Firms are required under the Senior Management Arrangements, Systems and Controls (SYSC) manual of the Financial Conduct Authority Handbook to have in place robust governance arrangements and effective procedures which allow them to identify, manage, monitor and report the risks they are or might be exposed to.
Wren Investment Office Limited is authorised and regulated by the Financial Conduct Authority and this document sets out how the Firm complies with its obligations to identify, manage and mitigate risks.
This document will be reviewed regularly, at least once a year, and amended as considered necessary by the Firm’s Management Body in the event of changing circumstances or regulations.
The Management Body of the Firm are responsible for the Firm’s risk management governance structure and how the Firm’s risk exposure must be managed in line with the Firm’s overall business objectives and within its stated risk appetite. This includes the governance of the process for identifying, evaluating, managing and reporting the significant risks faced by the Firm.
The Management Body are ultimately responsible for ensuring that the Firm maintains sufficient capital and liquidity resources to meet its regulatory capital and liquidity requirements and to support its growth and strategic objectives. Risk management is embedded throughout the business, with the overall risk appetite and risk management strategy approved by the Management Body propagated down throughout the business as appropriate.
The Non-Executive Directors have broad business and commercial experience with independent and objective judgement and they can provide independent challenge to the Management Body. They are able to allocate sufficient time to meet the expectations of their role with the Firm.
The Firm has reviewed the number of directorships held by members of the Management Body and is satisfied that the arrangements are such that the Management Body is able to commit sufficient time and resources to perform its obligations in the Firm. The number of directorships held is monitored on an ongoing basis.
The Capital Requirements Directive (‘CRD’) of the European Union created a regulatory capital framework across Europe governing how much capital financial services firms must retain. The rules are set out in the CRD under three pillars:
The rules in the FCA Prudential Sourcebook for BIPRU set out the requirements for a Pillar 3 disclosure. This document is designed to meet the Firm’s Pillar 3 Disclosure obligations.
The Firm’s activities primarily involve providing wealth management services to UHNWI and family members. This involves offering both advisory and discretionary investment advice to a number of very wealthy families and endowments. The Firm’s customers are categorised as Retail Clients and Professional Clients. The Firm is classified as a BIPRU Firm as it carries out the activity of portfolio management and investment advice but does not provide safekeeping and administration of financial instruments.
The Firm’s overall approach to assessing the adequacy of its internal capital is documented in the Internal Capital Adequacy Assessment Process (“ICAAP”).
The ICAAP process includes an assessment of all material risks faced by the Firm and the controls in place to identify, manage and mitigate these risks. The risks identified are stress-tested against various scenarios to determine the level of capital that needs to be held.
Where risks can be mitigated by capital, the Firm has adopted the CRD requirements for Pillar 1. Where the Management Body considers that the Pillar 1 calculations do not adequately reflect the risk, additional capital is added on in Pillar 2.
Whilst the ICAAP is formally reviewed by the Management Body once a year, Senior Management review risks and the required capital more frequently and will particularly do so when there is a planned change impacting risks and capital or when changes are expected in the business environment potentially impacting the ability to generate income.
A BIPRU Firm must always maintain capital resources equal to or in excess of the base requirement (€50,000). The Pillar 1 capital requirement for a BIPRU Firm is the higher of:
The Firm has no innovative Tier 1 capital instruments or deductions.
The Firm must always maintain capital resources equal to or in excess of the Pillar 1 requirement. During the 12-month accounting period to 31 December 2020, the Company complied fully with all capital requirements and operated well within regulatory requirements. At the accounting reference date, the Firm held the following capital position:
|Eligible Capital Resources||Dec 20|
|Tier 1 Capital|
|Total Tier 1 Capital||380,580|
|Deductions from Tier 1 Capital|
|Eligible capital resources (Tier 1)||380,580|
|Additional Tier 1|
|Other Tier 1 capital||0|
|Total Tier 1 capital||380,580|
|Total own funds||380,580|
The Firm’s base capital requirement is €50,000 (equivalent to £44,695).
The Firm’s Fixed Overhead Requirement (FOR) as at 31st December 2020 was £296,237, which meant there was surplus capital of £84,253 over the minimum requirement.
The Management Body are therefore comfortable that the Firm is, and has been throughout the financial year, adequately capitalised for Pillar 1 purposes. As at 31st December 2020, the Firm held £417,750 in cash and cash equivalents. The Management Body are comfortable that this will ensure prudent capitalisation and cover for market downturns and other risks that may materialise in the short to medium term.
The Management Body constantly monitors the performance of the Firm and capital adequacy is regularly assessed by them. The Firm will also monitor risks throughout the year and decide if additional capital should be held against them. Additional risks that supplement the Pillar 1 requirements are detailed below and, where necessary, additional capital will be provided.
The Firm uses the standardised approach for computing Credit and Market Risk. Consequently, the capital requirement is computed as 8% of the total risk weighted exposure amounts. The Firm had no market risk exposures as of 31 December 2020. Credit risk exposures are as summarised in the table below:
|All figures in £’s||Exposure Value||Risk weight||Risk weighted exposure Amount||Capital requirement (@ 8%)|
|Cash at Bank||417,750||20%||83,550||6,684|
The Firm has identified the following core risk categories: investment, reputational, liquidity, operational, legal, compliance & AML, business – strategic and fraud & security.
The Firm’s profile of these risks is continually evolving and is generally driven by:
The Firm will seek to generate positive returns through carefully considered risk taking and robust risk management. As such the effective management and control of both the upside of risk taking and its potential downside is a fundamental core competency of the Firm.
The Management Body are responsible for setting the Firm’s risk appetite, defining the type and level of risk that the Firm is willing to accept in pursuit of its business objectives.
The Firm’s governance structure is designed such that the business is the first line of defence, the compliance function is the second line of defence with the Management Body representing the third line of defence.
|First Line of Defence|
|Strategies and goals||Firm Values||Risk Appetites|
|Identification, control and management of risks. Operating requirements: roles and responsibilities, supervision, procedures, systems and controls|
|Identifying Risks Faced||Identifying Risks Taken|
|Control and Management of Risks|
|Second Line of Defence: compliance and independent oversight of business|
|Risk Management Framework|
|Policies and Procedures, Guidance and Training|
|Third Line of Defence|
|Full accountability for the management of risks|
The Management Body are responsible for approving the Risk Assessment Framework, which is used to ensure that the Firm has a comprehensive understanding of its risk profile, including both existing and emerging risks facing the Firm, and to enable it to assess the adequacy of its risk management in the context of the Firm’s risk appetite.
|The risk of loss resulting from damages to a Firm’s reputation, in lost revenue; increased operation, capital or regulatory costs; or destruction of shareholder value, consequent to an adverse or potentially criminal event even if the company is not found guilty. Adverse events typically associated with reputational risk include ethics, safety, security, sustainability, quality and innovation.||The Firm will have systems and controls in place to prevent such risks occurring. Steps will be taken to prevent such risks from increasing the Firm’s costs.||The biggest threat to reputation is seen to be a failure to comply with regulatory or legal obligations and failure to deliver minimum standards of service and product quality to customers.
When assessing reputational risk the Firm considers issues such as:
The Firm addresses these risks by:
Reputational risk can also be affected by Business Risk which is the exposure of the Firm’s business caused by uncertainty in the macroeconomic environment with specific consideration of earnings volatility and cost overruns in severely adverse conditions.
|The risk that arises from poor performance on the portfolios managed by the Firm and the investment advice given.||The Firm has no appetite for poor performance and advice||Poor investment performance on the portfolios the Firm manages and advises on could result in a reduction in the fees that the Firm earns. This is a fundamental risk to the Firm’s business which is actively managed by:
As an investment manager and advisory firm, the Firm also suffers from the risk of failing to comply fully with the terms of its mandates. In the event of such a failure, a firm can be exposed to substantial losses resulting from customers’ claims and legal actions. The Firm takes this risk very seriously and constructs the mandates in such a way that it is clear what constitutes risk beyond the control of the Firm.
|Business – Strategic Risk|
|Risk that a change in laws and regulations will materially impact a security, business, sector or market. A change in laws or regulations made by the government or a regulatory body can increase the costs of operating a business, reduce the attractiveness of investment and/or change the competitive landscape. Regulatory risks can also arise from breaches of regulations caused by operational or financial risks.||The Firm will remain competitive by identifying opportunities and assessing the risks, rewards and costs associated with them before proceeding||Business Risk is the exposure of the Firm’s business to risk caused by uncertainty in the macroeconomic environment, with specific consideration of earning volatility and cost overruns in severely adverse conditions, particularly in the start-up phase. Business Risk is managed with a mid-term focus and is assisted by careful development of business plans, appropriate management oversight and an embedded corporate governance framework. Strategic Risk can be a manifestation of business risk as it is any diversion away from the business plan/risk appetite statement due to changes in the environment or because management is unable to deliver the strategy as intended.
The risk also incorporates the business risk that the Firm faces. Business risk for the Firm is represented by the risk that the financial projections might not be fully representative of the actual business attained once FCA authorisation has been granted and therefore, it has been considered as part of start-up risk.
In a serious downturn the Firm could be at risk of posting an annual loss arising largely from a reduction of revenue/commission income. This risk cannot be further mitigated by holding additional capital, since the problem would arise in the Profit & Loss account, rather than the balance sheet. The directors of the Firm have undertaken to:
Identify early warning indicators that would allow the Board to withdraw from riskier markets well ahead of a downturn, before the level of business already written became a serious problem.
It is possible that such an approach may cause the Firm’s strategy to become uncompetitive: if so, the business strategy will be reviewed rather than the risk appetite increased.
|The risk that the Firm does not have sufficient liquid resources or is unable to deploy such resources to meet its actual or potential obligations in a timely manner as they fall due||The Firm will have sufficient and accessible financial resources as to meet any financial obligations as they fall due||Even though the Firm considers Liquidity Risk is highly unlikely to affect its business, the risk can be managed by:
The risk is managed principally by holding cash and other easily realisable liquid assets. Backwards cash flow is monitored via the accounting software used (Xero). The CEO monitors forward looking cash flow. The management team review financials monthly and assess variances to the budget.
As a result of the simple business model, the Firm takes very little risk from a capital adequacy perspective and does not hold any exposure to the underlying market in any way.
Liquidity Risk could however arise where the income and revenue streams are either lost completely or are severely reduced. Revenue could be reduced or stopped for a number of reasons. These include but are not limited to, a marked downturn in the market for a prolonged period or a continued period of recession.
Exposure to Liquidity Risk is increased where the Firm experiences a reduction in, or erosion of, revenue, because the Firm would still be required to service its fixed overheads. These would take the form of the rent for the premises and directors’ and employees’ salaries.
With regards to salaries, the directors will not increase their revenue in circumstances that would mean the Firm is exposed to financial difficulties. In extreme circumstances the directors may defer the payment of any income to themselves.
|The risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events||The Firm will actively identify and manage the risk of its people, processes or systems failing. Operational risk is inherent in any business, however, the Firm will take steps to prevent such risks from increasing operating costs||Operational risk is defined as the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems, or from external parties. Specifically, this includes: employees (e.g. fraud or key man dependencies), third-party intermediaries, information technology (systems), and processes including failure to meet regulatory/legislative requirements or internal procedures.
The Firm’s approach to mitigating operational risk is as follows:
This risk is continuously monitored by the directors and Management Team to ensure adequate systems and controls are in place.
|Business Continuity Risk|
|The risk that the business will not be able to operate should the Firm encounter a disaster.||The Firm will ensure mitigation measures are in place to reduce this risk.||The Firm has a business continuity plan that will be tested annually. The directors are satisfied that the plan will allow the Firm to continue to function under a wide range of disaster scenarios. The business model can continue to operate from any location, provided there is secure internet access.|
|Interest Rate Risk|
|The risk that interest rates and/or their implied volatility will change.||The Firm will continue to ensure it generates the majority of income from advisory services, therefore reducing the risks associated with changes in interest rates.||Interest rate risks may arise from a number of sources, including the possibility that rate changes will affect future profitability or the fair value of financial instruments.
Based on its activities, the Firm is not exposed to interest rate risk in real terms as it is not carrying any significant assets or liabilities. Changes to any assets and liabilities held would not impact the Firm’s financial position. Keeping this in view, no additional capital allocation has been made by the directors to cover a major change in interest rates.
|The risk which can arise from uneven distribution of exposures to particular sectors, regions, industries or products.||Due to the nature of the business, the Firm has a small number of clients; concentration risk is therefore inevitable, but funding is in place to mitigate this risk.||The Firm’s main concentration risk is the fact that it depends on revenue from a small number of clients, which could impact the business if clients terminate their agreements, leading to a loss of profitability and a possible requirement to cut costs.
At this point, the directors have decided that it is not necessary to hold additional capital against this risk.
|Legal, Compliance & AML Risk|
|The risk arising from defective transactions, failing to take appropriate measures to protect assets, changes in regulations and law and claims resulting in a liability or loss to the Firm.||The Firm will appoint external legal and compliance advisors; however, the Firm does not intend to have any appetite for legal, compliance or AML breaches||As an investment focussed business, the Firm is required to comply with different legislation, non-compliance with which may expose the Firm to redress in the form of fines, penalties or litigation. Management is fully aware of such risk and has set out documented controls and procedures in the form of a Compliance Manual, a Compliance Monitoring Programme, AML training (which will be refreshed annually) and the appointment of external compliance consultants to perform compliance reviews. All members of the management team are involved in client on-boarding to help to identify any potential issues. AML and KYC checks are carried out as part of the on-boarding process and regular client meetings are held to identify key changes over the client life cycle.
The Firm have engaged Farrer & Co to provide legal advice. Legal contracts are reviewed by the senior management team and if deemed necessary will be sent to an external law firm for review and comment.
The Firm maintains a log of contractual undertakings, NDAs and Third-Party Relationships.
The Firm has Professional Indemnity Insurance and Directors & Officers Insurance in place.
In the view of management, such procedures are adequate and accordingly no capital has been set aside for this risk component. However, as the business grows, management will continuously review this risk to assess the need for additional capital.
|Fraud & Security Risk|
|The risk that the Firm fails to prevent its involvement in or use by other parties to commit fraud.||The Firm has no appetite for any breaches or lapses occurring that result in fraud taking place||Fraud involving the Firm’s clients could cause reputational damage and possible financial loss to the Firm and its clients. This is managed by ensuring a signed client instruction or authority is kept on file for all third-party payments. Payments to an account in the client’s own name are permitted, providing the client has confirmed their bank details in writing. Payments can be instructed over the phone, by fax, letter or email in line with written authorities provided by the client. If an unexpected request is received, the Firm will query the request with the client. Where necessary, signatures are checked back to the client agreements.
To manage the threat of fraud occurring within Wren, transfers out of the Firm’s bank account require dual authorisation in line with the limits set out in the Articles of Association and authorised signatory list. Cash flow reports are submitted to the Board on a monthly basis covering P&L and cash movements.
Office security is controlled by access cards and a PIN outside of normal office hours. During office hours, the reception is manned and access to the elevators and stairs is restricted to card holders. Cameras cover shared areas in the building. The Firm’s office door has its own lock which can only be opened with access cards. Client files are kept in a secure cabinet and a clear desk policy operates when the office is empty. PCs are set to auto-lock after 10 minutes of inactivity.
Company data is held in the Cloud so there are no physical servers on site. Office 365 logins are password protected and multi-factor authentication is active for full users. Confidential data is only available to authorised personnel. Internet security policies are in place to protect data. Mobile phones with access to company data are only accessed with a PIN or fingerprint scan.
The Firm has a Cyber Security Policy and a Security Protocols Policy, which must be read by all employees. If an employee believes their data has been compromised, they must change their passwords and inform the management team. Operating system updates are installed automatically, as are virus and malware updates. All PCs are scanned daily.
The Firm’s Remuneration Policy complies with the Remuneration Code in relation to the size, nature, scope and complexity of its activities.
The Policy is aligned to the Firm’s business strategy, objectives, values and long-term interests in respect of performance and effective risk management in line with the Firm’s risk appetite.
A copy of the Remuneration Policy is available via the Firm’s website and sets out how the Firm complies with the Remuneration Code.
Total remuneration paid out to members of staff whose actions have a material impact on the risk profile of the Firm is as follows:
|Categories||Number of employees||Basic Pay (£)||Variable pay (£)|
|All other staff||3||50,000||0|
Any breaches of the BIPRU rules will be recorded on the Firm’s breach log in conjunction with its Regulatory Breach procedure.