Notes Old site

Risk identification

It goes without saying that risk identification is vital for effective risk management. In order to manage your risks effectively, you have to know what they are. The really important thing during risk identification is not to miss out any risks. You can decide to ignore some of them at a later stage, after you have assessed them, but they must all be included at this stage.

There are a number of different techniques that can be used. The ideal is probably to use a combination, and work with outsiders as well as people who are involved in the business and know it well. That way you can make good use of people’s expertise while reaping the benefits of a fresh viewpoint. Useful techniques include various brainstorming methods as well as systematic inspections and process analysis.

Whatever technique (or techniques) you use, it is important to provide an audit trail so that you can be sure of what happened and that no risks were omitted.


The FSA and risk based capital

The FSA has published proposals for a new framework for risk-based capital requirements for both life and non-life insurers. Although the details of the calculations differ, the overall structure is the same for both types. The proposals were issued in July and August 2003; the consultation period ends on 30th November 2003.

General framework

Insurers will be required to hold the higher of:

  • the Minimum Capital Requirement (MCR), as set out in EU directives;
  • the Enhanced Capital Requirement (ECR), a more risk-sensitive calculation specified by the FSA.

The ECR calculations are obviously different for life and non-life insurers. However, for both types the calculations make various industry-wide assumptions that may not be met by individual firms, whose risk profiles may be different from the average. The FSA proposes to take these differences into account through the Individual Capital Adequacy Standards (ICAS) mechanism. They say that ICAS will

  • mean that firms will hold capital more appropriate to their business and control risks
  • emphasise the responsibility of senior management for ensuring that firms have adequate financial resources
  • provide incentives for better risk management

ICAS will operate through Individual Capital Guidance (ICG). The ICG will usually be at or above ECR, and will be affected by whether firms’ risk assessment processes follow all the FSA’s guidance. The ARROW assessments will be a major input.

Although ICG is only guidance, firms will be expected to notify the FSA if capital falls below the ICG level. In addition, firms that fail to meet the ICG will be expected to set out a plan to restore adequate capital.


Risk indicators

A risk indicator is a piece of information that is a proxy for risk. The idea is that risk indicators should provide a good indication of the level of underlying risk, while being readily available or easily calculated. However, with modern technology there are many sophisticated indicators that count as being easily calculated.

Risk indicators can be used for any type of risk, and at any level of the organisation. They needn’t be totally accurate measures of risk (and indeed are unlikely to be, if they are readily available). Examples of risk indicators include:

  • Exposure to a single counterparty, used for several types of credit risk
  • Value at Risk, used for many types of risk in the banking industry and elsewhere
  • Stock betas, for market risk
  • Numbers of transactions, volumes of trades, values of transactions etc., for operational risk

Risk indicators are used for both monitoring and control. In monitoring, values are tracked over time, and significant changes are taken as indicating a change in the underlying risk level. For control, limits are placed on the values of indicators; activities are constrained in order not to breach the limits.
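The two uses just described, monitoring and control, as an added example in Python (not code from the original note). The readings below are constructed; the "significant change" rule (a reading that differs from the mean of the preceding readings by more than a chosen fraction), the window size and the limit figures are illustrative assumptions, not anything the note specifies.

```python
"""Added example, not from the original note: one risk indicator (exposure to
a single counterparty) used first for monitoring, by tracking its value over
time and flagging significant changes, and then for control, by placing a
limit on it and constraining activity so the limit is not breached.

Assumptions, none of which are on the page: the readings are constructed, and
the change rule, window size and limit values are illustrative choices.
"""

# Constructed readings of the indicator, in millions, one per reporting period.
SAMPLE_EXPOSURE = [10, 11, 10, 12, 11, 18, 19, 20, 21]


def significant_changes(series, window=4, threshold=0.25):
    """Monitoring: return the indexes of readings that differ from the mean of
    the preceding `window` readings by more than `threshold` (relative).
    Each flagged index marks a point where the underlying risk level may have
    changed and should be investigated."""
    flagged = []
    for i in range(window, len(series)):
        baseline = sum(series[i - window:i]) / window
        if baseline == 0:  # no meaningful relative change from a zero base
            continue
        if abs(series[i] - baseline) / baseline > threshold:
            flagged.append(i)
    return flagged


class CounterpartyLimit:
    """Control: a hard limit on exposure to any single counterparty.
    A new transaction is approved only if it keeps the indicator within the
    limit; every decision is recorded so there is an audit trail."""

    def __init__(self, limit):
        self.limit = limit
        self.exposure = {}  # counterparty -> current exposure
        self.log = []       # (counterparty, amount, approved, exposure after)

    def approve(self, counterparty, amount):
        if amount < 0:
            raise ValueError("amount must be non-negative")
        current = self.exposure.get(counterparty, 0)
        approved = current + amount <= self.limit
        if approved:
            self.exposure[counterparty] = current + amount
        self.log.append((counterparty, amount, approved,
                         self.exposure.get(counterparty, 0)))
        return approved

    def headroom(self, counterparty):
        """How much further exposure the limit allows for this counterparty."""
        return self.limit - self.exposure.get(counterparty, 0)


if __name__ == "__main__":
    print("significant changes at periods:", significant_changes(SAMPLE_EXPOSURE))
    limits = CounterpartyLimit(limit=25)
    for cp, amt in [("Counterparty A", 20), ("Counterparty A", 6), ("Counterparty A", 5)]:
        verdict = "approved" if limits.approve(cp, amt) else "rejected"
        print(cp, amt, verdict, "headroom", limits.headroom(cp))
```

With the constructed readings the monitor flags periods 5, 6 and 7, where exposure jumps from around 11 to 18 and keeps climbing; the control side rejects the second transaction because it would take the counterparty past the limit of 25, and accepts the smaller third one.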




Risk maps

The purpose of a risk map is to help you decide what to do about your risks. I’ve seen the term applied to several different things; this note sets out my understanding of the topic.

The important properties of a risk map are:

  • Includes all the relevant risks;
  • Includes some sort of ranking or assessment of each risk;
  • Each risk is mapped back to the organisational structure in some useful way.

Another term often used in this context is risk profile. If the properties listed above seem a bit vague, that’s because risk maps can be used in all sorts of different situations, and being any more specific would rule some of them out.

We can consider a couple of simple examples to make things a bit clearer.

FSA risk assessment matrix

The risk assessment matrix produced by the FSA as part of its ARROW risk assessment framework is a risk map. (The matrix is available in both The firm risk assessment framework and Building the new regulator: Progress report 2 — see below.)

It includes all the risks that the FSA are interested in, they are each given a probability score, and the risks are mapped on to the risks to the FSA’s objectives. The completed matrix is used by the FSA to decide on any remedial actions that should be taken by the firm being assessed.

Internal risk management

An organisation’s internal risk management processes might also make use of a risk map.

The risks included in the map would be decided during the identification stage; it’s important to make sure that all the risks that the organisation faces are included.

A simple method of assessment is to assign to each risk a qualitative value for impact or consequences and one for frequency or probability. In each case, a simple low/medium/high classification is often used.

A simple matrix can then be used to assign a single grade to each risk: for example, a high impact/high frequency risk might be ranked as ‘avoid’ while a low/low risk might be ranked as ‘ignore’. Other possibilities include ‘insure’, ‘control’, and ‘transfer’.

A structure that is frequently found is for risks to be grouped by functional area. Relating them to the organisational structure in this way helps to decide how to control them.
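The internal risk map described in this section, as an added example in Python (not code from the original note). It has the three properties listed above: it refuses to build if a risk recorded at identification is missing from assessment, it grades each risk from an impact/frequency matrix, and it groups the results by functional area. The Risk record, the sample risks and all matrix cells other than the two the note gives (high/high is ‘avoid’, low/low is ‘ignore’) are assumptions.

```python
"""Added example, not from the original note: a minimal risk map.

Assumptions, none of which are on the page: the Risk record and its field
names, the sample risks (constructed), and the grade matrix apart from the two
cells the note gives (high impact/high frequency -> avoid, low/low -> ignore);
the other cells are one plausible filling using the grades the note mentions.
"""
from collections import defaultdict
from dataclasses import dataclass

LEVELS = ("low", "medium", "high")

# Grade matrix indexed by (impact, frequency). Only the high/high and low/low
# cells come from the note; the remaining cells are an assumption.
GRADE_MATRIX = {
    ("high", "high"): "avoid",
    ("high", "medium"): "transfer",
    ("high", "low"): "insure",
    ("medium", "high"): "control",
    ("medium", "medium"): "control",
    ("medium", "low"): "control",
    ("low", "high"): "control",
    ("low", "medium"): "ignore",
    ("low", "low"): "ignore",
}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    functional_area: str  # links the risk back to the organisational structure
    impact: str           # one of LEVELS
    frequency: str        # one of LEVELS


def grade(risk):
    """Assign a single grade to a risk from its impact/frequency pair."""
    if risk.impact not in LEVELS or risk.frequency not in LEVELS:
        raise ValueError(f"{risk.risk_id}: impact and frequency must be one of {LEVELS}")
    return GRADE_MATRIX[(risk.impact, risk.frequency)]


def build_risk_map(identified_ids, risks):
    """Grade every assessed risk and group the results by functional area.

    `identified_ids` holds the ids recorded at the identification stage.
    Building fails if any of them is missing from the assessed risks, so a
    risk cannot silently drop out between identification and assessment.
    """
    assessed_ids = {r.risk_id for r in risks}
    missing = sorted(set(identified_ids) - assessed_ids)
    if missing:
        raise ValueError(f"identified but not assessed: {missing}")
    risk_map = defaultdict(list)
    for r in risks:
        risk_map[r.functional_area].append((r.risk_id, grade(r)))
    return dict(risk_map)


def risks_needing_action(risk_map):
    """Every risk graded other than 'ignore', worst grade first, so the map
    can drive the decision about what to do about each risk."""
    order = {"avoid": 0, "transfer": 1, "insure": 2, "control": 3}
    found = [(area, rid, g) for area, items in risk_map.items()
             for rid, g in items if g != "ignore"]
    return sorted(found, key=lambda t: (order[t[2]], t[0], t[1]))


# Constructed sample risks (not from the page).
SAMPLE_RISKS = [
    Risk("R1", "Claims system outage during peak renewals", "IT", "high", "medium"),
    Risk("R2", "Unpatched internet-facing web server compromised", "IT", "high", "high"),
    Risk("R3", "Mis-keyed policy data by call centre staff", "Underwriting", "low", "high"),
    Risk("R4", "Single large counterparty default", "Finance", "high", "low"),
    Risk("R5", "Stationery supplier late delivery", "Facilities", "low", "low"),
]
SAMPLE_IDENTIFIED = ["R1", "R2", "R3", "R4", "R5"]

if __name__ == "__main__":
    rm = build_risk_map(SAMPLE_IDENTIFIED, SAMPLE_RISKS)
    for area, items in sorted(rm.items()):
        print(area, items)
    print(risks_needing_action(rm))
```

The identification check is the part worth copying: the note stresses that a risk may be ignored after assessment but never omitted before it, and carrying the identified ids forward as a separate list is a cheap way to enforce that.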


Future regulation of insurance briefing

The FSA held a half-day briefing on The future regulation of insurance on 4th December 2002. Nearly 200 people attended, from a variety of organisations: insurance companies, banks, building societies, solicitors, accountants and other consultants.

The main points concerning risk management to emerge from the briefing were:

  • Risk Management Framework
  • Senior Management Responsibility
  • Proportionality

See below for further details.

The briefing was chaired by John Tiner, recovering from a bout of flu. Instead of giving a presentation, he confined himself to introducing the speakers and responding to points made by them and from the floor. There were five speakers, whose topics and main points were:

David Strachan, Director of the Insurance Firms Division at the FSA: What does the Tiner Project mean for you?
If insurance firms have not yet done so, they should urgently review their operations, systems and controls. Proportionality is important: although their risk management processes and framework should be comprehensive, their complexity should depend on the size and complexity of the firm and the risks it faces. The ultimate responsibility of senior management cannot be delegated, whether within the firm or through outsourcing arrangements.

Richard Harvey, Group Chief Executive, Aviva plc: An insurer’s perspective
Things have changed a lot since pre-FSA days. There is a big learning curve for both the regulated and the regulator. There are enormous demands on management time: about 70 or 80 senior management meetings a year. The hope is that the confidence and trust built up will lead to a lower level of intervention in the future. There are a number of issues about the relationship between the FSA and the regulated firms that must be resolved.

Bill Lowe, Prudential Standards Division, FSA: The Role of the Risk Review Team
The risk review department supports all the regulatory and supervisory teams in the FSA. In particular it is heavily involved in visits to regulated firms, both the general discovery (ARROW) visits and themed visits. Several areas of concern have been identified from the visits undertaken so far, including outsourcing, documentation, delegation by senior management, business continuity planning and stress and scenario testing.

Andrew Campbell-Hart, Grey Panther, FSA: Emerging risks in the industry
Grey panthers are apparently not predators, but are there to build bridges between industry and the FSA, and between the promulgation and application of policy. They also support the line supervisors, and provide international contacts and experience. There are four economic drivers that will result in major challenges over the next decade, and appropriate regulation can help to balance the forces.

Mary Francis, Director General, ABI: The future regulation of insurance: considerations for firms
The FSA has a huge task, integrating nine regulators and their rulebooks during the worst market conditions for a quarter of a century and as international developments are changing rapidly (Basel, IAS, EU). It is important that regulatory creep is minimised: don’t go too far towards protecting people from risk rather than educating them to understand it and take responsibility for themselves.

Risk Management Framework

• If insurance firms haven’t started already, they should urgently review their operations.
• However elaborate the risk management framework (see proportionality), it must be comprehensive. It must cover the full range of risks in an integrated manner, not just insurance risk.
• The risk assessments that have been performed so far have shown some examples of good practice, but overall there are some significant question marks. Risk management frameworks have not always been integrated over the whole firm, or presented a coherent picture, even when some risks have been identified.
• Good controls and a compliance culture should lead to less crystallisation of risk and hence less regulatory intervention.
• Risk assessment should be integrated over the whole firm. Operational risks are currently handled poorly, with not enough data collection.
• There is a definite trade-off: good controls will lead to less intrusive regulation, but firms must deliver on their side of the bargain.

Senior Management Responsibility

• Senior management must take responsibility for risk management.
• Boards and senior management should read the report, The future regulation of insurance: A progress report, which sets out the regulatory agenda for the next few years.
• Management responsibilities should be clearly defined and documented, not only for risk issues but for other responsibilities too. There should be a clear view of the risk appetite of the firm, which should be communicated to all levels.
• Outsourcing is a key issue. Senior management remains responsible and should ensure that they get the requisite information from the outsourcer.
• In the risk assessment exercise, the FSA can tell a great deal by looking at the risk pack that goes to members of the board: Is there one? Does it cover key risks in an accessible manner?
• The inability to demonstrate proper control of outsourcing, and poor disciplines over delegation, are major areas of concern. Senior management cannot opt out of their regulatory obligations.

Proportionality

• Insurance firms themselves must implement a more efficient approach to managing risk. Costs must outweigh benefits.
• Firms needn’t necessarily have an elaborate framework for risk management. It should depend on the size and complexity of the firm and the risks it faces.
• There should be a genuinely risk-based approach to internal audit: higher risk areas should be looked at more frequently.

Financial Services Authority

The Financial Services Authority is the single statutory regulator in the UK responsible for regulating deposit-taking, insurance and investment business. It assumed its full powers on 2nd December 2001 (N2).

The FSA practises risk-based regulation. It has four statutory objectives, and tries to manage the risk to those objectives. The objectives are:

  • Market confidence: maintaining confidence in the financial system;
  • Public awareness: promoting public understanding of the financial system;
  • Consumer protection: securing the appropriate degree of protection for consumers;
  • Reduction of financial crime: reducing the extent to which it is possible for a business carried on by a regulated person to be used for a purpose connected with financial crime.

Regulated firms are expected to have frameworks in place to manage the risks to the FSA’s objectives. They may manage other risks too, of course, such as risks to shareholder value.

The FSA assesses the risk category of its regulated firms by looking at impact (essentially measured by the size of the firm) and the probability of a risk crystallising, based on its risk management framework, compliance culture, and systems and controls. The level of supervision depends on a combination of these two factors, of which impact appears to have the greater effect: the smallest firms will not receive heavy supervision however bad their practices.

The FSA emphasises that the aim is not a zero-failure regime. The belief is that a small number of low impact failures will not materially affect the statutory objectives: a single high impact failure would be much more significant.




Risk classification

There have been many different attempts to classify risks, from the simple to the extremely complex. At the simple end of the spectrum is the basic breakdown of banking risk into credit risk, market risk and operational risk. More complex classification systems are intended for use as the basis of Enterprise Risk Management or other comprehensive risk management exercises.

The rationale for attempting to classify risks is that in order to manage your risks effectively you have to know what they are, and a risk classification system is necessary in order to do this. It can provide a basis for both identification and control, two essential parts of the risk management process.

A comprehensive risk classification system can provide an overall framework for risk identification: simply go through each risk, one by one, and work out where and how it can arise in your organisation. Sometimes there are problems of definition, in that it is not clear exactly how to classify a particular risk that you identify, but having a comprehensive system helps to ensure that you don’t double count any risks.

Control and mitigation can also be helped because risks that are classified in the same way are often susceptible to similar control and mitigation techniques.


Enterprise risk management

The Casualty Actuarial Society defines Enterprise Risk Management (ERM) as "the process by which organizations in all industries assess, control, exploit, finance, and monitor risks from all sources for the purpose of increasing the organization’s short and long term value to its shareholders". This seems to be as useful a definition as any. ERM is essentially a risk management perspective on management.

ERM is very fashionable as a management technique at the moment. It provides a framework based on analysing risks and opportunities, with an ultimate objective of creating value for the shareholders. It is sometimes linked with Total Quality Management.

Note that ERM is not entirely consistent with the FSA’s view of risk. The FSA wants the firms that it regulates to have good processes in place to handle the risks to its (ie, the FSA’s) statutory objectives. ERM concentrates on risks to shareholder value.


Risk management process

Risk management processes are receiving greater emphasis now than ever before, for a number of reasons.

There is a new regulatory emphasis on risk management, as evidenced by the Turnbull report, the Basel 2 regulations for banks, and, especially, the risk-based approach to regulation adopted by the FSA. Both Turnbull and the FSA are particularly strong on the process of risk management, while Basel perhaps places more emphasis on measurement (after all, Basel is all about risk-based capital requirements).

In addition there is a trend towards Enterprise Risk Management as an overall management technique, an example of the fact that risk management is currently very fashionable in management circles. Of course, this and the regulatory emphasis are probably not disconnected.

A good risk management process is typically a control cycle, including at least the following stages:

  • Establishing context
  • Identification
  • Assessment
  • Control and mitigation
  • Monitoring
  • Review

Operational Risk

Operational risk is gaining an increasingly high profile. In the UK, the Turnbull report recommended that listed companies should manage their operational risk explicitly; and the FSA includes operational risk in its new ARROW framework for risk assessment.

Historically (though the history is admittedly rather short), operational risk has received most attention from the banking industry. This is still evident in much of the published literature; often the authors simply assume that the industry in question is banking, without explicitly saying so. This can be confusing.


The FSA, following Basel, defines operational risk as follows:

Operational risk is the risk of loss, resulting from inadequate or failed internal processes, people and systems or from external events.

This definition gives a reasonable idea of operational risk, but is not detailed enough for operational use. For purposes of risk identification, assessment, control and mitigation the definition must be refined so that it is a clear-cut decision as to which risks are included and which are not.

In addition, the final phrase, ‘or from external events’, must be interpreted appropriately for the organisation in question. For example, for a general insurance company the losses due to paying out claims for an earthquake should not be counted as an operational loss, whereas the losses due to the destruction of head office by the same earthquake should.

