FSA’s Risk Architecture
An update on risk-based regulation
Securities & Investment Institute Risk management and regulation conference, 10th November 2005
Joe Traynor
Finance, Strategy & Risk Division, Financial Services Authority (FSA)
Agenda
• Introduction
  • background and recap of ARROW
  • rationale for our risk-based approach
• Improving our risk-based approach
  • history of the ARROW Project
  • aims of the Project and changes being introduced
  • our new risk model
• Questions
Background and recap of ARROW
History
• The UK Financial Services Authority (FSA) started life as
  • 10 different organisations
  • with 10 different approaches to regulation – not all of these approaches were risk-based – and they related to different legislative frameworks.
• Our current risk-based approach was put in place in 1999 / 2000, when the 10 organisations were merged.
Why do we use a risk-based approach?
• Finite resources available – never possible to do everything
• This leads to a non-zero failure approach (with a corresponding risk appetite)
• We therefore need a mechanism for prioritising our work:
  • focusing our efforts on the greatest risks
  • bear in mind tractability of issues (“biggest bang for our buck”)
• Other factors made the risk-based approach necessary (but difficult to implement) in the FSA:
  • variety of cultures / backgrounds (requires consistency of resource and action decisions)
  • very broad scope of our regulatory remit (wide ranging statutory objectives and diversity of sectors regulated)
Implications and benefits of a risk-based approach
• Benefits for the regulator:
  • optimises use of resources: targeting greatest risks (bearing in mind also the tractability of issues) should lead to “biggest bang for our buck” and greatest overall benefit to our objectives
  • focus on risks to our objectives (and on relevant outcomes); so reduces wasted or inappropriate effort
  • sound, consistent basis for justifying our approach and actions; so links senior management priorities and risk appetite with decisions and actions on the ground
  • provides a measure of success in a not-for-profit enterprise – risk / harm to our objectives is our currency
Implications and benefits of a risk-based approach (continued)
• Benefits for regulated firms:
  • firms see a direct result of good behaviour and control of their risks; lowering their risks to the FSA’s objectives should mean that they are subject to less intensive supervision – a regulatory “peace dividend”;
  • they should also get a transparent explanation for the actions that the FSA takes; these actions should be proportionate to the risks, and consistent between firms in similar circumstances;
  • a pro-active approach to managing risks is generally preferable for firms to a reactive approach, based on punitive enforcement action after problems have occurred.
The ARROW framework
• “ARROW” is the name we give to our application of the risk-based approach to front-line supervision at a micro level (as opposed to the macro level application of the approach to managing our entire portfolio of risk, including internal risk). It stands for the Advanced Risk-Responsive Operating frameWork.
• It not only provides the risk metrics, but also specifies the processes we use to identify, record, analyse and mitigate risks.
• It has two components:
  • the firm framework (used when assessing risks in individual firms); in ARROW, we call this “vertical” supervision; and
  • the consumer and industry-wide framework (used when assessing cross-cutting risks – those involving a number of firms, or relating to the market as a whole); we term this “thematic” or “horizontal” work.
How FSA measures risk
PRIORITY for the FSA = IMPACT of the problem if it occurs x PROBABILITY of the problem occurring

IMPACT factors may include:
• Size of firm
• No. of retail consumers
• Perceived importance

PROBABILITY factors may include:
• Business Risk
• Control Measures
• Consumer risk
How FSA measures risk (continued)
• Scoring is subjective – but subject to challenge and control.

Impact: High; Medium-high; Medium-low; Low
Probability: Crystallised*; High; Medium-high; Medium-low; Low

* crystallised risks are those that have already occurred – so probability is 100%
Scoring approach
Relatively high-level scoring approach, based on supervisory judgement
• Advantages
  • flexible
  • quick to implement
  • draws on expertise
  • easily understood
  • not spuriously accurate
• Drawbacks
  • subjective
  • needs effective challenge
  • dependent on good experience
  • may not provide much differentiation

[Figure: grid of Impact (Low, Med. Low, Med. High, High) against Probability (Low, Med. Low, Med. High, High, Crystallised), with priority risks marked]
Changing shape of the FSA
• Charts below show proportion of firms by impact – the M&GI regime brought a major change in the population of regulated firms

2004 (c10,000 firms): Low 80%; Med Low 15%; Med High 4%; High 1%
2005 (c25,000 firms): Low 92.6%; Med Low 5.8%; Med High 1.3%; High 0.3%
Improving our risk-based approach
History of the ARROW Project
• The FSA recognised the need to review the operation of ARROW in its first few years, and in the light of the very substantial increase in the number of smaller firms that occurred when we took on the regulation of mortgage and general insurance business.
• In 2003 the Business Improvement Programme (“BIP”) undertook a review of the use of the process to date. We conducted a massive consultation exercise, including 250 interviews with users (at all levels) and discussions with a cross-section of firms and industry bodies.
• The BIP identified a number of areas for potential improvement, reflecting experience of use, as well as our increased ambition to fully embed the risk-based approach in everything we do.
• The ARROW Project was therefore set up (in 2004) with full senior management support, to establish the detailed causes of the issues identified, and design and implement solutions.
Aims of the Project
• To achieve greater proportionality and consistency in response to risks, applying our resources where they will make most difference
• To improve communication with firms on our assessment of them and involve them more fully in the process
• To improve the skills and knowledge of supervisory staff through better training and more effective IS
• To achieve greater efficiency and effectiveness on our management of risk making better use and sharing of the knowledge that we have
Aims of the Project (continued)
Desired outcome: Greater proportionality and consistency in response to risks – applying our resources where they will make the most difference

Changes being made:
• Better controls over the supervisory process to ensure a more consistent approach. Input from senior staff at an earlier stage in the assessment process, challenging and validating the planning / scope of assessments.
• A major overhaul to our risk framework, to allow better comparison of risks in different areas (so that we can more reliably devote our resources to the areas of greatest risk). A risk model that allows our supervisors more accurately to reflect their views of risk, and which integrates the capital assessment (see later).
• Reduced scope assessments for lower-risk firms (focussing on core areas and specific risks).
• We will also be exploring and testing options for placing greater reliance on well-controlled firms in our assessment work, allowing for a lighter touch in these cases (as well as a more informed assessment, that makes better use of firms’ own knowledge of the risks).
Aims of the Project (continued)
Desired outcome: Better communication with firms on our assessment of them

Changes being made:
• ARROW assessment letters extensively revised, to add more value to the process:
  • more focus on the main issues and what we expect firms to do about them; and
  • more helpful explanation of our views of the risks, and how we view individual firms in the context of their peer group.
• More consistently good communication of our findings in ‘close-out’ discussions after ARROW assessment visits.
• Firms provided with draft copies of ARROW letters, to allow correction of factual inaccuracies and misunderstandings, and prevent ‘surprises’ in the final letters.
Aims of the Project (continued)
Desired outcome: Improved skills and knowledge of supervisory staff

Changes being made:
• Building on our current training and development provision, institution of a comprehensive ‘Regulatory Curriculum’ for all regulatory staff, which:
  • specifies the knowledge and skills required for each role, focussing on the practical implementation of risk-based regulation;
  • operates like the syllabus for a professional qualification (with modules that are either mandatory for all, or elective / role-specific); and
  • leverages as far as possible the industry’s own training programmes, and builds on our extensive use of secondments.
• Extensive (5 days’) training on (new) ARROW for all our staff (existing and new) from March 2006.
• Much more effective and comprehensive support and guidance for supervisors, that fully equips them to assess and mitigate the key risks we face.
Aims of the Project (continued)
Desired outcome: Greater efficiency and effectiveness

Changes being made:
• More and better use of thematic working:
  • enhanced processes to identify those risks within firms that would be better dealt with through thematic work, including specialist staff;
  • tools to allow firm supervisors to leverage off the knowledge of the wider organisation, such as the work of specialist sector teams and the experience gained from supervising similar firms.
• Improved capacity to undertake sector intelligence and analysis work, so that the organisation is better informed of emerging risks and other trends in the industry.
• Streamlined processes and improved IT support, cutting down wasted time, and allowing supervisors to focus on the risks that matter.
New risk model (assessing probability in firms)
[Figure: risk model grid. Labels: Business Risks; Environmental; Business Model; Customers, Products & Markets; Business Process; Prudential; Controls; Customer, Product & Market Controls; Financial & Operating Controls; Prudential Risk Controls; Oversight & Governance; Mitigants; Capital/Liquidity; Net Risks; Customer Treatment & Market Conduct; Operating; Financial Soundness; Total]

Key features:
• 9 high-level ‘risk groups’ (with underlying ‘risk elements’) – plus capital / liquidity
• combination of inherent business risks, specific controls and overarching governance controls
• capital / liquidity has a specific role in mitigating prudential risk (only)
New risk model (continued)
Each risk group is broken down into its underlying elements

[Figure: example for the risk group “Customers, Products & Markets”, with risk elements Customer/Market Characteristics, Product Characteristics and Distribution Channels; labels: Sub sector, Issues, Supervisor, Suggestion; Customers, Products & Markets Risk Group Narrative]

The scoring system uses the following inputs:
• generic (sectoral) assessment
• specific issues identified by the supervisor
• the supervisor’s own overall view
New risk model (continued)
[Figure: the risk model grid together with the “Customers, Products & Markets” risk group breakdown into risk elements]

Supervisors will also be provided with guidance on how to assess each area of risk. This guidance will be structured along the same lines as the risk model itself. For example, the Product Risk Framework gives supervisors guidance on assessing product characteristics – describing the factors they should consider (performance risk, liquidity risk, complexity).
Relationship between ARROW and capital assessment
• The new version of ARROW will fully integrate the capital assessment – including Basel 2 and ICAS, where relevant to the firm.
• The conceptual relationship is as follows:
  • The prudential business risk group / elements in the risk model grid are driven by the Pillar 1 and Pillar 2 assessments of risk / required capital.
  • The assessment of controls (including high-level controls – quality of senior management oversight) is made in the normal way under ARROW.
  • The combination of these two drives the individual capital requirement for the firm.
  • The amount of capital held, relative to that required, drives the score against the capital / liquidity risk group; this in turn reduces (or increases) the overall level of prudential risk.
Relationship between ARROW and capital assessment (continued)
• In terms of the practicality of the processes:
  • This integration will not be fully in place until 2007 (when Basel 2 is implemented).
  • However, we will be piloting the combined approach during 2006.
  • We will be encouraging supervisors, where possible, to coordinate the capital and full ARROW assessments so that they are performed at the same time (and results reported to the firm in a single letter).
  • The approach is not dependent on this being the case, though, and circumstances may lead to the two being conducted separately (in which case the later would update the earlier).
Current status
• The design of this next generation of ARROW (“ARROW 2.0”) is virtually complete.
• We are currently completing our piloting of the new risk model, processes and IT; this has been successful, and we started to roll out ARROW 2.0 in September 2005; most changes will be in place by March 2006.
• The new IT system will take longer to build – we expect that it will be in place in late 2006 / early 2007.
ARROW’s evolutionary path
[Figure: ARROW’s evolutionary path. Stages shown: RATE, FIBSPAM; ARROW; ARROW 2.0; ARROW 2.5; ARROW 3 ?. Other labels: Assessment models; Individual risk-based methods; Supports portfolio risk-based methods; Stress and scenario testing; Outcome-based models. X marks the current position.]