2020-11-23

Risk-based Supervision in Guernsey

The Guernsey Financial Services Commission implements a risk-based supervisory framework to prioritize resources on firms posing the greatest threat to financial stability and consumers. This methodology utilizes the PRISM system to assess firm impact and probability, enabling structured engagement plans that focus on mitigating unacceptable risks at high-impact entities. The approach combines proactive supervision of significant firms with reactive oversight of lower-impact entities, supported by thematic reviews and rigorous quality assurance processes.


Guernsey

Guernsey Financial Services Commission


Version 1.0 February 2016. Based on “PRISM Explained” first published by the Central Bank of Ireland in November 2011, amended and revised for use by the Guernsey Financial Services Commission.

Risk Based Supervision in Guernsey

How the Guernsey Financial Services Commission regulates the finance sector within the Bailiwick

Why risk based supervision

The Commission is committed to exercising ‘good and effective’ regulation. By this we mean that we will work to ensure that we deliver high quality prudential, financial crime and conduct supervision within the Bailiwick of Guernsey. Supervisors are asked to form judgements about the risks which the firms we regulate present to the Bailiwick and seek to mitigate those we find unacceptable. We see systematic risk based supervision as offering the best route to that goal. Under risk based supervision, the most significant firms - those with the ability to have the greatest impact on financial stability and the consumer - will receive a higher level of attention under structured engagement plans, leading to early interventions to mitigate potential risks. Conversely, those firms which have the lowest potential adverse impact will be supervised reactively or through thematic assessments. The methodology explicitly recognises that we can only have a finite number of supervisors and that we must deploy them where they can make the greatest difference.

PRISM and online services are the vehicles we use to assist us to put the theory of risk based supervision into practice. PRISM is both a supervisory framework and a software application. It is designed to be scalable and suitable for effective supervision of the Bailiwick’s regulated firms. Our online services are designed to ensure our systems are populated with good quality data which in turn ensures our supervisors have accurate and timely information to assist in the risk assessment process.

By adopting a risk-based approach, we do not pretend that we can or should prevent all firms failing. A properly functioning market economy requires a degree of risk taking to secure economic reward. Some firms will and must be allowed to fail to maintain market disciplines.
Attempting to eliminate this risk is not a proper public policy; it would incur prohibitive costs and prove ultimately futile. PRISM provides a toolkit to aid our supervisors to focus attention on the firms with the highest impact, making it materially less likely that they will fail in a disorderly fashion. We have moved to a regulatory framework which encourages supervisors to concentrate on the issues which really count and to address them effectively. Such issues are much broader than solely compliance with rules and encompass both prudential and conduct risks. As such, it underpins our commitment to maintain financial stability, protect consumers and combat financial crime.

Cees Schrauwers
Chairman

What is risk based supervision?

One of the lessons from the 2008 global financial crisis was that it is always vital to have sufficient knowledge about significant financial services firms because they have a greater capacity to affect the economy adversely. Risk based supervision starts with the premise that not all firms are equally important and that a regulator can deliver most value through focusing its energies on the ones which are most significant and on the risks that pose the greatest threat to financial stability and consumers. A risk based methodology provides a systematic and structured means of assessing different types of risk, ensuring that idiosyncratic approaches to firm supervision are avoided and that potential risks are analysed for the higher impact firms using a common framework.

At its core, risk based supervision accepts the premise that resources are finite, that there is no unlimited pool of public or industry funding on which to draw and that every regulator has to make choices about what it will do and what it will not do. It makes no prior judgement on what the right level of resources should be but seeks to deploy the available resources in the most efficient fashion.

At the Commission, risk based supervision means that we have a lower appetite for significant issues at higher impact firms relative to issues at lower impact firms. For high impact firms, the avoidance of failure is our top priority. For this type of firm, if there is to be failure, it is important that this does not entail taxpayer support or occur in a disorderly way as this would have a detrimental impact on financial stability and the consumer. Risks which are likely to give rise to such outcomes will, once detected, be rigorously mitigated. For our low impact firms, we aim to regulate to avoid sector-wide issues - such as widespread mis-selling by intermediaries - but we will not seek to prevent individual failure.
Rather, we will supervise these firms reactively, which may include assisting in the appointment of an administrator or liquidator when they fail so that there is an orderly revocation of authorisation and winding-up in accordance with insolvency legislation, with the rights of customers appropriately protected according to the law.

The Commission’s adoption of PRISM

In late 2011 we initiated a project to deliver a risk management framework for the Commission, harmonising our approach to industry/licensee risk across divisions within an overarching structured and consistent framework. The aim was to inform the Commission of potential risks and to enable us to direct its resources effectively. The project also supported the IMF recommendation to analyse risk across sectors.

In June 2013 Commissioners agreed to proceed with the purchase of a licence for PRISM (Probability Risk and Impact SysteM), and to the associated development work to tailor PRISM for the Bailiwick. PRISM is both a supervisory methodology and a software application, and was originally developed by the Central Bank of Ireland after the Euro financial crisis to provide a structured framework for firm supervision. A version of PRISM has subsequently been adopted by the European Central Bank. By July 2014, the system and framework were fully implemented across all of the regulatory divisions, with additional functionality such as automated impact calculations, key risk indicators and thematic review introduced in July 2015.

PRISM provides an engagement model for the supervision of regulated firms and tools to facilitate a detailed probability risk assessment of these firms. The framework requires supervisors to challenge firms, to form judgements about the risks each firm presents and then to develop appropriate outcome focused risk mitigation programmes to reduce unacceptable risks to an acceptable level, with those risk mitigation programmes subject to appropriate quality control mechanisms.

PRISM enables supervisors and their managers to see the risks posed by firms in any sector at any point, facilitating frequent review of the evolving financial risks at the micro level, allowing high quality risk based resource allocation and risk mitigation decisions to be taken, as well as clear communication to firms of our views of their risk profiles and our expectations. It also provides senior management with additional information which can assist the assessment of macro prudential risks both within and across sectors.
In summary, PRISM is designed to support our:-

• adopting a consistent way of thinking about risk across all supervised firms;
• allocating resources based on impact and probability;
• undertaking a sufficient level of engagement with all higher impact firms;
• assessing firm risks in a systematic and structured fashion;
• ensuring that action is taken to mitigate unacceptable risks in firms;
• providing firms with clarity around our view of the risks they pose;
• operating a risk based supervisory framework similar to that operated by significant financial regulators such as OSFI in Canada, APRA in Australia, the US Federal Reserve, The European Central Bank, and the Prudential Regulation Authority in the UK;
• using quality control mechanisms to encourage challenge and sharpen our supervisory approach;
• analysing better management information about the risk profiles of the firms and sectors we supervise;
• providing a tool for supervisors continually to challenge themselves and their firms to safeguard financial stability and protect consumers; and
• providing supervisors with a consistent way of thinking about risk whilst ensuring a minimum level of engagement for firms.

How does risk based supervision work?

Supervisory Process

Impact

To be properly risk based one has to know where risks lie. Impact is a major component as it indicates the degree of damage a firm could cause to the financial system, economy and citizens were it to fail. The framework categorises firms based on impact so that supervisors can spend their time where it will be most effective. A popular perception that a large firm has a strong board and good profits will not lead to us ceasing to allocate significant resources to understanding it and its risks. The 2008 financial crisis showed that several regulators made mistakes in not putting enough resource into scrutinising large, profitable and politically well-connected firms.

Changes in firm size and, by implication, impact will be tracked, based on returns submitted by firms. For example, in one quarter a bank might have a certain impact score categorising it as medium high impact. The next quarter, having purchased a substantial book of business from another bank, it might have a materially larger balance sheet. When the bank submits its regulatory returns, the PRISM system will automatically detect that it has grown and by calculating a new impact score the bank may be re-categorised as high impact – automatically triggering a higher level of supervision because its metrics have increased.

Engagement

We engage with firms to understand what they are doing and whether what they are doing poses a threat to financial stability or consumers. Firms in each impact category are supervised through the completion of engagement tasks. We engage with all firms at a level that corresponds to their impact category; the higher the impact category, the higher the level of engagement. This engagement consists of a variety of reviews, assessments and meetings. It is our means of obtaining sound information about a firm in order to assess accurately the risks that it poses.

A specific set of engagement tasks will be conducted on high impact firms, whereas a less intense set of engagement tasks will be conducted on medium high impact firms and less again on medium low impact firms. Some of these visits will be tailored to the type of firm being examined – clearly underwriting concentration is more pertinent to an insurer whilst liquidity risk is generally more pertinent to a bank. In addition, some inspections, such as those reviewing governance and business models, will apply to all high impact firms.

Medium high impact firms will see full risk assessments conducted every two to four years. These will look at the full spectrum of risks a firm is likely to face. Medium low impact firms will experience a full risk assessment approximately every five years. International banking and insurance regulation may also lead to further involved engagements with lower impact banks and insurers on prudential matters. There is also a regular programme of interaction with the directors and senior management of such firms to ensure that supervisors can understand strategic developments and emerging risks at such firms.

We deploy a relatively small number of supervisors to deal with a very high number of low impact firms, which they supervise on a partially reactive basis with thematic work utilised to assess key sectoral issues. In taking this approach we are making a conscious choice to focus our finite supervisory staff on our most important firms because those are the ones which we do not wish to see fail in a disorderly manner. To support this risk based model, for lower impact (i.e. smaller) firms, reactive supervision will be paired with effective enforcement. If firms do not comply with regulatory requirements and expectations, they should assume that we will use our enforcement powers to uphold the law.
The Commission is using technology to supervise firms in an efficient way: by investing in our online submissions system to automate receipt and analysis of financial returns – minimising the time spent on processing. For example, we have the capability to send supervisors automatic alerts when a low impact firm fails key financial health checks. The Financial Crime Division also carries out a series of supervisory engagements which will include inspections, meetings with individuals in a firm’s compliance and risk management functions, and thematic exercises across a variety of firms in all sectors which are selected (or targeted) on the basis of risk rather than impact. Enforcement action is taken against firms that are failing to meet appropriate prudential, financial crime and consumer protection standards. We have dedicated resources in this area to deal appropriately with significant poor practice and behaviour. Throughout all supervisory engagement, our supervisors will challenge the staff and leadership of the firms they supervise, adopting an inquisitive and searching attitude, placing a premium on understanding the important issues a firm faces as opposed to conducting process audits.

Thematic supervision

We undertake consumer, financial crime and prudentially focused thematic work across firms in all impact categories. By looking at a specific issue across a range of firms, we can analyse concerns across a sector. We can use thematic work to determine whether overall standards in an industry are at or near the level where we would expect them to be or whether there appears to be an industry wide issue which may require policy changes, widespread “moral suasion” or an intense enforcement action to secure appropriate change. For example, we undertook a thematic study reviewing data security across a range of fiduciary firms to analyse whether the firms were handling sensitive data appropriately. The results were published in April 2014.

Under the PRISM framework, we continue to use thematic visits as our principal tool for understanding consumer conduct risk. PRISM is also used to assist our financial crime work and, separately, to ensure that we maintain and improve our prudential understanding of sectors – such as funds and intermediaries – where a large proportion of the firms are low impact. We take into account the differences between sectors (e.g. funds and intermediaries) and the different risks they present when deciding on the subjects to focus on and the thematic resource to be devoted to each sector. Thematic reviews may lead to enforcement action against specific firms where contraventions are identified.

Judging probability

During the engagement tasks on high, medium high and medium low impact firms, supervisors will form judgements on the risks posed by them. Probability is the risk or likelihood that a firm will fail and, as such, is distinct from impact. Whereas impact represents the degree of damage the failure of a firm might cause, probability is an indication of the likelihood of a firm failing, regardless of the damage such a failure might cause.

Supervisors assess a firm’s risk probability in a number of categories and sub categories such as credit risk, operational risk, governance risk etc. The probability categories are set out in Appendix B. Supervisors form judgements on the risk probability posed by the firm in relation to each category. PRISM is a judgement based system in that supervisors of higher impact firms are required to make a conscious choice about the riskiness of a firm at each level in each category. Simplified procedures apply for supervisors of medium low impact firms. All firms, including those that are low impact, are probability assessed for the financial crime risk each poses by a dedicated team of AML/CFT supervisors within the Commission.

We implemented such a system because we believe that judgements based on good quality quantitative and qualitative analysis are likely to be materially more reliable than the alternative – a black box system based on complex equations. The experience of investment banks during the financial crisis was that such black box systems were understood by few (and bitter experience indicates that even those few had limited understanding) and thus were not subject to adequate challenge. Furthermore, even the best black box systems contain a number of simplifying assumptions embedded within the mathematical coding of their guiding equations.
Such simplifying assumptions may or may not be appropriate for a specific firm or issue but, because they are embedded deep within the code and are known to only a few, it is very difficult to subject them to appropriate scrutiny. Our supervisors are required to provide a written rationale for their judgements within PRISM. This allows their logic to be easily reviewed by others in the Commission before actions are taken on the basis of their judgements. Supervisors are required to consider all probability categories to arrive at a balanced judgement about the overall risk probability posed by a firm. Particular emphasis, in response to lessons learned during the financial crisis, is being placed on a thorough analysis of governance and business models as poor governance and a weak business model are good leading indicators that problems at a firm are likely to emerge.

In making judgements on probability, supervisors are assisted by:-

• the information and insights they have acquired through engagement tasks. Some engagement tasks will have a significant quantitative element, while others will be more qualitative;
• key risk indicators – key ratios and data drawn from the regulatory returns submitted to the Commission and processed by PRISM (which will highlight unusual changes);
• risk guidance materials on each risk category, prepared and kept up to date by subject matter experts within the Commission. These materials also provide links to in depth guidance published by other regulatory bodies to assist a supervisor undertaking a thorough analysis of a risk category;
• alerts generated by PRISM to draw a supervisor’s attention to significant changes in key risk indicator or impact data; and
• peer group intelligence – firms supervised by the Commission are placed in peer groups. PRISM provides supervisors with the ability to access pertinent quantitative and qualitative information about other firms in their peer group which will allow for easy comparison of key quantitative risk indicators.

Mitigating risk

Our risk based framework is judgement based and outcome focused. This means that supervisors are required to focus not only on analysing and identifying risks but also on ensuring that appropriate and achievable mitigating actions are taken to address any risks deemed unacceptable. For example, if a supervisor discovered that Firm A could plausibly lose £10 million on a derivatives product it had sold to a client and the firm only had £8 million capital, he or she might require it to raise more capital or to hedge the risk with another firm.

Supervisors, having judged probability for each risk category on a scale of low, medium low, medium high or high probability, work with the firm to agree actions to reduce those risks which are too high for us to accept.
This is not about our trying to stop firms taking commercial risks. We appreciate that firms need to take risks in order to succeed and make an economic return on capital. Rather, it is about the Commission seeking to mitigate risks which pose an unacceptable threat to financial stability, financial crime or consumer protection. Any risk category which is probability rated as medium high or high must be mitigated. If a supervisor rates a firm medium high or high probability in any risk category, he or she is prompted by PRISM to open a Risk Mitigation Programme (RMP) issue, explaining the nature of the risk. Having opened the issue, the supervisor will construct one or more outcome-focused actions to reduce the risk to an acceptable level by a given deadline.

Examples of outcome focused actions include requiring a firm to raise more capital, cease an activity or strengthen the control framework around a business line. On occasion, we may suggest to a firm’s directors that the staff running a particular business line or support function lack the requisite skills and need help to obtain them or alternative management action. Firms have an opportunity to suggest alternative actions to ensure our risk mitigation outcomes are achieved in the most expeditious fashion.

We will not raise RMP actions for every risk we perceive at a firm. We will endeavour to focus our activities on the more significant risks, bearing in mind the old adage that “a stitch in time saves nine”.

Many RMP actions will require mitigation action to be undertaken by the regulated firm. When the firm has completed such an RMP action, it will provide appropriate information to the supervisor. The supervisor will evaluate the quality of the improvement and consider whether the RMP action has successfully obtained the outcome we sought – namely reducing the risk to financial stability, financial crime, or consumers to an acceptable level. If the required outcome has been achieved, the RMP action will be closed. If the supervisor, in consultation with supervisory management, considers that the RMP action has not mitigated the risk, he or she will construct a further RMP action to mitigate the risk. The nature of that RMP action will take into account the degree to which the firm has engaged in a constructive manner to reduce the risk materially during the course of completing the previous RMP action. If the Commission considers that there has been wilful non-compliance with an RMP action this will be taken seriously.

Quality assurance

Any system for evaluating risk has potential weaknesses. We have adopted a methodology which requires supervisors to make judgements having evaluated appropriate quantitative and qualitative information. In order to mitigate the risk that a firm could be exposed to inappropriate judgements by a single supervisor, the framework incorporates a number of quality assurance processes to ensure that high quality judgements are made and that appropriate outcome focused RMP actions are constructed based on those judgements:-

Risk Governance Panels - We have been operating firm focused panels since late 2013. They bring together senior staff and risk advisors outside the supervisory chain of command to scrutinise a supervision team’s strategy, judgements and risk mitigation programme for a given firm. Such meetings are normally held directly after a significant inspection visit, giving the members of the panel an opportunity to review the probability judgements and draft RMP actions prior to these being sent to a firm. We also hold panels to review findings following significant pieces of thematic work. Panels give the supervisor an opportunity to debate their findings with a wider audience who are likely to have had extensive experience of supervising firms. Normally, such panels will help calibrate the judgements of the supervisory team and may suggest amendments to RMP actions deemed too robust or not sufficiently demanding of the firm in question.

Management oversight - RMP issues which are not scrutinised by a regular Risk Governance Panel will be reviewed and approved by a member of the supervisor’s divisional management team prior to being sent to a firm.

Firm review of draft actions - When doing so does not conflict with timely or effective risk mitigation, we aim to share draft RMPs with firms to enable them to highlight factual flaws in our descriptions of the issues giving rise to the RMP actions.
Management information - PRISM delivers regular, focused, qualitative and quantitative information on firms and supervisors’ activity to the Commission’s management team. This management information is increasingly allowing us to review trends in different financial sectors, impact changes, probability rating changes, risk mitigation programme success rates and engagement task completion rates. We are able to use such information to ask questions about outlying probability ratings or, indeed, about probability ratings which appear inappropriately clustered together. We are also able to review easily RMP actions relating to different probability categories and see the comparative progress of different types of mitigation actions.

Risk appetite

Will risk based supervision prevent failures of regulated firms?

A “No Failure” approach is not compatible with a dynamic market economy. Nevertheless, we want to minimise the impact of failure on financial stability and the citizen. While failure of firms is expected, for higher impact firms we will seek to manage actively key issues to prevent disorderly failure and to protect the taxpayer. For the lower impact firms, we will not generally be actively involved prior to a failure but we will still wish to see an orderly sale or winding down of operations.

Our engagement model has been designed to provide different levels of assurance about firms of different importance. The higher the impact, the greater the extent and frequency of the engagement. For low impact firms, the engagement will be limited. Low impact firms will potentially fail more often but the impact on the economy or consumers will be several orders of magnitude less than the impact of a high impact firm failing.

To be clear, we are conscious that the media, politicians and other key figures in society are likely to be critical of us when firms, even small firms, fail and ask why we did not prevent it. It is right and proper that we should be held up to such public scrutiny but that does not make it appropriate for us to redirect resources from the most important firms to smaller firms in response to failings where there is a very limited impact on financial stability, the integrity of financial services and the consumer. By way of analogy, Guernsey Law Enforcement does not take detectives from its Financial Investigations Unit to patrol shops after every case of shoplifting that is reported. Neither will we take resources from our most important firms to supervise closely economically insignificant firms.
Clearly, if there is a spate of “shoplifting” in an area, we will undertake appropriate investigation (as any police force would) and may reform our working practices/enforcement appetite to deal with the issue robustly to deter other firms from tolerating similar failings. Nevertheless, it would be inappropriate to pour more resources into low impact firms when doing so would deprive us of our ability to supervise higher impact firms appropriately. Alternatively, we could reduce our risk appetite by “promoting” large numbers of firms out of the lower impact category and significantly increasing our resources. However, these additional costs would need to be borne by industry and we have no plans to augment our staffing significantly at present.

Appendix A

How will the Commission engage with firms?

This table lists some of the tasks which will feature in our engagement programme. Our engagement programme will differ by impact category so not every engagement task set out below will affect every firm.

Business Model Analysis
Supervisors gain an understanding of how the firm organises itself, manages itself, manufactures and delivers its product to market on a profitable basis while minimising the risk of business failure. A firm should understand how it makes money and the risks it takes to do so.

Governance
Supervisors seek an understanding of how the firm is governed. Good corporate governance acts as a control mechanism providing confidence to stakeholders that the institution is managed in a sound and prudent manner. Supervision looks at the governance structure, the quality of the individuals and how the structures operate in practice.

Financial Risk
Each firm has major risks that it encounters in carrying on its business. These vary between sectors e.g. banks face credit risk, market risk, liquidity risk etc. as their main risks while insurance companies face underwriting risk, reserving, reinsurance risk etc. These risks are reviewed to ensure that the firm is not taking excessive risks, that these risks are understood and that there are appropriate policies and systems in place to actively manage and control the risks.

Financial Crime Risk
Our AML/CFT supervisors assess the inherent financial crime risks within a firm which are posed by the type of customers it has and the products and services it offers against the quality of its controls to identify and manage those risks. Supervisors are seeking assurance that a firm understands the financial crime risks to which it is exposed and that the firm has taken appropriate steps to implement effective measures such as compliance monitoring and training programmes, to mitigate those risks.

Stress Testing [1]
Benign market conditions can mask latent problems in the nature of a firm’s business which only become apparent in a downturn. It is important that firms understand what changes would destabilise their business. Supervisors will want to be satisfied that realistic stress testing scenarios are used appropriately by firms and that boards are mitigating unacceptable risks which stress tests highlight.

Review of the Firm’s Capital Adequacy Assessment (SREP or ORSA [2])
Regulated firms have an obligation to maintain adequate levels of capital to support their activities. We undertake reviews to ensure that the capital amount, as determined by the firm, is adequate, taking into account findings from the other engagement tasks undertaken.

Full Risk Assessment
Supervisors, following a desk based review of the information they have requested from a firm better to understand key issues, hold a series of meetings with key personnel at different levels within a firm to obtain an overview of governance, strategy and key financial risks. They also undertake an in-depth examination of key aspects of a firm which give rise to concern. Where appropriate, such full risk assessments will incorporate the SREP/ORSA reviews discussed above.

Regular meetings with:-
• Chairman
• Non-Executive Directors
• Head of Compliance
• MLRO
• Chief Risk Officer
• Senior Management
• Internal Auditor
Meetings are an integral part of the programme and will often take place in the course of other engagement tasks. Meetings are likely to cover matters such as the strategic direction of the firm, strengths and vulnerabilities, issues of governance, and risk profile. They also provide supervisors with a view on the suitability and competence of a firm’s leadership.

[1] Banks and Insurers only
[2] Supervisory Review and Evaluation Process (banks) & Own Risk and Solvency Assessment (insurers)

Appendix B

Risk probability structure & explanation

As stated previously within this document, risk probability is the probability or likelihood that a firm will fail and, as such, is distinct from impact. Probability is an indication of the likelihood of a firm failing, regardless of the damage such a failure might cause. We assess the same risk probability categories in medium low to high impact supervised firms, with the understanding that firms in different sectors face the same risks - sometimes in different ways or to varying degrees. Assessment is performed at up to three levels, namely: overall, category and sub-category. The categories are outlined in high level terms below.

Capital risk
Capital is required to act as a cushion to absorb losses arising from business operations and allow an entity to remain solvent under challenging conditions. Capital risk arises mainly as a result of the quality or quantity of capital available, the sensitivity of a firm’s exposures to external shocks and/or the level of capital planning and management process. Capital risk could potentially impair a firm’s ability to meet its obligations to customers (depositors, policyholders, investors, etc.) and senior creditors in an adverse situation. The way in which groups are structured, the nature, extent and size of transactions and/or commitments between them, and the degree of reliance of a firm on parts of its group can have a significant potential impact on the capital position of a firm. In addition, group arrangements/structures may create or enhance imbalances in the levels of capital held at an entity level with the risks assumed by those entities.

Conduct risk
Conduct risk is the risk the firm poses to its customers from its direct interaction with them. A firm should observe high standards of integrity and fair dealing in the conduct of its business. Furthermore, a firm should act with due skill, care and diligence towards its customers and communicate with them in a way which is not misleading. In assessing conduct risk, consideration is given to the level of risk attached to the products offered to the customer by the firm and the ease with which the product can be explained to the customer.

Credit risk
Credit risk is the risk of financial loss arising from an obligor, borrower, issuer, surety, guarantor or counterparty who fails to meet its obligations in accordance with agreed terms. Such risks arise anytime firm funds are extended, committed, invested or otherwise exposed. Firms should mitigate against such loss by having sufficient understanding and appropriate controls to manage the adequacy of their capital and loan loss reserve at any given time. They should also demonstrate a thorough knowledge of customers and their associated credit risks.

Environmental risk
The environment in which firms operate exposes them to risk in a number of ways. Macro-economic risk factors make themselves felt through domestic and international developments. Sector specific considerations must also be assessed as different industries and subsets of firms face a similar macro environment but different industry dynamics.

Financial crime risk
The Bailiwick, by virtue of being an international finance centre, is particularly vulnerable to financial crime through the products and services the financial and professional services sectors offer to a largely international client base. Firms run the risk of being implicated in or facilitating financial crimes such as money laundering, terrorist financing, bribery and corruption, fraud and tax evasion. Should such a risk crystallise it could have a detrimental impact upon the reputation of the Bailiwick. The level of a firm’s overall financial crime risk is determined by the profile of its clients and the types of products and services it offers, and the extent to which those risks are mitigated by arrangements the firm has developed to control them. Firms with a significant proportion of high risk relationships for whom they manage or administer complex high value structures will have high inherent financial crime risk, whereas a firm with a local client base providing certain insurance, investment or saving products funded by regular contributions will not. Firms are expected to have developed policies, procedures and controls which are sufficiently robust to mitigate the inherent financial crime risks within their business.

Governance risk
Governance covers the overall oversight and control mechanisms which a firm has in place to ensure that it is soundly and prudently managed. It refers in particular to the processes, structures and information flows which are used to allow the board and senior management to satisfy themselves that effective control mechanisms are in place to protect all stakeholders (i.e. depositors, policyholders, investors, shareholders, employees, etc.) and contribute to the overall stability of the financial system. The effectiveness of the board in carrying out its governance role and oversight is a critical component in the overall regulatory framework.

There are a range of areas that require assessment in order to rate a firm’s policy, culture, procedures and practical approach to corporate governance, which include its risk management approach, the composition and quality of executive and non-executive board members, committee structures and remuneration policies. Other key areas for consideration are the complexity of group structures which might impact on how supervisors can evaluate firms under their supervision and whether, and how, boards evaluate their own performance.

Insurance risk
Insurance risk relates to the uncertainty regarding the occurrence, amount or timing of claims, payments or liabilities (technical provisions). The nature and extent of insurance risk depends on a number of factors and the quality of insurance risk controls encompasses both the design and effectiveness of the implementation of controls relating to the firm’s core activities. When assessing the insurance risk facing a firm, supervisors will set out to understand the extent to which they impact on the overall insurance risk, the extent to which they are related, and how the firm mitigates the risks involved. Insurance risk, to a lesser degree, can apply to non-insurance firms which place reliance on insurance contracts, e.g. to mitigate their business exposure to certain catastrophe, public liability, fiduciary, professional indemnity, key man, property and other generally insurable risks.

Liquidity risk
Liquidity risk is the risk that a firm will not be able to fund its cash outflows as they fall due. A firm can be illiquid even if it is solvent. Liquidity risk may stem from (i) a loss or reduction in the value of existing funding; (ii) off balance sheet commitments being called; (iii) new lending, investments or acquisitions that require new funding; (iv) timing mismatches between asset maturities/realisation and liability cash flows; and (v) problems arising from holding difficult to sell assets to meet current liabilities.

Market risk
Market risk reflects the uncertainty of an asset’s future price and includes both direct and indirect factors. Such factors include the health of the balance sheet, strength of the management team, stock prices, interest rates, foreign exchange rates, commodity prices, and changes in real or implied volatility. In assessing market risk, supervisors are mindful of the controls for setting risk appetites and limits, how they are communicated and subsequently identified, measured, monitored and managed within a firm.

Operational risk
Operational risk is the risk of loss resulting from inadequate or failed internal processes, people/personnel and systems or from external events. Operational risk can stem from the nature of the firm’s business, the appropriateness and effectiveness of the controls in place to minimise the risk. Examples of operational risks include: hardware or software failures, misuse of confidential client information, data entry errors, and natural disasters.

Strategy/business model risk
Strategy/business model risk refers to the risk which firms face if they cannot compete effectively – for example, in a market economy, other firms may offer better products or substitute products at better prices and the firm may fail because they may not be able to compete at the same prices/product offerings. Strategy/business model risk also covers the inherent risk in the strategy (e.g. overly aggressive business growth, merger and acquisitions activity, and/or significant business diversification). Business model risk also covers areas such as potential ‘funding mismatches’ in banking, over reliance on reinsurance in insurance, outdated distribution models or cost bases out of line with competitors.

The Commission may review the matters set out in this document from time to time to ensure that they remain appropriate. Further, the Commission reserves the right to amend its practices and this document without prior notice.
