How to Prepare a Regulatory Filing With Stakeholder Risk Assessment

How to Prepare a Regulatory Filing With Stakeholder Risk Assessment

Most regulatory filings that include a stakeholder risk assessment fail in the same way: they treat the assessment as a narrative appendix rather than the analytical spine of the submission. Regulators notice. So do boards when something later goes wrong.

This guide sets out how to prepare a filing where the stakeholder risk assessment is genuinely load-bearing — the kind that survives challenge from a supervisor, a Section 166 reviewer, or a future enforcement team reading it cold.

Start with the regulator's actual question

Before drafting anything, write down — in one sentence — what the regulator is being asked to approve, notice, or accept. Variation of permission, change in control, new product approval, recovery plan, Consumer Duty attestation: each carries a different evidentiary bar for stakeholder impact.

Most teams skip this and start with templates. The result is a filing that answers questions no one asked and omits the ones that matter. The stakeholder risk section then becomes generic — customers, employees, shareholders, regulators — with no link to the specific decision under review.

Define stakeholders by exposure, not by category

Generic stakeholder maps are the single biggest weakness in regulatory filings. "Customers" is not a stakeholder group. A 72-year-old fixed-income customer holding a product affected by the change is. So is the IFA network that distributed it.

Segment stakeholders by:

• Exposure to the specific change — who is materially affected, in what way, over what time horizon
• Ability to absorb harm — vulnerability, concentration, switching cost
• Visibility to the regulator — who will write in, complain, or be quoted back to you

If a stakeholder group does not differ on at least two of these axes from another, collapse them. If they do differ, treat them separately throughout the assessment.

Build the evidence base before you write the narrative

A defensible filing rests on evidence gathered before a conclusion was formed. That means:

• Complaints data segmented to the affected cohorts, not aggregate
• Direct stakeholder input (research, advisory panels, distributor feedback) dated before the decision
• Internal challenge — minutes showing the risk was tested, not just noted
• Comparable cases: what happened when peers made similar changes

Where you do not have evidence, say so explicitly and explain the proxy. Regulators are far more forgiving of acknowledged gaps than of confident assertions they later discover were unsupported.

Sequence the assessment to match the decision logic

The assessment should read in the order the decision was actually made: what was the trigger, what options were considered, which stakeholders were affected by each option, what mitigations were tested, why the chosen path was preferred.

Filings that present the conclusion first and reverse-engineer the analysis are easy to spot. They use phrases like "the firm is satisfied that" before showing how it reached that view. Invert this. Show the working.

Treat mitigations as testable, not aspirational

For each material stakeholder risk, the filing should specify:

1. The mitigation (what will be done)
2. The owner (named role, not committee)
3. The trigger metric (what would tell you it is failing)
4. The escalation path (who decides to act)

If a mitigation cannot be expressed this way, it is not a mitigation — it is a hope. Strip it out or rewrite it. Supervisors will ask these four questions in any follow-up; better to answer them in the filing.

What good looks like

A strong filing makes it possible for a regulator to disagree with you without having to re-do the analysis. They can see your inputs, your weighting, your judgement calls, and the points at which a reasonable person might reach a different view. That transparency is what builds supervisory trust over time — and what protects the firm if outcomes later diverge from expectations.

Weak filings hide the judgement. Strong ones expose it and defend it.

The next decision

Before the filing leaves the building, give it to someone who was not involved in the decision — ideally someone with supervisory or enforcement background — and ask one question: if this went wrong in 18 months, would this document protect the firm? If the answer is not a confident yes, the stakeholder risk assessment is not finished.