Skip to main content
main content, press tab to continue

ICCAP to ICARA – The impact on investment firms – October 2021

Global FINEX – Operational Risk Solutions

By Mark Hannam | October 22, 2021

This article reflects on some of the key components of the incoming Investment Firms PrudentialRegime (IFPR), specifically the Internal Capital and Risk Assessment (ICARA).
Financial, Executive and Professional Risks (FINEX)|Work Transformation

This article reflects on some of the key components of the incoming Investment Firms Prudential Regime (IFPR), specifically the Internal Capital and Risk Assessment (ICARA), and proposes the new regulations present an opportunity for Investment Firms to reassess their approach to risk management.

The IFPR, due to be implemented in January 20221, will have wide-reaching implications for many investment firms, although firms classified as ‘small and non-interconnected investment firms’ (SNIs) and ‘non-SNI’s’ will have some differing rules applied. The focus of this article is non-SNIs. Central to the regulation is the replacement of the Internal Capital Adequacy Assessment Process (ICAAP) with the ICARA2, with heighted focus on risk framework and governance procedures.

The incoming regulation presents an opportunity for non-SNI’s to evaluate current ICAAP processes to understand what action is required to conform to the ICARA, whilst further assessing areas for improvement. A risk framework that accurately reflects a firm’s risk profile places a firm in a better position to manage and reduce exposures. Within this article we suggest firms consider the following actions:

  • Contemplate the harm risk events could cause beyond the firm and establish appropriate governance.
  • Go ‘back to basics’ in considering appropriate mitigants and controls, following the ‘accept, avoid, reduce, transfer’ methodology and document the measure chosen for principal risks.
  • Perform a thorough evaluation of the firm’s risk appetite, assessing the level of risk prepared to be accepted, with a regular monitoring of changes.
  • Utilise a variety of data sources, supplementing internal data with external data to ensure thorough consideration of the evolving risk landscape.

Capturing the changing risk landscape

Businesses do not operate in silo and whilst it is important to consider direct impacts to the firm’s own operations, consideration should also be given to the impact on clients and the wider system in which the firm operates. To address this the IFPR has introduced a new capital requirement, the K-factor approach (KFR) for non-SNIs, where impacts of risks are broken down into three core categories; Risk to Client (RtC), Risk to Market (RtM) and Risk to Firm (RtF).

Considering the linkage between clients, the market and the firm, firms need to take a systematic approach to risk management, understanding how their activities are both impacted by, and impact, wider market environmental, social and governance factors.

Once risks have been identified, firms should sufficiently contemplate the range of harms that certain events could cause and clearly document the relevant controls for each. For instance, if a firm were to experience a data breach event in which customer’s accounts details were subject to unauthorised access, whilst there is a financial impact to the firm to rectify compromised security systems and potential client compensation, harm to clients could moreover be caused through confidential information leakage.

Through taking a broader view, the IFPR aims to enhance protection for the entire ecosystem. For firms with a mature risk framework the modelling work already undertaken for Risk to Firm could be expanded to incorporate Risk to Client and Risk to Market.

Mitigants and controls

To best approach the new risk categories of RtC, RtM and RtF, the firm should go ‘back to basics’ in terms of implementing mitigants and control measures. The four simple actions of accept, avoid, reduce or transfer should form the basis of decisions.

Probability and impact graphic
ICCAP to ICARA Diagram

Mitigants and controls probability and impact

The IFPR encourages firms to assess the adequacy of current mitigants and to identify any gaps in protection. Mature financial institutions have for several years considered the financial impact of risk transfer through insurance on their operational risk exposure and this is set to continue. For firms who are not currently considering the mitigating impact of insurance we recommend the following actions:

  • Document how current insurance policies are expected to respond to key operational risk scenarios.
  • Consider how reduced Risk to Firm translates to reduced Risk to Client and Risk to Market.
  • Incorporate insurance within your risk aggregation framework to quantify the financial mitigation.

Quantified risk appetite

Further to enhanced areas of focus outlined above, the ICARA puts a greater spotlight on risk appetite. Whilst within separate FCA guidance, titled ‘FG 20/1 Our framework: assessing adequate financial resources’, the regulator remarks that “firms should have a clear and quantified risk appetite which is communicated, understood and followed across the firm3", in our experience risk appetite statements are often of insufficient maturity. For many, there is inadequate understanding of the firm’s risk profile to happily settle on a risk appetite value.

The previous approach taken by many, of using only qualitative or low-level functional risk appetites will no longer be sufficient. However, through refining the risk assessment and scenarios processes with a more-encompassing framework and methodology within ICARA, firms will be in a better position to evaluate the level of risk they are prepared to accept and regularly monitor changes.

Ensuring risk appetite statements are well-considered is fundamental to ensure investments in controls and risk transfer are both delivering the best financial value to the firm and supporting long-term stability.

The importance of data

When assessing risks, the ICARA outlines the need for firms to consider risks of relevance to the business model and core business activities/operations.

In capturing the principal exposures, firms should broaden the lens of identification. Data is central to this, as it enables a firm to demonstrate their understanding of numerous risk exposures. We recommend firms utilise a variety of data sources, to include:

  • Internal loss events - considering both the loss value and the cause, as this may indicate areas where incidents could re-occur;
  • Risk Control Self-Assessments (RCSAs) (for larger firms) - enabling a bottom-up approach to risk identification, with business unit risk assessments performed by employees with good knowledge of specific operations.
  • External risk event information- as a means of analysing events experienced by firms with similar business characterises, ensuring consideration of the industry risk landscape.

Analysing varied sources of data will enable a firm to assess current exposures but moreover future exposures, through influencing the creation of plausible worst-case scenarios. Scenario development is pivotal to developing a forward-looking approach and consideration of future threats is a key requirement for building adequate preparedness and operational resiliency.

Through supplementing internal data with external data, Investment Firms can broaden their horizon of risk exposures and form appropriate strategies to mitigate - either through controls or insurance.

Improve your risk framework procedures

Willis Towers Watson’s Operational Risk Solutions team helps firms of all sizes to enhance their operational risk framework and manages projects that include operational risk assessment, risk gap analysis, insurability analysis, statistical modelling and model validation.


1 Further information on the Investment Firms Prudential Regime (IFPR):

2 Under the new IFPR, “The ICARA process is the centrepiece of firms’ risk management processes” (p.35):

3 FG 20/1 Our framework: assessing adequate financial resources (p.15):

The Willis Towers Watson Insurance Claims Database is comprised of over 40,000 insurance notifications made to FINEX Global. Our claims analysis, whilst maintaining confidentiality, illustrates important details about the nature, trends, causes and cost breakdown of loss events impacting global financial institutions.


This publication offers a general overview of its subject matter. It does not necessarily address every aspect of its subject or every product available in the market. It is not intended to be, and should not be, used to replace specific advice relating to individual situations and we do not offer, and this should not be seen as, legal, accounting or tax advice. If you intend to take any action or make any decision on the basis of the content of this publication you should first seek specific advice from an appropriate professional. Some of the information in this publication may be compiled from third party sources we consider to be reliable, however we do not guarantee and are not responsible for the accuracy of such. The views expressed are not necessarily those of Willis Towers Watson. Copyright Willis Limited 2021. All rights reserved.

Willis Towers Watson offers insurance-related services through its appropriately licensed and authorised companies in each country in which Willis Towers Watson operates, for example:

  • In the United Kingdom, Willis Limited, registered number: 181116 England and Wales. Registered address: 51 Lime Street, London, EC3M7DQ. A Lloyd’s Broker. Authorised and regulated by the Financial Conduct Authority for its general insurance mediation activities only; and

  • Willis Towers Watson SA/NV, Quai des Vennes, 4020, Liège, Belgium (0415.981.986 RPM Liège) (registered as a branch in the UK at 51Lime Street, London, EC3M 7DQ UK Branch Number BR021056) in relation to all EEA-regulated business. Authorised by the Financial Services and Markets Authority (FSMA) Belgium, and authorised and subject to limited regulation by the Financial Conduct Authority. Details about the extent of our authorisation and regulation by the Financial Conduct Authority are available from us on request.

For further authorisation and regulatory details about our Willis Towers Watson legal entities, operating in your country, please refer to our Willis Towers Watson website.

It is a regulatory requirement for us to consider our local licensing requirements prior to establishing any contractual agreement with our clients.


Associate Director, Consulting and Client Management, ORS – FINEX GB

Head of Innovation and Acceleration – FINEX GB

Contact us