ARROWARROW

An OverviewAn Overview

Dr John HedgesDr John Hedges

OverviewOverview

FrameworkFramework RecordingRecording Some HistorySome History The ARROW processThe ARROW process ARROW 2 importance of governanceARROW 2 importance of governance Objectives-no surprisesObjectives-no surprises PreparationPreparation The VisitThe Visit An ongoing processAn ongoing process

Importance of FrameworksImportance of Frameworks

A place to put facts/impressions and A place to put facts/impressions and assists with analysis of and an assists with analysis of and an understanding of the factsunderstanding of the facts

Assists with a common languageAssists with a common language Provides continuity when reviewing an Provides continuity when reviewing an

issueissue Can be developed as knowledge of Can be developed as knowledge of

the issues improvesthe issues improves

The Importance of Frameworks The Importance of Frameworks cont.cont.

Can be used as predictor and Can be used as predictor and effectiveness and may be subject to effectiveness and may be subject to back testingback testing

Danger: too rigid a view and facts Danger: too rigid a view and facts may be ignored if they apparently do may be ignored if they apparently do not fit frameworknot fit framework

More overall points: More overall points: RecordingRecording

Why record?Why record? Reflects thinking process at the timeReflects thinking process at the time Reflects what appears reasonable at the timeReflects what appears reasonable at the time Reference point for the futureReference point for the future Clarifies assumptions madeClarifies assumptions made Explains reasons for action made at the timeExplains reasons for action made at the time For example; why did we think these risks For example; why did we think these risks

were more important than those when we were more important than those when we carried out the risk assessment?carried out the risk assessment?

Some Risk Profiling HistorySome Risk Profiling History

Growing need for regulators to Growing need for regulators to account for their actionsaccount for their actions

They need to explain why they look at They need to explain why they look at certain issues and not otherscertain issues and not others

Resource constraints: cannot look at Resource constraints: cannot look at everythingeverything

Important to have an audit trail Important to have an audit trail reflecting decision making processreflecting decision making process

Some Risk Profiling History Some Risk Profiling History cont.cont.

SFA’s experience and how risk profiling SFA’s experience and how risk profiling grewgrew

My group of 500 odd firms; which one to My group of 500 odd firms; which one to visit next and what was the ranking of visit next and what was the ranking of their importance in relation to their their importance in relation to their potential to damage the securities potential to damage the securities sector?sector?

The Bank of England’s RATE system The Bank of England’s RATE system developed post Baringsdeveloped post Barings

Common denominators in Risk Common denominators in Risk Assessment systemsAssessment systems

CapitalCapital LiquidityLiquidity Systems and controlsSystems and controls ManagementManagement

Focus very much on mitigation of business risk Focus very much on mitigation of business risk and little analysis of types of business risk taken and little analysis of types of business risk taken on by the industry and therefore a need to on by the industry and therefore a need to understand and select appropriate mitigation.understand and select appropriate mitigation.

But an important start and industry is receptive to But an important start and industry is receptive to the risk based approachthe risk based approach

Implications of risk based Implications of risk based assessmentsassessments

Moves away from the tick box mentalityMoves away from the tick box mentality Moves away from “carpet bombing”Moves away from “carpet bombing” But it is risk based and the assessment of But it is risk based and the assessment of

risk can be incorrect; that something that risk can be incorrect; that something that was abandoned in the interest of an issue was abandoned in the interest of an issue that was deemed to be important at the that was deemed to be important at the time could “get up and bite”.time could “get up and bite”.

Hence the importance of developing a Hence the importance of developing a robust framework that records the robust framework that records the decision making process.decision making process.

What do you wish to get out of What do you wish to get out of the ARROW Assessmentthe ARROW Assessment

Survival with as little inconvenience as Survival with as little inconvenience as possible?possible?

Reassurance that the business is running as Reassurance that the business is running as expected?expected?

Check that management focus is in the Check that management focus is in the right place?right place?

The control infrastructure is effective in The control infrastructure is effective in supporting the business in a safe way?supporting the business in a safe way?

Our view of our Firm’s risk profile is the Our view of our Firm’s risk profile is the same as FSA’s?same as FSA’s?

Arrow 2 Arrow 2

A2 takes an holistic view of the firmA2 takes an holistic view of the firm Not issue focussedNot issue focussed Places an issue in the context of the Places an issue in the context of the

business and its control infrastructurebusiness and its control infrastructure Asks two fundamental questionsAsks two fundamental questions

How likely is it that the issue will How likely is it that the issue will materialise?materialise?

What would be the significance if it did?What would be the significance if it did?

““an issue”an issue”

Mismarking has occurredMismarking has occurred Types of sub issues to considerTypes of sub issues to consider Size of mismarkSize of mismark Transparency: OTCTransparency: OTC Discovered by?Discovered by? Trader experience?Trader experience? Does this issue compromise whole Does this issue compromise whole

trading operation of the firm?trading operation of the firm?

ARROW 2 GridARROW 2 Grid

A2 grid tries to mirror the organisation of a A2 grid tries to mirror the organisation of a firmfirm

Risk is analysed by Risk is analysed by Front Office (Customer, Products, Markets)Front Office (Customer, Products, Markets) Back Office (Business process)Back Office (Business process) Prudential Prudential Complemented by controls specific to these issuesComplemented by controls specific to these issues Plus overall controls plus capital and liquidityPlus overall controls plus capital and liquidity Generating net riskGenerating net risk

ARROW 2 MethodologyARROW 2 Methodology

The concept of net riskThe concept of net risk Focus on inherent business risk to get some Focus on inherent business risk to get some

idea of the gross risk and then an idea of the gross risk and then an assessment of the controls to offset that riskassessment of the controls to offset that risk

The overall controls of The overall controls of GovernanceGovernance ComplianceCompliance Risk managementRisk management Internal AuditInternal Audit Clarity on the role of capitalClarity on the role of capital

GovernanceGovernance

A big driver of the risk score and a subject I A big driver of the risk score and a subject I shall be speaking to in anther one of these shall be speaking to in anther one of these sessionssessions

What makes for effective governance?What makes for effective governance? A methodology I want to talk about in A methodology I want to talk about in

December December Correct mix of structure, process, management Correct mix of structure, process, management

information and culture to produce effective information and culture to produce effective controls, legal entity integrity the minimisation of controls, legal entity integrity the minimisation of client risk etcclient risk etc

Important to have a framework that provides Important to have a framework that provides meaningful feedback to the industry. meaningful feedback to the industry.

ComplianceCompliance

Profile within businessProfile within business Appropriate resourcingAppropriate resourcing Span of operationSpan of operation

AdvisoryAdvisory SurveillanceSurveillance Spectrum of legal (advisory) compliance Spectrum of legal (advisory) compliance

(surveillance) and internal audit(surveillance) and internal audit

Internal AuditInternal Audit

Profile within the organisationProfile within the organisation Career progression or dead end?Career progression or dead end? Resourcing- adequate skills baseResourcing- adequate skills base Risk based approachRisk based approach Liaison with external auditors and Liaison with external auditors and

extent to which they rely on Internal extent to which they rely on Internal AuditAudit

Role of Capital and LiquidityRole of Capital and Liquidity

Capital cannot replace effective systems and Capital cannot replace effective systems and controlscontrols

Can only be a cushion until issues are resolvedCan only be a cushion until issues are resolved Is a reserve to meet expected and unexpected Is a reserve to meet expected and unexpected

movements in risks faced by the business, movements in risks faced by the business, including market, credit and operational.including market, credit and operational.

LiquidityLiquidity Liquidity management is now and always was Liquidity management is now and always was

of prime importance and this is reflected in of prime importance and this is reflected in ongoing assessments.ongoing assessments.

Put Yourself in the shoes of the Put Yourself in the shoes of the FSA and ask the followingFSA and ask the following

What are their core statutory What are their core statutory responsibilitiesresponsibilities

How would you relate your firm to How would you relate your firm to thesethese

How would you go about a risk How would you go about a risk assessment of your firm if you were assessment of your firm if you were the FSAthe FSA

What conclusions would you arrive atWhat conclusions would you arrive at How would you mitigate identified risksHow would you mitigate identified risks

Importance of preparationImportance of preparation

FSA personnel busy and will welcome FSA personnel busy and will welcome information that isinformation that is Pertinent and clearPertinent and clear You know your firm best and in a good position to You know your firm best and in a good position to

supply relevant informationsupply relevant information Clarify from FSA exactly what is required when and Clarify from FSA exactly what is required when and

in what format. Be specific and as focussed as in what format. Be specific and as focussed as possible; try and be proactive rather than reactivepossible; try and be proactive rather than reactive

FSA will also gather information from other divisions FSA will also gather information from other divisions within FSA so it is worth while reviewing the total within FSA so it is worth while reviewing the total exposure of the firm to FSA.exposure of the firm to FSA.

The VisitThe Visit

The discovery conceptThe discovery concept The importance of meetings (CEO, heads The importance of meetings (CEO, heads

of business and control heads)of business and control heads) Agenda is clear between Firm and FSAAgenda is clear between Firm and FSA Appropriate people to attend meetingsAppropriate people to attend meetings Avoid back to back meetingsAvoid back to back meetings Importance of summing up the main Importance of summing up the main

points after each meeting.points after each meeting.

The Close Out MeetingThe Close Out Meeting

Understand and agree issues raised; clarify in Understand and agree issues raised; clarify in a constructive way. The controls are weak; a constructive way. The controls are weak; which controls and why are they weakwhich controls and why are they weak

Issues raised should give contouring to the Issues raised should give contouring to the risk profile; are they a surprise or not. Avoid risk profile; are they a surprise or not. Avoid talking about risk profiles without concrete talking about risk profiles without concrete examples.examples.

Above all it is important that there is a Above all it is important that there is a convergence of views if the firm is to get convergence of views if the firm is to get anything out of ARROWanything out of ARROW

The Risk Mitigation The Risk Mitigation ProgrammeProgramme

Each risk mitigation will be analysed and Each risk mitigation will be analysed and recorded as followsrecorded as follows Issue; intended outcome; action to accomplish thisIssue; intended outcome; action to accomplish this The concept of tools and the tool boxThe concept of tools and the tool box Use of Firm’s resources to conduct the workUse of Firm’s resources to conduct the work Be clear on scope and what constitutes an Be clear on scope and what constitutes an

effective outcomeeffective outcome Clear on resource commitment from FSA and FirmClear on resource commitment from FSA and Firm Clear on time frameClear on time frame

OutputOutput

Draft letter- chance to correct factual Draft letter- chance to correct factual errors but overall message remains the errors but overall message remains the same if not affected by factual errorsame if not affected by factual error

If the close out meeting is successful the If the close out meeting is successful the draft letter should contain no surprisesdraft letter should contain no surprises

Letter formatLetter format Addressed to?Addressed to? Main message clearly understood?Main message clearly understood? Scores and their roleScores and their role RMP clear and related to the main message?RMP clear and related to the main message?

Ongoing ProcessOngoing Process

Thank god it is all over?Thank god it is all over? ARROW should be a live process and not ARROW should be a live process and not

cast in stone but subject to alteration as cast in stone but subject to alteration as firm’s profile changes.firm’s profile changes.

What changes profileWhat changes profile Change in business activityChange in business activity Rapid expansion causing control and Rapid expansion causing control and

management stretchmanagement stretch It pays to keep FSA informed so that in the It pays to keep FSA informed so that in the

next ARROW the firm’s risk profile does not next ARROW the firm’s risk profile does not have to be built up from the ground againhave to be built up from the ground again

Staying in touchStaying in touch

It pays to stay in touch and keep the It pays to stay in touch and keep the FSA abreast of strategic developments FSA abreast of strategic developments and how these will be supported by an and how these will be supported by an effective control infrastructureeffective control infrastructure

Try and avoid springing surprises on Try and avoid springing surprises on the FSA; discuss potential problems the FSA; discuss potential problems and think through effective mitigation and think through effective mitigation well before the issue crystalliseswell before the issue crystallises