
1

Putting you in the driver’s seat

2

Workshop objectives

• Understand the Risk Assessment Methodology
• Thinking like the FSC
• How individual scores influence outcomes of the whole programme
• Concentrating on what matters the most


3

Format for the morning

• Some background, theory
• Case Study - Critique in groups
• Presentation of findings
• Some maths and spreadsheets
• Risk mitigation Identification
• Programme design
• Conclusions

4

Reducing the burden of being regulated

Risk Management

Compliance Monitoring


5

The Risk Assessment Process

Off-site

Initial Profile

On-Site

Final Profiling

Interfacing & Risk Mitigation

6

Off-site


7

Initial Profile

8

The FSC’s Regulatory Objectives


9

Risks to Objectives

10

Type of Firm

Prudential

Combination

Conduct of Business


11

What firm type are you?

Division\Type: Prudential, Conduct of Business, Combined approach

Auditors: Audit Firms; Auditors
Banking & Investment Services: Banks; E-Money; MSBs; MiFID Firms; Banks - MiFID
Fiduciary: Company Managers; Trustees
Funds and Pensions: Pension Schemes; CIS Managers (operators); Funds
Insurance: General Insurance Companies; IMD firms; Insurance Managers; Life Insurance Companies

12

Prudential Risk Assessment

Prudential Requirements

Returns, Audited Financial Statements, MIS

Capital, Solvency, Liquidity, Financial Performance


13

Conduct of Business Risk Assessment

Conduct of Business Requirements

On-site testing/File Reviews

MiFID & IMD Obligations, AML/CFT, Advice & Services

14

Combined Risk Assessment

Prudential Requirements

Conduct of Business Requirements

Combination Approach


15

Business Risks

Financial
• To determine the adequacy of the capital, funding and insurance cover in light of the current and future business plans of the firm.

Environment
• To determine what operational and other market risks the firm is subjecting itself to in carrying out its business plan.

Business
• To determine where the current and future risks lie in a firm’s business plan, products and strategy.

16

Business Risks

Financial
• Capital
• Liquidity
• Earnings
• Insurance

Environment
• Group
• Legal
• Operational
• Market
• Underwriting
• Credit

Business
• Strategy
• Customers
• Sources & Distribution
• Products & Services


17

Control Risks

Controls
• To determine the control environment of a firm and management’s ability to put into place proper oversight procedures.

Organisation
• To determine if the legal ownership structure and/or passporting of services of the firm provides any impediments to the supervision of the firm.

Management
• To determine if the firm’s corporate governance arrangements and management are adequate for the nature, size and complexity of the firm.

18

Control Risks

Controls
• Compliance, Audit & Risk Management
• Conduct of Business
• Operations
• Control Environment

Organisation
• Multiple Activity Groups
• Branches & Subsidiaries
• Ownership

Management
• Quality of Management
• Corporate Governance


19

Scoring Risk Elements

Rating | Meaning | Score
Perceptible | highly likely in 12 months | 5.0
Probable | 50% probability | 3.0
Possible | reasonable chance | 1.75
Negligible | little likelihood | 1.0
Not Applicable
Crystallised

20

Workshop Session 1 - Critique

After having examined the Case Study, read through the preliminary Risk Assessment carried out by a member of your team. As a group:

Critique the work undertaken, making notes of
• Areas that are not important
• Areas that have been missed out
• Scores that you would assign to each of the elements

Present your group’s findings to the workshop


21

Workshop Presentation

22

Maxing Out

Risk Element Scoring

1.75

5.00

3.00

N/a

Max Score = 5.00


23

How risk types are weighted according to type of firm

Risk Type \ Firm Type | Prudential | Conduct of Business | Combined approach

Business Risks
Financial | 60% | 10% | 40%
Environment | 30% | 20% | 20%
Business | 10% | 70% | 40%

Control Risks
Controls | 40% | 60% | 45%
Organisation | 10% | 10% | 10%
Management | 50% | 30% | 45%

Weights are representative of the major risk types applicable to the firm type.

24

Obtaining a Risk Profile

Business Risks | Max Score | Weight % | Weighted Score
Financial
Environment
Business
Total
X Impact Score = Business Risk Score

Control Risks | Max Score | Weight % | Weighted Score
Controls
Organisation
Management
Total
X Impact Score = Control Risk Score


25

Obtaining a Risk Profile

Business Risks | Max Score | Weight % | Weighted Score
Financial | 1.75 | 10% | 0.175
Environment | 5.0 | 20% | 1.000
Business | 3.0 | 70% | 2.100
Total | | | 3.275
X Impact Score = Business Risk Score

Control Risks | Max Score | Weight % | Weighted Score
Controls | 5.0 | 60% | 3.000
Organisation | 1.0 | 10% | 0.100
Management | 1.0 | 30% | 0.300
Total | | | 4.300
X Impact Score = Control Risk Score

Conduct of Business Weights!

26

Impact


27

Impact

Impact factor | High (5) | Medium High (3) | Medium Low (1.75) | Low (1) | Importance Weighting
Size | High | Medium High | Medium Low | Low | 50%
Customer Experience | General Public | Mixed | - | Professional / Captive / Experienced | 20%
Product Types | Investment / Banking | Fiduciary | Fund Administrator | Protection / Other | 15%
Client Assets / Monies held | Holding | - | Controlling | None | 15%

28

Impact

Impact factor | High (5) | Medium High (3) | Medium Low (1.75) | Low (1) | Importance Weighting | Value | Score
Size | High | Medium High | Medium Low | Low | 50% | |
Customer Experience | General Public | Mixed | - | Professional / Captive / Experienced | 20% | |
Product Types | Investment / Banking | Fiduciary | Fund Administrator | Protection / Other | 15% | |
Client Assets / Monies held | Controlling | - | Holding | None | 15% | |
Impact Score

Determines that Conduct of Business weighting needs to be used!


29

Impact

Impact factor | High (5) | Medium High (3) | Medium Low (1.75) | Low (1) | Importance Weighting | Value | Score
Size | High | Medium High | Medium Low | Low | 50% | 3 | 1.50
Customer Experience | General Public | Mixed | - | Professional / Captive / Experienced | 20% | 1 | 0.20
Product Types | Investment / Banking | Fiduciary | Fund Administrator | Protection / Other | 15% | 3 | 0.45
Client Assets / Monies held | Controlling | - | Holding | None | 15% | 5 | 0.75
Impact Score | | | | | | | 2.90

30

Obtaining a Risk Profile

Business Risks | Max Score | Weight % | Weighted Score
Financial | 1.75 | 10% | 0.175
Environment | 5.0 | 20% | 1.000
Business | 3.0 | 70% | 2.100
Total | | | 3.275
X Impact 2.90 = 9.4975 Business Risk Score

Control Risks | Max Score | Weight % | Weighted Score
Controls | 5.0 | 60% | 3.000
Organisation | 1.0 | 10% | 0.100
Management | 1.0 | 30% | 0.300
Total | | | 4.300
X Impact 2.90 = 12.470 Control Risk Score


31

What your score means

32

A risk profile

[Chart: risk profile plot; axis label Business Risks; axis ticks 10, 15, 20, 25; plotted values 9.4975 and 12.47]


33

When a risk is crystallised

[Chart: risk profile plot; axis label Business Risks; axis ticks 10, 15, 20, 25]

When a risk element is scored as CRYSTALLISED,
• the Total Business or Control Risk is multiplied by 3 and
• capped to 25 after impact

In this example, say a Business Risk Element is scored as Crystallised:
9.4975 X 3 = 28.4925
Capped = 25

34

Our case study scores

Widgets Financial Services Ltd

Risk basis: PRU, COMBI, COB (Weight and Score x weight for each)

Rating | Score | Risk element | PRU Weight | PRU Score x weight | COMBI Weight | COMBI Score x weight | COB Weight | COB Score x weight

Business Risk (before Impact) | PRU 2.83 | COMBI 3.55 | COB 4.15 | A
Possible | 1.75 | Adequacy of Capital
Not applicable | 0 | Liquidity
Probable | 3 | Earnings
Not applicable | 0 | Insurance
Enter max | 3.00 | Financial Soundness and Capital | 60% | 1.8 | 40% | 1.2 | 10% | 0.3
Not applicable | 0 | Credit Risk
Not applicable | 0 | Insurance Underwriting Risk
Possible | 1.75 | Market Risk
Negligible | 1 | Operational Risk
Negligible | 1 | Legal Risk
Not applicable | 0 | Group Risk
Enter max | 1.75 | Environment | 30% | 0.525 | 20% | 0.35 | 20% | 0.35
Probable | 3 | Strategy
Possible | 1.75 | Types of Customer
Probable | 3 | Types of Products and Services
Perceptible | 5 | Sources of Business and Distribution
Enter max | 5.00 | Business Plan | 10% | 0.5 | 40% | 2 | 70% | 3.5

Control Risk (before Impact) | PRU 3.18 | COMBI 3.34 | COB 3.83 | B
Negligible | 1 | Human Resources
Negligible | 1 | Information Technology
Negligible | 1 | Management Information Systems
Probable | 3 | Business Continuity
Score not entered | | Internal Audit
Possible | 1.75 | Outsourcing
Perceptible | 5 | Acceptance of and Disclosure to Customers
Perceptible | 5 | Advising, Dealing and Managing
Negligible | 1 | Security of Customer Monies and Assets
Perceptible | 5 | Compliance Arrangements
Probable | 3 | Anti-Money Laundering Controls
Probable | 3 | Risk Management
Possible | 1.75 | External Auditors
Not applicable | 0 | Actuaries
Enter max | 5.00 | Controls | 40% | 2 | 45% | 2.25 | 60% | 3
Probable | 3 | Ownership
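The calculation walked through on the maths slides (maxing out, firm-type weights, impact score, crystallisation), as an added Python example that is not part of the original workshop material. The element lists for the slide example are constructed so their maxima match the slide; scoring Not Applicable as 0 follows the case study table, and leaving a Crystallised element out of the maximum is an assumption.

```python
from decimal import Decimal as D

# Rating scale from the "Scoring Risk Elements" slide; Not Applicable = 0 as in the case study table.
RATING = {"Perceptible": D("5.0"), "Probable": D("3.0"), "Possible": D("1.75"),
          "Negligible": D("1.0"), "Not Applicable": D("0")}

# Weight % per risk type and firm type, from the weighting slide.
WEIGHTS = {
    "PRU":   {"Financial": 60, "Environment": 30, "Business": 10,
              "Controls": 40, "Organisation": 10, "Management": 50},
    "COB":   {"Financial": 10, "Environment": 20, "Business": 70,
              "Controls": 60, "Organisation": 10, "Management": 30},
    "COMBI": {"Financial": 40, "Environment": 20, "Business": 40,
              "Controls": 45, "Organisation": 10, "Management": 45},
}
BUSINESS = ("Financial", "Environment", "Business")
CONTROL = ("Controls", "Organisation", "Management")

# Importance weighting % of each impact factor, from the Impact slides.
IMPACT_WEIGHTS = {"Size": 50, "Customer Experience": 20,
                  "Product Types": 15, "Client Assets": 15}
CAP = D("25")


def max_score(ratings):
    """'Maxing out': a risk type takes the highest score among its elements.
    None (score not entered) and 'Crystallised' carry no number here (assumption)."""
    scores = [RATING[r] for r in ratings if r is not None and r != "Crystallised"]
    return max(scores, default=D("0"))


def weighted_total(elements, firm_type, risk_types):
    """Sum of (max score x weight %) over the given risk types, before impact."""
    weights = WEIGHTS[firm_type]
    return sum((max_score(elements[t]) * weights[t] / 100 for t in risk_types), D("0"))


def impact_score(values):
    """values maps each impact factor to its band value (5, 3, 1.75 or 1)."""
    return sum((D(str(v)) * IMPACT_WEIGHTS[f] / 100 for f, v in values.items()), D("0"))


def profile_score(elements, firm_type, risk_types, impact):
    """Weighted total x impact; multiplied by 3 and capped at 25 if any element is Crystallised."""
    score = weighted_total(elements, firm_type, risk_types) * impact
    if any("Crystallised" in elements[t] for t in risk_types):
        score = min(score * 3, CAP)
    return score


# Constructed element ratings whose maxima are the slide's 1.75 / 5.0 / 3.0.
SLIDE = {"Financial": ["Possible", "Negligible"],
         "Environment": ["Perceptible", "Not Applicable"],
         "Business": ["Probable", "Possible"]}
# Value column of the worked Impact slide.
SLIDE_IMPACT = {"Size": 3, "Customer Experience": 1, "Product Types": 3, "Client Assets": 5}

# Case study ratings as listed in the case study scores table; Organisation and
# Management are taken from sections e and f of the Risk Assessment Form.
WFS = {
    "Financial": ["Possible", "Not Applicable", "Probable", "Not Applicable"],
    "Environment": ["Not Applicable", "Not Applicable", "Possible",
                    "Negligible", "Negligible", "Not Applicable"],
    "Business": ["Probable", "Possible", "Probable", "Perceptible"],
    "Controls": ["Negligible", "Negligible", "Negligible", "Probable", None,
                 "Possible", "Perceptible", "Perceptible", "Negligible",
                 "Perceptible", "Probable", "Probable", "Possible", "Not Applicable"],
    "Organisation": ["Probable", "Negligible", None],
    "Management": ["Negligible", "Possible"],
}

if __name__ == "__main__":
    impact = impact_score(SLIDE_IMPACT)
    print("Impact score:", impact)
    print("Business risk score:", profile_score(SLIDE, "COB", BUSINESS, impact))
    crystallised = dict(SLIDE, Financial=SLIDE["Financial"] + ["Crystallised"])
    print("With a crystallised element:", profile_score(crystallised, "COB", BUSINESS, impact))
    for firm_type in ("PRU", "COMBI", "COB"):
        print(firm_type,
              "business", weighted_total(WFS, firm_type, BUSINESS),
              "control", weighted_total(WFS, firm_type, CONTROL))
```

The same case study ratings give a business risk total of 2.825, 3.55 or 4.15 depending only on which firm-type weights are applied, which is the effect the case study table shows (rounded there to two decimals).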


35

On-site

36

Prior to an on-site

Determine the expected duration of the on-site visit

Arrange with the firm mutually convenient dates for the on-site to take effect

Provide the firm with a formal agenda which will:
• List all the risks that it wishes to discuss
• Identify any individuals that the FSC wishes to speak with on any of the matters
• Allow the firm’s Senior Management to invite to the meeting any other person it feels would contribute to the on-site
• Provide a list of any additional document or information that it may wish to review


37

Post on-site

Summarise the areas reviewed by the FSC team

Invite the Senior Management of the firm to provide input to the team on areas which they wish to add to the risk assessment

Invite the firm to provide any feedback on the process

38

Final Profiling


39

Workshop 2 – Risk Identification

Having received your risk profile:
• Identify what risks the firm is exposed to
• Why is this risk important?
• What are the objectives of the mitigation?

40

Risk Mitigation-Fit for Purpose


41

Mitigation Tools

[Chart: axes Business Risks and Control Risks; labels: Control Risk Score, Supervisory Visit, Focused Visit, Skilled Persons, Branch Visit]

42

To avoid seeing more of the FSC

[Chart: axes Business Risks and Control Risks; labels: Business Risk Score, Frequency of FSC Prudential & Other Interfacing]


43

Workshop 3 - Interfacing

With your final profile in hand, design the nature and scope of how you will interface with the firm.


Risk Assessment Workshop

Widgets Financial Services Ltd (WFS)

Background: Widget Advice is a regulated activity requiring those authorised to advise, intermediate or market such products to be licensed under the Financial Services (Widgets) Act (FSWA). Such providers are required to maintain adequate liquidity, capitalisation, PII, solvency as well as meet stringent requirements relating to customer acceptance practices and agreements. There are no investor compensation arrangements in place for Widget Advice.

WFS was licensed by the FSC six years ago to provide Widget Advice to the general public. You are required to conduct a risk assessment and prepare an on-site plan for WFS. This is the second risk assessment conducted on the firm. The first risk assessment of the firm produced the following risk profile: “Low/Medium Monitoring & Medium Remediation Required”.

[Chart: risk profile grid, Business Risks against Control Risks, axis marks at 8 and 18; regions: High Monitoring & High Remediation Required; Medium Monitoring & Low/Medium Remediation Required; Low/Medium Monitoring & Medium Remediation Required; Low Monitoring & Remediation]

The main items affecting the Business Risks were:
• Rapidly developing customer base
• Minimum amount of capital injected at licensing stage
• Falling capital/reserves caused by start-up losses financed by lending from shareholders
• Own positions being taken in trading

The control risks were primarily influenced by:
• Bespoke IT solution for CRM and trading platform
• Lack of compliant customer agreements and disclosure arrangements
• Poor internal risk management
• Issues relating to corporate governance (adequacy of senior management)

During the previous risk assessment cycle one prudential visit was effected to the firm to discuss the growth of the customer base. Additionally a focused visit on compliance with the FSWA was conducted. No issues of concern were found in either of these.

Recent correspondence with the firm has been with Mike Blogg (MB) who is the firm’s compliance officer and also one of the four eyes. However, market rumour is that he is planning on moving to Dubai very shortly. The other pair of four eyes (Sue Ellen) appears not to be in Gibraltar very often and when she is, spends a lot of her time with her other business interests. All new clients are sourced from introductions of the shareholders, with little suitability or due diligence being conducted other than the shareholder’s introduction. All documentation, however, was found to be in order when the focused visit was conducted. All client interfacing is conducted via VOIP or secure internet portal. WFS employs 10 staff at Ocean Village mainly in the customer interfacing role.

IT is outsourced to IBM in Sevilla which is where their servers are based and maintained. All customer reporting takes place from an administrative office in Luxembourg which is owned by one of the three shareholders in the firm. The FSC approved the outsourcing arrangements at licensing stage.

Some of the key financials are outlined below (taken from the Audited Financial Statements of the firm audited by a small Austrian audit firm based in Vienna):

 | 2011 | 2010 | 2009
Capital | 1,000,000 | 1,000,000 | 1,000,000
Accumulated Profit/Loss | (50,000) | (30,000) | -
Capital & Reserves | 950,000 | 970,000 | 1,000,000
Shareholders Loans | 1,000,000 | 1,000,000 | 500,000
Creditors | 75,000 | 1,050,000 | 90,000
Turnover | 2,500,000 | 3,000,000 | 1,000,000
Gross Profit | 750,000 | 500,000 | 250,000
Operating Expenses | (770,000) | (530,000) | (250,000)
Net Profit | (20,000) | (30,000) | 0
Active Customers | 1,000 | 1,500 | 750
Widgets under management/advice | 200,000,000 | 450,000,000 | 30,000,000

Note: The FSWA requires a minimum capital of 1,000,000 or 6 X the quarterly operating expenses (calculated over the latest available reporting period) to be maintained at all times, whichever is the highest of the two.

A file review of the firm shows a couple of web-feedback/complaints against the firm made using the FSC’s web-site as well as a press cutting of legal action being taken by a former customer against the firm for improper advice and seeking restitution to the tune of £10M which is what the client considers was the worth of the widgets which was mis-managed by the firm. The case is expected to be heard next year.

Ownership of the firm rests with four individuals, two of which own their shares through trust structures and the other two via holding companies. All four beneficial owners have other interests both in financial services and other commercial activities including a private plane charter operation based in Jersey which is made available to the firm’s clients at reduced rates. F&P checks on them did not find anything of interest other than they appear to be very affluent, one of them being a “has been” ageing obscure film producer having a young A-list trophy wife, the other made his money from the dotcom boom, the third is linked to Middle East royalty (probably Syria or Saudi Arabia) and the fourth has family links to a major Russian Oligarch. There is no obvious connection between the four. All four shareholders are also directors of the firm and meet at least once a year in Gibraltar. All other board meetings are held via web-conference.


The firm is wanting to expand into Israel (branch) and Italy through a passported branch under FSWA. This expansion is anticipated to take place in the coming 12-18 months with all the necessary notifications to the FSC having already been submitted. The Israeli connection seems to be linked to the software development of their in-house CRM & trading platform which is where the software developers are based. The software development expected to take place (this came out from the prudential meeting) will enable WFS’s trading platform to be linked to that of Major International Private Bank SA (MIPB) so that trading, reconciliations and reporting will be straight through processing (MIPB acts as the custodian and clearing agent for WFS).

Workshop 1 agenda:

In your given groups:

1. Four eyes the Risk Template that has been prepared by one of your team.
2. Critique each part of the Template and prepare your corrections/views
   a. Consider whether the assessor has correctly identified the risks, amend as necessary
   b. Consider the scores given in light of your review and amend the scores accordingly.

When scoring, please use the following scores:

Rating | Meaning | Score
Perceptible | highly likely in 12 months | 5.0
Probable | 50% probability | 3.0
Possible | reasonable chance | 1.75
Negligible | little likelihood | 1.0
Not Applicable


Risk Assessment Form

Name of authorised firm: Widgets Financial Services Ltd
Address of authorised firm: Leisure Island – between the Casino & the Irish Pub

Section 1 Off-site Assessment

a. Review of existing documents

Examine each of the following and highlight (by exception) areas that need to be considered in the initial risk profiling.

Item looked at | Issues arising

Correspondence, e-mails, faxes, etc

This is the second risk assessment conducted on the firm. The first risk assessment of the firm produced the following risk profile: “Low/Medium Monitoring & Medium Remediation Required”

The main items affecting the Business Risks were:
• Rapidly developing customer base
• Minimum amount of capital injected at licensing stage
• Falling capital/reserves caused by start-up losses financed by lending from shareholders
• Own positions being taken in trading

The control risks were primarily influenced by:
• Bespoke IT solution for CRM and trading platform
• Lack of compliant customer agreements and disclosure arrangements
• Poor internal risk management
• Issues relating to corporate governance (adequacy of senior management)

During the previous risk assessment cycle one prudential visit was effected to the firm to discuss the growth of the customer base. Additionally a focused visit on compliance with the FSWA was conducted. No issues of concern were found in either of these.

Appointments & Resignations

Mike Bloggs might be leaving the firm (he acts as compliance officer and one of the four eyes) – Market Rumour

Returns & Financial Statements

Have made a loss over last two years (£20K and £30 respectively), have reserves of £950K

Complaints received

Complaints received from two customers complaining about poor advice.


Outsourced Functions and SLAs

No changes since the firm was licensed

Previous risk assessment

Growing client base. Minimum Capital being met. Poor documentation of new customers (agreements and disclosures). Corporate governance.

Previous Focused visits, prudential meetings or reporting accountants

Focused visit on compliance with requirements of the Act, nothing adverse found.

b. Pre assessment questionnaire

From areas outlined above, highlight what areas you consider should be answered by the firm in the pre-assessment questionnaire?

Issue | Provide an explanation of why this is an issue?
Outsourcing Arrangements | Appears to be too much happening outside of Gib.
Access to capital | Firm might soon need additional capital and therefore necessary to determine where the firm will access this
Disaster Recovery | Need to establish what arrangements are in place for business continuity of IT systems in event of a failure of systems locally

Have you tailored the pre-assessment questionnaire to address the concerns above and have you removed any questions that are not relevant to this assessment? YES

If you have added questions to the pre-assessment questionnaire have you sought consent from your Head of Division? Not applicable

List all the ADDITIONAL documents that you will be requesting from the firm and why these are important for the pre-assessment?

Document | Provide an explanation of why this is required?
Service Level Agreements with all outsourcing providers | To determine if there have been any changes to the originally submitted documents.
Management Accounts | To determine current financial position

Have you formally notified the firm that you will be conducting a risk assessment? YES

Notice of intention to conduct risk assessment: Yes

Questionnaire due by: 4 weeks from whatever date….. assume that there was nothing new in the questionnaire’s responses.


Questionnaire received:

Section 2 Initial Profiling

Score each of the risk elements below having first considered each of the constituents that makes it up (see appendices of FSC Risk Methodology if you require prompts). For each risk element provide your justification for this score.

Scoring

a. Financial Soundness & Capital

Risk Element | Score | Justification/Explanation for score giving underlying reasons.
Adequacy of Capital | Possible | Minimum capital is being maintained, might need to seek additional capital in the near future.
Liquidity | NA | No liquidity requirements
Earnings | Probable | Poor performance leading to losses in last two years
Insurance | NA | No insurance requirements

b. Environment

Risk Element | Score | Justification/Explanation for score giving underlying reasons.
Credit Risk | NA | No credit exposures
Insurance Underwriting Risk | NA |
Market Risk | Possible | Some own trading activity might take place
Operational Risk | Negligible |
Legal Risk | Negligible |
Group Risk | NA | Not part of a group


c. Business Plan

Risk Element | Score | Justification/Explanation for score giving underlying reasons.
Strategy | Probable | No clearly defined growth for the future, too dependent on shareholders.
Types of Customer | Possible | Clients are ultra-HNWIs
Types of Products/Services | Probable | Widgets are very volatile in the current market
Sources of Business & Distribution | Perceptible | Business is solely reliant on shareholders bringing in new clients

d. Controls

Risk Element | Score | Justification/Explanation for score giving underlying reasons.
Human Resources | Negligible |
IT | Negligible | We need to have a look at how the Seville operations are run.
Management Information Systems | Negligible |
Business Continuity | Probable | No information on the firm’s BCP
Internal Audit | |
Outsourcing | Possible | Many outsourced functions.
Acceptance of and Disclosure to Customers | Perceptible | Issues identified at previous risk assessment.
Advising, Dealing and Managing | Perceptible | Issues identified at previous risk assessment.
Security of customer monies/assets | Negligible |


Compliance Arrangements | Probable | CO might be moving on to Dubai
Anti-Money Laundering Controls | Probable | Customers being introduced by shareholders with little or no due diligence.
Risk Management | Probable | The firm has a simple risk based approach to CDD/KYC in place
External Auditors | Possible |
Actuaries | |

e. Organisation

Risk Element | Score | Justification/Explanation for score giving underlying reasons.
Ownership | Probable | Russian/Saudi ownerships
External Branches & Subsidiaries | Negligible | The firm has no branches or subsidiaries but is considering establishing them.
Multiple Activity Groups | |

f. Management

Risk Element | Score | Justification/Explanation for score giving underlying reasons.
Quality of Management | Negligible |
Corporate Governance | Possible |

g. Impact Score

Based on the information already before you and taking into account the tables shown in Appendix 2 of the FSC Risk Methodology what impact score should be assigned to this firm?

 | Score | Explanation for score giving underlying reasons.
Impact Score | 4 | Medium/High Size. General Public, Investment type products, Holding Customer Monies


Initial Profile

Feed the above scores into the risk profiling system and enter the final values into the table below:

Business Risks | Score | Weight | | Control Risks | Score | Weight |
Financial Soundness & Capital | 3 | 60% | 1.8 | Controls | 1.11 | 40% | 2.0
Environment | 1.75 | 30% | 0.525 | Organisation | 0.18 | 10% | 0.3
Business Plan | 5 | 10% | 0.5 | Management | 0.56 | 50% | 0.85

Totals: 2.825 | 1.85 | 3.18
X Impact Score: 4 | 4 | 4
Business Risk Profile Score: 11.3
Control Risk Profile Score: 7.4 | 12.7

Plotting the Business Risk Profile Score and the Control Risk Profile Score on the following chart, what Risk Profile does the firm present?

Chart Profile of firm

[Chart: risk profile grid, Business Risks against Control Risks, axis marks at 6, 13 and 22; regions: High Monitoring & High Remediation Required; Medium Monitoring & Remediation Required; Med/High Monitoring Some Remediation Required; Medium Monitoring Low Remediation Required; Low/Medium Monitoring & Some Remediation Required; Low Monitoring & Remediation; Medium Monitoring & Remediation]


Section 3 Risk Assessment On-site

a. On-site issues

Only for any Risk Element that has been scored Probable or Perceptible highlight the underlying constituent(s) that gave rise to this score and provide your explanations as to why it should be raised at the on-site and how the matter is to be addressed.

Risk Element | Underlying constituent(s) | Why should this be raised at the on-site and how is the matter going to be addressed at the on-site
Market Risk | Portfolio Characteristics | To determine extent of own trading. Look through trading records, open positions, margin calls, etc.
Strategy | Implications of strategy for key areas | Speak to senior management about future plans of the firm.
Business Continuity | Quality of Plan | To determine arrangements for IT disaster recovery. Speak to IT personnel to find out what would happen.
Acceptance of and Disclosure to Customers | Disclosure | Look at customer files to see if disclosure compliance is being adhered to.


Stage 4 – Risk Mitigation Letter including: interface & supervisory cycle

Risk Element | Material Finding | Risk Finding [Why the finding is so important] | Required Outcome & Timeframe [What we want and by when]


Interfacing

Based on the risk profile of the firm, how will the FSC interface with this firm?

Type of interface | When/What Frequency | To look at/verify what?
Supervisory Meetings
Skilled Persons Report
Focused Visit

Supervisory cycle