CompliNEWS Ethics   |   Ethics Wednesday 24 April 2024

Operational risk

By Lee Rossini

Over the last few years, the issues facing FSPs have grown in complexity, especially with regard to operational ability.[1] The standards of operational ability that must be met by an FSP are spelled out in the fit and proper requirements. Operational risk is one aspect of the overall risk management framework adopted by an FSP. Any strategies, operational activities and decisions of senior management should be tested against the framework. The operational risks should be measurable and form part of a holistic approach to risk taken by senior management. Managing risk in this manner plays an important role in protecting against losses, liabilities and possible brand damage incurred due to the mismanagement of operational risks.

Operational risk is not defined in the fit and proper requirements. However, the Basel Committee on Banking Supervision defines operational risk as ‘the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. As such, operational risk includes business continuity plans, environmental risk, crisis management, process systems and operations risk, people related risks and health and safety, and information technology risks’. Under the Basel Accords, operational risk can be broken down into seven areas: internal fraud; external fraud; employment practices and workplace safety; clients' products and business practice; damage to physical assets; business disruption and systems failures; and execution, delivery and process management. In addition to these seven areas, other areas of risk should also be evaluated, such as reputational, legal and market risk.

An important role of senior management and compliance professionals employed by the FSP is to draft a risk strategy which takes into account the above operational aspects of the business. The starting point is to carry out an analysis of what is required by the legislation and whether the business adequately meets these requirements. Following the analysis, an operational risk management plan should be designed. The plan must take into account factors such as security, safety, internal controls, policies, procedures, employees and liability cover, amongst others. The potential risk that each factor may pose to the business should also be assessed in terms of likelihood or probability and impact. After all the relevant information has been gathered, a plan of action should be drafted to effectively deal with any potential operational risks facing the business.

The minimum standard of operational ability that must be met by FSPs is broken down into seven key areas. These include general requirements whereby the FSP must have ‘adequate and appropriate human, technical and technological resources to effectively function as a particular category of FSP’ and the FSP must ‘adopt, document and implement an effective governance framework’. In addition, the FSP must have a fixed physical business address and adequate communication facilities, adequate facilities for the safe-keeping of records, a bank account and key individuals to manage and oversee the activities of the FSP. The FSP is required to implement and monitor a governance framework. This must include the following:

· a business plan;
· risk management policies, procedures and systems (including systems and procedures to safeguard the security, integrity and confidentiality of information and to ensure compliance);
· accounting policies and procedures;
· sound and sustainable remuneration policies and practices;
· a business continuity policy;
· a financial recovery plan; and
· a system to provide for regular monitoring and evaluation of the systems, processes and internal controls.

When an FSP outsources functions to persons other than the representatives of the FSP, there are also certain operational requirements that must be met. When appointing a representative, the FSP must ensure that the person has not been declared insolvent or provisionally insolvent, is not under liquidation, provisional liquidation or business rescue and is not subject to pending proceedings which may lead to one of the above-mentioned situations. The person appointed must not increase the risk to the FSP, impair the quality of the governance framework, compromise the fair treatment of or continuous and satisfactory service to clients, prevent the FSP from acting in the best interests of its clients or result in key decision-making responsibilities being removed from the FSP. There are additional requirements with regard to the remuneration of representatives and the development of contingency plans should a representative leave, and representatives may not outsource any activity relating to the rendering of financial services on behalf of the FSP. Both representatives and key individuals are also required to meet the operational abilities. Although not applicable to all FSPs, there are also additional requirements for FSPs that provide automated advice.

The failure by an FSP to meet the above operational ability requirements is likely to increase its risk. As with so many other aspects of business, the culture of an FSP largely determines how it will manage these risks and the attention paid to the requirements. Risk should be considered in all activities; there should be open and honest discussion about the risks; and all employees, from senior management down, should take individual and collective responsibility for managing the risks facing the business. A good starting point is to ensure that the operational ability of the FSP is in place and effective to minimise operational risk. In addition, these requirements are considered to be an important part of good business practice.



[1] Chapter 5, Operational Ability, Determination of Fit and Proper Requirements for Financial Services Providers, Board Notice 194 of 2017.