
Yuchen Test Client


Digital Regulation Updater: learnings for digital platforms from the FS sector regulator’s review of risk assessments

The UK financial services (FS) regulator, the FCA, has summarised findings from its recent review of risk assessment (‘RA’) practices across the financial services sector. The review highlights ‘good and poor’ practices that digital platforms can learn from to comply with RA duties in the technology sector, including those required by the UK’s Online Safety Act, the EU’s Digital Services Act and the EU AI Act.

Below are the key findings and takeaways for digital platforms. 

Understanding, identifying and assessing risks 

Conducting comprehensive and thorough RAs  

  • The best RAs incorporated both qualitative and quantitative assessment elements, combining robust numerical scoring mechanisms with in-depth insights. Qualitative insights help to contextualise risks in ways that quantitative data is unable to fully capture in isolation. The FCA also highlighted assessment of both internal and external risk factors as an element of good practice, demonstrating consideration of the external threat landscape alongside risks arising within the assessing organisation.  

  • The FCA further highlighted that some firms provided inadequate explanations of their methods for identifying and assessing risk. If RA methodologies are not well defined, risks may be assessed inconsistently. In some instances, firms also concluded ‘low risk’ in areas of their RAs without detailed evidence to support those findings.  

Key takeaway

Digital platforms can learn from the FCA’s highlighted good practices by incorporating both qualitative and quantitative data, clearly documenting their RA methodology (e.g., in a playbook) and building in mechanisms for validation and credible challenge of risk ratings, particularly low or negligible ratings, to ensure these are justified. The RA scoring rationale should be recorded and aligned to the specific regulator’s interpretation of those ratings. 

Dynamic risk profiles

  • Static risk profiles were highlighted by the regulator as another instance of poor practice. Risk profiles should be treated as living instruments that reflect the current state of the business and its environment. For digital platforms, this means continuously horizon-scanning to account for changes to products, regulations and external threats.  

Key takeaway

Digital platforms are already required (by the OSA and DSA) to update risk assessments where there is a significant change or critical impact. The FCA’s findings underscore the need for risk management to be dynamic. 

Decide measures and mitigate risks  

Taking an integrated approach to risk management  

  • In its examples of ‘good practice’, the FCA highlighted that risks should be considered throughout different business areas including product development, business strategy, growth and sales.  

Key takeaway 

For platforms, risk considerations should inform decision-making across all areas of the business. This requires both operational and cultural change. If product teams face multiple separate risk reviews under different domains (privacy, security, safety etc.), then commercially the speed to market is at risk. An efficient, streamlined and holistic approach to risk is key.  

Evolving RAs alongside business growth 

  • As an example of good practice, the FCA encourages businesses to consider the capacity of their compliance functions alongside growth plans, thereby ensuring consistency and continuing accuracy of RAs. Poor practice included rapid service expansion without scaling RAs or updating controls to ensure their ongoing effectiveness.  

Key takeaway

Digital platforms are required to resource their compliance functions adequately (see Art 41 DSA, for example). Based on the FCA’s approach, compliance functions can expect regulators to assess the size and capability of that function and, importantly, whether it is keeping pace with business growth. 

Managing risk (governance and oversight) 

Senior management oversight  

  • In its examples of poor practice, the FCA identified inadequate evidence of senior management discussion around risk assessments.  

Key takeaway

Digital platforms can learn from this by putting in place good governance that includes active engagement and oversight of RA processes from senior leadership and the board. Senior management should be equipped to accurately set the business’s risk position based on a comprehensive understanding of in-scope risks informed by detailed management information.   

Next steps and how Deloitte can help 

The FCA review offers a helpful perspective on RA good practices that digital platforms can learn from and that are likely to build improved credibility with regulators. This is particularly important given the connectivity between regulators in the digital sector and other sectors like FS. Continuous adoption of good practices is likely to lead to more collaborative, trust-based engagement from regulators. Conversely, poor practices may invite a more interventionist and directive approach, with communication focused on enforcing compliance and mitigating identified risks. Digital platforms can determine how to refine their RA methodologies to align with these good practices. 

Deloitte is supporting organisations to deliver robust approaches to RAs across multiple regulations and sectors. If you want to find out more about how our multi-disciplinary Digital Regulation team can support you, please reach out to a member of the team below.