January 28, 2021
Enhanced Risk Management responsibilities for Company Service Providers
The MFSA has been working extensively since 2019 to bring about wholesale changes to the Company Service Providers (CSPs) regulatory regime. The recently published CSP (Amendment) Act, 2020 (‘Act’) marks the first step in implementing this reform. As part of its efforts to reform the sector, the Authority has launched an updated Rulebook for consultation, which is fully aligned with the Act and which establishes detailed rules on the governance systems, core functions and capital requirements expected of CSPs. In essence, this translates into higher expectations from CSPs to strengthen their governance structures and upgrade their systems, policies and procedures.
The Risk Management Function
As stated in the MFSA’s Vision 2021, the governance, culture and conduct of all market players in the financial services industry directly impact the integrity and stability of the financial market. Upon launching the new Rulebook, the MFSA issued an additional Consultation Document focused primarily on three areas which have been put forward for the industry’s consideration. Taking center stage is the Risk Management Function. In a previously issued feedback statement, the Authority confirmed that it would be requiring CSPs to enhance their risk management framework. This would involve establishing a Risk Management Function which implements adequate risk management policies and procedures; identifies risks relating to the CSP’s activities, processes and systems; and sets the level of risk tolerated by the CSP.
Designing a Risk Management Framework
An effective risk management framework seeks to provide the foundations and organizational arrangements necessary for creating, implementing, monitoring, reviewing and continually improving a company’s risk management function. The framework should ensure that risk-related information derived from the risk management process is adequately reported and is used as the basis for decision making at all levels of the company’s organizational structure. A typical framework should identify risks the company is exposed to or could potentially be exposed to; analyze and then evaluate the identified risks; manage risks through the establishment of remedial actions; and monitor risks and the effectiveness of remedial actions.
It is crucial that license holders are able to identify a broad and representative set of risks which the company may face when conducting its operations. Whilst exposures to money laundering and terrorism financing are universally acknowledged, this is but one of the many risks CSPs should be cognisant of. It is therefore crucial that CSPs invest in the necessary framework which will enable them to take a holistic approach to enterprise risk identification.
Risk management involves analyzing and developing an understanding of a company’s risk exposures from a qualitative and quantitative perspective. The risk management framework must therefore consist of a weighted analysis of each risk and the corresponding mitigation measures.
Once a company has identified and quantified its risks, it should use such outcomes to assist it in prioritizing certain management actions, as well as determining which risks need to be managed above all others. Companies should endeavor to form a reasonable and defensible judgement of the magnitude of any risk with respect to both the impact it could have on the company, and the probability that such an event will occur. In addition, the Board and senior management are to collectively determine the company’s risk appetite, based on an assessment of the losses the company can afford to sustain in the event a given scenario materializes.
Having assessed its risks and determined its appetite, a company should take proactive steps to manage and control such risks. Action plans should be prepared, at least annually, recommending the implementation of countermeasures aimed at mitigating risks. When considering countermeasures, risk officers should take into account the company’s attitude towards risk and recommend these to the Board.
Ongoing monitoring is the final but vital aspect of any risk management function. It involves the periodic or ad hoc reassessment of the risks identified and should be a key feature of any company’s governance culture.
The introduction and success of any risk management plan will hinge on the Board and the risk function’s sustained commitment, as well as strategic and rigorous planning to ensure that an effective risk management sentiment is present across all levels of the organization.
This article was written by Seed Senior Consultant Daniel Attard and was first published in The Sunday Times.