
Potential harm analysis and risk management framework

by Anthony Ma

‘Risk of harm’ is a central concept in FCA’s Approach to Supervision, Guidance FG20/1, and various policy papers related to the new Investment Firm Prudential Regime (IFPR, or ‘MIFIDPRU’). Two questions would be of interest to risk managers in FCA solo-regulated firms: 1.) Is ‘risk of harm’ a new risk category in a firm’s risk taxonomy? 2.) What are the implications to a firm’s risk methodology? Conceptual clarity is crucial to risk assessment processes such as Pillar 2 or ICARA.

aligning with the FCA’s methodology

From the FCA’s perspective, ‘risk of harm’ means risk to FCA regulatory objectives due to the harm caused by firms to their customers and the markets. Hence, the FCA will do business model analysis to identify such risks and take actions when risks of harm materialize.

But the FCA also asks firms to identify risks of harm, especially for investment firms in their ICARA process. This does not mean there will be new risk categories in a firm’s risk taxonomy. But it will imply some adjustments to a firm’s own risk framework.

In practice, financial institutions usually view risks as uncertainties that will lead to negative variability to their revenue and profits. Even conduct-related risks are ultimately focusing on the financial impact on the firm due to conduct failures.

To embed the ‘risk of harm’ approach in the risk methodology, firms must explicitly identify the victims outside the firm, i.e., carry out a potential harm analysis. The analysis requires consideration of the negative impact on these stakeholders and evaluation of the redress actions that the firm is expected to take. Effectively, this is a pervasive embedment of conduct outcome analysis in the risk management framework.

In addition, the risk of harm also includes risk of harm to the firm itself. Broadly speaking, this covers existing credit risk, market risk, liquidity risk etc. analyses. There is perhaps no harm to other stakeholders involved in this context. However, if these risks materialize and lead to significant capital depletion or liquidity difficulties, then the FCA would want to ensure there is an effective recovery, or an orderly wind-down. It is understood that disorderly wind-down of a financial institution presents a great deal of harm to customers and to the market.

Intelligent Risk - February 2022

implications to the RCSA

There are several important implications to a firm’s risk framework. The first one is the need to remodel the Risk Control Self-Assessment (RCSA). Most firms will set up a pro forma and conduct workshops with various business areas to self-assess respective key risks and controls. The scoring mechanism and the difference between gross risk and net risk should be well-understood by most risk managers.

In light of the potential harm analysis, the RCSA must include additional elements: (a) the stakeholders who may be affected; (b) mitigations to limit the harm; (c) redress to correct the harm; (d) indicative cost drivers of such redress, including potential compensation and regulatory fines. Most RCSAs would have a row for each risk item identified, so these additional elements would be arranged as additional columns in the RCSA. For firms that have a long list of risk items in the RCSA, it is certainly a sizable project to revisit them.

But more importantly, the mindset of the participants from different business areas in RCSA workshops must adapt. In the past, a lot of business areas were themselves profit centers or cost centers. So, a risk event can be linked to the performance of those. But the potential harm analysis requires people to extend their thinking to consider the perspective of wider stakeholders. Further training and a better tailored template for brainstorming in the workshops may be necessary in the subsequent RCSA cycles.

In addition, the Risk Appetite Statement (RAS) should also be suitably updated by defining some of the risk appetite by way of conduct outcome. This will help to create appropriate controls to mitigate the potential harms.

other implications

The FCA made quite clear that the potential harm analysis should be underpinned by scenario analyses. Traditionally, scenarios selected need to be severe but plausible, covering both idiosyncratic and market-wide situations. Potential harm analysis refreshes the meaning of ‘severity’ in this context. When considering severity, one no longer measures just the financial losses to the firm in a particular scenario; one also has to take into account the harm to wider stakeholders.

Note that all these analyses should ultimately enable a credible calibration for regulatory capital. This would involve an objective measurement of harm. There is unfortunately no obvious way of quantifying ‘harm’, other than measuring it by way of the cost of redress, compensation, and fines. The task is even more challenging as there is no perfectly reliable data for such measurement. However, a reasonable estimate is possible by detailed research and consultation with the SMEs.

final remarks

No doubt the industry (especially the investment firms subject to IFPR) will continue to reflect on how the ‘risk of harm’ approach can be properly incorporated in the risk frameworks. For banks, the PRA does not seem to be promulgating such an approach. But given that banks are also supervised by the FCA with respect to conduct matters, incorporating potential harm analysis in the risk framework should be seen as a sensible move.

references

FG20/1: Our framework: assessing adequate financial resources (fca.org.uk)

author Anthony Ma

Anthony Ma, Associate Director, Deloitte LLP, specializes in financial risk management and financial services regulations (FSRs). He is an ex-regulator with experience across several regulatory business areas (including prudential supervision and structural reform) and was the main author of the Wind-down Planning Guide (WDPG). In the private sector, he has advised numerous financial institutions with extensive experience in managing regulatory changes and prudential crises. His practice areas include prudential regimes implementation, recovery/wind-down/resolution planning, governance/remuneration/ESG and authorisations. In addition to the commercial practice, he retains strong interests in geopolitical risks and emerging risks due to artificial intelligence / machine learning.
