CTRL Schedule 1 Guidance — classification of risks

(rule 7.1.7)

The following table sets out an example of a system of classifying the risks to which an authorised firm is exposed. An authorised firm is free to adapt this framework to reflect the nature, scale and complexity of its operations, or to develop and implement its own risk classification framework.

| Item | Risk factor | Explanation |
|---|---|---|
| 1 | Financial soundness | |
| 1.1 | Capital adequacy | The risks arising from the nature of an authorised firm’s capital position. These risks include risks arising from the firm’s capital planning framework, the composition and quality of capital, the adequacy of capital to support the level of current and expected business activities, the adequacy of reserves and access to further capital. |
| 1.2 | Revenue/profitability | The risks arising from the nature of the firm’s earnings. These risks include risks arising from the adequacy of profitability, volatility of revenues and profitability, and track record of performance against budget. |
| 2 | Business strategy | |
| 2.1 | Quality of business strategy and plan | The risks arising from the firm’s overall strategy. These risks include risks arising from the quality of the strategic planning process, the achievability of the strategy, the implications of the strategy, particularly for risk appetite, and the track record of implementation. |
| 2.2 | Regulated activities offered | The risks arising from the characteristics of the firm’s business activities, including the extent and complexity of those activities. |
| 2.3 | Types of clients | The risks arising from the characteristics of the firm’s client base, including the types of clients (market counterparties, business customers, commercial customers and retail customers). |
| 2.4 | Types of products | The risks arising from the characteristics of the current products or services provided by the firm. These risks include the complexity, tenor and performance of the products. |
| 2.5 | Markets targeted | The risks arising from the markets targeted, including the location of clients and the nature and jurisdiction of overseas investments offered. |
| 2.6 | Sources of business and distribution channels | The risks arising from the nature of the current sources of business and distribution mechanisms used by the firm. These risks include risks arising from introductions by existing clients, the use of intermediaries and sourcing overseas customers. |
| 3 | Market and operational | |
| 3.1 | Market risk | The risks arising from the type and nature of market risk undertaken by the firm. These risks include risks arising from the firm’s risk appetite, and the nature of market risk exposures involved in the firm’s products and services. |
| 3.2 | Credit risk | The risks arising from the type and nature of credit risk undertaken by the firm. These risks include risks arising from the firm’s risk appetite, the nature of counterparty exposures involved in the firm’s products and services, its portfolio characteristics and the nature and extent of credit risk mitigation. |
| 3.3 | Operational risk | The risks arising from the type and nature of operational risk involved in the firm’s activities. These risks include risks arising from direct or indirect loss resulting from inadequate or failed internal processes, people and systems, or from external events. |
| 3.4 | Liquidity risk | The risks arising from the type and nature of the firm’s liquidity or asset and liability mix. These risks include risks arising from the firm’s liquidity management framework and the composition of liquidity to allow funding of the firm’s operational and financial obligations both day to day and in crisis situations. |
| 3.5 | Insurance underwriting | The risks arising from the type and nature of insurance underwriting risk undertaken by the firm. These risks include risks arising from the firm’s risk appetite, the nature of insurance underwriting exposures involved in the firm’s products and services, and the nature and extent of reinsurance cover. |
| 3.6 | Legal risk | The risks arising from the type and nature of the firm’s contractual agreements. These risks include the risk that contracts may not be enforceable under applicable law. |
| 4 | Organisation and regulation | |
| 4.1 | Clarity of legal ownership and structure | The risks arising from the structure of the firm or corporate group. These risks include risks arising from the nature of the legal and ownership structure and the openness of the group structure to regulators. |
| 4.2 | Controllers and group entities | The risks arising from the characteristics of the firm’s controllers. These risks include risks arising from the jurisdiction and characteristics of shareholder controllers, directors, and the nature of other group entities. Also the risks arising from the relationship between the firm and the rest of its corporate group. These risks include risks arising from management arrangements, reliance on centralised functions, the financial health and activities of the wider group, and financial and other dependencies on other group entities. |
| 4.3 | Nature and extent of home state laws, regulation and supervision | The risks arising from the content of applicable laws (such as statutory priority to local creditors), the level of regulation undertaken by another financial services regulator and the reliance that can be placed on the supervision of the firm by that regulator. |
| 4.4 | Political and economic environment in home jurisdiction | The risks arising from any instability in political or environmental factors in the firm’s home jurisdiction. These risks include risks arising from terrorism, political sanctions or the likelihood of natural disasters. |
| 4.5 | Relationship with regulators | The risks arising from any instability in political or environmental factors in the firm’s home jurisdiction. These risks may include risks arising from terrorism, political sanctions or the likelihood of natural disasters. |
| 5 | Clients | |
| 5.1 | Communications with clients and financial promotions | The risks arising from the nature of financial promotion and advertising practices employed by the firm. |
| 5.2 | Client assets | The risks arising from the firm holding or controlling clients’ money and assets. |
| 5.3 | Client categorisation | The risks arising from customer classification and the documentation procedures. |
| 5.4 | Advice, management and dealing | The risks arising from dealing in and managing customer assets and the quality of advice (for example, suitability, customer understanding of risk and charges). |
| 5.5 | Disclosure and reporting | The risks arising from the nature of product literature issued by the firm and the terms of business, periodic statements and other documentation provided to clients. |
| 6 | Conflicts management | |
| 6.1 | Identification and management | The risks arising from the identification of potential and actual conflicts of interest and how the firm manages them. |
| 6.2 | Staff remuneration | The risks arising from the recruitment quality and training procedures for the sales force. Also the risks arising from the nature of the remuneration scheme for employees. |
| 6.3 | Personal account dealings | The risks arising from potential insider dealing and the process for identifying and approving directors and employees trading for their personal accounts. |
| 7 | Management and controls | |
| 7.1 | Allocation of responsibilities | The risks arising from the nature of the allocation and definition of directors’ and management responsibilities and the mechanism for ensuring that responsibilities are effectively delegated and carried out. |
| 7.2 | Quality of management and corporate governance | The risks arising from the quality of the firm’s management, the nature of the firm’s corporate governance and its overall compliance culture. These risks include risks arising from management’s experience and integrity, fit with the business, and the operation of the executive body, non-executive directors and board committees. |
| 7.3 | Reporting lines and segregation | The risks arising from reporting lines between management and the board or other senior staff, and the appropriate segregation of duties between functions of a risk-taking nature and those of a risk-management nature. |
| 7.4 | Compliance function arrangements | The risks arising from the nature and effectiveness of the compliance function. These risks include risks arising from its mandate, structure, staffing, methodology, reporting lines and effectiveness. |
| 7.5 | Risk management function arrangements | The risks arising from the nature and effectiveness of the risk management function. These risks include risks arising from its mandate, structure, staffing, methodology, reporting lines and effectiveness. |
| 7.6 | Risk management systems | The risks arising from the nature and effectiveness of the systems and procedures to identify, measure, monitor and control the risks of the business in an appropriate and timely manner. These risks include credit risk, insurance underwriting risk, market risk, operational risk, legal risk and new product risk. |
| 7.7 | Internal audit function arrangements | The risks arising from the nature and effectiveness of the internal audit function. These risks include risks arising from its mandate, structure, staffing, methodology, reporting lines and effectiveness. |
| 7.8 | Complaints arrangements | The risks arising from the firm’s procedures to deal with the receipt of complaints and to consider complaints in order to rectify systemic issues. |
| 7.9 | Business continuity | The risks arising from the nature and effectiveness of business continuity arrangements. These risks include risks arising from the adequacy of the planning process, the quality of the business continuity plan and the testing process. |
| 7.10 | Outsourcing | The risks arising from the use of outsourcing. These risks include risks arising from the reliance on, and the controls over, the service provider. Authorised firms will need to be able to demonstrate that the systems and controls of service providers in relation to cybersecurity are at least as strong as the firm’s own controls. |
| 7.11 | Monitoring and audit | The risks arising from the nature and effectiveness of the internal audit function. These risks include risks arising from its mandate, structure, staffing, methodology and effectiveness. |
| 7.12 | Employees and training | The risks arising from human resources issues. These risks include risks arising from recruitment, training, remuneration, disciplinary procedures and resources. |
| 7.13 | Provision of information to management | The risks arising from the nature of management information. These risks include risks arising from its adequacy, accuracy, relevance and timeliness, and the effectiveness and efficiency of its distribution. |
| 7.14 | Data protection | The risks arising from the firm’s use of personal information. |
| 8 | Financial crime | |
| 8.1 | Anti-money laundering procedures | The risks arising from the nature and effectiveness of the money laundering controls. These risks include risks arising from the effectiveness of the MLRO, training, identification of clients, know your business, internal and external reporting arrangements and record keeping arrangements. |
| 8.2 | Prevention of market abuse and financial crime | The risks arising from the firm’s susceptibility to having market abuse carried out through it. These risks include risks arising from measures to prevent abusive, fraudulent or dishonest trading practices and cooperation in market enforcement matters. |
| 9 | Human and technical resources | |
| 9.1 | Approved individuals | The risks arising from the firm’s susceptibility to having market abuse conducted through it. These risks include risks arising from measures to prevent abusive, fraudulent or dishonest trading practices and cooperation in market enforcement matters. |
| 9.2 | IT systems and technical resources | The risks arising from the controls over the IT infrastructure. These risks include risks arising from the adequacy of resources, procedures for implementation and procurement, the effectiveness of the security framework, and consideration as to whether the IT infrastructure is an adequate platform on which to run the business. |
| 9.3 | Cybersecurity | The risk that the firm may not have the capacity to anticipate, detect and recover from cybersecurity attacks. |
| 10 | Environmental and social impact | |
| 10.1 | Impact of the firm’s operations | The risk that the firm’s operations may have a detrimental environmental or social effect. |
| 10.2 | Financial risk linked to climate change | The risk of financial loss arising from climate change, both physical risks (that is, those relating to specific weather events and shifts in climate) and transition risks (that is, the risks that may arise from the process of adjustment towards a lower-carbon economy). |

Derived from QFCRA RM/2020-4 (as from 1st July 2021)