We are enhancing our approach to risk-based supervision so that we allocate our resources to areas or firms which are higher risk.
We do not seek to eliminate risk completely, but to make the best use of our limited resources to proactively reduce risk to an acceptable level.
We also take an explicitly non-zero failure approach to regulation, meaning we do not seek to prevent every harm from occurring, choosing instead to allow greater flexibility for firms to operate freely and in the best economic interests of Jersey, as long as risks remain within tolerable levels.
In the course of letting firms operate freely, risks will crystallise that fall both within and outside our tolerance. When they occur, our focus will be recovery, prevention of repetition and action in respect of any regulatory breach.
Risks to what?
Any risk we identify in the financial services sector, or in the way we carry out our business, must be something that has the potential to impact on the Guiding Principles set out in the Financial Services Commission (Jersey) Law 1998.
The risks we identify will be embedded at the heart of our risk-based methodology for supervision, and all our activities and reporting will be aligned to those risks.
Categories of risk
These are risks caused by the strategy, business model and structure of a regulated business and are an inherent factor in the overall level of risk a firm may pose. Inherent risks are usually a result of the firm’s legitimate choices rather than a regulatory breach.
Example: A regulated business with a business model focused on higher risk jurisdictions will have a higher inherent risk than one that doesn't.
These are the risks that relate to a firm's operations and arise from its people, policies, processes and systems. Although they can be a regulatory breach, causal risks are not always associated with any harm that can impact on the Guiding Principles.
Example: a firm may be in financial distress for some time, without any direct harm to its customers, and may eventually trade its way out of difficulty.
These are the risks that have a direct and negative impact, causing harm. They are the result of an individual or set of actions or omissions on the part of a firm, and will always impact on the Guiding Principles.
Example: a firm loses or inadvertently discloses client data, which could cause financial loss or reputational damage to the customer and firm, and also damage the reputation of Jersey.
How we will assess these risks
We assess risk by the combination of impact (the potential harm that could be caused) and probability (the likelihood of a particular risk occurring).
In our risk-based approach, impact and probability are combined to give a measure of the overall risk posed to our Guiding Principles. We then compare this assessment to our appetite for risk to prioritise and select the appropriate response.
We typically consider risk at an individual, entity and thematic level. In some cases, risks may already have occurred, meaning that we actually assess and respond to the consequences rather than the potential harm posed by a risk.
A key advantage to taking a risk-based approach is that it enables us to become much more proactive, identifying and tackling risks before they occur, rather than acting retrospectively once harm has arisen.
Consistent assessment, across the broad spectrum of risks that we monitor, is essential to ensure that our action is targeted proportionately at controlling the risks that we will not tolerate.