Risk management
We consider risk to be the combination of impact (the potential harm that could be caused) and probability (the likelihood of the particular issue or event occurring).
| In the FSA context, we combine these impact and probability factors to give us a measure of the overall risk posed to our statutory objectives. We then use this measure to prioritise risks and make decisions on what, if anything, our regulatory response should be. We also use it to set our strategic aims and outcomes and to allocate resources based on our regulatory priorities. | ||||
| Risk for the FSA | = | IMPACT of the problem if it occurs | x | PROBABILTY of the problem reoccuring |
ARROW is the framework we use to make risk-based regulation operational, providing the link between our statutory objectives and our regulatory activities. In short, it is designed to:
- identify the main risks to our objectives as they arise;
- measure the importance of the risk;
- monitor the progress of the risk; and
- mitigate risks.
This helps us to plan how we should address those risks and allocate resources based on our regulatory priorities.
Risk Identification
The first stage is to identify the risks to the statutory objectives. We do this through intelligence gathering form a variety of sources (e.g. this can be through visits to firms as part of our supervision or enforcement action; information provided by firms on request by firm's own initiative; monitoring of regulatory returns and similar data; transaction monitoring; sector and environmental analysis; project work etc).
We regularly consult a wide range of stakeholders, including market participants and the Consumer and Practitioner Panels, and also use information supplied by the Ombudsman on industry trends and problems revealed through complaints.
Risk measurement
The next stage is to measure the risks. This involves scoring the risk against several probability and impact factors. Both these are weighted as high, medium-high, medium-low or low. The probability factors relate to the likelihood of the event happening, and the impact factors indicate the scale and significance of the problem if it were to happen. Combining the probability and impact factors gives a measure of the overall risk posed to our objectives.
Risk Mitigation
Our measure of the overall risk will be used to prioritise the risks, help make decisions on the regulatory response and, together with an assessment of the costs and benefits of using alternative regulatory tools help us to determine resource allocation.
Risk Monitoring & Reporting
Risk management systems provide management with regular reports to give assurance that risks are being managed appropriately and that internal controls are adequate.