PRU 1.4 1Prudential risk management and associated systems and controls

PRU 1.4 sets out some rules and guidance on the establishment and maintenance of systems and controls for the management of a firm's prudential risks. A firm's prudential risks are those that can reduce the adequacy of its financial resources, and as a result may adversely affect confidence in the financial system or prejudice consumers. Some key prudential risks are credit, market, liquidity, operational, insurance and group risk.

The purpose of PRU 1.4 is to serve the FSA's regulatory objectives of consumer protection and market confidence. In particular, this section aims to reduce the risk that a firm may pose a threat to these regulatory objectives, either because it is not prudently managed, or because it has inadequate systems to permit appropriate senior management oversight and control of its business.

Both adequate financial resources and adequate systems and controls are necessary for the effective management of prudential risks. A firm may hold financial resources to help alleviate the financial consequences of minor weaknesses in its systems and controls (to reflect possible impairments in the accuracy or timing of its identification, measurement, monitoring and control of certain risks, for example). However, financial resources cannot adequately compensate for significant weaknesses in a firm's systems and controls that could fundamentally undermine its ability to control its affairs effectively.

PRU 1.4 is designed to amplify Principle 3 (Management and control) which requires that a firm take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems. PRU 1.4 is also designed to be complementary to SYSC 2, SYSC 3 and SYSC 3A in that it contains some additional rules and guidance on senior management arrangements and associated systems and controls for firms that could have a significant impact on the FSA's objectives in a prudential context.

In addition to supporting PRIN and SYSC, PRU 1.4 lays the foundations for the more specific rules and guidance on the management of credit, market, liquidity, operational, insurance and group risks that are in PRU 3.1, PRU 4.1, PRU 5.1, PRU 6.1, PRU 7.1 and PRU 8.1 respectively. Many of the elements raised here in general terms are expanded upon in these sections.

Appropriate systems and controls for the management of prudential risk will vary from firm to firm. Therefore most of the material in PRU 1.4 is guidance. In interpreting this guidance, a firm should have regard to its own particular circumstances. Following from SYSC 3.1.2 G, this should include considering the nature, scale and complexity of its business, which may be influenced by factors such as:

1. (1)

   the diversity of its operations, including geographical diversity;

2. (2)

   the volume and size of its transactions; and

3. (3)

   the degree of risk associated with each area of its operation.

The guidance contained within this section is not designed to be exhaustive. When establishing and maintaining its systems and controls a firm should have regard not only to other parts of the Handbook, but also to material that is issued by other industry or regulatory bodies.

In a prudential context, a firm's systems and controls should provide its senior management with an adequate means of managing the firm. As such, they should be designed and maintained to ensure that senior management is able to make and implement integrated business planning and risk management decisions on the basis of accurate information about the risks that the firm faces and the financial resources that it has.

Ultimate responsibility for the management of prudential risks rests with a firm's governing body and relevant senior managers, and in particular with those individuals that undertake the firm's governing functions and the apportionment and oversight function. In particular, these responsibilities should include:

1. (1)

   overseeing the establishment of an appropriate business plan and risk management strategy;

2. (2)

   overseeing the development of appropriate systems for the management of prudential risks;

3. (3)

   establishing adequate internal controls; and

4. (4)

   ensuring that the firm maintains adequate financial resources.

Although authority for the management of a firm's prudential risks is likely to be delegated, to some degree, to individuals at all levels of the organisation, overall responsibility for this activity should not be delegated from its governing body and relevant senior managers.

Where delegation does occur, a firm should ensure that appropriate systems and controls are in place to allow its governing body and relevant senior managers to participate in and control its prudential risk management activities. The governing body and relevant senior managers should approve and periodically review these systems and controls to ensure that delegated duties are being performed correctly.

Some firms organise the management of their prudential risks on a stand-alone basis. In some cases, however, the management of a firm's prudential risks may be entirely or largely subsumed within a whole group or sub-group basis.

1. (1)

   The latter arrangement may still comply with the FSA's prudential policy on systems and controls if the firm's governing body formally delegates the functions that are to be carried out in this way to the persons or bodies that are to carry them out. Before doing so, however, the firm's governing body should have explicitly considered the arrangement and decided that it is appropriate and that it enables the firm to meet the FSA's prudential policy on systems and controls. The firm should notify the FSA if the management of its prudential risks is to be carried out in this way.

2. (2)

   Where the management of a firm's prudential risks is largely, but not entirely, subsumed within a whole group or sub-group basis, the firm should ensure that any prudential issues that are specific to the firm are:

   1. (a)

      identified and adequately covered by those to whom it has delegated certain prudential risk management tasks; or

   2. (b)

      dealt with by the firm itself.

Any delegation of the management of prudential risks to another part of a firm's group does not relieve it of responsibility for complying with the FSA's prudential policy on systems and controls. A firm cannot absolve itself of such a responsibility by claiming that any breach of the FSA's prudential policy on systems and controls is effected by the actions of a third party firm to whom the firm has delegated tasks. The risk management arrangements are still those of the firm, even though personnel elsewhere in the firm's group are carrying out these functions on its behalf. Thus any references in PRU to what a firm, its personnel and its management should and should not do still apply, and do not need any adjustment to cover the situation in which risk management functions are carried out on a group-wide basis.

Where it is stated in PRU that a particular task in relation to a firm's systems and controls should be carried out by a firm's governing body this task should not be delegated to another part of its group. Furthermore, even where the management of a firm's prudential risks is delegated as described in PRU 1.4.14 G, responsibility for its effectiveness and for ensuring that it remains appropriate remains with the firm's governing body. The firm's governing body should therefore keep any delegation under review to ensure that delegated duties are being performed correctly.

Business planning and risk management are closely related activities. In particular, the forward-looking assessment of a firm's financial resources needs, and of how business plans may affect the risks that it faces, are important elements of prudential risk management. A firm's business planning should also involve the creation of specific risk policies which will normally outline a firm's strategy and objectives for, as appropriate, the management of its market, credit, liquidity, operational, insurance and group risks and the processes that it intends to adopt to achieve these objectives. PRU 1.4.18 R to PRU 1.4.25 G set out some rules and guidance relating to business planning and risk management in a prudential context (see also SYSC 3.2.17 G, which states that a firm should plan its business appropriately).

The prudential risk management systems referred to in PRU 1.4.18 R and PRU 1.4.19 R are the means by which a firm is able to:

1. (1)

   identify the prudential risks that are inherent in its business plan, operating environment and objectives, and determine its appetite or tolerance for these risks;

2. (2)

   measure or assess its prudential risks;

3. (3)

   monitor its prudential risks; and

4. (4)

   control or mitigate its prudential risks.

PRU 5.1.78 E is an evidential provision relating to PRU 1.4.18 R concerning risk management systems in respect of liquidity risk arising from substantial exposures in foreign currencies.

A firm should consider the relationship between its business plan, risk policies and the financial resources that it has available (or can readily access), recognising that decisions made in respect of one element may have consequences for the other two.

A firm's business plan and risk management systems should be:

1. (1)

   effectively communicated so that all employees and contractors understand and adhere to the procedures related to their own responsibilities;

2. (2)

   regularly updated and revised, in particular when there is significant new information or when actual practice or performance differs materially from the documented strategy, policy or systems.

The level of detail in a firm's business plan and its approach to the design of its risk management systems should be appropriate to the scale and complexity of its operations, and the nature and degree of risk that it faces.

A firm's business plan and systems documentation should be accessible to the firm's management in line with their respective responsibilities and, upon request, to the FSA.

PRU 1.4.19 R (5) requires a firm to document its financial projections and the results of its stress testing and scenario analysis. Such financial projections, stress tests and scenario analysis should be used by a firm's governing body and relevant senior managers when deciding upon how much risk the firm is willing to accept in pursuit of its business objectives and how risk limits should be set. Further rules and guidance on stress testing and scenario analysis are outlined in PRU 1.2 (Adequacy of financial resources) and PRU 5.1 (Liquidity risk systems and controls).

Internal controls should provide a firm with reasonable assurance that it will not be hindered in achieving its objectives, or in the orderly and legitimate conduct of its business, by events that may reasonably be foreseen. More specifically in a prudential context, internal controls should be concerned with ensuring that a firm's business plan and risk management systems are operating as expected and are being implemented as intended. The following rule (PRU 1.4.27 R) reflects the importance of internal controls in a prudential context.

The precise role and organisation of internal controls can vary from firm to firm. However, a firm's internal controls should normally be concerned with assisting its governing body and relevant senior managers to participate in ensuring that it meets the following objectives:

1. (1)

   safeguarding both the assets of the firm and its customers, as well as identifying and managing liabilities;

2. (2)

   maintaining the efficiency and effectiveness of its operations;

3. (3)

   ensuring the reliability and completeness of all accounting, financial and management information; and

4. (4)

   ensuring compliance with its internal policies and procedures as well as all applicable laws and regulations.

When determining the adequacy of its internal controls, a firm should consider both the potential risks that might hinder the achievement of the objectives listed in PRU 1.4.28 G, and the extent to which it needs to control these risks. More specifically, this should normally include consideration of:

1. (1)

   the appropriateness of its reporting and communication lines (see SYSC 3.2.2 G);

2. (2)

   how the delegation or contracting of functions or activities to employees, appointed representatives or other third parties (for example outsourcing) is to be monitored and controlled (see SYSC 3.2.3 G to SYSC 3.2.4 G, PRU 1.4.12 G to PRU 1.4.16 G and PRU 1.4.33 G; additional guidance on the management of outsourcing arrangements is also provided in SYSC 3A.9);

3. (3)

   the risk that a firm's employees or contractors might accidentally or deliberately breach a firm's policies and procedures (see SYSC 3A.6.3 G);

4. (4)

   the need for adequate segregation of duties (see SYSC 3.2.5 G and PRU 1.4.30 G to PRU 1.4.33 G);

5. (5)

   the establishment and control of risk management committees (see PRU 1.4.34 G to PRU 1.4.37 G);

6. (6)

   the need for risk assessment and the establishment of a risk assessment function (see SYSC 3.2.10 G and PRU 1.4.38 G to PRU 1.4.41 G); and

7. (7)

   the need for internal audit and the establishment of an internal audit function and audit committee (see SYSC 3.2.15 G to SYSC 3.2.16 G and PRU 1.4.42 G to PRU 1.4.45 G).

The effective segregation of duties is an important internal control in the prudential context. In particular, it helps to ensure that no one individual is completely free to commit a firm's assets or incur liabilities on its behalf. Segregation can also help to ensure that a firm's governing body receives objective and accurate information on financial performance, the risks faced by the firm and the adequacy of its systems. In this regard, a firm should ensure that there is adequate segregation of duties between employees involved in:

1. (1)

   taking on or controlling risk (which could include risk mitigation);

2. (2)

   risk assessment (which includes the identification and analysis of risk); and

3. (3)

   internal audit.

In addition, a firm should normally ensure that no single individual has unrestricted authority to do all of the following:

1. (1)

   initiate a transaction;

2. (2)

   bind the firm;

3. (3)

   make payments; and

4. (4)

   account for it.

Where a firm is unable to ensure the complete segregation of duties (for example, because it has a limited number of staff), it should ensure that there are adequate compensating controls in place (for example, frequent review of an area by relevant senior managers).

Where a firm outsources a controlled function, such as internal audit, it should take reasonable steps to ensure that every individual involved in the performance of this service is independent from the individuals who perform its external audit. This should not prevent services from being undertaken by a firm's external auditors provided that:

1. (1)

   the work is carried out under the supervision and management of the firm's own internal staff; and

2. (2)

   potential conflicts of interest between the provision of external audit services and the provision of controlled functions are properly managed.

In many firms, especially if there are multiple business lines, it is common for the governing body to delegate some tasks related to risk control and management to committees such as asset and liability committees (ALCO), credit risk committees and market risk committees.

Where a firm decides to create one or more risk management committee(s), adequate internal controls should be put in place to ensure that these committees are effective and that their actions are consistent with the objectives outlined in PRU 1.4.28 G. This should normally include consideration of the following:

1. (1)

   setting clear terms of reference, including membership, reporting lines and responsibilities of each committee;

2. (2)

   setting limits on their authority;

3. (3)

   agreeing routine reporting and non-routine escalation procedures;

4. (4)

   agreeing the minimum frequency of committee meetings; and

5. (5)

   reviewing the performance of these risk management committees.

The decision to delegate risk management tasks, along with the terms of reference of the committees and their performance, should be reviewed periodically by the firm's governing body and revised as appropriate.

The effective use of risk management committees can help to enhance a firm's internal controls. In establishing and maintaining its risk management committees, a firm should consider:

1. (1)

   their membership, which should normally include relevant senior managers (such as the head of group risk, head of legal, and the heads of market, credit, liquidity and operational risk, etc.), business line managers, risk management personnel and other appropriately skilled people, for example, actuaries, lawyers, accountants, IT specialists, etc.;

2. (2)

   using these committees to:

   1. (i)

      inform the decisions made by a firm's governing body regarding its appetite or tolerance for risk taking;

   2. (ii)

      highlight risk management issues that may require attention by the governing body;

   3. (iii)

      consider risk at the firm-wide level and, within delegated limits, to determine the allocation of risk limits and financial resources across business lines;

   4. (iv)

      consider how exposures may be unwound, hedged, or otherwise mitigated, as appropriate.

Risk assessment is the process through which a firm identifies and analyses (using both qualitative and quantitative methodologies) the risks that it faces. A firm's risk assessment activities should normally include consideration of:

1. (1)

   its total exposure to risk at the firm-wide level (that is, its exposure across business lines and risk categories);

2. (2)

   capital allocation and the need to calculate risk weighted returns for different business lines;

3. (3)

   the potential correlations that can exist between the risks in different business lines; this should also include looking for risks to which a firm's business plan is particularly sensitive, such as interest rate risk, or multiple dealings with the same counterparty;

4. (4)

   the use of stress tests and scenario analysis;

5. (5)

   whether there are risks inherent in the firm's business that are not being addressed adequately;

6. (6)

   the risk adjusted return that the firm is achieving; and

7. (7)

   the adequacy and timeliness of management information on market, credit, insurance, liquidity, operational and group risks from the business lines, including risk limit utilisation.

In accordance with SYSC 3.2.10 G a firm should consider whether it needs to set up a separate risk assessment function (or functions) that is responsible for assessing the risks that the firm faces and advising its governing body and senior managers on them.

Where a firm does decide that it needs a separate risk assessment function, the employees or contractors that carry out this function should not normally be involved in risk taking activities such as business line management (see PRU 1.4.30 G to PRU 1.4.33 G on the segregation of duties).

A summary of the results of the analysis undertaken by a firm's risk assessment function (including, where necessary, an explanation of any assumptions that were adopted) should normally be reported to relevant senior managers as well as to the firm's governing body.

A firm should ensure that it has appropriate mechanisms in place to assess and monitor the appropriateness and effectiveness of its systems and controls. This should normally include consideration of:

1. (1)

   adherence to and effectiveness of, as appropriate, its market, credit, liquidity, operational, insurance, and group risk policies;

2. (2)

   whether departures and variances from its documented systems and controls and risk policies have been adequately documented and appropriately reported, including whether appropriate pre-clearance authorisation has been sought for material departures and variances;

3. (3)

   adherence to and effectiveness of its accounting policies, and whether accounting records are complete and accurate;

4. (4)

   adherence to and effectiveness of its management reporting arrangements, including the timeliness of reporting, and whether information is comprehensive and accurate; and

5. (5)

   adherence to FSA rules and regulatory prudential standards.

In accordance with SYSC 3.2.15 G and SYSC 3.2.16 G, a firm should consider whether it needs to set up a dedicated internal audit function.

Where a firm decides to set up an internal audit function, this function should provide independent assurance to its governing body, audit committee or an appropriate senior manager of the integrity and effectiveness of its systems and controls.

In forming its judgements, the person performing the internal audit function should test the practical operation of a firm's systems and controls as well as its accounting and risk policies. This should include examining the adequacy of supporting records.

Many individuals, at various levels of a firm, need management information relating to their activities. However, PRU 1.4.47 G to PRU 1.4.50 G concentrates on the management information that should be available to those at the highest level of a firm, that is, the firm's governing body and relevant senior managers. In so doing PRU 1.4.47 G to PRU 1.4.50 G amplifies SYSC 3.2.11 G to SYSC 3.2.12 G (which outlines the FSA's high level policy on senior management information) by providing some additional guidance on the management information that should be available in a prudential context.

The role of management information should be to help a firm's governing body and senior managers to understand risk at a firm-wide level. In so doing, it should help them to:

1. (1)

   determine whether a firm is prudently managed with adequate financial resources;

2. (2)

   make the decisions that fall within their ambit (for example, the high level business plans, strategy and risk tolerances of the firm); and

3. (3)

   oversee the execution of tasks for which they are responsible.

A firm should consider what information needs to be made available to its governing body and senior managers. Some possible examples include:

1. (1)

   firm-wide information such as the overall profitability and value of a firm and its total exposure to risk;

2. (2)

   reports from committees to which the governing body has delegated risk management tasks, if applicable;

3. (3)

   reports from a firm's internal audit and risk assessment functions, if applicable, including exception reports, where risk limits and policies have been breached or systems circumvented;

4. (4)

   financial projections under expected and abnormal (that is, stressed) conditions;

5. (5)

   reconciliation of actual profit and loss to previous financial projections and an analysis of any significant variances;

6. (6)

   matters which require a decision from the governing body or senior managers, for example a significant variation to a business plan, amendments to risk limits, the creation of a new business line, etc;

7. (7)

   compliance with FSA rules and regulatory prudential standards;

8. (8)

   risk weighted returns; and

9. (9)

   liquidity and funding requirements.

The management information that is provided to a firm's governing body and senior managers should have the following characteristics:

1. (1)

   it should be timely, its frequency being determined by factors such as:

   1. (a)

      the volatility of the business in which the firm is engaged (that is, the speed at which its risks can change);

   2. (b)

      any time constraints on when action needs to be taken; and

   3. (c)

      the level of risk that the firm is exposed to, compared to its available financial resources and tolerance for risk;

2. (2)

   it should be reliable, having regard to the fact that it may be necessary to sacrifice a degree of accuracy for timeliness; and

3. (3)

   it should be presented in a manner that highlights any relevant issues on which those undertaking governing functions should focus particular attention.

The production of management and other information may require the collation of data from a variety of separate manual and automated systems. In such cases, responsibility for the integrity of the information may be spread amongst a number of operational areas. A firm should ensure that it has appropriate processes to validate the integrity of its information.

SYSC 3.2.20 R requires a firm to take reasonable care to make and retain adequate records. The following policy on record keeping supplements SYSC 3.2.20 R by providing some additional rules and guidance on record keeping in a prudential context. The purpose of this policy is to:

1. (1)

   facilitate the prudential supervision of a firm by ensuring that adequate information is available regarding its past/current financial situation and business activities (which includes the design and implementation of systems and controls); and

2. (2)

   help the FSA to satisfy itself that a firm is operating in a prudent manner and is not prejudicing the interests of its customers or market confidence.

In addition to the record keeping requirements in PRU, a firm should remember that it may be obliged, under other applicable laws or regulations, to keep similar or additional records.

A firm should be able to make available the records described in PRU 1.4.53 R within a reasonable timeframe when requested to do so by the FSA.

The FSA recognises that not all records are specific to a particular point in time. As such, while it may be appropriate to update some records on a daily or continuous basis, for example expenditure and details of certain transactions, it may not be appropriate to update other records as regularly as this, for example those relating to its business plan and risk policies. A firm should decide how regularly it should update particular records.

A firm should decide which records it needs to hold, noting that compliance with PRU 1.4.53 R does not require it to hold records on every single aspect of its activities. Some specific guidance on the types of records that a firm should hold is set out in each of the risk specific sections on systems and controls (see PRU 3.1, PRU 4.1, PRU 5.1, PRU 6.1, PRU 7.1 and PRU 8.1).

In deciding which records to hold, a firm should also take into account that failure to keep adequate records could make it harder for it to satisfy the FSA that it is compliant with the rules in PRU, and to defend any enforcement action taken against it.

A firm should keep the records required in PRU in an appropriate format and language (in terms of format this could include holding them on paper or in electronic or some other form). However, whatever format or language a firm chooses, SYSC 3.2.20 R requires that records be capable of being reproduced on paper and in English (except where they relate to business carried on from an establishment situated in a country where English is not an official language).

In accordance with SYSC 3.2.20 R, a firm should retain the records that it needs to comply with PRU 1.4.53 R for as long as they are relevant for the purposes for which they were made.

Where a firm outsources the storage of some or all of its records to a third party service provider, it should ensure that these records are readily accessible and can be reproduced within a reasonable time period. The firm should also ensure that these records are stored in compliance with the rules and guidance on record keeping in PRU. Additional guidance on the management of outsourcing agreements is provided in SYSC 3A.

A firm may rely on records that have been produced by a third party (for example, another group company or an external agent, such as an outsource service provider). However where the firm does so it should ensure that these records are readily accessible and can be reproduced within a reasonable time period. The firm should also ensure that these records comply with the rules and guidance on record keeping in PRU.

In accordance with SYSC 3.2.21 G, a firm should have adequate systems and controls for maintaining the security of its records so that they are reasonably safeguarded against loss, unauthorised access, alteration or destruction.