Pensions | Mar 25 2014

Managing risk in Sipps


‘Managing risk’ would surely score highly in a game of financial services buzzword bingo. It is not just a buzzword, though. It is something we are all encouraged to do from an early age - you were probably quite small the first time someone told you “don’t put all your eggs in one basket”. Yes, it is an intangible concept, but it is no arcane corner of academia. It is very real; something we surely all grasp in the wake of the financial crisis.

In focus

The Sipp industry has been directly in the focus of the regulator for years. Sipps were cited as an emerging risk three years running in the former FSA’s Retail Conduct Risk Outlook. The FSA published its first thematic review of Sipp operators back in 2009, with the failure to manage risks sufficiently at the heart of many of the concerns. Looking back, the failures raised sound wearily familiar: monitoring the quality of business, embedding treating customers fairly (TCF), implementing effective systems and controls, managing conflicts of interest and providing adequate disclosure.

There should be no mistaking that the FCA sees Sipps as a risk, too. Its final notice on the managing director of a failed Sipp operator was remarkably damning, covering at length the failure to control growth, monitor the exposure to non-standard investments and vet third parties.

These papers cite the handbook rules extensively - they should be imprinted in the minds of those managing Sipp operators. Box 1 shows a small selection of excerpts. Managing risk is explicitly cited - repeatedly.

The areas of risk and means to monitor and manage them are too numerous to list exhaustively but examples include:

– Inducements and conflicts of interest - detailed and exacting standards were set out in January’s finalised guidance. The biggest area of risk is, arguably, agreements under which providers pay distributors large sums.

– Sources and quality of business - the Sipp operator will need to set out and enforce the conditions on which it accepts business and pay particular regard to TCF if it accepts execution-only business. The operator cannot blindly accept advised business: it must check advisers’ authorisation and permissions on an ongoing basis and monitor patterns for advice that gives rise to concern (for example, frequent use of high-risk investments or in high concentrations). It must also monitor the extent of its exposure to its biggest introducers.

– Investments - just as advisers diversify clients’ portfolios, so the Sipp operator needs to ensure that its overall portfolio for all members is diversified. This could be in terms of the investment type, the individual investment or the third parties managing investments or providing execution or custody services (e.g. DFMs, platforms, brokers and banks).

There are also risks that are particular to or simply higher in certain investment types. These need mitigating at an individual level:

– Unregulated collective investment schemes (UCIS) - numerous failures and scams have been reported;

– Unquoted shares - may be used for pension liberation;

– Commercial property - liquidity of the Sipp is important to cover risks such as voids or arrears and to meet ongoing charges;

– Derivatives - agreements need to be designed to avoid unlimited liabilities and “cross contamination” of losses from one person to other members;

– Treating customers fairly (TCF) - use of management information (MI) and customer research to show, for example, that the Sipp is being used by the target audience, that service standards are being met and that members understand the operators’ communications;

– Banned lists - of investments, introducers and other parties with mechanisms to prevent their use;

– Tested back-up systems - to allow business to continue when disaster strikes (such as flooding);

– Effective means for whistle-blowing - the Association of Certified Fraud Examiners reports that tip-offs are three times more effective than any other method for fraud prevention.

Managing risk ought to follow a simple cycle as characterised in Figure 1. Policies set out the risks in an area, explain the tolerance for the risks, how they are mitigated and the reasons for that. They also need to identify the records that need to be kept and the reporting and MI that is needed to allow ongoing review.

Controls are built into systems and processes so they correspond to the policy; training and personnel reviews need to do likewise.

The systems and processes need to capture data to show what is going on. That forms the basis of the MI that the governance body or management board review to monitor the level of adherence to the policy.

The whole process needs to continue in a loop with governance or management considering whether the policy remains fit for purpose, the controls are adequate and whether they are getting the information they need to form an accurate view and take the necessary action if changes are required.

Out of control

It sounds almost childishly straightforward. So why does the FCA continue to find operators that are not controlling risks in their business? What is the underlying cause?

Having a policy is the easy bit - you can probably get one off the internet in seconds. But having a piece of paper doesn’t mean a thing: it has to be put into practice continuously. That is why, right from the first thematic review, the regulator has hammered home systems and controls. Systems need to be joined up and controls built in to avoid blind spots and human error, to ensure that what should happen (say, a drawdown review) does and what shouldn’t (say, drawdown income in excess of the maximum) doesn’t. Our behaviour easily relapses to old habits. That is why MI is repeatedly mentioned. However, it is no use producing MI if it isn’t actually reviewed and the operator doesn’t do anything about what it finds. That is why ‘governance’ would be a still higher-scoring buzzword and rightly so. But not the highest.

The FCA’s Risk Outlook 2013 sets out its approach to conduct risks to its objectives. It identifies firms’ culture as a key driver of conduct risk. The foreword by chief executive Martin Wheatley talks about the effects of firms’ culture. Part A even includes a chapter on structure, processes, management, culture and behaviour.

It is culture which determines whether the operator really cares about the quality of everything it does; whether it is sincere about putting the customer first; and whether it ensures staff genuinely share a belief in doing the right thing. All businesses are in the business of making money. The question is: how do they go about doing that?

Andy Leggett, head of Sipp business development at Barnett Waddingham