Risk Management and Controls

The requirement for firms to make risk-based decisions in every aspect of running the business is the long-standing priority for UK regulators. Organisations need to update and evolve their risk framework and controls to remain compliant and improve performance. There’s a shift in emphasis towards organisations’ ability to pre-empt (as well as identify and mitigate) risks to their business model. This includes their approach to delivering fair outcomes and preventing the risk of serious harm to consumers and markets.

Reducing and preventing serious harm is one of three key areas of focus for the FCA, and work is underway to remove problem firms with inadequate harm prevention, market abuse and financial crime controls. Financial resilience is an explicit focus of the PRA, and an organisation’s ability to achieve it relies on having a robust risk culture and strong risk management practices in place. The PRA and FCA have both prioritised improving the data they receive from firms. This is a key part of delivering their strategies, and organisations need to have effective risk governance frameworks, risk analysis and reporting capabilities.

Organisations that recognise the value of having effective controls that work across all three lines of defence are able to assess how emerging risks are managed through the business, improving their agility and resilience. Risk management is most effective when the essential components are aligned and supportive: the Risk Appetite is consistent with overall strategy, the EWRA/BWRA clearly indicates compliance with the Risk Appetite and areas for Board attention, and the EWRA/BWRA is supported by detailed and consistent assessments such as the RCSA.

Our Approach

We have significant experience in assessing organisations’ controls and risk management frameworks against industry best practice and relevant regulatory requirements and guidelines. Our diverse team of industry experts from banking, insurance, regulation, compliance, operations, psychology and law bring a relevant wider context to our work. Risk management and internal controls are specific to each organisation, so our team will make sure that any outcomes are appropriate and sustainable.

Our Services

We help clients to manage their risk in three areas.

Risk Management Framework Review and Assessment

Risk management and controls cover every aspect of the organisation and are underpinned by a firm’s strong risk culture.

Our review work covers all types of financial and non-financial risk including, but not limited to, operational risk, financial crime risk, outsourcing arrangements, credit risk, liquidity risk, climate risk, people risk, conduct risk and reputational risk management.

We have experience of the ICAAP/ILAAP and ICARA processes, and Model Risk Management ("MRM").

Examples include:

  • Enterprise or Business Wide Risk Assessment (EWRA/BWRA) - reviewing scope and definition, alignment with risk appetite, governance and process for monitoring and oversight, overall effectiveness and sustainability.
  • Assessment of Risk Appetite Statement - checking for alignment with strategy, suitability as both a Board/NED information source and executive risk function reference, alignment with EWRA/BWRA and facilitation of risk appetite setting discussions at Board and Executive Committee levels in line with strategy.
  • Financial Crime Customer Risk Assessment ("CRA") - developing and improving the methodology, policy and procedures as part of the overall customer lifecycle including CRA models for various customer types for all relevant risk areas (customer risk, geography risk, product risk, transaction risk, channel risk).
  • Risk and Control Self Assessment ("RCSA") - benchmarking and reviewing frameworks against peers based on our industry knowledge and experience.
  • Three lines of defence model - reviewing the effectiveness and the process for documenting, analysing and reporting risk information. We also consider risk management as part of the culture of the organisation and how it informs decision-making within the business to deliver fair outcomes for customers and safety and soundness of the market.
  • Future proofing - identifying whether existing systems and controls are sufficient to meet the future needs of the organisation and to enhance the firm’s capability to self-identify potential harm to consumers and markets.

Risk Remediation Programmes

We work with organisations to help them remediate findings and recommendations or implement programmes of change as a result of skilled person reviews or other reviews, like internal audit.

Our approach is collaborative and we offer clients solutions that are tailored to their business models and designed to be sustainable. At all times, our work is compliant with best practice standards and UK regulations and guidance.

Independent Regulator Mandated Reviews (Skilled Person Reports) and Preparation / Remediation

We are on the following FCA/PRA Skilled Person Panel Lots:

  • Client Assets and Safeguarding
  • Governance, accountability, strategy and culture
  • Conduct of Business
  • Financial Crime
  • Prudential - Adequate Financial Resources for FCA solo-regulated firms

Although we aren’t on the Controls and Risk Management Frameworks Lot, we can be commissioned by firms for reports relating to this Lot. When chosen by firms, we have been approved by the relevant regulator.

We help firms prepare for an upcoming review or provide an independent review to the standard of a Skilled Person review. We also undertake independent Risk Management Framework reviews for international regulators.