Risk management

We consider risk to be the combination of impact (the potential harm that could be caused) and probability (the likelihood of the particular issue or event occurring).

In the FCA context, we combine these impact and probability factors to give us a measure of the overall risk posed to our statutory objectives. We then use this measure to prioritise risks and make decisions on what, if anything, our regulatory response should be. We also use it to set our strategic aims and outcomes and to allocate resources based on our regulatory priorities.

Risk for the FCA


IMPACT of the problem if it occurs


PROBABILITY of the problem occurring

In short, it is designed to:

  • identify the main risks to our objectives as they arise
  • measure the importance of the risk
  • mitigate risks, and
  • monitor the progress of the risk.

This helps us to plan how we should address those risks and allocate resources based on our regulatory priorities.

Risk identification

The first stage is to identify the risks to the statutory objectives. We do this through intelligence gathering from a wide variety of sources (e.g this can be through visits to firms as part of our supervision or enforcement action; information provided by firms' monitoring of regulatory returns and similar data; transaction monitoring; sector and environmental analysis; project work).

We regularly consult a wide range of stakeholders, including market participants and the Consumer and Practitioner Panels, and also use information supplied by the Financial Ombudsman Service on industry trends and problems revealed through complaints.

Risk measurement

The next stage is to measure the risks. This involves scoring the risk against several probability and impact factors. Both these are weighted as high, medium-high, medium-low or low. The probability factors relate to the likelihood of the event happening, and the impact factors indicate the scale and significance of the problem if it were to happen. Combining the probability and impact factors gives a measure of the overall risk posed to our objectives.

Risk mitigation

Our measure of the overall risk will be used to prioritise the risks, help make decisions on the regulatory response and, together with an assessment of the costs and benefits of using alternative regulatory tools, help us to determine resource allocation.

Risk monitoring and reporting

Risk management systems provide management with regular reports to give assurance that risks are being managed appropriately and that internal controls are adequate.