Conducting a risk assessment is vital for FSA regulation. But don't be worried about it, says Andy Homer
As part of our preparation for FSA regulation, The Folgate Partnership has been developing its risk assessment framework to ensure compliance with Consultation Paper 142, Operational risk systems and controls.
Risk analysis is not a complicated activity, but for global businesses and banks there can be good reasons for developing highly structured methods of analysis - actuarial models that run hundreds of thousands of scenarios on powerful computers using complex mathematics. Business risk management has become an industry in itself, but has a reputation of being exclusive to trained specialists. For the rest of us, who have to rely on our own resources, developing a risk assessment methodology should still not be anything to be unduly worried about.
So what would our advice be? Firstly, for all but the largest brokers, the KISS principle (Keep It Simple, Stupid) is a prerequisite. For predominantly commercial brokers like ourselves, a 'practice what we preach' approach to our clients is a good start. A business contingency plan (or 'disaster recovery plan') is a given, which should consider not only a major IT failure, but include contingency plans for other types of disaster as well.
Outside your business contingency plan, a different approach is required to help manage firm-threatening risks (financial, legal, people, etc.). A risk assessment of these threats is not so much a case of having a glossy disaster plan ready to hand, but of reducing the probability of them occurring in the first place and, importantly, taking prior steps to reduce their impact should the unexpected strike.
First you need to take a structured approach to identifying the risks that could damage your business. For each firm-threatening risk, consider the control objectives necessary to reduce the probability and impact of that risk.
This sounds complicated, but really it is just common sense. Take a simple example in the area of finance: one risk is that of a significant adverse variance in year-end profits, and one control would be creating an annual budget. There will be several other risks to consider under the heading of finance, together with a portfolio of matching controls. All that is required is a systematic approach to identifying those risks, and applying sensible controls, or making sensible contingencies, to manage them at a reasonable level.
Involving others is also useful, and you may well be surprised to uncover risks that you have overlooked in the day-to-day running of the business. At its simplest level, therefore, an effective methodology could be limited to a formal but systematic review with your management team of the key risks which face your business, such as failure to meet FSA authorisation requirements, and the construction of controls to manage each risk, for example, appointing an individual responsible for compliance and building an action plan.
My last piece of advice is to avoid building a statue. I've seen risk analysis models that have taken many months to build, only to be quietly forgotten about with nothing to show for it other than a few fancy diagrams and an expensive manual. It looks great but does nothing. To keep a risk assessment model alive, and to avoid it being a 'done once and forgotten about' management initiative, risks and associated controls should be subject to periodic review.
Andy Homer is chief executive of the Folgate Partnership