Risk Management transformation within the MFSA
JUNE 26, 2020

The MFSA recognises that it is imperative to monitor and mitigate risks. During 2019, the MFSA continued to focus on enhancing its resource capabilities to maintain residual supervisory and operational risks at acceptable levels. The MFSA’s Risk Management function was established as a separate function within the Authority, reporting directly to the Risk Committee, an independent committee of the Board of Governors.

The first step undertaken towards the transformation process was the establishment of a Risk Management Framework, developed as a practical model in alignment with the MFSA’s strategies and priorities.

The three lines of defence concept is the basis for promoting clear accountability for risk taking, oversight and independent assurance within the MFSA.

The first line of defence within the MFSA is provided by the business, support and operational functions, such as Supervision, Technology, Data Management and People & Culture. They “own” the risks associated with their activities and are responsible for assessing risks and taking action to address them. At the MFSA, we have appointed Risk officers within each of these functions to act as the central point of contact for all related risk subjects and to assist in the promotion and awareness of the Authority’s risk culture.

Our Risk Management Function is responsible for the MFSA’s internal risk analysis and mitigation. It acts as the second line of defence and is responsible for keeping the risk control framework of the authority under review whilst providing strategic input and direction regarding the authority’s risk appetite. The team is also responsible for the organisation and development of work processes for the identification, management and reporting of risk within the authority.

Internal audit provides the third level of defence. This function provides a level of independent assurance that the risk management and internal control framework is working as designed.

During its first year in operation, the MFSA’s Risk Management Function carried out the following activities:

  • Identified and assessed known risks and emerging issues.
  • Developed the MFSA’s Risk Appetite Statement, which documents the most significant risks to which the authority is exposed and provides an outline of the approach to managing these risks.
  • Drafted the MFSA’s Risk Culture Statement, which describes the set of shared attitudes, values and behaviours that characterise how the authority and its staff consider risk in their day-to-day activities.
  • Provided guidance on risk management processes.
  • Assisted in strengthening the supervisory risk-based approach by carrying out a sectoral risk analysis that identified licensable sectors that expose the MFSA to the highest risk.

The Risk Management team also worked towards enhancing and strengthening the risk methodology and models underpinning the authority’s supervisory activity. The Risk-Based Supervision document, which has been recently published, outlines the work conducted in this regard. It clarifies how the authority’s supervisory risk models have been enhanced to incorporate financial crime risks into the risk assessment processes, and how these risks are now positioned at the heart of it.

Adopting a risk-based supervisory approach enables the MFSA to better allocate its resources, supervisory plans and procedures based on the unique risk profile of each firm under its supervision.