Risk management - but not as we know it!

01 November 2008 | Magazine Archives FAnews & FAnuus | Short Term | Gareth Stokes, FAnews

What do the regulators mean when they tell financial service providers to manage risk?

There are many ways to interpret the term risk management. A generic definition is the process of assessing risks and taking steps either to eliminate or to reduce them, as far as is reasonably practicable, by introducing specific control measures. At FAnews we're interested in how the concept of risk management, as introduced in various pieces of financial services legislation, applies to financial intermediaries.

The reality

A recent survey conducted by the Financial Services Board (FSB) among a selection of financial practices revealed that most respondents had no idea what the FSB expected from them where risk management was concerned. A number of brokers responded to the question on whether they had implemented appropriate risk management resources, procedures, systems and controls to comply with sections 11 and 12 of the GCC by asking "Implemented the what…?"

The legislation

What do the Financial Advisory and Intermediary Services Act 2002 (FAIS Act) and the General Code of Conduct for Authorised Financial Services Providers (GCC) mean when they refer to risk management? Are they talking about the steps you should take to eliminate business and environmental threats? Will they be happy if you take measures to prevent accidents to persons, loss or damage to property by fire, storm, theft or other perils; or financial loss to your business as a result of business interruption? Absolutely not!

The primary force behind these and other financial services interventions is the client or customer. And that means the risk management referred to in the legislation is the action you need to take to prevent the direct or indirect loss of a client's funds.

Let's take a look at the wording of the FAIS Act and GCC. If we turn to Part IX (Risk Management) in the GCC, sections 11, 12 and 13 read as follows:

11. Control measures: a provider must at all times have and effectively employ the resources, procedures and appropriate technological systems that can reasonably be expected to eliminate as far as reasonably possible, the risk that clients, product suppliers and other providers or representatives will suffer financial loss through theft, fraud, other dishonest acts, poor administration, negligence, professional misconduct or culpable omissions.

12. Specific control objectives: a provider, excluding a representative, must, without limiting the generality of section 11, structure the internal control procedures concerned so as to provide reasonable assurance that:

a) The relevant business can be carried on in an orderly and efficient manner;
b) Financial and other information used or provided by the provider will be reliable; and
c) All applicable laws are complied with.

13. Insurance: a provider, excluding a representative, must, if, and to the extent, required by the registrar maintain in force suitable guarantees, professional indemnity or fidelity insurance cover.


Implications for advisors

It's clear from these provisions that the onus on financial service providers is to implement systems which will protect client funds in any event. As per section 17(3) of the FAIS Act: "An authorised financial services provider must establish and maintain procedures to be followed by the provider and any representative concerned, in order to ensure compliance with this Act." And legislators expect this 'protection' function to be addressed by the financial service providers' compliance officer. Section 5 of the Regulations issued in terms of Section (35)(1)(c) of the FAIS Act is quite explicit on this point. It stipulates that the "compliance function exists or is established as part of the risk management framework of the business, supervised by an approved compliance officer."

Currently professional indemnity cover need only be in place where legally required, but the new Fit and Proper requirements will in all likelihood make it compulsory for new entrants into the market as well as Category II license holders.

In practical terms

The FSB's feedback after visits to broker practices provides a number of indicators as to how they interpret the issue of risk management in practical terms. The regulator's concern lies with ensuring that there is protection and continuity in respect of the client, and not the welfare of the broker.

While many incorrectly consider risk management a "nice-to-have" option, the FSB disagrees, saying: "Another common finding was that most of the FSPs did not have a documented risk management plan to address all potential risks that could impact on the day-to-day business operations as required under section 11 of the General Code of Conduct. The risk management plan must spell out all the potential risks faced by the institution, and must also prescribe the procedures to be followed in order to mitigate or manage them."

Other issues highlighted include:

* Failure to store copies of client records off-premises
* Failure to keep client records in electronic format
* Failure to have a written succession plan
* Failure to prevent unauthorised access to client data


The role of compliance

The compliance officer and the tasks performed by the compliance officer are therefore an integral part of the risk management function required by the legislation. The lawmakers believe that full compliance with the law will ensure that all and any risks to the clients are taken care of. It is also important to understand that FSPs who do not need to appoint a compliance officer in terms of the FAIS Act are still required to ensure compliance with the FAIS Act.

Concerning the matter of implementing a compliance function, the FSB was quite clear on what they require: "Another common observation is that there were FSPs, especially from the low risk impact, who still did not have a compliance function envisaged under section 17 of FAIS. There was an incorrect perception on their part that since they were not required to appoint a compliance officer, there was no need on their part to establish and maintain a compliance framework. Failure to establish a compliance function as part of the risk management framework can lead to withdrawal of authorisation to act as an FSP."

Where to start

The FSB's website contains six FAIS newsletters which provide FSPs with very clear practical guidelines on what the Act requires them to do. If you do not have the resources to employ an outsourced, independent compliance function, at least read the relevant legislation, which includes the Act and subordinate regulations, as well as these newsletters to gauge the extent to which your practice is compliant and what else needs to be done to safeguard your interests and those of your clients.
