Why risk management should be a top priority for adviser firms
It has recently become more obvious that the regulator is taking a tougher stance when it comes to compliance checking of retail firms. The regulator has also expressed a commitment to more intrusive regulation when the FCA is born out of the current practices.
Back in 2010 Park Row (http://www.fsa.gov.uk/static/pubs/final/park_row.pdf) received a customer redress ruling which clearly reinforced the FSA’s stricter position as well as the importance of adhering to governance, risk management and compliance (GRC). The former Royal Liver-owned distribution business was ordered to redress up to £7.8m to customers after the company reduced the number of cases it checked for compliance in 2008 by 28% to only 25% of cases checked, despite multiple warnings from the FSA. Clearly the reduction was to implement cost savings.
If you consider the activity of the regulator from January 2010 to the end of June 2012, they have:
- published 260 final notices;
- imposed penalties in excess of £248m, including £29m on individuals;
- prohibited 129 individuals from the industry;
- obtained redress in excess of £290m (not including PPI) for customers of regulated firms;
- secured criminal convictions against several individuals for insider dealing;
- fought 22 disciplinary cases in the tribunal and succeeded in 16 (we await decisions in 5 others);
- published 16 Decision Notices using the power given to them in 2010;
- dealt with almost 2,000 requests for assistance from overseas authorities; and
- taken action, in several ways, to tackle the threats presented by unauthorised business.
“…enforcement needs to get further up the chain of command – to look increasingly at those in senior management who fail to recognise and manage the risks their firm is running” Tracey McDermott, acting director of the Enforcement and Financial Crime Division at the FSA Enforcement Conference 2nd July 2012
If you add to this mix the nationwide regional Business Risk Awareness Workshops that the FSA has been running, there is a growing requirement for firms to invest some time in ensuring that their GRC is robust and effective, using the right management information. Perhaps more importantly, as adviser firms migrate from commission to fees and attempt to control their costs, they need to identify, evaluate and test their inherent risks and controls.
The advance of GRC
As operational risk management travels further up intermediaries’ agendas and compliance costs continue to rise, advisers are looking for ways to cut costs through automated systems and by improving administrative processes, particularly smaller firms that may not have the manpower to oversee effective compliance internally.
In 2010 Stephen Young, chief operating officer at Sesame Bankhall, quite rightly said: “It is difficult for small firms to have the knowledge and resources to run a robust risk management team. To minimise risk they need to either join a network, which will assume responsibility for compliance and risk management or outsource to a quality compliance outfit.”
Quite apart from the debate that has flared about the effectiveness of networks in their own governance and compliance checking criteria, with rumours that some networks check as few as 10% of files, the networks were a potentially good bet for advisers who were happy to pay for that service.
The RDR effect
With RDR just around the corner, adviser business models have changed substantially in the last two years. In considering their changeover, many adviser firms have invested in better and more flexible back office and customer relationship systems, as well as having spent huge amounts of time making sure their qualifications were adequate for the new world post 31st December 2012.
The main problem with risk management, and with operational and business risks in particular, is that risks are often dealt with as they arise, and many think that this is acceptable and part of the normal “business as usual” running of a business. What these people don't fully take on board are the benefits of an operational risk system.
So what is this risk?
The definition from Solvency II is "The risk of loss arising from inadequate or failed internal processes, or from personnel and systems, or from external events."
Risk management is now key to how a firm handles the issues of compliance, training and competence, and the procedures involved. More importantly, this all needs to be documented, followed, and monitored.
After years of prescriptive rules, since MiFID the FSA has moved to adopt a ‘risk based’ approach under which each firm must establish and maintain such systems and controls as are appropriate to its business. Whilst this approach must be seen as an improvement, it encompasses all aspects of a firm’s processes and cannot be taken too lightly.
This is demonstrated in SYSC 4.1.1R: "A firm must have robust governance arrangements, which include a clear organisational structure with well defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks it is or might be exposed to, and internal control mechanisms, including sound administrative and accounting procedures and effective control and safeguard arrangements for information processing systems."
Senior management within each firm is now required to assess carefully each of their processes and identify what could go wrong, how this could affect the firm and what measures can be put in place to help minimise the possibility of such issues arising.
In addition, although the responsibility clearly lies with the senior management, it is something which relates to, and should concern, everyone in the firm. A well planned, maintained and documented risk management system will lead to a compliant future.
A robust, auditable and organic operational risk management system can save firms time and money through:
- Reduction of operational loss.
- Lower compliance/auditing costs.
- Early detection of unlawful activities.
- Reduced exposure to future risks.
Additionally, alongside lower fixed costs and the associated reduction in risk capital, PI insurance can also be affected by being able to demonstrate the clarity of your system. Large organisations have the ratings agencies visit them and probe all their systems, specifically the risk management processes, so that they can maintain their ratings and reduce their regulatory risk capital to a workable level.
What system to use?
The choice of the best system is not an easy one to make, and it is often all too easy to look for a software solution, imagining that technology has an answer. Research conducted recently has identified well over 100 Governance, Risk and Compliance vendors that cover operational risk management projects. Due to the diverse nature of business models, software has several major problems:
- There are often user or other licence costs that are ongoing and add to your fixed costs
- You usually need staff to be trained to operate the systems
- The companies hold you to emotional ransom when they upgrade the system with new whistles and bells
If you Google "Risk Management system" you will be presented with hundreds of pages of books, courses, blogs and software trials that are generally provided for the larger organisations. This would be software that may have 20% applicability to most IFAs, who are generally not large enough to warrant such extravagant expenditure for what is effectively unused functionality.
If you Google something a little more specific and pertinent to IFAs such as "IFA Risk Management system UK small" you will see that there are better options available, including simple risk management models.
What is obvious from the regulator's speeches and behaviours is that risk management is a key area for concern and one that will be focussed on quite significantly in the future.
Martin Wheatley, CEO Designate of the FCA, highlighted three important points about the FCA and its enforcement plans at the FSA Enforcement Conference in July:
- “Firstly, I’ve already given you my commitment to continuing our credible deterrence strategy, which has proven very successful over the last few years.
- Secondly, we will continue to use the full range of our existing enforcement tools, which include pursuing criminal prosecutions where appropriate. Where we see examples of bad practices we will continue to look across a range of firms and sectors to identify and deal with problems, as we have done in recent years with incidents of mortgage fraud, for example.
- There will, however, be some changes to the way we will deliver our activities as the FCA. So the third point I’d like to highlight is that we will be more prepared to use formal tools including enforcement actions to support the FCA’s emphasis on intervening earlier to stop problems from occurring. Members of our Enforcement Division will get involved in supervisory decisions at an earlier stage, and provide specialist support and expertise to our supervisors. We will take action earlier to tackle root causes – like poor remuneration arrangements – rather than waiting for the risks to crystallise.”
Although rigorous risk and compliance management is not cheap and some firms may resent it as yet another fruitless imposition, having an effective risk management system that is fully auditable, flexible enough to meet your business model's needs and keeps all the issues in one place provides a demonstration of maturity in business that many of your peers may often lack.
If you can adopt a system with the previous benefits that can also be used on simple office-type programs (so there is no additional software to buy), can be archived and retrieved easily, provides an overall picture and is simple enough to be managed by one person, surely that would be enough to satisfy regulators, PI insurers, auditors and stakeholders as well?
Lee Werrell is owner of CEI Compliance and writes in the IFA Magazine as the "Compliance Doctor" as well as having published several technical publications on financial services targeted for retail firms.
Author: Lee Werrell
Posted: Saturday, August 18, 2012 | 4:27:20 PM