Skilled Person

Lot C – Controls and Risk Management Frameworks

Risk management can be subjective. Assessing whether a framework and controls are proportionate requires significant experience of what “good” looks like.

 

Firms subject to a Skilled Person review under Lot C will have the following aspects of their Compliance framework reviewed:

  • An assessment of whether a firm has the requisite control arrangements in place to: pre-empt; identify; and mitigate risks in their business model - including their approach to and execution of outsourcing arrangements. A review may consider all types of enterprise-wide risk. Underpinning this assessment is establishing the soundness of a firm’s risk-based approach in delivering fair outcomes and minimising the risk of harm to consumers and markets.

  • A review will consider whether a firm’s controls across the three lines of defence work effectively and in conjunction. The assessment of risk controls can be across all aspects of risk, including but not limited to operational risk; credit risk; traded risk; liquidity risk; compliance/legal risk; conduct risk; climate risk; valuation risk; and reputational risk management.

  • The review will assess how emerging and/or crystallised risks are escalated and managed through a firm’s risk governance framework by reviewing operating models, risk management tools and the use of management information to identify and react to risks within the business.

“Effective risk-management and controls ensure that the business strategy is delivered in a well-governed and controlled manner and protects the interests of all stakeholders.”

— PRA Regulatory Expectations 2022

Considerations for firms

  • Risk appetite

    For some firms, their risk appetite statement is a document which is updated once a year, rather than being used to assess whether business strategy and risk management remain well aligned.

    Getting the right blend of quantitative and qualitative measures is key to driving the right outcomes.

  • Governance and culture

    A successful Governance framework isn’t just a neatly constructed set of committees with accompanying risk packs, MI and minutes. It is about evidencing “why” firms make decisions in a transparent way which demonstrates a balance between commercial success and compliant behaviours to deliver effective risk management solutions.

  • Outsourcing

    Firms can come unstuck where they outsource parts of their risk management control framework to third parties if proper oversight and monitoring of the outsourcer is not in place. The FCA and PRA fines relating to Raphaels and Stonebridge outsourcing highlight the costly outcome of not maintaining a firm handle on outsourced risk functions.

  • Risk identification, monitoring and reporting

    Being able to effectively identify, monitor and report emerging or crystallised risks requires a well-functioning overall framework. It’s a balance between ensuring your framework is effective (coverage, depth, forward looking) and keeping it suitably proportionate to the nature, scale and complexity of your business. Ultimately it needs to support well-informed decision making.

  • Second and third line oversight

    Firms with mature and well-functioning second and third lines work with the first line to establish and implement risk management strategies and controls which are proportionate and sufficiently robust.

    It’s tricky to balance which activities sit in the first or second line and to align actual activities with broader statements of ownership of risk.

 Expert advice and support when you need it most: contact@avyse.co.uk