SUP 1.3 The FSA's risk based approach to supervision
Purpose
The purpose of taking a risk-based approach to supervision is to focus the FSA's resources on the mitigation of risks to the regulatory objectives, and to have regard to the need to use the FSA's resources in the most efficient and economic way. The approach to risk assessment of firms is based on the extent to which they pose risks to the FSA meeting the regulatory objectives. This extent encompasses both the impact of such risks were they to crystallise and the probability of their doing so. The probability of risks crystallising depends on the inherent risks run by firms, the environment within which they operate and the internal systems and controls designed to mitigate such risks. This approach permits a matching of the intensity of the FSA's supervisory effort with the degree of risk posed by firms to meeting the regulatory objectives.
Impact and probability assessment
The impact of a firm is assessed by reference to a range of factors derived from the regulatory objectives, including:
- (1) the degree to which risks related to the firm, were they to materialise, would damage market confidence;
- (2) the extent to which the firm may pose risks to the achievement of the objective of promoting public understanding;
- (3) the extent to which consumers may be adversely affected either directly or indirectly by the firm as a result of prudential failure, misconduct, market malfunction, market manipulation or the need to contribute to the financial reconstitution of compensation schemes;
- (4) the incidence and materiality of any financial crime which may be perpetrated through or by the firm.
The probability of a firm posing a risk to meeting the regulatory objectives is, where applicable, assessed in terms of "risk groups". These are discrete sources of risks to meeting the regulatory objectives which arise from:
- (1) the firm's strategy;
- (2) the firm's business risk: those risks (such as credit, market and operational risk) which are inherent in the business;
- (3) the financial soundness of the firm;
- (4) the nature of the firm's customers and the products and services it offers;
- (5) the internal systems and controls and the compliance culture of the firm; and
- (6) the organisation of the firm and the role played by its governing body, management and staff in effectively mitigating risk.
The impact and probability assessments are combined to give an overall judgment as to the firm's priority for the FSA and therefore the nature of the relationship which the FSA will seek to have with the firm (see 'A new regulator for the new millennium' and 'Building the new regulator, Progress report 1').
In addition to assessing the firm in terms of these impact and probability factors, the FSA takes into account three further factors which may affect the choice of supervisory approach and activities:
- (1) the level of confidence in the information on which the risk assessment is based;
- (2) the quality of the home regulatory regime (for firms with their head office overseas); and
- (3) any anticipated material change in impact and probability factors.
The scope of the risk assessment process for firms
The main steps in the risk assessment process are:
- (1) preliminary assessment of a firm's potential impact on the regulatory objectives;
- (2) probability assessment - the level of detail depends on the impact rating and the complexity of the firm (in the case of low impact firms, the firm-specific probability analysis will be minimal);
- (3) for a sample of firms, validation panel for peer review of risk grading and resource allocation;
- (4) letter to firm regarding risk assessment and any remedial actions (see SUP 1.3.10 G); and
- (5) continuing review of risk assessment as necessary.
The FSA intends to communicate the outcomes of its risk assessment to the firm. In the case of firms in which risks have been identified which could have a material bearing on the FSA meeting the regulatory objectives, the FSA will also outline a programme intended to address these. The FSA considers that it would generally be inappropriate for the firm to disclose the FSA risk assessment to third parties, except those who have a right to be aware of it, for example external auditors. The assessment is directed towards a very specific purpose - to illustrate the risk posed by the firm to the regulatory objectives and to enable the FSA to allocate its resources accordingly. Using it for any other purpose might well be misleading. The FSA therefore discourages firms from disclosing their assessments.
The nature of the FSA's relationship with firms
The FSA's relationship with firms has five main elements:
- (1) Determining satisfaction of the threshold conditions: in order to carry on regulated activities, a firm must demonstrate that it can satisfy, initially and on a continuing basis, the threshold conditions (see COND) (for example, the need to maintain adequate resources).
- (2) Baseline monitoring which is designed to ensure that firms comply, on a continuing basis, with the regulatory requirements which apply to them (see SUP 1.1.2 G): the FSA collects and analyses data supplied by firms (see for example SUP 16) and by third parties such as the Financial Ombudsman Service Limited, consumers, and by other regulators.
- (3) Sectoral reviews and thematic work which will be used, for example, to validate information provided by a firm and to collect up to date information on a particular sector, in order to assess whether a firm meets required standards: thematic work is carried out to assess the risks posed by a particular issue (rather than by a sector or group of firms). The issues selected for such work are likely to be broader and proportionately more significant to the FSA's regulatory objectives.
- (4) Programmes designed to mitigate specific risks in individual firms: these programmes depend on the firm's priority for the FSA (see SUP 1.3.5 G).
- (5) Work undertaken after particular risks have escalated or crystallised: once the FSA has identified an issue, it will need to use its regulatory judgment to determine how it should respond, if at all.
The exact mixture of elements will thus vary with the firm's risk categorisation. Moreover, the elements being used at a particular time will depend on the firm's circumstances - for example, whether it is applying for permission to conduct other regulated activities, or is being investigated by the FSA.