No two businesses are the same and therefore, by definition, no two firms will run exactly the same risks. Part of the art, as opposed to the science, of risk management is the identification of all pertinent risks and then the building of a risk and control infrastructure which is tailored precisely to the individual nature of the firm, its business activities and the specific risks arising. One of the reasons that the risk, compliance and control functions need to keep the risk and control infrastructure under constant review is that as the business moves and develops, so the risks change and the control mechanisms need to be adjusted to remain fit for purpose.
While the detailed risks run by firms are unique, there are a series of high-level risks which all financial services firms, no matter what their sector or geography, need to consider. The detailed practical effect of how the risks affect each firm and the precise risk mitigation approach required will vary but the high-level risks remain relevant.
In no particular order, there are five high-level significant risks which all firms need to consider:
Volume of changes
The sheer volume and range of changes aimed at reforming financial services is unprecedented. The changes are not limited to just the rulebooks but encompass the regulatory bodies, required structural changes (to banks, in particular), the identification of and creation of additional rules for systemic financial services firms and, last but not least, changes to the regulatory perimeter.
Where there are conflicts between jurisdictions in terms of requirements, or even in terms of the timescales of the same or similar requirements, the firm needs to consider its strategic options, agree on an appropriate way forward and then discuss its plans with all relevant regulators to gain agreement. Where there is a conflict over the timescale of the same or a similar rule, the firm may choose to be an early adopter in certain jurisdictions to ensure that it does not have to change IT systems and procedures twice. Depending on the jurisdiction, this approach may require regulatory approval or dispensation.
Anecdotally, many firms are finding that their entire IT change capacity is being used by the need to keep pace with changing regulatory requirements. This has left some firms with extremely limited capacity to undertake business-driven change programmes, the merging of old legacy systems and the removal of manual work-arounds. Firms may find it useful to take a stand-back view of all the essential, regulatory and indeed "nice to have" IT changes and, wherever feasible, try to integrate projects. A practical example of this could be merging Foreign Account Tax Compliance Act (FATCA) implementation (with its obligation to be able to identify U.S. citizens) with upgrades to the "know your customer" and anti-money laundering (AML) requirements.
Other examples include seeking to centralize the compliance and risk databases for monitoring, management information and report generation and regulatory relationship management so that each group office is not replicating effort.
Complexity is not inherently a bad thing and only becomes an issue when the risk and control infrastructure is insufficiently well designed or resourced to manage the complexity itself and the risks arising.
The UK has recognized the risks associated with unmanaged complexity and is to take an increasingly strong stance with regard to complex business models and the challenges they present to the supervisors of firms. Earlier this year the UK formed two new regulators of firms. The Financial Conduct Authority will be the regulator for all market and conduct of business activities for financial services firms. The Prudential Regulation Authority will regulate deposit-takers, insurance companies and large investment firms with a key statutory objective to promote the safety and soundness of firms by seeking to avoid adverse effects on financial stability, and in particular to seek to minimise adverse effects resulting from the failure or malpractice of a firm. The PRA will not seek to impose a zero-failure regime but rather to ensure that when firm failures do occur they do not result in significant disruption to the supply of critical financial services, including depositors' ability to make payments.
Building on the PRA's statutory objective of financial stability, new threshold conditions have been set out to frame the minimum requirements that firms will need to meet in order to remain safe and sound. The new conditions will require firms to have an appropriate amount and quality of capital and liquidity, to have appropriate resources to measure, monitor and manage risk, to be fit and proper, and to conduct their business prudently. Critically, the conditions include a requirement for a firm to be capable of being effectively supervised — a clear indicator that complex, opaque activity or structures and indeed any perceived barriers to effective supervision will be frowned upon. The PRA has made plain that it will expect firms to keep the maintenance of safety and soundness in mind at all times even when this will require firms to act more prudently than they might otherwise choose. In other words, firms must not allow themselves to become unmanageably complex.