The FCA requires a firm to take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems. This should include effective procedures for assessing risk and for setting the level of risk the firm is prepared to tolerate. Responsibility for this function sits at director, senior management or partner level.
What does this mean?
The FCA expects firms to identify the risks present in their business and to implement actions that mitigate those risks.
What is a risk?
Risk is the possibility of harm or loss to the business arising from:
- a person or thing that is a potential hazard;
- an unforeseen event.
What is risk management?
Risk management is a process that allows you to reduce the impact that risks may have on your business. A risk management system should be in place that allows you to identify, monitor and act on risks to the business. The FCA also requires the risk management process to be responsive and proactive, so that a system or process can be changed as soon as an issue presents itself.
The FCA Handbook sets out the rules and guidance on appropriate risk management. At a basic level the regulator expects firms to understand the principles of enterprise risk management. Section SYSC 7.1 of the FCA Handbook requires a firm to have effective processes to identify, manage, monitor and report the risks to which it is, or might be, exposed.
Over recent years the FCA has tested firms' compliance using online surveys, telephone interviews and face-to-face reviews.
Peak Consultants provide an online risk log and supporting procedures to ensure that risks are documented, controls are applied and mitigation is agreed. This process and its documentation allow firms to evidence to the FCA that they are complying with this important requirement.
The risk management process is a continual cycle, guided by the following principles:
- Exercise professional scepticism
- Risk management protects value
- Manage risks with objectivity
- Adapt to the situation
- Risk management must be proactive
- Transform IT risk into business-relevant risk metrics that can be shared with key stakeholders to drive awareness, accountability and action
- Visualise current risk exposure and analyse historical trends to illustrate how your IT risk programme systematically reduces risks to the business over time
- Prioritise remediation efforts based on business risk rather than technical severity
- Work with key business stakeholders to make consistent plans for better security practices and monitor progress against these plans on an ongoing basis