RISK MANAGEMENT AND BUSINESS CONTINUANCE
A FAIS Standard
An AC Guidance Note
July 2010

Risk Management and Business Continuance - A FAIS standard

The General Code of Conduct deals in a number of ways with the general requirement of Risk Management. The primary Risk Management requirement falls under Part IX of the Code. The section deals with 3 specific requirements, namely (and we will quote the section numbers):

11. Control Measures
A provider must at all times have and effectively employ the resources, procedures and appropriate technological systems that can reasonably be expected to eliminate as far as reasonably possible, the risk that clients, product suppliers and other providers or representatives will suffer financial loss through theft, fraud, other dishonest acts, poor administration, negligence, professional misconduct or culpable omissions.

12. Specific Control Objectives
A provider, excluding a representative, must, without limiting the generality of section 11, structure the internal control procedures concerned so as to provide reasonable assurance that:
(a) The relevant business can be carried on in an orderly and efficient manner;
(b) Financial and other information used or provided by the provider will be reliable; and
(c) All applicable laws are complied with.

13. Insurance
A provider, excluding a representative, must, if, and to the extent, required by the registrar, maintain in force suitable guarantees or professional indemnity or fidelity insurance cover.

As can be seen there is actually no reference to the words "Risk Management" other than in the heading, so all of the above were adopted as Risk Management, FAIS style. So Risk Management included, but was not limited to:

Physical disaster recovery measures. These included:
- Physical security
- IT systems and controls (where appropriate), e.g. firewalls, virus protection, back-ups
- Plans for fire, flood and the like
- Appropriate insurances to cover loss of assets and increased cost of working

Quality control, i.e. how well do you do what your systems and controls say you do?

Verification of data used, i.e. information is not given out to clients or product providers without some level of authentication and suitability, especially if it is to be used to advise clients.

Awareness and controls of other legislative requirements for the business.

Insurances: Professional Indemnity (now compulsory), Fidelity Guarantee (also compulsory in certain circumstances) and Guarantees (IGF for the short term industry; for FSPs handling client funds, also compulsory).

All ultimately documented and controlled within a comprehensive documented procedures manual.
All intended to protect the business so that the business could continue to protect the clients in the event of a disaster situation within the FSP.

The FSB's annual report has consistently asked about the status of an FSP's Risk Management plans driven by the requirements of sections 11, 12 & 13. The question is always in two parts:

"Does the FSP have and effectively employ risk management resources, procedures, systems and controls as described in sections 11 and 12 of the General Code of Conduct?"

So it is not enough to have a generic document filed away that will enable a positive tick to be applied to this question. The key elements to your plan, not just one for the purposes of FAIS compliance, are:

Effectively employ - it must be used and not be a chapter in a manual
Procedures - what are you actually going to do if an event occurs?
Systems - what tools are you going to be relying upon to achieve results?
Controls - who and how is the process going to be managed?

And the objectives of these should be to address the risks highlighted in the measures and objectives listed above.

The second part of the question is:

"Does the FSP have a documented Risk Management Plan?"

So it is not enough to know what you would do if something happens; it must be written down and accessible to all those affected by the plan. Remember the key individual (which may be you) may not be there when disaster strikes.

The need for such measures was reinforced by the amendment to the Code of Conduct in 2009 by virtue of the Determination of Fit & Proper Requirements for Financial Services Providers, 2008. These expanded the Operational Ability requirements of an FSP as originally set out in the Act itself. Amongst other things these regulations made use of the term Business Continuity, which from a pure risk management perspective is a term often used as an alternative term for Disaster Recovery and/or Risk Management, although not always correctly from a risk manager's perspective. There was no specific definition of this new term and, interestingly, these new regulations did not replace the existing Code of Conduct requirements.
The Operational Ability standards, which should be addressed in your risk management plans, include the following operational ability aspects:

Access to business premises
Access to communication facilities
Access to storage and filing systems and your existing records. If you utilise offsite storage facilities, ensure that the 3rd party has an effective risk management plan of their own in place.
Internal control of staff and IT requirements:
- Do you have security for all persons that enter the premises (i.e. staff and visitors)?
- Do you have data security (i.e. password controls to restrict access to certain staff)?
- Do you have firewalls?
- Do you have a way of testing your IT system and making sure that the results are correct? (applicable where you have a reliance on a system for processing)
- Do you have IT recovery and back-up procedures in place?
- Are there measures in place to monitor the use of systems?
- Are all financial and system controls recorded?

Please note that this is not an exhaustive list. It merely indicates some of the operational ability standards that need to be addressed.

Whilst we do not advocate, nor does the FSB, the use of off-the-shelf Risk Management Plans where all you do is add your name to the document and believe you have a plan, we have included examples of such plans to assist you in developing your own. These examples cover all the key aspects of the physical risk management side of Risk Management fairly well. These can be found in section 2 of the PS draft administration manual.

Paragraph 12 (c) above calls for a reasonable assurance that "all applicable laws are complied with". In simple terms, if this requirement can be seen as simple, it asks that all laws that affect the running and maintenance of your business are firstly understood, and that there are procedures in place to deal with the exposures to the business that may be presented by these laws, where failure to comply with them could threaten the business either financially, by way of fines and penalties, or in its ability to trade, for example by the loss of licences or other sanction by other regulators.

The volume of legislative requirements is immense and is growing and/or being amended every year, and it is becoming increasingly difficult to manage these without formal controls being in place. These controls can be outsourced, e.g. to auditors or human resource specialists, or managed internally, but the controls all start with:
- awareness of what legislation applies to your business
- the possible consequences of failure to comply with the requirements
- understanding what controls you have in place
- assessing the current effectiveness of these controls
We have supplied a tool in the PS administration manual to assist with the above process. This is not a one-day task and most certainly one that needs to be revisited on a regular basis to cater for changes to your circumstances and/or the legislative environment. Thereafter improvements and changes can be made to improve the situation.

The regulations and ongoing control measures from the FSB do however create a little confusion between Risk Management and Business Continuity within the context of FAIS. This arises by virtue of Part XII (section 20) of the General Code of Conduct and, more specifically, the question asked in the FSB's annual compliance report around this section, where it asks:

"Does the FSP have a business continuity plan and procedures in place to ensure that the client will be serviced if the business is terminated for any reason?"

This is a question that has been consistently asked in all of the annual reports to date and is in addition to the question on Risk Management that is asked as a result of Part IX sections 11, 12 & 13 dealt with above. One has to assume that Business Continuance, in the context of this question, has to revolve around the requirements of Part XII. So what are the requirements?
Subject to the Act, and sections 3(2) and (3) of this Code:
(a) (i) a provider must, subject to any contractual obligations, give immediate effect to a request of a client who voluntarily seeks to terminate any agreement with the provider or relating to a financial product or advice;
(ii) where the client makes the request on the advice of the provider, the provider must take reasonable steps to ensure that the client fully understands all the implications of the termination;
(b) a provider, other than a representative, who ceases to operate as such, must immediately notify all affected clients accordingly and take, where reasonably necessary or appropriate in consultation with the clients and product suppliers concerned, reasonable steps to ensure that any outstanding business is completed promptly or transferred to another provider; and
(c) where a representative ceases to operate as a representative of a provider, such provider must immediately take, where reasonably necessary or appropriate in consultation with the clients and product suppliers concerned, reasonable steps to notify all affected clients accordingly and ensure that outstanding business is completed or transferred to such provider or another representative of that provider.

And these regulations import two other sections of the Code, namely:
1. The need to keep records and be able to retrieve them
2. The need to keep information confidential

The key aspects from a Business Continuance perspective are:

An FSP ceasing to operate as such. This could arise from a number of situations:
- Retirement, if a sole trader
- Death of the Key Individual - again if a sole trader, or where there is only one key individual within an FSP, or only one key individual with responsibility for one or more categories of licence
- Sale of the business to a third party (either the client base or the legal entity)
- Suspension or withdrawal of the FAIS licence

A representative ceasing to operate as such. This could arise from a number of situations:
- Death of the representative
- Resignation from the employ of the FSP
- Debarment of the representative
- Failure to achieve the required educational standards

Whilst not specifically mentioned within the regulations, there are a number of other situations that could have an impact on the FSP and/or its representatives, and these include:
- Loss of primary product provider (insurer) agency
- Loss of delegated authority from a product provider (insurer)
- Loss of primary client account
- Competition from another FSP/s in key market segments

So Business Continuance means having plans to manage these situations as an integral part of the FSP's overall Risk Management framework. These plans need to deal with, but should not be limited to, the following:
- Handling of all clients' business affected by any of the above, or other similar, scenarios, including completion of any outstanding business in an orderly manner with the interests of the client paramount
- Notification to all affected clients
- Notification to all affected product providers (insurers)

These plans should also deal with the possible transfer of clients to another suitable FSP.

It has to be remembered that these situations, probably more so than physical disaster events, are likely to be stressful situations and may well mean the primary Key Individual is not around to manage the situation, so the plans need to take this into account.
Whilst every FSP needs to be aware of and manage these exposures, there are specific FSP profiles that have an increased risk of these Continuance events:
- Sole traders
- FSPs with one KI
- FSPs with specific licence categories with only one key individual responsible for them
- FSPs with reliance on one insurer (over 60% of business with one insurer)
- FSPs with reliance on one client (over 60% of income emanating from that one client)
- FSPs with a high complaints and/or poor compliance standard, i.e. increased risk of regulatory sanction
- FSPs with poor segregation of duties and responsibilities, i.e. increased risk from the loss of key personnel.