1. COSRA Conference Meeting with the Colombian Securities Authority 2 September 2005 Integration of regulatory bodies Joe Traynor & Mike O’Hagan Finance, Strategy & Risk Division, UK Financial Services Authority (FSA)

2. 2 Agenda Key considerations (based on FSA’s experience of integration) Role of senior management Internal cultural / behavioural changes External expectations Organisational considerations Political considerations Systems and process matters

3. 3 The role of senior management For the risk-based approach (or indeed any unified approach) to be successful, the organisation’s senior management must buy into it: they must be “role models” for other staff, exhibiting the behaviour that they expect staff below them to follow; a non-zero failure approach means that front-line staff should not be blamed for legitimate risk decisions which lead to acceptable failures; they must actively use the risk data and information to manage the business – decisions should be transparent, and justified in terms of risk; senior management’s risk appetite and priorities must be clearly stated, communicated to front-line staff and embedded in the risk model adopted; they must be prepared to engage in the process, challenging decisions to ensure consistency and appropriateness.

4. 4 Internal cultural and behavioural change The level and difficulty of cultural change required for an organisation successfully to adopt a unified approach to risk management must not be underestimated: the adoption of a risk-based approach is not just the implementation of a technical model or an IT system; all training and communication to staff must emphasise the philosophy and approach being adopted, not just processes and systems; staff must be comfortable with key concepts: for FSA, these would include non-zero failure and the idea that we must reduce or stop some activities in order to focus on our priorities – we cannot do everything; staff must be prepared to accept oversight and challenge to their judgements – this is necessary to ensure consistency; the organisation must be prepared to allow risk genuinely to drive activity and resource allocation – and staff must accept that some behaviour will have to change as a result.

5. 5 External expectations The integration of different regulators will automatically create the expectation that firms will be dealt with in a coordinated fashion; they are likely expect: to deal with a single point of contact, even for complex groups, and that assessments of them will be logistically coordinated; to be subject to decisions and actions which are consistent across their operations, and with their peers. These expectations are difficult to meet unless a unified approach and processes are adopted.

6. 6 Organisational considerations In an integrated regulator, there are particular issues around how best to structure the organisation for risk-based regulation: initially when the FSA was formed, it was structured into divisions which corresponded to its constituent forerunner organisations; this led to very different versions of the risk- based approach being adopted in practice (often conforming to the old regulators’ previous practice); the new structure of the FSA (with two large supervisory business units) has, to some extent, helped ensure consistency; but the autonomy granted to these large BUs makes them resistant to oversight and challenge from the centre – so that, whilst practice within BUs is more consistent, there is divergence between BUs; so careful consideration is needed as to how consistency is to be achieved across the organisation (when so much will rely on subjective judgement); how will minimum standards be enforced, and how will risks in different areas be compared?

7. 7 Political considerations Whenever different organisations merge, the level of internal politics increases: people feel less secure in their positions, and seek to carve out their roles in the new organisation; different factions compete for control of areas of the merged organisation. This can be a problem for a risk-based regulator as: decisions which should be based on objective analysis become politicised – especially when resources are involved – so that evaluation of risk ends up back-fitted to meet a political resourcing decision; the organisation becomes paralysed – little / slow progress is made as everyone’s attention is focussed for a period on their own position rather than the organisation’s goals.

8. 8 Systems and processes When implementing new systems and processes across the organisation, the key is that they are fit-for-purpose: they must empower staff to take risk-based decisions (and must not make them feel that a ‘black box’ is constraining or controlling them; processes must not be overly bureaucratic – whilst appropriate controls must be in place, if these are too burdensome, staff will simply ignore them (e.g. by failing to record and report risks and actions); the risk model should not be overly complex – most models will rely on considerable judegement, so it is pointless to use a model that attempts a great level of accuracy; instead, the model should be capable of recording important judgements and decisions clearly (how serious are the problems we face, what is our view of the firms we regulate); IT systems used must be as user-friendly as possible – supporting the process rather than hindering it.