While FSPs need a risk management plan to comply with regulation, it also makes sound business sense to have one. This is especially relevant, considering the diverse and unknown risks the world has faced since the start of the COVID-19 pandemic.
Risks for FSPs can stem from a variety of sources. These include financial uncertainty, changes in regulatory and compliance requirements, legal liabilities, technology, strategic management errors, accidents, natural disasters and staffing uncertainties.
Our previous article, Part 1 of Risk Management, highlighted the risks to which FSPs are exposed through the business ‘ecosystem’. This article looks at additional risks and the key steps to draft a risk management plan for your business.
In simple terms, risk management planning is the process of identifying, assessing and controlling threats to a business. Importantly, this process enables you to identify the areas in your business that most require your attention and may cause the most harm if left unattended.
Drafting a risk management plan is a two-step process. The first step is to identify all the risks to which your FSP might be exposed. Most of these risks can be broadly classified as strategic, operational, human resources, financial, marketing, advice, customer, technological and regulatory risks.
First, identify the risks
Strategic risks are the uncertainties and untapped opportunities embedded in the strategic objectives of your business plan and how well they are executed.
Strategic risks include:
- competitive and/or innovative risk – the risk of losing clients to an FSP that directly competes with you
- business risk – the risk of deviating from the strategy documented in your business plan
- economic risk – the risk of poor trading conditions and the impact of clients’ financial situations on your FSP
- ethical risk – the risk of breaching the code of ethics that underpins your FSP
- reputational risk – the damage to your image if client complaints are published in the media
- sustainability risk – being unable to meet business objectives
- intellectual property risk – competitors impersonating elements of your brand.
Operational risks are the risks of loss due to the inadequacy or failure of the processes set out in your operations manual, or of the individuals and/or systems in your FSP.
Human Resources risks arise when you employ staff and representatives. These include ineffective monitoring of representatives, non-compliance with the ‘fit and proper’ requirements, lack of skill and/or training of staff, key staff resignations and negligent or dishonest acts.
Financial risks are those associated with the financial structure and transactions of your FSP. Profit / revenue / capital risk is the risk of an unexpected loss in the income your FSP generates. This could lead to cash flow problems and your FSP being unable to pay creditors on time.
Other financial risks may arise through:
- ineffective control of the management accounts – the risk of decisions being made on incorrect financial information and/or where no monthly cash flow forecast and review process exists
- lack of resources to address risks or meet regulatory financial soundness (liquidity) requirements
- late submission of financial statements to the Financial Sector Conduct Authority (FSCA)
- late payment of levies to the FSCA
- unforeseen capital outlay due to Ombud complaints not being covered by personal indemnity cover.
Marketing risks are the risks associated with any marketing-related activity that can lead to variable and unpredictable income and result in financial success or loss. These risks arise in activities such as advertising, drawing up a marketing plan, identifying your target market and lead generation.
Advice risks relate to providing financial advice. These include acting with due skill, care and diligence, gaining required information, conducting a suitable financial needs analysis and identifying financial products and/or providers to fulfill clients’ identified needs. They also entail detailing the advice process in the Record of Advice, all the while also demonstrating the principles of treating customers fairly.
Customer risks exist due to interaction with clients. Risks may include complaints, loss of clients who are dissatisfied, client retention and reviews of current clients.
Technological risks arise if you do not keep up to date with technological developments that support operational ability. They also include your FSP’s exposure to cybercrime.
Regulatory risks relate to failing to keep up to date with, implement and integrate all legislation that is relevant to FSPs. This includes the FAIS Act, the FAIS General Code of Conduct, Board Notices and the FIC Act, as well as future regulatory changes such as the COFI Bill.
Depending on the specific circumstances of your FSP, other risks may also apply, while some of the abovementioned risks may not be applicable. Importantly, your risk management process should be proportionate, and therefore appropriate, to the size of your FSP and the nature, complexity and type of business.
Assess probability and impact
The second step in the risk management planning process is to assess the probability and impact of each identified risk on your FSP. Probability is the likelihood of that risk occurring, while impact refers to the potential negative consequences if the risk does occur.
Once probability and impact have been established, you have a clear view of each risk. You can now consider the risk level or risk exposure, and select appropriate responses or controls to prevent the risk from occurring. If a risk is unavoidable, you can seek ways to either minimise the impact on your FSP or mitigate and manage the risk when it occurs.
Using your risk management plan
Once documented, your risk management plan must become an active document. It should be updated regularly as you follow the risk management process to actively monitor, manage and address the FSP’s risks and potential exposures.
Your risk management plan should also document how your FSP uses the plan to manage areas of non-compliance, weak oversight and failure of controls or lack of sufficient management. The Key Individual should monitor and implement all remedial actions identified in the plan and evidence the improvements.
Whether you are a sole proprietor or a larger FSP, a robust and well-drafted risk management plan will assist you to implement an internal process of risk-based compliance. If used correctly, your plan becomes a tool that helps you consider all the risks in your ecosystem, as well as the controls you have implemented to prevent or minimise the impact of these risks on your FSP.
Having an effective risk management plan is also necessary to comply with regulation. Section 11 of the FAIS General Code of Conduct requires that FSPs must ‘have and effectively employ the resources, procedures and appropriate technological systems that can reasonably be expected to eliminate as far as reasonably possible, the risk that clients, product suppliers, and other FSPs or representatives will suffer financial loss through theft, fraud, other dishonest acts, poor administration, negligence, professional misconduct or culpable omissions’.
Section 12 of the FAIS General Code of Conduct further states that ‘a provider, excluding a representative, must, without limiting the generality of Section 11, structure the internal control procedures concerned to provide reasonable assurance that:
(a) the relevant business can be carried on in an orderly and efficient manner;
(b) financial and other information used or provided by the FSP will be reliable; and
(c) all applicable laws are complied with’.
In other words, your risk management plan should incorporate and address effectiveness and efficiency of operations, the safeguarding of assets and compliance with applicable laws and regulations. Furthermore, it should support business sustainability, encourage responsible behaviour toward your stakeholders and adhere to the principles of treating customers fairly.
Section 37 of Board Notice 194 of 2017 also sets out specific governance requirements for FSPs, requiring that the governance framework of an FSP must be proportionate to the nature, scale, risks and complexity of the business of the FSP. This includes having effective and adequate systems of corporate governance, risk management (including conduct risk management) and internal controls that include risk management policies, procedures and systems.
In the words of Alla Valente, senior analyst at Forrester Research, “We don’t manage risks so we can have no risk. We manage risks so we know which risks are worth taking, which ones will get us to our goal, which ones have enough of a payout to even take them.”
Managing risks will always be a part of FSPs’ governance framework and a documented and robust risk management plan is a vital aspect of remaining future fit in the industry.
If you need further guidance or assistance to document your risk management plan, please contact your Masthead Compliance Officer or Regional Office.