession planning – training someone who can take over from the Compliance Officer;
• reviewing recruitment policies to ensure you can get someone in quickly;
• taking out key person insurance;
• talking to the individual and continuing to discuss the possibility of them leaving in periodic reviews.

4. Monitor risks and actions

You should continually monitor your existing risks and actions to ensure that they are having the desired effect and to ensure that nothing has changed. You should also continually be identifying and evaluating all risks for the business. As the business changes new risks will appear and existing risks may disappear. Sample risk register is included in the template section at the end of this chapter (SYSC Template 7).

Key Person Risk

The loss of a key person can often be a major concern to smaller businesses, as these people tend to hold vital information or knowledge of the business or its processes. However, there are some easy steps that a firm can take to mitigate this risk including:

• training (so that the skills or knowledge of the key person can be spread more widely);
• storing copies of key documents at more than one location;
• encouraging key people to share their control and influence by introducing revolving roles or work shadowing; and
• regular testing of staff on their understanding of key areas of the business.

How to reduce risk in smaller firms

Keeping important documents can assist firms in reducing risks. These could include:
board minutes;

• business contingency plans;
• business plans, action logs and risk maps;
• strengths, weaknesses, opportunities and threats analysis; and
• comprehensive office manuals – giving step by step instructions on how, when and by whom each task is completed.