Callum McCarthy


Speech by Callum McCarthy, Chairman, FSA
ASIC
13 February 2006

I should start by apologising for not being present in person. I was very tempted by the invitation to come to join you – not only because of the prospect of exchanging, however briefly, the English winter for Australian summer – and am sorry that I couldn't do so. I will be in Australia next month, and I didn't think I could make the journey twice within just over a fortnight. One consequence of this physical absence is that this is the first time in my life I have given a serious talk, as distinct from an after dinner speech, at 9.30 in the evening, my time; the first time to people for whom it's really breakfast time; and the first time to people 10,586 miles away. We'll see how it goes.

I have been asked to describe the FSA's approach to risk based regulation. I want to discuss what we mean by a risk based approach; why we have adopted a risk based approach; what it means in practice and – putting the same idea another way – how we implement it in practice; and last, but important, I want to discuss some of the problems we have wrestled with in making risk based regulation work in practice – essentially a report as work in progress on how to improve our processes. I should also say at the outset that my talk will focus most on our risk-based approach to supervising firms. In the FSA we operate an integrated risk management framework which considers all of our risks from whatever source. I'll leave time for questions – on the assumption that the technology allows them.

By way of introduction and context, I should summarise the responsibilities of the FSA, so you understand the institution whose approach to regulation I will describe. We were established as an independent regulator, governed by a board, by the Financial Services and Markets Act 2001, which brought together 10 previous regulators. The Act gave us four statutory objectives:

  1. maintaining confidence in the financial system;
  2. promoting public understanding of the financial system;
  3. securing the appropriate degree of protection for consumers;
  4. reducing the extent to which it is possible to commit financial crime.

Note that this in two respects makes the FSA an integrated financial regulator par excellence. First, the duties cover both prudential issues and consumer protection issues, whereas in many countries prudential responsibilities fall to one regulator, and consumer protection (and typically conduct of business) to a second and separate regulator. Second, the FSA has responsibilities which span banking, insurance and securities, whereas in many countries those are split between three separate regulators. In France, for example, there is the Commission Bancaire for banking, the Autorité des Marchés Financiers for securities, and the Autorité de Contrôle des Assurances et des Mutuelles (ACAM) for insurance. I will tease out later some of the implications of these responsibilities for the practicalities of risk based regulation.

What is risk based regulation – the theory?

So much by way of background. Let me set out what is involved in a risk based approach. I'll start not with the FSA, but with a financial firm, and look at what is involved in the risk management of a financial firm. The essential features are:

  1. defining the risks the firm is prepared to take – a process often loosely described as setting the firm's risk appetite, something which may be done implicitly or explicitly;
  2. identifying the risks which it runs – to capital, to reputation, to earnings, to brand, and the activities or events which can give rise to those risks: credit risk, market risk, operational risk, event risk;
  3. agreeing methods of measuring those risks – loan grading for credit risk, value at risk for market and associated credit and operational risk, stress testing for event risk. Each of these presents a host of technical problems; correlations, "fat tail" distributions, the validity of continuing model relationships in times of liquidity pressure, the absence of any clear intellectually justified basis for deciding how much stress to test against;
  4. designing and installing systems to produce the information to enable those risks to be measured;
  5. setting and operating controls to manage those risks – typically through limits (on VAR, or credit exposure, or other dimensions) or through delegated authorities;
  6. allocating responsibility to managers for managing the risk. This has two components, the business managers who run individual businesses or functions who have the primary responsibility within a firm for managing the business including keeping its risks within previously agreed levels; and independent risk managers whose task it is to provide challenge as to how risk is being identified, measured and controlled.

I am conscious that in describing the essential risk management approach in a firm I have chosen not to discuss the practical issues involved in making any of these steps real. I am also conscious that for each of these steps there are important and difficult issues which need to be thought – and worked – through. None of these steps I have described is easy in practice – and I'll say more about the practical realities when I describe how we actually implement a risk based approach for the FSA.

The theory of risk management at the FSA is very close to that of risk management in a financial firm, in that there are the same elements of setting aims (in our case attaining our statutory objectives rather than a financial objective), establishing our risk appetite, identifying risks to our statutory objectives, establishing an agreed measure of risk, monitoring those risks, and managing them through both those with direct responsibility and those who provide challenge. At a reasonably high level of generality, the process of risk management in the FSA and in a financial firm are the same. And at a very high level of abstraction, they are the same: a cycle of risk identification, measurement, mitigation, control and monitoring. But, as I said, I'll come back later from the simplicity and clarity of the theory to the rather more measured realities of life in practice.

Why did we choose to be risk based at the FSA?

Now, the FSA did not adopt a risk based approach to regulation on the basis that we should adopt the same policies as the firms we regulate, but rather for more fundamental reasons.

First, we have as a guiding principle the explicit objective of a non zero failure approach – that is, we do not try to prevent the failure of all financial institutions we regulate, but believe it both unavoidable and indeed desirable that some should fail – unavoidable because no regulator can control all those he regulates, so that accidents will occur; and undesirable because reward and risk are linked, and an attempt to control risk to the extent of preventing all financial failure would unreasonably constrain financial institutions. But clearly we are not indifferent to significant failures, which could set at risk the discharge of our objectives. So we need some means of distinguishing what matters – the essence of risk based regulation.

Second, we are conscious of the scale of our responsibilities: 29,759 firms, 165,544 individuals, 5 per cent of the UK's GDP. We manifestly cannot do everything, and need a mechanism for prioritising our work. There are, for example, 63 building societies in the UK subject to FSA regulation, but 22 (35% by number) account for 95% of building society loans; the largest building society is more than 5,000 times the size of the smallest. We do not believe it sensible to attach the same weight to all, but to discriminate, with the size of the institution being an important criterion – or, as I'll explain in a moment in more detail, size is a proxy for an important criterion.

Third, when establishing the FSA we needed to create a common basis of analysis and approach, rather than merely bringing together various approaches – from the SFA, from SIB, from the Bank of England for bank supervision, from the DTI and HM Treasury in respect of insurance, from the Building Societies Commission for building societies – each of which had its own methodology, explicit or implicit, and its own practices. A common approach was needed, which is why the FSA very explicitly set out a risk based approach.

I would add that, while we at the FSA explicitly set out to be risk based, I believe that in practice all regulators, whatever their stated beliefs, must in practice incorporate elements of risk based regulation, in the sense that they are likely to spend more time on large firms than on small; and to respond more fully to large past disasters rather than small ones. In that sense, just as Molière's M Jourdain discovered he had long spoken prose, all regulators have some elements of risk assessment in their work. I believe there are advantages in making this explicit.

What does this mean in practice at the FSA?

There are, however, aspects of our very explicit risk based regulation which go significantly beyond the implicit approach to risk which is prevalent. Let me set out what we do, both in concept, and then with some of the practical implications.

Let me remind you of the cycle of risk identification, measurement, mitigation, control and monitoring which I mentioned to you a moment ago. I'll deal with each stage in terms of what it means for the FSA.

First, and a fundamental point, the risks about which we are concerned are risks to the FSA's four statutory objectives: maintaining public confidence in the financial system, promoting public understanding of the financial system, appropriate consumer protection, combating financial crime. Note that these are different from, though they may be related to, the risks about which the management of the firm will be concerned: the FSA, for example, has no interest in the share price, or the prospect of takeover, of a firm unless these affect our statutory duties (which can clearly occur).

In practice, these statutory objectives are so broad that we need narrow and more focused means of managing risks, so we look at particular risk channels, both firm based and more general.

a) Largely firm based

  1. Financial Failure
  2. Misconduct and mismanagement
  3. Financial Fraud
  4. Market Abuse
  5. Money Laundering
  6. Reducing Market Quality

b) Largely non-firm based

  1. Consumer Understanding
  2. Failure to Deliver on Strategic Priorities
  3. Damage to the FSA’s Reputation
  4. Failure to be Economic & Efficient with our resources

These are the observables which we seek to influence – the practical issues derived from our four statutory objectives.

Against these channels, we set out to identify risk: the point when risks enter our perceived portfolio, and a critical set of judgments, since if we fail to identify a risk it escapes all subsequent processes. This process involves both significant judgment, and much intelligence gathering. We seek to make the process of judgment transparent, by each year publishing in January the Financial Risk Outlook, an appraisal of the main risks which we see over the next 18 months. We do this both to raise awareness of those risks among both providers and users of financial services, and to expose our assumptions to comment and criticism: are we right, for example, in our view that hedge funds per se are not a major threat to our financial stability objective, but that we should be concerned about a range of operational and valuation issues affecting complex credit derivatives? Our intelligence gathering uses a wide variety of methods, both specific to firms and more general. It is designed to be forward looking: to anticipate what issues may become important risks, not simply or principally to react to those already apparent.

Once a risk has been identified, we set out to measure it. Our basic approach is to establish how important any risk to the FSA is by considering both impact and probability of occurrence. Both these are weighted as high, medium-high, medium-low or low.

For probability of risk there is a further category – namely risk which has crystallised, where the probability has become 100%! Inevitably, both impact and probability are subjective criteria, and these assessments need to be done consistently across the FSA. We therefore have a system of challenge to the individual assessments, either of firms or of issuers.

We are conscious that both require judgment.

The purpose of this work is, of course, risk mitigation. This is the most important stage in the risk cycle, since it is the only stage at which we directly affect the real world. All other parts of the process are just that – process designed to produce a better result in the real world: identification, measurement and monitoring are only means of deciding whether to do something to actually reduce risk, and if so what. Reducing risk may involve reducing the impact of a risk (for example, we are much concerned to reduce the impact of a major corporate failure on the credit derivatives market by improving a number of operational and legal problems; a very significant and successful effort over decades has resulted in greater resilience in payment systems to particular bank failures). It may involve reducing the probability of the risk (much work on improved systems and controls within firms is designed to make it less likely that limits will be breached; work on better market monitoring systems is partly motivated by the expectation that the greater probability of market abuse being detected and punished will deter it). But on either dimension, risk mitigation needs to be clearly addressed at actually reducing risks; it must be proportionate in the use of the resources of both the FSA and those we regulate; and it should, if possible, have a measurable impact.

The actual tools available to the FSA are many, ranging from specific enforcement action against firms or individuals to general advice. We act both specifically and generally, through a combination of horizontal and vertical measures.

The monitoring and reporting of risks is done through regular reviews, both of firms and of general issues. We have various reports: a watch list of acute issues (mainly firm specific); an FSA wide assessment of risks, both external and internal, known as the dashboard; individual reports on market, credit, legal, operational risk as they affect, for example, the wholesale sector. In all instances, our aim is to identify where the overall risk is – crystallised, high, medium high, medium low, or low – and how it has changed since the last assessment – is our risk mitigation having any effect?

Finally, we have our own risk controls, the transfer to individual business units or business managers within the FSA of the responsibility for taking action, to establish allocation and re-allocation of resources to match our changing views of risk. Over an extended period, for example, we have substantially increased the resources devoted to insurance relative to banking; more recently, we have increased our resources devoted to hedge funds, and – on another dimension – to work on financial capability.

So to summarise, the FSA's processes follow five steps:

  1. Step 1 – risk identification
  2. Step 2 – risk management
  3. Step 3 – portfolio allocation
  4. Step 4 – prioritisation
  5. Step 5 – risk mitigation and monitoring

In these steps we move from the assessment of the whole world with which we are concerned to defined sets of risks, allocated to specific parts of the FSA, with clear and measured responsibilities. It is, of course, a model representation.

Let me move from the model to reality. What does this risk based theory lead to in practice? I'll pull out some of the implications. First, it determines our approach to firms. We categorise firms in terms of their potential impact – for which size is a proxy – into four categories, High, Medium High, Medium Low and Low and give them very different attention, varying from at one extreme what we call "close and continuous" supervision of the firm (essentially a small dedicated team monitoring a major institution such as HSBC or the UK activities of Bank Santander) to at the other extreme reliance on thematic studies, statistical analysis and occasional sampling (so that, for general insurance brokers, we collect data which enables us to understand the type of business any broker does, and to analyse the total population of brokers – but we do not, in the normal course of business, expect to visit or inspect any of the brokers). In total, the FSA supervises 29,759 firms, which are broken down as follows:


| Impact | Number | Supervision style |
| --- | --- | --- |
| High | 87 | Close & continuous |
| Medium High | 423 | Regular cycle of visits |
| Medium Low | 900 | Occasional visits on extended cycle |
| Low | 28,349 | Statistical/Thematic |

The result of this is that, for some 90% of the firms we supervise, we plan in the normal course of business never to visit them. We have adopted a comparable approach to hedge fund managers, of which there are (depending on definition) over 300 in the UK. We concentrate our information gathering and supervision on some 27 – less than 10% in number of the total – as the best means of managing the risks in the sector.

Second, it provides us with a common approach to how we translate risk assessment into risk mitigation. We have rules of thumb which dictate how we respond to different levels of risk: when we will decide to act to mitigate risk and when not. These are:

  1. low - no mitigation required
  2. medium-low - no mitigation expected, reason required if in place
  3. medium-high - mitigation expected, reason required if not in place
  4. high - mitigation required

Note that this allows for judgment: there may be medium low risks where, contrary to the norm, we choose to take action, or conversely medium high risks where, again contrary to the norm, we choose not to take action – but in both cases there would be challenge and a need for explanation. In practice, our analysis is slightly more complex and detailed, and distinguishes between different levels of impact and probability. But the central principle, that a consistent assessment of risk and the application of consistent decision rules determine whether we act to mitigate risk, is clear. Our risk based approach determines how we act.

Third, we use our risk based approach to translate what can often simply be a slogan – namely reference to "risk appetite" – into reality. In our work as a listing authority, for example, we have changed our internal vetting processes to reflect our risk assessment of prospectuses and circulars. Our assessment of risk is based on a broad range of easily understood factors that focus on the type and complexity of the transaction, the size and profile of the issuer and other relevant factors. The risk level that results then determines the depth of our document review and the amount of resource we commit to the vetting process. The result is that we focus our resources on genuine areas of risk. A document at the low end of the risk scale will receive a limited scope review, and at the higher end of the risk scale will receive a full review by our most experienced members of staff. Or in our response to financial problems we have tailored our actions in the light of our risk assessment – for example, in determining our policy towards the marketing of venture capital trusts, where a shift in the way these instruments were marketed and increased popularity caused us to engage the industry to improve the balance in adverts that were being used.

In these, and other ways, we seek to implement effective and practical risk based regulation.

What can we do better?

Let me turn to what are the problems in implementing our approach – and what we are doing to overcome them. First, there is a political problem associated with an explicit non zero failure policy. Although ex ante there may be an acknowledgement of the logic of this policy, this only too easily evaporates after the event, when the fact of a failure is seized upon, without any consideration of what would have been involved in total costs in the regulator being in a position to have taken action to prevent any occurrence of the type of failure which has occurred. It is difficult for the regulator, when criticised for a failure which has had direct and adverse impact on consumers, to answer that he or she had judged it not worth seeking to prevent the failure – yet that argument has on occasions to be made. Internally, as well, a robust attitude is needed, so that FSA staff understand that they need to choose not to act (and to take the consequences) as well as to act. A decision to do nothing, in the knowledge that some bad consequences may occur, is not necessarily a wrong decision. But it is certainly an uncomfortable decision, and those making the decision need support from their senior management.

Second, we need to recognise the substantial elements of judgment which are inescapable in our processes. There is no algorithm which enables us to input data and decide whether the FSA should spend a marginal £5 million on improving its capability to police market abuse, or on improving financial capability among the population as a whole, or on better management information systems within the FSA, or any of the other potential claims on our resources. All these decisions require judgments – judgments informed by our analysis of risks, to be sure, and using the best information sources we have, but in the last respect judgments. We have, for example, increased the FSA's annual expenditure on financial capability from £2 million two years ago to a planned expenditure of £10 million next year – something which we believe justified by the risk to several of our objectives arising from the low level of financial capability which presently exists, but which represents a judgment. We can improve our data gathering and information processes, but they will always remain inputs into a final judgment which will remain subjective – an inescapable result of the widely differing statutory objectives given to the FSA.

Third, much of the FSA's data and market intelligence has been based on the supervisory relationship with individual firms. While this gives us considerable insights, it provides information in a disaggregated form, with the result that too often there has been a tendency to consider a series of individual problems without identifying the underlying pattern or theme which may unite them. On joining the FSA, for example, I was struck both by the care with which the plight of various IFA networks was being dealt with, and by the relatively little attention being paid to the general effects of a significant legal and regulatory change affecting the distribution of financial products, namely depolarisation. To overcome this imbalance, we have established sector teams (for example, for banking, asset management, insurance, accounting issues) designed to improve our systematic understanding of the economic drivers of the businesses we regulate. They should help correct the balance between detailed knowledge of a specific firm and much less well developed knowledge of the general issues affecting a sector.

Last in my list of problems, we need to improve the flexibility of the FSA to respond to new identification and assessment of risks. We do shift resources over time to reflect new risk assessments, but this tends to occur slowly – in part because we are better at adding new tasks than we are in closing existing ones, and in part because staff are not sufficiently transferable. We need to increase the speed with which we can respond to new identification and prioritisation of risks. We have in hand a number of improvements to training designed to improve the mobility of our staff; and our management information is being improved to make our resource allocation clearer.

All these are aspects of risk based regulation where we have work in progress aimed at improving our processes. You should not be surprised that we have identified areas for improvement; you should have been shocked if I regarded our processes as needing no changes. But these are all aimed at building a better risk based process, not in replacing it. We are firmly wedded to a risk based approach, and are heartened by the endorsement of risk based regulation which has been given by those in the UK who have been charged with critically examining regulation, notably David Arculus and Philip Hampton.

Conclusion

I have been concerned to explain what we mean by a risk based approach – the cycle of risk identification, measurement, mitigation, monitoring and reporting. I have sketched the background as to why we in the FSA have adopted this approach explicitly (and hinted that I believe some element of implicit risk based approach is adopted by all regulators: I am clear that an explicit approach has advantages). I have explained how we at the FSA have implemented the various stages of the risk cycle, stressing that the risks with which we are concerned are the risks to our four statutory objectives, and I have given some examples of what this means in practice, notably the fact that some 90% of the firms we regulate will never be visited by the FSA. Finally, I have indicated four aspects of our risk based approach which are, in different ways, problematic, and have indicated how we are attempting to tackle those problems.

I would – technology permitting – be happy to answer your questions.
