Risk management is not only a regulatory requirement, but forms part of sound business principles. It needn't be an insurmountable obstacle to a small FSP, says Billy Seyffert, head of Compliance at Celestis.
For Financial Service Providers (FSP's) with a February financial year-end, another Compliance Report to the Financial Services Board will be due by 31 October 2007 for the reporting period of 1 September 2006 to 31 August 2007.
Risk management and a risk management plan for FSP's are a major focus area of the regulator, but is unfortunately an area that, due to time constraints and the structure of your everyday FSP, is often overlooked.
As many FSP's are sole proprietorships or small Close Corporations, the role of risk manager is not defined and the concepts and details of risk management are foreign to them. This needn't be the case and the completion of your Compliance report will provide you with the ideal opportunity to identify, rate, monitor and manage the risks in your business.
Identifying the risks
The format prescribed by the FSB breaks down the sections of the Act and Codes of Conduct and describes what is required of an FSP regarding every section. Identifying the areas of risk can be as simple as referring to the report.
Rate your risks
What you need to do next is rate your risks. A good guideline would be to rate each risk in terms of severity and probability. Severity is the impact that non-compliance with a specific requirement will have on the FSP, e.g. on operational ability, civil liability or on the reputation of the FSP.
Probability refers to the likelihood that non-compliance with a specific requirement can occur. Probability of non-compliance is dependant on the effectiveness of the processes and procedures that are in place, the effectiveness of the people responsible for various functions and the quality of systems and technology being used. Rate these factors on a scale from 1 to 10 in terms of severity and probability. It is then easy to prioritise the risks accordingly.
Monitoring
The final step is to monitor the risks facing the FSP. In any monitoring process role players have to be identified to take responsibility for the monitoring of specific issues. Certain matters, e.g. those relevant to the advice process, will have to be accounted for by the Key Individual(s). However, the monitoring of many aspects can be delegated to administrative personnel after ensuring that the checks that need to be put in place have been set up.
Monitoring should take place on a continuous basis. As areas of repeated non-compliance are identified, these must be managed. Review processes and procedures that are being followed and adapt these, if necessary, to ensure compliance. An example would be to change the new business submission procedure by holding back submission of applications until the relevant party has obtained outstanding information. It could also result in you identifying an area where further training of staff is required (e.g. on FICA requirements).
Once the guidelines are established it can become second nature to everybody involved in the operation of your business.