The FSA wants firms to use risk-based auditing to control risks. But what is it? Sue Copeman reports

In the words of Association of British Insurers (ABI) director general Mary Francis: "There is a fast-changing regulatory agenda facing the insurance industry in the UK."

The changes are spearheaded by the Financial Services Authority (FSA), which has effectively scrapped the old rules and is taking a radically different approach to regulation. The FSA knows it is both impossible and undesirable to remove all risk and failure from the financial system. But it is looking to create incentives for firms to manage their own risks better.

The FSA has already designed a new regulatory regime for Lloyd's and has moved responsibility for policy on prudential issues for all financial sectors (including insurance) into a new prudential standards division. It has also set up its own risk assessment division. FSA managing director of consumer, investment and insurance matters John Tiner heads the work of strengthening insurance regulation and will be reporting on progress in September.

So what's on the agenda? Planned projects include:

  • a review of prudential standards for life and general business, including solvency requirements, insurance risk management, legal risk, credit derivatives and liquidity
  • a re-examination of all relevant aspects of the regulatory processes, with particular emphasis on proactive risk identification and mitigation and the use of appropriate regulatory tools.

These demonstrate the FSA's proactive, risk-based approach to regulation. It may well expect the organisations it regulates to respond with risk-based auditing (RBA).

Hitherto, there has been no precise UK definition of RBA. Jiwan Shourie, technical manager of the Institute of Internal Auditors, UK and Ireland (IIA), says it has been more a matter of people knowing what they mean by RBA and practising it according to their own definitions.

This is set to change. The IIA is currently working on a project to explore leading working practices on this subject and to produce a working definition together with practical guidance. In the meantime, the IIA's professional issues committee has agreed the following guide:

"RBA is an approach that focuses on the response of the organisation to the risks it faces in achieving its goals and objectives.

"Unlike other forms of audit, it starts with risks rather than the need for controls. It aims to give independent assurance on the management of risks and to help with improvements where necessary. The scope of audit assignments undertaken and the priority given to them should be determined by risk, taking full account of the organisation's own view of risk."

It is not a new concept, says Keith Wade, head of CATS International, which provides training for internal auditors in a range of areas, including RBA. "The conventional approach to internal audit is system based, which means taking into account business objectives, risks, the environment and the controls needed. But the term risk-based auditing has become popular because too many people in the past seemed to think control existed for its own sake. And RBA also allows for the possibility of other risk strategies."

Wade says there are three elements:

  • auditors, in conjunction with senior management, look to risk to help them plan their work and decide what to audit
  • risk is identified and evaluated as part of the essential aspects of a conventional audit assignment
  • auditors become involved in risk management processes and projects. That involvement can take various forms, from pure audit of risk management arrangements to integration of the internal audit and risk management functions.

Wade stresses that RBA is not just a matter of risk mitigation.

"It recognises that risk management includes taking risks as well. In fact, a better term than risk-based auditing is objectives-based auditing. Risk is just the flip side of objectives," he says.

More resources
Many insurance companies have moved some way down this route. Prior to the FSA's requirement, Allianz Cornhill, which says it aims to take a risk-focused approach, set up a risk committee, the Allianz Cornhill governance and control group, which looks at all risks arising across the company.

KPMG head of UK insurance practice Richard Bennison confirms that some insurance groups are adding more resources and, in effect, raising the profile of their internal audit functions.

However, he believes insurance groups generally are some way behind banking organisations in terms of RBA. "That applies to the quality of both the work and the understanding of risk, and thereby their ability to contribute to the mitigation."

While the FSA may not make internal RBA an absolute requirement for insurers, Bennison believes an insurer that takes this approach "would get a larger tick", and that the FSA might be more inclined to commission its own review in the absence of RBA.

But it's not just a matter of FSA compliance. The essence of RBA is linking internal controls and risk management to achieving business objectives.

The ultimate pay-off should be a better and more cost-effective risk management system, which itself will contribute to enhanced shareholder value.