Stakeholder Risk Management for FCA Regulated Firms: A Practical Guide

This guide sets out how senior leaders at FCA regulated firms should identify, assess and manage stakeholder risk in a way that stands up to supervisory scrutiny. After reading, you will know how to structure a stakeholder risk framework that connects to Consumer Duty, SM&CR accountability and board-level reporting.

If you run a regulated firm, stakeholder risk is no longer a communications problem. It is a prudential and conduct problem the FCA expects you to identify, monitor and act on. Consumer Duty, SM&CR, operational resilience rules and the FCA's increasingly interventionist supervisory style have moved stakeholder risk into the same territory as capital, liquidity and conduct risk. This guide explains how to build a stakeholder risk approach that holds up under supervisory challenge and gives the board something usable.

What stakeholder risk actually means in an FCA context

Stakeholder risk, in regulated firms, is the risk that the expectations, behaviour or actions of a defined group (customers, the FCA, PRA, HM Treasury, distributors, appointed representatives, institutional shareholders, ratings agencies, whistleblowers, consumer groups) cause harm to consumers, market integrity, or the firm's ability to meet its Threshold Conditions.

The common mistake is to treat stakeholder risk as reputational risk with better packaging. It is not. Reputational risk is an outcome. Stakeholder risk is a driver. If you cannot show the causal chain from a specific stakeholder's likely behaviour to a specific regulatory or customer outcome, you do not have a framework, you have a heat map.

Build the stakeholder register the FCA would recognise

Start with a register that mirrors how the FCA thinks about your firm. That means categorising stakeholders by their ability to affect:

  • Consumer outcomes (Principle 12 and the four outcomes)
  • Market integrity
  • Threshold Conditions and authorisation status
  • Operational resilience and important business services
  • Financial soundness

For each stakeholder, record: what they expect, what they can do if those expectations are not met, the leading indicators that their position is shifting, and the SMF holder accountable. If you cannot name the SMF, the entry is not finished.

Where most firms fall short: they list stakeholder groups ("customers", "regulators") rather than decision-making units. The FCA supervision team covering your firm is not the same stakeholder as the FCA's policy division. Your top ten distributors are not the same as your long tail. Aggregation hides risk.

Connect stakeholder risk to the risk taxonomy

Stakeholder risk should sit inside your enterprise risk framework, not alongside it. Map each material stakeholder risk to the existing risk types: conduct, operational, prudential, strategic. This forces two useful things. First, it makes stakeholder risk quantifiable through existing appetite statements. Second, it stops the second line treating it as somebody else's problem.

Good looks like: a conduct risk appetite statement that includes explicit thresholds for FCA supervisory interaction (for example, number of s165 requests, tone shift in periodic summary meetings) as leading indicators, not lagging ones.

Assess likelihood and impact with actual evidence

Stakeholder risk assessments fail when they rely on internal opinion about what regulators or customers think. Supervisory judgement changes. Consumer expectations shift. Distributor economics move. The assessment needs external inputs: Dear CEO letters, portfolio letters, speeches, enforcement patterns, complaints data benchmarked against peers, FOS decisions in your product area, and where appropriate, direct testing of stakeholder positions.

Refresh cadence matters. Annual is too slow for FCA supervisory posture. Quarterly is the minimum for material stakeholders, with trigger-based reviews when portfolio letters land or enforcement action hits a peer.

Governance that survives an SMF interview

The board needs to see stakeholder risk in a form it can challenge. That means: top five stakeholder risks, movement since last report, mitigating actions with owners and dates, and a clear statement of where the firm is operating outside appetite.

The SMF16 and SMF17 holders should be able to explain, without notes, the firm's three largest stakeholder risks and what is being done about them. If they cannot, the framework is decorative.

Where to go next

Before your next board risk committee, pull your current stakeholder or reputational risk register and ask one question: for each entry, can you name the specific action the stakeholder might take, the outcome it would drive, the leading indicator you are monitoring, and the SMF accountable? Any entry that fails that test is the place to start.

Polar Insight helps senior leaders in financial services understand what their key stakeholders actually think before significant decisions are made.
