Andrew Sheen February 3, 2021

Don't Tell Your Regulator....

"We don’t capture all our key risks"


This blog is one of a series designed to identify common mistakes made by firms and to explain why each mistake is damaging and could lead to regulatory sanction, a capital add-on and even a skilled persons review (S166).

A surprising number of firms either do not have a comprehensive framework to identify the key risks they face or, even worse, have no risk identification framework at all. Risk identification is one of the cornerstones of any risk management framework, and the absence of this starting point renders the remainder of the framework effectively null and void. The risk cycle clearly shows that if the identification of risks is missing, or not sufficiently comprehensive, the assessment, management and reporting processes can have no value.

[Figure: Risk circle]

In many cases firms' risk assessment processes are incomplete: they fail to capture top-down risks or bottom-up risk exposure, and/or fail to horizon-scan for new and emerging risks (the pandemic, for example). To be effective and comprehensive, the risk identification process must seek to capture all of a firm's key risks, whatever their origin. In the UK, under the Senior Managers and Certification Regime, the Chief Risk Officer and the Chair of the Board Risk Committee could potentially be exposed to regulatory concern and sanction if a risk management framework fails to capture a firm's risk exposure.

Nevertheless, many firms struggle with the resources required to establish a risk management framework that captures all the risks the firm faces. One solution is to ensure that only key risks are comprehensively identified and assessed. The Risk and Control Self-Assessment (RCSA) process provides one mechanism for ensuring that only key risks are subject to comprehensive review. After all, if a risk is considered to have low inherent risk, it can be argued that there is no need to subject it to a comprehensive review process.

There are, of course, some firms, and even some regulators, who argue that there is no need to assess inherent risk. I have never understood this approach, as it prevents a firm from understanding its potential risk exposure when controls fail. In addition, the transition from inherent to residual risk must imply something about the quality of the controls established by the firm. If a firm has very high inherent risk, considers its controls to be effective and yet still has very high residual risk, the quality of the control assessment must be questioned.

We hope you find this blog helpful. For a full overview of our approach to framework improvements, please contact us.