
Risk Management and FCA rules...

Exploring the key FCA rules and expectations surrounding risk management arrangements


Following the financial crisis in 2008, regulators across the globe made a renewed effort to enhance firms’ risk management systems, resulting in a wave of regulatory reforms. The end goal was to create a stable market which is sufficiently prepared and stress tested at all times, able to withstand turbulent periods.

Coupled with 2020’s unprecedented challenges, the FCA is focusing its attention once more on the area of risk management. This time, however, the FCA’s focus is on more qualitative areas, such as fostering a culture that will promote ethical behaviour and appropriate risk taking.



Are you using an Excel sheet as a risk assessment exercise?


A short-read about scenario based risk assessment for firms...


The FCA is not prescriptive in how a regulated firm is to achieve satisfactory compliance. However, implementation and active use of a suitable risk management system and proactive reporting to senior management supported with internal policies and procedures can go a long way to demonstrating compliance – after all, the devil is in the details.


It is important to note that the FCA’s cultural expectation exceeds “having a risk register”. All risk management arrangements must pass the “use test”, or in other words, be used by all relevant staff as an integral part of day-to-day business (as opposed to a compliance “tick-box”).


Let’s explore some of the key rules surrounding risk management for FCA regulated firms.

Principles of Business - PRIN 3

A Firm should organise and control its affairs responsibly and effectively with adequate risk management systems.

Principle 3 of the FCA handbook

All Principles contained in the FCA Handbook are applicable to regulated firms, regardless of their size, location or type of products offered.

As a result, it is paramount for firms to both achieve and maintain compliance at all times. Good examples of compliance can include:

  • Active tracking of risks and mitigating actions

  • Clearly assigned responsibilities for risk management

The effectiveness of any arrangement (and therefore compliance with the rules) can be evidenced by the tracking of risk updates, the resolution of risks and key risk ratings (via a centralised platform, a document or Board Meeting Minutes).

Let's have a look at some more detailed requirements now...

Senior Management Arrangements, Systems and Controls - SYSC 20

A firm must reverse stress test its business plan; that is, it must carry out stress tests and scenario analyses that test its business plan to failure. To that end, the firm must:

  • identify a range of adverse circumstances

  • prevent or mitigate that risk.


The FCA handbook provides some further clarification, by stating that firms must:

  • identify a range of adverse circumstances which would cause its business plan to become unviable and assess the likelihood that such events could crystallise; and

  • where those tests reveal a risk of business failure that is unacceptably high when considered against the firm's risk appetite or tolerance, adopt effective arrangements, processes, systems or other measures to prevent or mitigate that risk.

It is important to note that, whilst these rules only capture "BIPRU" and "IFPRU" firms, the FCA has signalled that an appropriate level of implementation is expected of every firm as part of good culture.

But how could firms evidence compliance?

Mostly through the use of risk impact assessments, which document how a given risk is linked to the root risk identified, enabling the SMFs to identify key areas of vulnerability and the effectiveness of mitigating actions.

Senior Management Arrangements, Systems and Controls - SYSC 6.1.2

A firm must establish, implement and maintain adequate policies and procedures sufficient to ensure compliance of the firm including its managers, employees and appointed representatives (or where applicable, tied agents) with its obligations under the regulatory system and for countering the risk that the firm might be used to further financial crime.

SYSC 6.1.2

The rule explicitly confirms that the compliance regime must ensure that the firm's obligations under both the FCA regulatory regime and the relevant financial crime legislation are met.

This means that firms that work with third-party suppliers (such as ARs and TPAs) must maintain oversight and risk management arrangements that capture such independent suppliers.

To evidence compliance, firms may wish to look beyond policies and procedures (to evidence ongoing risk management) and also consider the training of relevant staff.

As a result, this rule has an impact on other aspects of FCA compliance, such as training and competency of employees.

Senior Management Arrangements, Systems and Controls - SYSC 7.1

A firm must establish, implement and maintain adequate risk management policies and procedures, including effective procedures for risk assessment, which identify the risks relating to the firm’s activities, processes and systems, and where appropriate, set the level of risk tolerated by the firm.

SYSC 7.1

Whilst the rule quoted above is not verbatim, it highlights the key requirement of firms setting a risk tolerance level. Compliance with this rule is a must for UCITS investment firms and operators of an electronic system in relation to lending, whilst other firms should take account of the risk management policies and procedures rule (SYSC 7.1.2 R) as if it were guidance.

Often, this is achieved by firms explicitly stating their risk tolerance in a policy document (e.g. “Our risk tolerance is low.”), either as an overall statement or as separate risk tolerances for each business unit.

One element that firms often overlook is that, where a risk tolerance is set, the board of directors would be required to evaluate key business decisions against that level. Where an individual manager were to deviate from such standards, the firm could use this as a measure of conduct (and thereby retain evidence of its conduct risk management).

In practice, therefore, setting risk levels is achieved through the ability to set risk appetite levels and to identify risks that fall outside of tolerance via reporting tools.

Other key rules (SYSC)

  • SYSC 3.2.10 G

  • SYSC 3.2.16 G

  • SYSC 6.2

  • SYSC 7.1.6 R

The FCA is aware that the financial services sector is vastly diverse, both in terms of products and in terms of culture. Therefore, highly prescriptive compliance rules would only hinder the development of healthy competition.

This regulatory approach is important to remember when reading these rules. All FCA regulated firms must consider the rules (and guidance text) and implement them according to their size, nature and risk profile. In practice, this means firms are able to devise their own compliance regime to meet compliance requirements.

To demonstrate compliance, some firms may choose to rely on live risk management systems, whilst others maintain a detailed risk register with supporting forms and reports.

About conduct risk...

Conduct risk continues to be a focus for the FCA. Despite not being an FCA-defined term, firms need to understand what it means and implement accordingly.


Under the current expectations, the FCA expects firms to develop their own conduct risk definition and strategies and put in place a tailored conduct risk framework to address the specific risks that their business is exposed to.


The 2019/20 Business Plan sets out the FCA’s overall objective of how to improve the way financial markets operate with respect to the protection of consumers, the integrity of markets and the promotion of competition. Among other things, the 5 Conduct Questions programme clearly supports their cross-sector efforts on firms’ culture and governance.

We will explore this topic in our next article. Sign-up to our newsletter now to receive a notification when published, along with other free resources.

“They will find that business strategies and models must be reassessed in response to changed regulations more often than before. Perhaps most important, institutions will need to develop the flexibility to respond nimbly to the “new normal” risk management environment of unceasing regulatory change: improving analytical capabilities, investing in risk data and information systems and fostering an ethical culture.”

Deloitte Global Risk Management survey

Verify your compliance today

Download our forward-looking risk management policy and register and benefit from a free consultation to help implement them; or why not commission an expert review of your arrangements...

Risk Management Resources