FSA Update and Project Risks
January 2012
Carl Taylor, IT and Data Security Risk Frameworks, Prudential Business Unit, Risk Specialists Division

Agenda
1. Regulatory Reform of the FSA
2. Project Risks

Carl Taylor
- FSA since March 2009
- Certified Information Systems Auditor
- 9 years at PricewaterhouseCoopers, Global Risk Management Services, Senior Manager: project implementation (ERP), project assurance, security and controls assurance
- Senior assurance and management roles in financial services (banking and L&P) and manufacturing
Regulatory Reform of the FSA 4
Regulatory Reform proposals
Three regulatory bodies:
- The Financial Policy Committee (FPC): a committee of the Court of the Bank of England. Purpose: to protect financial stability (macro-prudential regulation, regulation of clearing houses and settlement systems).
- The Prudential Regulation Authority (PRA): a subsidiary of the Bank of England. Purpose: stable and prudent operation of deposit takers, insurers and investment banks (micro-prudential regulation).
- The Financial Conduct Authority (FCA): an independent company. Purposes: confidence in financial services and markets (will regulate exchanges and other trading platform providers, and market participants); consumer protection and market integrity (regulating conduct of business for all firms).

Impact on Firms
What does this actually mean for authorised/recognised firms?
- All except clearing and settlement institutions will be regulated by the FCA, with some high impact firms also being regulated by the PRA (dual regulated firms).
- Clearing and settlement firms will be regulated by the Bank of England.
Current Structure of the FSA: Internal Twin Peaks

Internal Twin Peaks
In preparation for the split into the PRA and FCA, the FSA has re-organised into separate Conduct and Prudential business units. In April 2012 the FSA was split internally into two business units:
- Conduct Business Unit (CBU)
- Prudential Business Unit (PBU)

Implications for Firms
- Since April 2012 dual-regulated firms have begun working with two separate, specialised regulators.
- Firms that are not high impact, and market infrastructure providers, continue to be subject to a single regulator.
- The FSA will formally separate into the PRA and FCA in 2013 (known as legal cutover).

The PBU's and CBU's Objectives
Conduct and Prudential Business Units 11
Conduct Business Unit (CBU) 12
Prudential Business Unit (PBU) 13
PBU RSD: Risk Infrastructure, Liquidity and Capital
Head of Department: Charlotte Gerken; PA: Jackie Bennison
Teams: Capital Management Team (Nick Devereux); Asset Liability Management & Liquidity Risk (Lee Jones); Risk Infrastructure (Andrew Sheen); Change Management (Thibaud de Barmon)
Team members (as listed on the slide): Bastian Llibal, Daniel Chapman, Diederick Potgieter, Prasanna Rengarajan, Rosemarie Flanagan, Rupak Dasgupta, Shaun Brown, Tim Pemberton, David Samuel, Camilla Stanhope, Gergely Hamvas, Iva Dropulic, Iva Macanova, Kumar Tangri, Nehal Saghir, Philip Lewis, Ron Livingstone, Carl Taylor, Peter Hanney, Farrukh Nazir, Philip Umande, Chyng-Lan Liang, Khim Murphy, Anirban Ghoshal, Sajib Azad, Paul Beech, Karen Guiterrez, Gamal Bemath, Samuel Smith, Stephen Reynolds
Administrators: Shar Wallace, Tina Jarvis

Risk Frameworks: IT & Data Security
- Transactions: IT risk management; acquisitions; change in control; disposals
- Model Reviews: IT general controls; CAD; BIPRU market risk; IMM credit risk; Solvency II
- Risk Reviews: IT general controls; outsourcing; strategic change projects; RMP/follow-up support
- Recovery and Resolution: Single Customer View (COMP); Recovery and Resolution Planning
- Incidents: ad-hoc investigations; S166/independent review scope
Developments at the FSA: the next steps

Time Table
The Financial Services Act 2012 creates a new regulatory regime that:
- puts the Bank of England clearly in charge of financial stability;
- provides for focussed prudential and conduct of business regulators (the Prudential Regulation Authority, or PRA, and the Financial Conduct Authority, or FCA); and
- places the judgement of expert supervisors at the heart of regulation.
The Act received Royal Assent in December 2012, and the new regime will be fully established on 1 April 2013.

Legal Cut Over and the Handbook
At legal cutover (LCO, 1/4/2013) the FSA Handbook will be split between the FCA and PRA to form two new Handbooks: one for the PRA and one for the FCA. Most provisions in the FSA Handbook will be incorporated into the PRA's Handbook, the FCA's Handbook, or both, in line with each new regulator's set of responsibilities and objectives.

Approach Documents
In October the CBU and PBU jointly published approach documents with the Bank.
The PRA's approach to banking and insurance supervision:
http://www.fsa.gov.uk/static/pubs/other/pra-approach-banking.pdf
http://www.fsa.gov.uk/static/pubs/other/pra-approach-insurance.pdf
The CBU's approach to supervision:
http://www.fsa.gov.uk/static/pubs/other/journey-to-the-fca-standard.pdf
The approach documents set out:
- the FCA and PRA objectives;
- threshold conditions, which are now different for each regulator.

Project Risks and Controls: a regulatory view
First things first - What is a Project?
- Significant capital investment and revenue expenditure yielding future revenue benefits
- Significant change to the firm's business model or to the operations/IT infrastructure supporting the business model
- Outside of the normal business-as-usual, day-to-day operations

Secondly - Why do we care?
- Enables the business's strategy: failure could inhibit the firm's business model (capital, liquidity)
- Operational disruption: significant post-implementation issues could disrupt the firm's business model (capital, liquidity, systemic impact)
- Reputational harm: loss of revenue with potential prudential impacts (capital, liquidity)
- Write-off of capital invested: potential prudential issues (capital, liquidity)
- Significant additional costs to correct (capital, liquidity)
- Implications for regulatory capital

Danger signs - indicators that all is not well
- Inexperienced project management
- Absence of a robust business case
- Absent or incomplete business requirements
- Lack of business engagement
- Absence of a baselined plan
- Overrunning costs and missed milestones
- Changes to scope, both increases and decreases
- IT-sponsored/led project with significant business change
- Bleeding edge, e.g. technology unproven in the UK
- Limited evidence of supplier or package due diligence
- Projects running for in excess of 12 months without delivering anything

Danger signs - indicators that all is not well (continued)
- Extensive integration with legacy systems
- Heavy customisation of an off-the-shelf package
- In-house development of custom software
- Absence of an integration partner
- Firms with a poor history of delivering projects
- Major change portfolio of multiple projects using different technology solutions
- Limited engagement of the Board and Board-level directors
- Absence of independent assurance to challenge project management
- Weak progress reporting

What might good look like?
- Governance: Board engagement and Board-level business sponsorship
- A methodology (it does not have to be vanilla Prince)
- An experienced project manager(s)
- Business case with ownership of benefits delivery
- Clear project structure (e.g. workstreams) and dependency management
- Effective status reporting
- The right skills and resources; an implementation partner may help manage the firm's risks
- Appropriate solution and vendor due diligence
- Independent assurance to verify the accuracy of programme management, both operation and reporting
- Effective risk management and operational risk engagement
- Robust test execution, including user acceptance and non-functional requirements testing

Questions
carl.taylor@fsa.gov.uk