The FAIS Supervision Department of the FSB follows a risk-based approach in supervising financial services providers (FSPs). Licensed entities are categorised into five sectors, ranging from high-impact FSPs to small FSPs, with the latter regarded as the least likely to cause major loss to their clients. This does not, of course, mean that you are any less obliged to manage risk in your business.
All FSPs are required, by law, to safeguard their businesses against risk, and are required to have a documented risk management plan in place.
Section 11 of the General Code of Conduct states:
“A provider must at all times have, and effectively employ, the resources, procedures and appropriate technological systems that can reasonably be expected to eliminate as far as reasonably possible, the risk that clients, product suppliers and other providers or representatives will suffer financial loss through theft, fraud, other dishonest acts, poor administration, negligence, professional misconduct or culpable omissions.”
This is quite a hefty obligation.
The FSB published a guide to assist FSPs with drawing up such a plan (see link below). It defines the process of risk management as “…the process of analysing and assessing your exposure to risk and determining how to best manage your exposure to limit or even eliminate the risks. Risk management involves the identification, assessment, prioritisation of the risks and the application of resources to minimise, monitor and control the probability and/or impact of the negative occurrences.”
We copy below the four steps from the FSB guide which one should follow to ensure that risk is addressed properly. While these steps are intended for those who still have to create such a plan, they can also serve two other purposes:
- You are legally obliged to review your risk management plan at least once a year, as indicated in step 4 below. Follow these steps to ensure you are still on track.
- If you make use of an external compliance officer, you may want to review what he or she has put in place. Remember that the responsibility, and accountability, for non-compliance is yours, not that of your compliance officer.
Step 1: Identify the specific risks to your FSP
Think of all the risks that your FSP may be faced with. You should not limit risks to laws and regulations, for instance the risk of non-compliance with the FAIS and FICA legislation, but should also think of other risks such as computer crashes, a fire in the building, extended leave for the key individual, etc. When identifying the risks that are specific to your FSP you need to ask yourself “what could happen?” The guide then provides a list of 13 potential risk areas which you need to consider with specific reference to your business.
Step 2: Analyse, evaluate and prioritise the risks identified
When you prioritise risks you need to look at the impact/seriousness of the risk on your business and the probability of the risk actually occurring. You need to have a thorough understanding of the risks identified and understand their causes and consequences. Ask yourself the following questions:
- What is the probability of the risk occurring?
- How serious will the impact of such an occurrence be?
Step 3: Determine how you will manage the risks
You should ask yourself the following questions:
- How will I reduce/eliminate the probability of the risk occurring?
- How will I reduce/eliminate the impact/seriousness of the risk if it occurred?
You should ask yourself the above questions for each of the risks identified; your answers form your strategy for reducing or eliminating each risk. This strategy should then be recorded in your risk management plan.
Step 4: Monitor and review the risks
You should review your risk management plan from time to time so that it does not become irrelevant or cease to reflect the actual potential risks. You may review your risks and risk management plan every year, or as various situations arise.
But wait – that’s not all
To get back to the old hobby horses called outcomes-based regulation and Treating Clients Fairly – there is also an ethical element attached to risk management.
“…the object of the FAIS legislation is to prescribe the manner in which financial services should be rendered to members of the public. Ethical conduct of all FSPs will ensure that the risks within an FSP are lowered. When interacting with prospective clients and existing clients, FSPs should always act in good faith to the benefit of themselves and others.”
We suggest that you download the FSB guide on Risk Management and review your current plan against its contents, and also review it from an ethics perspective.