Foolproofing ICARAs for 2024

It has been two years since the Investment Firms Prudential Regime (IFPR) came into force, and many firms will have now completed the second iteration of their Internal Capital Adequacy Risk Assessment (ICARA). In this paper, we explain the priorities for ICARAs in 2024 by combining our observations on good and bad practices from the second iteration of ICARAs (based on our experience and feedback from the hundreds of ICARAs our experts have reviewed over the last year) with feedback received directly from the Financial Crime Authority (FCA) at recent roundtable discussions.

For most of our clients, the first iteration of the ICARA took longer than expected as they grappled with understanding the requirements and assessing the risks inherent to their business. Many firms pushed back some of the development of their ICARA to the following year, having been surprised by the amount of work involved. Indeed, the FCA was not expecting firms to get it perfect the first time, but there were higher expectations for version two. From what we have seen and noted below, work still needs to be done.

In our view, many firms have missed an opportunity to add value to their business. Although it is a compliance requirement, a good risk assessment and the wider ICARA can make the most of the financial resources held to address risks, drive the improvement of controls, and provide breathing room if risks do crystallise. If things go wrong for a firm, a strong ICARA will generate goodwill when the regulator inevitably asks to see it.


Before starting an ICARA, it is essential to ascertain whether an Investment Firm Group exists. We have observed that a number of firms still have not correctly identified their Investment Firm Group or have not notified the FCA that they have one. The FCA has made it clear that they will be contacting firms this year if they believe an Investment Firm Group exists.

Risk of harm assessment

We recommend firms prioritise improving their approach to the risk of harm assessment over the course of the year. We have seen that firms are still struggling with identifying the risk of harm assessments and with calculating how much additional financial resources to hold against their risks. The appropriate use of risk mitigation techniques is still not fully understood, with only a few firms developing robust plans to improve their risk mitigation year-on-year. This should be a continuous improvement exercise as risks inevitably change, as do the options for mitigation.

Many firms are still using Excel-based risk assessments. Spreadsheet risk assessments can be a reasonable tool to start with, but their weaknesses quickly come to light in terms of connecting to other datasets, susceptibility to typos and limitations on collaboration across functions. We have seen firms make this task easier and faster using risk management platforms.

Risk appetite

In the first version of ICARAs, very few firms articulated their risk appetite quantitatively. Happily, more firms did so in the second version, although a significant number still do not. A quantitative risk appetite is essential for monitoring and controlling the key risks.

Early warning indicators

Early warning indicators should give firms enough time to react to an oncoming stress. Many firms use the FCA’s 110% threshold requirement as their early warning indicator, but this is not effective in fast-moving liquidity stress. The FCA has made it clear that it expects firms to set a higher trigger than the 110% minimum and demonstrate that it provides the breathing room needed to deploy recovery options effectively.

Liquidity risk assessment

Most firms we have spoken to said they did not consider liquidity risk a significant risk to their business. Most have run liquidity stress tests, but these often do not reflect all the stresses that could impact their business models, such as a market-wide strain on funding, and they usually do not include granular cash flow models. Very few firms revised their approach to liquidity risk following the failure of Silicon Valley Bank last year. Although the failure did not affect all firms, it highlights the impact an unforeseen counterparty failure can have on a firm’s ability to pay liabilities as they fall due. Firms discovered that a new bank account that allows cash deposits to qualify as core liquid assets (must be with a credit institution) can take weeks to set up; an eternity in the context of a bank run!

The FCA also highlighted its concerns over liquidity risk, particularly amongst wholesale brokers, in its Dear CEO letter last year: “Firms continue to underestimate their exposure to intraday liquidity risks arising from their own business as well as from key clients and counterparties” and “we are particularly concerned by weakness in the clearing brokers’ liquidity risk management”.

For firms that have not already done so, revisiting the breadth and severity of liquidity stress tests will be a key priority in 2024. This will focus on both a short, sharp shock and a slower-burn stress, and consider whether the current mix of liquid assets and contingency funding plans is sufficient.

Operational risk assessment

We have found that operational risk assessments would benefit from more robust challenge. Many firms use operational risk models that are not fully understood by senior management, who therefore have limited oversight and ability to confirm that the model output is sensible.

The FCA has observed that group operational risk models are not always appropriate for individual firms’ ICARA processes and should be assessed for fitness beforehand. The FCA also highlights that firms are failing to adjust for the impact of any diversification effect.

Improved oversight of models, clear visibility into and understanding of their workings, assumptions, and data feeds, and improved transparency should be high on the agenda for senior managers this year.

Recovery options

Recovery options are one of the weakest areas we have seen across all ICARAs and yet one of the most important, enabling firms to utilise a range of levers they can pull to recover from stress. A more diverse menu of options means a firm can recover from a wider range of stress scenarios and reduce the franchise impact on the firm’s post-recovery

In our experience, firms have found it difficult to devise a diverse menu of recovery options that would benefit capital or liquidity stress. We have found it helpful for firms to have focused discussions amongst business heads with the mindset that a severe crisis has already occurred and a solution must now be found.

From our observations, most firms have between one and five recovery options, with a handful of larger firms having around twelve to fifteen. We expect all firms to have a mix of capital and liquidity accretive options, with more options available to more complex firms.

The most common recovery options we have seen involve support from the group and cost reduction. Many firms also have liquidity improvement and capital preservation options. Less common are reductions in risk limits and asset sales, mainly utilised by the larger non-SNI firms.

Few firms have adequately assessed the credibility of their recovery options. At the very least, firms need to think about the practicalities of execution, such as timelines, impact on the firm and the group and previous experience of execution, particularly in a stress scenario, which is very different from a BAU environment. For example, many firms rely on support from the group without thinking about what they would do if the group itself were under

Stress testing

We tend to see SNI firms running three to five scenarios, and non-SNI firms usually run around five to seven scenarios, with more complex firms running up to sixteen. The quantity is usually about right, but often the quality is missing. For example, we often see scenario testing that results in little or no losses. Stress scenarios should be plausible and severe enough to stress the capital or liquidity positions of a firm and test its recovery options to provide comfort that the firm can recover from real-life stress.

Last year, the scope of what is plausible shifted due to a bank failure, the Ukraine war, and the previous year’s fallout from a pandemic, which gave rise to a new range of operational risks. Firms should broaden their thinking when considering scenarios and build in sufficient severity.

We also find that scenario assumptions are usually missing from ICARAs. When we speak with firms, these have almost always been considered but are often not documented, with no evidence of debate. Opening these assumptions up to challenge only serves to make scenario testing more robust and allows the ICARA to really add value.

Wind-down planning

We often hear feedback from the FCA stating that firms underestimate how long it would take to wind down. Most wind-down plans we see range from three to nine months. We consider twelve months appropriate for most firms. This, of course, means that firms would need to have sufficient financial and non-financial resources to cover that period.

We were encouraged to see a wide range of wind-down scenarios last year, reflecting the various business models that fall under the regime. The most common scenarios tended to include severe market or operational events. Group risk was also considered more frequently as a wind-down scenario; we previously found this was often overlooked in 2022.

However, in scenario testing, firms generally need to give more consideration to specific group issues, particularly operational and financial interconnectedness. Scenario testing could also be improved by documenting behavioural assumptions such as counterparty or client actions in response to the wind-down.


Significant progress has been made in the last year in developing prudential risk management across the industry. However, there is also significant work to be done, and firms must challenge themselves with their risk assessments, stress testing, recovery options, and wind-down planning. The development of the ICARA is an iterative process, and firms should strive to make continuous improvements every year.

This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.

