ARROW II
Brief Overview
By Kyra Paraschaki, Associate Institutional Business Policy Division FSA
‘ARROW’ stands for Advanced Risk-Responsive Operating frameWork and is the framework used by the FSA to assess risks against its statutory objectives. We remind the reader that the FSA’s statutory objectives are: market confidence, public awareness, consumer protection, reduction of financial crime and that these objectives are supported by the Principles of Good Regulation.
ARROW prescribes processes to identify and measure the risks to the FSA's objectives in individual firms or a group of firms, in the market or in an entire sector. Risks related to firms are dealt with under ARROW firms and risks related to sectors are dealt under ARROW-themes, which is horizontal, across a number of firms belonging in the same sector.
The new ARROW II (2006) revised communication methods, thematic work, allocation of resources in proportion to the risks and capital assessments. The ARROW framework is most closely associated with the assessment of risk in regulated firms and the remainder of this article will focus on that part of the work.
The FSA has identified seven main channels by which firms can pose a threat to the FSA achieving its objectives: financial failure, misconduct or mismanagement, consumer understanding, market quality (deterioration in a market’s functions and therefore risk to market confidence and consumer protection), fraud or dishonesty, market abuse and money laundering.
Determining Impact
There are three types of ARROW assessments and each one of them requires different levels of resources: Full ARROW, ARROW Light and ARROW Small Firms.
In the population of the FSA regulated firms 0.33% are high impact and they represent two thirds of the total regulatory impact. These firms receive a full ARROW assessment and close and continuous monitoring. Below them are 2% of the population which are medium-high impact. They receive a full ARROW assessment. The next 3% of the total population of the regulated firms are medium-low impact and are more likely to be assessed in a lighter mode, called ARROW Light. This is a reduced scope risk assessment. The remaining 95% comprises mostly of small businesses - typically advisory firms. Should a regulatory risk occur the impact will be low. For these firms an ARROW Small Firms approach would normally be used which consists of remote monitoring, using information from other sources such as the FOS and thematic risk review.
Determining Probability
The main tools for an ARROW assessment include the firm’s returns and the information exchanges throughout its relations with its supervisor, the firm’s past assessments, the risk profile of the sector it belongs to and the onsite visit reviewing relevant aspects of the firm’s business. For those firms under full ARROW the visit lasts about a week or more, while the ARROW light visit would normally last one or two days and would mainly focus on sector risks.
The ARROW assessment for firms uses as a tool a risk matrix consisting of 10 risk groups:
• environmental risk;
• customers, products and markets;
• business processes;
• prudential (the business model of the firm)
• customer, product and market controls;
• financial and operating controls;
• prudential risk controls (the controls of the firm)
• control functions;
• management, governance and culture;
• excess capital and liquidity (other mitigants)
The ARROW risk model has both horizontal and vertical dimensions. Horizontally, risks are separated into three categories, represented by the three rows in the matrix:
• risks associated with the firm's direct interactions with retail customers and market counterparties – this may be broadly characterised as the firm's "front office";
• risks associated with the firm's internal processes; and
• prudential risks relating to the financial soundness of the firm.
Vertically, the risk groups fall into four categories:
• Business Risks – defining the inherent or gross risks within the firm;
• Controls – the primary risk controls of the firm which should directly reduce the inherent risk of the firm;
• Oversight and Governance – defining the secondary and pervasive controls in the firm; and
• Other mitigants – the amount of excess capital and liquidity that can be used to absorb prudential risks.
The supervisors, based on their knowledge on the firm and/or the sector, will assign a level of risk to each of the 10 groups. Each of the 10 groups above is split further into its respective risk elements. For example, ‘business processes’ is further broken down into: litigation/legal; people; IT systems; structure and ownership; other business processes. Some of the risk elements under ‘financial and operating controls’ are: financial controls; IT security; policies, procedures and controls; human resources controls; business continuity planning. And ‘control functions’ are split to: compliance monitoring and guidance; internal audit; enterprise-wide risk management. The split of groups into elements clarifies the areas contained in each group and enables supervisors to direct and focus their assessment work when gathering information.
Full Arrow and Arrow Light visit – the basics
The assessors will structure the stages of the assessment for Full Arrow and Arrow Light and will tailor it to the profile of the firm or the group. The starting point for an ARROW Firm assessment is for supervisors to identify risks through different sources and information such as firms’ returns, any supervisory contact and complaints records, as well as wider data, mainly industry trends.
A key part of the assessment is the visit to the firm. Obtaining information prior, during and after the visit is vital: supervisors will write to the firm asking for documents, including financials, compliance reports, organisational structure and board papers and strategy documents. During the visit, the assessors will interview key individuals whose work is related to one or more of the 10 risk groups; for example, an interview with the Head of HR could fall under the review of ‘Customers, Products and Markets Controls’, ‘Business Processes’ and ‘Financial and Operating Controls’. An interview with the Head of Internal Audit would fall under the review of ‘Customers, Products and Markets Controls,’ Financial and Operating Controls’, ‘Prudential Risk Controls’ and ‘Control Functions’.
After the visit and within ten weeks (or six weeks for ARROW Light), firms will receive in the form of a draft letter the results of the assessment which will be finalised after having received the response and feedback by the firm. The letter will also include the Risk Mitigation Programme containing the issues identified, the actions to achieve the required outcomes and the timetable for the action. ARROW requires the firms’ active involvement especially in the final stage during which the senior management firm would have to come up with outcome-focused solutions to mitigate risks.
The assessors' work is subject to validation by senior and independent members of staff - a committee for higher impact firms.
Senior management responsibility
The assessment places a strong emphasis on the role and responsibility of senior management in setting and monitoring a controls and governance culture. The assessors will form an understanding of the controls culture of the firm and the way its senior management fosters it, based on interviews during the visit and other material, such as board minutes, policies and procedures and communication documents. In the area of governance for example, the assessors would want to find out how the board performs its role, and how its decisions are communicated, understood and implemented by staff. An example of this in practice is how the exceptions in the findings of internal reviews are reported to the board and what actions are taken as a result.
Useful documents:
The FSA’s risk-assessment framework, August 2006. You can find this document here:
http://www.fsa.gov.uk/pubs/policy/bnr_firm-framework.pdf
There is also a guide written specifically for non-executive directors. You can find this document here:
http://www.fsa.gov.uk/pubs/other/arrowguide.pdf
General ARROW letter sent to firms. You can find this here:
http://www.fsa.gov.uk/pubs/other/letter_changes.pdf
December, 2007
| 
