The FCA is redefining what “good” looks like
Across the FCA’s recent publications, from financial crime reviews to consumer duty supervision, operational resilience assessments, and market‑wide thematic work, a consistent message has been delivered.
Firms must demonstrate evidence‑based and dynamic risk management.
This is the principle behind the FCA’s regulatory priorities. The FCA’s expectations converge on the same theme: that firms must understand their risks, manage them proactively, and evidence their decisions.
In this article, we will explore what the FCA’s risk management expectations are for financial services firms operating in the modern era.
Financial Crime
Weak risk management drives most financial crime failings.
The FCA’s multi‑firm reviews of Business‑Wide Risk Assessments (BWRAs), Customer Risk Assessments (CRAs), and CDD/EDD frameworks repeatedly highlight the same issues:
- Risk assessments are generic and not tailored
- Firms cannot explain how risks translate into controls or monitoring
- Data is under‑used, leading to subjective or inconsistent risk ratings
- Governance is underperforming, with limited challenge from senior management
Simply having a policy is not what ‘good’ looks like. Firms need to be able to show a clear link between risks and controls, and why controls are appropriate for each risk.
Consumer Duty
Firms must identify and mitigate risks to consumer harm.
Under the Consumer Duty, the FCA expects firms to:
- Understand the drivers of poor outcomes
- Identify vulnerable customer risks
- Use data to monitor and mitigate emerging harms
- Evidence how risks are escalated and addressed
Consumer Duty is not a tick-box exercise; firms must be able to show, with evidence, how they are operating in line with the duty.
Operational Resilience
Resilience is about understanding and managing impact, not just preventing incidents.
The FCA’s operational resilience framework is built on risk management principles:
- Identify important business services
- Map dependencies and vulnerabilities to those important business services
- Set impact tolerances and test the ability to remain within them
With cyber threats ever increasing, the FCA’s operational resilience priorities centre on ensuring that firms can prevent, adapt to, and respond to threats and, importantly, can also recover from and learn from disruption in a way that protects consumers and market integrity.
Governance and Culture
Boards must understand risks, challenge management and make informed decisions.
Across its governance reviews, the FCA has emphasised:
- Boards must have clear sight of risks, not filtered summaries
- Senior managers must be able to explain their risk decisions
- Risk appetite must be meaningful, measurable, and monitored
- Culture must support speaking up and challenging assumptions
The FCA is increasingly sceptical of firms where risk management is siloed. The expectation is that risk is embedded into strategy, product design, and customer decision‑making. Senior management should ensure that the business understands the inherent risk its activities create, the controls required, and the residual risk that remains.
Technology, Data, and Innovation
Innovation is welcome, but only with strong risk controls.
As firms adopt AI or any other technology, the FCA’s expectations are clear:
- Understand the risks of new technologies
- Ensure model governance and explainability
- Maintain data quality and lineage
- Monitor for impacts, including unintended outcomes
The FCA is supportive of innovation, but only when firms can demonstrate robust risk assessment and ongoing monitoring. The recent announcement from the FCA in relation to AI has confirmed that it will not introduce bespoke AI regulations, and it has emphasised that existing regulatory frameworks already govern the use of AI in UK financial services.
Risk Management as the foundation
Whether the issue is financial crime, consumer outcomes, resilience, governance, or innovation, the FCA expects firms to demonstrate:
- Clear understanding of risks
- Tailored, data‑driven assessments
- Strong governance and challenge
- Evidence‑based decision‑making
- Continuous monitoring and improvement
Firms that embrace this approach will not only meet regulatory expectations but will also build stronger, safer, and more resilient businesses. Those who treat risk management as a compliance formality will find themselves increasingly exposed.
Action firms should take
Senior Management of firms should be reviewing their risk management framework and paying attention to three key areas:
1. Can the firm evidence its workings?
   - Risk identification, assessments, controls and mitigants, and monitoring
   - Failures identified in controls
   - Actions taken to remedy them
   - Evolution of the risks, control environment, and assessments
   - The governance and oversight
2. Is risk management embedded across the business in:
   - Product governance
   - Customer journeys
   - Financial crime controls
   - Operational resilience
   - Board reporting
3. For the areas they are responsible for:
   - Are risks in those areas fully understood?
   - What steps have been taken to ensure they are the right risks for the business?
   - Are assumptions being challenged or accepted at face value?
   - Are decisions documented fully, and are any challenges addressed?
   - Is oversight documented fully?
Ocorian supports firms across the entire risk lifecycle, from risk identification and control design to oversight and assurance. We help firms demonstrate that frameworks operate effectively in their businesses.
To discuss whether your current approach aligns with evolving regulatory expectations, contact our team.