Notes Old site

The FSA and operational risk

The FSA has produced several documents that are concerned with operational risk, and others that are concerned with systems and controls.

The FSA sometimes distinguishes between operational risk (as part of business risk) and control risk and sometimes doesn’t. For example, the guidance was originally intended to be part of a separate module, PROR, and was presented as such in CP97. However, the guidance was completely rewritten, and moved into the systems and controls module (SYSC), in CP142.

Further guidance on operational risk is contained in PS97_115, a policy statement issued after feedback on CP97 and CP115, and in PS140, a policy statement issued after feedback on CP140. PS140 applies to insurers, friendly societies, and Lloyd’s.

Operational risk is also mentioned in several of the documents in the “Building a New Regulator” series. These documents set out the overall approach of the FSA, and describe their risk framework and regulatory processes.

A report on how firms are going about the business of introducing operational risk management systems, “Building a framework for operational risk management: the FSA’s observations”, was published in July 2003. It contains useful information on good practices.

The FSA’s new structure for capital requirements, based on the calculated ECR (Enhanced Capital Requirement) which is then modified by the ICG (Individual Capital Guidance), as discussed in CP190 and CP195, means that operational risk will affect the capital that firms need. This will be through the ICG, which although it takes the ECR into account is also influenced by the systems and controls that firms have in place. The FSA say:

The more firms are able to demonstrate that their risk assessment processes capture and quantify all of the issues in our guidance, then the lower we are likely to assess their ICG (and vice versa). This provides an incentive for good risk management.


The following external links are relevant: