Global FINEX – Operational Risk Solutions
This article reflects on some of the key components of the incoming Investment Firms Prudential Regime (IFPR), specifically the Internal Capital and Risk Assessment (ICARA), and proposes that the new regulations present an opportunity for Investment Firms to reassess their approach to risk management.
The IFPR, due to be implemented in January 2022¹, will have wide-reaching implications for many investment firms, although firms classified as ‘small and non-interconnected investment firms’ (SNIs) and ‘non-SNIs’ will have some differing rules applied. The focus of this article is non-SNIs. Central to the regulation is the replacement of the Internal Capital Adequacy Assessment Process (ICAAP) with the ICARA², with a heightened focus on risk framework and governance procedures.
The incoming regulation presents an opportunity for non-SNIs to evaluate current ICAAP processes to understand what action is required to conform to the ICARA, whilst further assessing areas for improvement. A risk framework that accurately reflects a firm’s risk profile places a firm in a better position to manage and reduce exposures. Within this article we suggest firms consider the following actions:
Businesses do not operate in a silo and, whilst it is important to consider direct impacts to the firm’s own operations, consideration should also be given to the impact on clients and the wider system in which the firm operates. To address this, the IFPR has introduced a new capital requirement, the K-factor approach (KFR) for non-SNIs, where impacts of risks are broken down into three core categories: Risk to Client (RtC), Risk to Market (RtM) and Risk to Firm (RtF).
Considering the linkage between clients, the market and the firm, firms need to take a systematic approach to risk management, understanding how their activities are both impacted by, and impact, wider market environmental, social and governance factors.
Once risks have been identified, firms should sufficiently contemplate the range of harms that certain events could cause and clearly document the relevant controls for each. For instance, if a firm were to experience a data breach event in which customers’ account details were subject to unauthorised access, there would be a financial impact to the firm from rectifying compromised security systems and potential client compensation, but harm to clients could also be caused through confidential information leakage.
Through taking a broader view, the IFPR aims to enhance protection for the entire ecosystem. For firms with a mature risk framework the modelling work already undertaken for Risk to Firm could be expanded to incorporate Risk to Client and Risk to Market.
To best approach the new risk categories of RtC, RtM and RtF, the firm should go ‘back to basics’ in terms of implementing mitigants and control measures. The four simple actions of accept, avoid, reduce or transfer should form the basis of decisions.
Mitigants and controls probability and impact
The IFPR encourages firms to assess the adequacy of current mitigants and to identify any gaps in protection. Mature financial institutions have for several years considered the financial impact of risk transfer through insurance on their operational risk exposure and this is set to continue. For firms that are not currently considering the mitigating impact of insurance we recommend the following actions:
Further to the enhanced areas of focus outlined above, the ICARA puts a greater spotlight on risk appetite. Whilst within separate FCA guidance, titled ‘FG 20/1 Our framework: assessing adequate financial resources’, the regulator remarks that “firms should have a clear and quantified risk appetite which is communicated, understood and followed across the firm”³, in our experience risk appetite statements are often of insufficient maturity. For many, there is inadequate understanding of the firm’s risk profile to happily settle on a risk appetite value.
The previous approach taken by many, of using only qualitative or low-level functional risk appetites, will no longer be sufficient. However, through refining the risk assessment and scenario processes with a more-encompassing framework and methodology within ICARA, firms will be in a better position to evaluate the level of risk they are prepared to accept and regularly monitor changes.
Ensuring risk appetite statements are well-considered is fundamental to ensure investments in controls and risk transfer are both delivering the best financial value to the firm and supporting long-term stability.
When assessing risks, the ICARA outlines the need for firms to consider risks of relevance to the business model and core business activities/operations.
In capturing the principal exposures, firms should broaden the lens of identification. Data is central to this, as it enables a firm to demonstrate their understanding of numerous risk exposures. We recommend firms utilise a variety of data sources, to include:
Analysing varied sources of data will enable a firm to assess not only current exposures but also future exposures, by informing the creation of plausible worst-case scenarios. Scenario development is pivotal to developing a forward-looking approach, and consideration of future threats is a key requirement for building adequate preparedness and operational resiliency.
Through supplementing internal data with external data, Investment Firms can broaden their horizon of risk exposures and form appropriate strategies to mitigate - either through controls or insurance.
Willis Towers Watson’s Operational Risk Solutions team helps firms of all sizes to enhance their operational risk framework and manages projects that include operational risk assessment, risk gap analysis, insurability analysis, statistical modelling and model validation.
1 Further information on the Investment Firms Prudential Regime (IFPR): https://www.fca.org.uk/firms/investment-firms-prudential-regime-ifpr
2 Under the new IFPR, “The ICARA process is the centrepiece of firms’ risk management processes” (p.35): https://www.fca.org.uk/publication/consultation/cp21-7.pdf
3 FG 20/1 Our framework: assessing adequate financial resources (p.15): https://www.fca.org.uk/publication/finalised-guidance/fg20-1.pdf
The Willis Towers Watson Insurance Claims Database is comprised of over 40,000 insurance notifications made to FINEX Global. Our claims analysis, whilst maintaining confidentiality, illustrates important details about the nature, trends, causes and cost breakdown of loss events impacting global financial institutions.
This publication offers a general overview of its subject matter. It does not necessarily address every aspect of its subject or every product available in the market. It is not intended to be, and should not be, used to replace specific advice relating to individual situations and we do not offer, and this should not be seen as, legal, accounting or tax advice. If you intend to take any action or make any decision on the basis of the content of this publication you should first seek specific advice from an appropriate professional. Some of the information in this publication may be compiled from third party sources we consider to be reliable, however we do not guarantee and are not responsible for the accuracy of such. The views expressed are not necessarily those of Willis Towers Watson. Copyright Willis Limited 2021. All rights reserved.