The MFSA has published its Risk Culture and Risk Appetite Statements, reflecting its drive to position risk management at the heart of its strategy.
The Statements will result in better identification, evaluation, management and communication of the Authority’s risk approach. The Authority aims to foster a positive risk culture by putting in place an approach which takes into account both threats and opportunities, and appropriately identifies, assesses, communicates and manages risk across all levels.
The Risk Culture Statement sets the stage for the implementation of the MFSA’s risk culture change programme by defining the three main stages in which the process will take place. It will start by raising cultural awareness of risk management, responsibilities and accountability, which will involve establishing the basic expectations for managing risk and defining the roles and responsibilities of those dealing with risk.
This will be followed by developing and implementing practical strategies to achieve the desired risk management culture. This second stage will include the creation of motivational systems which reward correct risk behaviour and discourage wrong practice. The third stage will come about once entities have achieved many of the desired modifications to their risk culture. It will trigger a process of cultural refinement which will involve monitoring cultural performance and will require ongoing assessment of risk culture.
The Authority’s Risk Appetite Statement clearly sets the boundaries in terms of acceptable levels of risk in key areas of its supervisory activities in the financial services sector. The Statement lays out the regulator’s overall low risk appetite for supervisory risk, highlighting that the MFSA is willing to consider a certain degree of tolerance for uncertain outcomes, since this promotes innovation and helps achieve its overall vision and strategic objectives.
The Risk Appetite Statement also places risk appetite as a crucial part of the MFSA’s risk management framework, and defines what constitutes a low, moderate and high risk appetite. It goes on to describe the regulator’s attitude towards key risks, namely those posed by information technology, people and culture, external risk, and risk related to authorisation, supervision, operations, strategies, legal and compliance aspects and finance.
The Statement also specifies that all heads of functions within the Authority will be responsible for implementing and complying with the risk appetite attitudes established within it, and sets out requirements for risk assessments, reporting and monitoring.
The Authority plans to review and update its Risk Appetite Statement periodically as its Supervisory functions evolve. A Risk-Based Supervisory Methodology programme, which is licence-holder based and covers all sectors, is also currently being developed. This programme will eventually determine and set the risk tolerance levels for its Authorisations and Supervisory processes.