Business Risk Assessment
What doesn’t kill us only makes us stronger
One cylinder shut down due to a malfunctioning regulator and now my other regulator had started to malfunction. I realised that the situation was now extremely serious and the next decisions would be the most important of my life. As I drifted there at thirty-eight meters, unlikely to successfully survive a dash to the surface, I took a deep breath, trying not to choke on the seawater as it came into my mouth. I focused on the task at hand, dismantled my switched-off regulator and signalled to my buddy to put up a surface marker.
We all have to make decisions; the regulations force us to make decisions for the protection of our customers, ourselves and our jurisdictions. We demonstrate this by risk assessments, an exercise that can be seen as pointless and only for the sake of the regulations. By engaging with the assessment process and thoroughly reviewing and demonstrating the potential areas of risk that we face, we are able to understand, minimise and hopefully withstand potential events that may and will occur. It goes without saying that any risk assessment needs to be monitored and assessed regularly as environments and situations change. This also allows us to be more alert and able to detect and deal with new or unknown risks and risk areas as and when they arise.
I knew my focus was narrowing and it had become darker. My fingers replaced the membrane in the regulator and I screwed it together. I moved to the valve of my cylinder and slowly turned on the air; nothing happened and no air escaped. Slowly pressing down, I purged the regulator. It worked, thank God, and I put it in my mouth and tasted the sweet air. By no means was this a fix, more a patch, as within seconds it started to leak again. I looked up to be greeted by the two huge eyes of my dive buddy, who had just released the surface marker. With a smile I signalled it was time to depart to the surface, and I put my fingers round the line attached to the surface marker as we began our leisurely ascent.
At eighteen meters the patch was failing. At seventeen meters the regulator was finished, and I put into my mouth the other semi-working regulator and felt air and cool salt water. At sixteen meters I could see the sun shimmering and knew that the odds of them both working to a lifesaving capacity to the surface were not in my favour. It was time to change the plan to meet the situation, and I signalled to my buddy. At fifteen meters, with my buddy’s emergency octopus and air filling my lungs, we gently continued our ascent to the surface. At the surface we were both smiling and greeted by our safety boat.
We had addressed the known risks by our planning and checks pre-dive. During the dive we had calmly and successfully dealt with a worst-case scenario, assessing the situation and assigning tasks to create a better situation. The ascent had been undertaken in a controlled manner, avoiding the potential of the bends, and though it had required a change to meet the situation we had accomplished the task successfully. The risk had morphed, but we had successfully dealt with the new and unknown risk due to good training, assessment and management.
Risk assessments are not pointless or just for regulators or governing bodies to review and assess, but are vital. Life and business are about risk; just make sure that you have realised and assessed the risks initially and then periodically. Fate has a nasty habit of striking when you least expect it, as history and the present time show us. Make sure you can survive.
When things go wrong: review, understand, remediate and enhance. I know that is what I will be doing; it won’t be pointless and will make me stronger.
Getting the right fit for the BRA
Being the holiday season, it’s time to sit back, relax and take stock of all that has happened in 2013. It is time for any Compliance professional to take stock of the year, to review the key business documents of a licensee and to assess whether they remain fit for purpose or need to be enhanced.
One such document that is required to be reviewed at least annually is the Business Risk Assessment (BRA), to ensure it is fit for the regulatory framework and the Licensee. The BRA, though, is a document that licensees struggle with and that the Guernsey Financial Services Commission (Commission) constantly find deficient. What lessons can we learn that will allow our 2014 BRAs to be fit for the licensee and for the rules and regulations?
Essentially the BRA is a high-level, overarching document that the Board of a licensee must have in place. It evidences what the business is about and identifies the risks associated with its products and services, its clients and the jurisdictions that it undertakes business in or through. The Commission have commented on how these documents tend to fall short of the mark, being generic, oversimplified and not representative of the licensee.
Whenever I re-draft or assist a licensee with a BRA, I take the approach of creating a document that tells the story of the licensee, ensuring that it flows into the policies, procedures and forms. I use the BRA to create the framework that the licensee’s policies and procedures enlarge upon, stipulating the full requirements of the licensee and the regulatory framework.
My BRAs look at what the licensee’s business plan is and the Money Laundering, Bribery and Corruption and Terrorist Financing (ML/BC/TF) risks that the business is exposed to from following its business plan. I then look at how the licensee will mitigate the risks by the implementation of its policies, periodic reviews and training, and how it will differentiate its high risks from its low risks to ensure that a risk-based approach can be applied successfully and cost-effectively. My BRAs look at how the Board will be kept informed of the ML/BC/TF risks and what their responsibilities are, from ensuring policies and staff are sufficient to how they will review the existing and new business.
Licensees often complain that I am stating the obvious in my BRAs, that the BRA will not stop a criminal or terrorist and so adds little to no value to a business. The BRA is not about stopping criminals but about assisting in their identification and preventing a licensee from being an unwitting conduit for them; criminals will always seek to abuse the financial system to their own ends. Unfortunately, though, licensees will be unknowingly utilised by criminals, and they, their clients and insurers may suffer reputation loss and in the worst cases material loss. A licensee can never negate these risks in all cases, though the BRA does allow a business to protect itself, and so adds value.
We live in a contentious and litigious society. It is now not the case that a crime has to have been committed; the question is whether a licensee has done enough to reduce the possibility of a crime occurring, or to protect against being a conduit in a crime, as required by the regulatory framework. The Commission, whether on a regulatory visit or, dare I say it, when things have gone wrong and Lawyers and Advocates are involved, will review the BRA intently to assess if a licensee has acted recklessly by not assessing or identifying the risks posed by their business. It goes without saying that a licensee who has considered in depth the risks posed by the business activities and the preventative measures that they have employed (stating the obvious) is going to be treated more sympathetically than a business that did not evidence its consideration of the risks that it faced.
There have been numerous regulatory cases over the last few years that were not about ML/BC/TF having occurred but about licensees not having suitable and sufficient policies or information at hand for the Board or the MLRO to consider and mitigate the risks posed by and inherent in their business. If you need help in assessing or redrafting your BRA, the Commission has guidance on what they deem to be the minimum requirements. You can ask Consultants to review your BRA and provide suggestions if required. You can simply ask around your peers to see if they can assist or provide guidance.
It must be remembered that the Board of a licensee must take full responsibility and can’t contract out of their responsibility for having a suitable BRA. The Board and the MLRO must ensure that the BRA is fit for purpose, identifies and mitigates the risks while evidencing the preventative measures and, most importantly, meets the regulatory requirements. The Compliance professional is only there to suggest what they believe is suitable in how the Licensee has evidenced the consideration of the risks that it faces.
Over the course of 2013 a licensee’s business and the risks posed by clients, products and services it offers, inclusive of the jurisdiction that they are associated with or their clients are associated with, will have changed. Now is the perfect time to take stock of the current status of the licensee and its future intentions, and to go forward into 2014 with the risk duly considered and mitigated.
Merry Christmas one and all.