Risk Management Policy Template

£79.00

PRIN 3 requires firms to take reasonable care to organise and control their affairs with adequate risk management systems. What most FCA-regulated firms have is a list of risks somewhere and a vague understanding of who's responsible for them. What the FCA expects is a documented, operational framework — one that defines risk appetite, categorises risk systematically, applies a consistent scoring methodology, assigns ownership, and feeds into Board reporting through a structured three-lines-of-defence model. The gap between those two things is where supervisory findings are generated. A risk register without a risk management framework is just a list.

What's included:

  • Full regulatory mapping: PRIN 3 & 11, SYSC, COBS, CONC, ICOBS, UK GDPR/DPA 2018/PECR, MLRs 2017, PSR 2017, Consumer Rights Act 2015, and FSMA 2000

  • Six-category risk taxonomy: Financial, Operational, Regulatory, Reputational, Legal, and Ethical — with definitions and examples across each

  • Five-point probability/impact scoring matrix: Rare through Almost Certain × Negligible through Catastrophic — with prioritisation thresholds: Critical (immediate), High (30 days), Medium (90 days), and Low (quarterly)

  • Three-lines-of-defence model: First Line (operational management), Second Line (risk and compliance), Third Line (internal audit) — with proportionate arrangements for smaller firms

  • Multi-layer monitoring: real-time operational, daily dashboards, weekly KRI trend analysis, monthly comprehensive, and quarterly strategic review

  • Three-level escalation framework: Level 1 (24-hour departmental), Level 2 (4-hour senior management), and Level 3 (immediate Board and regulatory consideration)

  • Four-tier reporting hierarchy: Operational daily, Management monthly, Board quarterly, and Regulatory as required

  • + much more

Who is this for?

Chief Risk Officers, Chief Compliance Officers, SMF holders, Board governance teams, and risk function personnel at FCA-regulated firms across all sectors who need a complete, board-approved Risk Management Policy that satisfies SYSC requirements and operates as a genuine management framework — not a shelf document.

How it works

  • Step 1 — Read it. Every section exists for a reason, grounded in a specific regulatory obligation.

  • Step 2 — Understand it. Map the content against your current practices. Identify where you're strong and where gaps exist.

  • Step 3 — Make it yours. Tailor the language to reflect how your organisation actually operates. A policy that sounds like your firm is a policy your people will follow.

  • Step 4 — Take ownership. Assign clear accountability — Board approval, named SMF holder, designated policy owner. A policy without an owner is a liability, not an asset.

  • Step 5 — Operationalise it. Embed the policy into your governance calendar, training programme, and annual review cycle. This is where compliance becomes culture.

Or, get this free with RegTechPRO

Access this alongside the full compliance policy library — SM&CR, COBS, AML, Consumer Duty, GDPR, and more — for a fraction of the cost of consultancy.

View RegTechPRO pricing and packages →
