An update on risk-based regulation Securities & Investment Institute Risk management and regulation conference 10 th November 2005 Joe Traynor Finance, Strategy & Risk Division, Financial Services Authority (FSA)

2 Agenda Introduction background and recap of ARROW rationale for our risk-based approach Improving our risk-based approach history of the ARROW Project aims of the Project and changes being introduced our new risk model Questions

Background and recap of ARROW

4 History The UK Financial Services Authority (FSA) started life as 10 different organisations with 10 different approaches to regulation –not all of these approaches were risk-based –and they related to different legislative frameworks. Our current risk-based approach was put in place in 1999 / 2000, when the 10 organisations were merged.

5 Why do we use a risk-based approach? Finite resources available – never possible to do everything This leads to a non-zero failure approach (with a corresponding risk appetite) We therefore need a mechanism for prioritising our work: focusing our efforts on the greatest risks bear in mind tractability of issues (“biggest bang for our buck”) Other factors made the risk-based approach necessary (but difficult to implement) in the FSA: variety of cultures / backgrounds (requires consistency of resource and action decisions) very broad scope of our regulatory remit (wide ranging statutory objectives and diversity of sectors regulated)

6 Implications and benefits of a risk-based approach Benefits for the regulator: optimises use of resources: targeting greatest risks (bearing in mind also the tractability of issues) should lead to “biggest bang for our buck” and greatest overall benefit to our objectives focus on risks to our objectives (and on relevant outcomes); so reduces wasted or inappropriate effort sound, consistent basis for justifying our approach and actions; so links senior management priorities and risk appetite with decisions and actions on the ground provides a measure of success in a not-for-profit enterprise – risk / harm to our objectives is our currency

7 Benefits for regulated firms: firms see a direct result of good behaviour and control of their risks; lowering their risks to the FSA’s objectives should mean that they are subject to less intensive supervision – a regulatory “peace dividend”; they should also get a transparent explanation for the actions that the FSA takes; these actions should be proportionate to the risks, and consistent between firms in similar circumstances; a pro-active approach to managing risks is generally preferable for firms to a reactive approach, based on punitive enforcement action after problems have occurred. Implications and benefits of a risk-based approach (continued)

8 The ARROW framework “ARROW” is the name we give to our application of the risk-based approach to front-line supervision at a micro level (as opposed to the macro level application of the approach to managing our entire portfolio of risk, including internal risk). It stands for the Advanced Risk-Responsive Operating frameWork. It not only provides the risk metrics, but also specifies the processes we use to identify, record, analyse and mitigate risks. It has two components: the firm framework (used when assessing risks in individual firms); in ARROW, we call this “vertical” supervision; and the consumer and industry-wide framework (used when assessing cross-cutting risks – those involving a number of firms, or relating to the market as a whole); we term this “thematic” or “horizontal” work.

9 How FSA measures risk PRIORITY for the FSA IMPACT of the problem if it occurs PROBABILITY of the problem occurring = x Size of firm No. of retail consumers Perceived importance Business Risk Control Measures Consumer risk Factors may include:

10 How FSA measures risk (continued) Scoring is subjective – but subject to challenge and control. Impact High Medium-high Medium-low Low Probability Crystallised * High Medium-high Medium-low Low * crystallised risks are those that have already occurred – so probability is 100%

11 Scoring approach Advantages flexible quick to implement draws on expertise easily understood not spuriously accurate Drawbacks subjective needs effective challenge dependent on good experience may not provide much differentiation Impact Probability Low Med. Low Med. High High Crystallised High Med. High Med. Low Low Priority risks Relatively high-level scoring approach, based on supervisory judgement

12 Changing shape of the FSA c10,000 firmsc25,000 firms Charts below show proportion of firms by impact – the M&GI regime brought a major change in the population of regulated firms

Improving our risk-based approach

14 History of the ARROW Project The FSA recognised the need to review the operation of ARROW in its first few years, and in the light of the very substantial increase in the number of smaller firms that occurred when we took on the regulation of mortgage and general insurance business. In 2003 the Business Improvement Programme (“BIP”) undertook a review of the use of the process to date. We conducted a massive consultation exercise, including 250 interviews with users (at all levels) and discussions with a cross-section of firms and industry bodies. The BIP identified a number of areas for potential improvement, reflecting experience of use, as well as our increased ambition to fully embed the risk-based approach in everything we do. The ARROW Project was therefore set up (in 2004) with full senior management support, to establish the detailed causes of the issues identified, and design and implement solutions.

15 Aims of the Project To achieve greater proportionality and consistency in response to risks, applying our resources where they will make most difference To improve communication with firms on our assessment of them and involve them more fully in the process To improve the skills and knowledge of supervisory staff through better training and more effective IS To achieve greater efficiency and effectiveness on our management of risk making better use and sharing of the knowledge that we have

16 Desired outcomeChanges being made Greater proportionality and consistency in response to risks – applying our resources where they will make the most difference Better controls over the supervisory process to ensure a more consistent approach. Input from senior staff at an earlier stage in the assessment process, challenging and validating the planning / scope of assessments. A major overhaul to our risk framework, to allow better comparison of risks in different areas (so that we can more reliably devote our resources to the areas of greatest risk). A risk model that allows our supervisors more accurately to reflect their views of risk, and which integrates the capital assessment (see later). Reduced scope assessments for lower-risk firms (focussing on core areas and specific risks. We will also be exploring and testing options for placing greater reliance on well-controlled firms in our assessment work, allowing for a lighter touch in these cases (as well as a more informed assessment, that makes better use of firms’ own knowledge of the risks). Aims of the Project (continued)

17 Desired outcomeChanges being made Better communication with firms on our assessment of them ARROW assessment letters extensively revised, to add more value to the process: more focus on the main issues and what we expect firms to do about them; more helpful explanation of our views of the risks, and how we view individual firms in the context of their peer group. More consistently good communication of our findings in ‘close-out’ discussions after ARROW assessment visits. Firms provided with draft copies of ARROW letters, to allow correction of factual inaccuracies and misunderstandings, and prevent ‘surprises’ in the final letters. Aims of the Project (continued)

18 Desired outcomeChanges being made Improved skills and knowledge of supervisory staff Building on our current training and development provision, institution of a comprehensive ‘Regulatory Curriculum’ for all regulatory staff, which: specifies the knowledge and skills required for each role, focussing on the practical implementation of risk-based regulation; operates like the syllabus for a professional qualification (with modules that are either mandatory for all, or elective / role-specific); and leverages as far as possible the industry’s own training programmes, and builds on our extensive use of secondments. Extensive (5 days’) training on (new) ARROW for all our staff (existing and new) from March Much more effective and comprehensive support and guidance for supervisors, that fully equips them to assess and mitigate the key risks we face. Aims of the Project (continued)

19 Desired outcomeChanges being made Greater efficiency and effectiveness More and better use of thematic working: enhanced processes to identify those risks within firms that would be better dealt with through thematic work, including specialist staff; tools to allow firm supervisors to leverage off the knowledge of the wider organisation, such as the work of specialist sector teams and the experience gained from supervising similar firms. Improved capacity to undertake sector intelligence and analysis work, so that the organisation is better informed of emerging risks and other trends in the industry. Streamlined processes and improved IT support, cutting down wasted time, and allowing supervisors to focus on the risks that matter. Aims of the Project (continued)

20 New risk model (assessing probability in firms) Key features: 9 high-level ‘risk groups’ (with underlying ‘risk elements’) – plus capital / liquidity combination of inherent business risks, specific controls and overarching governance controls capital / liquidity has a specific role in mitigating prudential risk (only)

21 New risk model (continued) Each risk group is broken down into its underlying elements The scoring system uses the following inputs: generic (sectoral) assessment specific issues identified by the supervisor the supervisor’s own overall view

22 New risk model (continued) Supervisors will also be provided with guidance on how to assess each area of risk. This guidance will be structured along the same lines as the risk model itself. For example, the Product Risk Framework gives supervisors guidance on assessing product characteristics – describing the factors they should consider (performance risk, liquidity risk, complexity)

23 Relationship between ARROW and capital assessment The new version of ARROW will fully integrate the capital assessment – including Basel 2 and ICAS, where relevant to the firm. The conceptual relationship is as follows: The prudential business risk group / elements in the risk model grid are driven by the Pillar 1 and Pillar 2 assessments of risk / required capital. The assessment of controls (including high-level controls – quality of senior management oversight) is made in the normal way under ARROW. The combination of these two drives the individual capital requirement for the firm. The amount of capital held, relative to that required, drives the score against the capital / liquidity risk group; this in turn reduces (or increases) the overall level of prudential risk.

24 Relationship between ARROW and capital assessment (continued) In terms of the practicality of the processes: This integration will not be fully in place until 2007 (when Basel 2 is implemented). However, we will be piloting the combined approach during We will be encouraging supervisors, where possible, to coordinate the capital and full ARROW assessments so that they are performed at the same time (and results reported to the firm in a single letter). The approach is not dependent on this being the case, though, and circumstances may lead to the two being conducted separately (in which case the later would update the earlier).

25 Current status The design of this next generation of ARROW (“ARROW 2.0”) is virtually complete. We are currently completing our piloting of the new risk model, processes and IT; this has been successful, and we started to roll out ARROW 2.0 in September 2005; most changes will be in place by March The new IT system will take longer to build – we expect that it will be in place in late 2006 / early 2007.

26 ARROW’s evolutionary path Assessment models Individual risk-based methods Supports portfolio risk-based methods Stress and scenario testing Outcome-based models RATE, FIBSPAM ARROW ARROW 2.0 ARROW 2.5 ARROW 3 ? X X Current position

Questions