JFSC Principle 3 on Risk Management – have you read the April 2026 Guidance?

14/04/2026

The Jersey Financial Services Commission (JFSC) has issued clear, practical guidance on sustainability-related risks as part of its April 2026 Sustainable Finance Guidance Note.

While the note addresses sustainability risks specifically, it explicitly reinforces and illustrates the JFSC’s longstanding expectations under Principle 3 of the Codes of Practice for how any risk must be managed.

To clarify how the two relate:

  • Principle 3
    • Requires all registered persons to identify, consider, and adequately manage the risks they face.
  • The sustainability guidance
    • Does not create new obligations or require a separate risk framework.
    • Instead, it sets a clear, consistent baseline for integrating risks (of any type) into existing governance, risk management, and internal control processes in a proportionate manner.
    • This applies to all registered persons, scaled to the firm's nature, size, and complexity.

Core Expectations for Managing Any Risk (High-Level Summary)

For the purposes of this briefing and compliance with the JFSC requirements:

  • RISK SHOULD MEAN
    • A risk is the potential for adverse impact on the firm’s objectives, financial position, performance, or operations.
    • See Appendix 1 for a Comsure list
  • RISK IS MADE UP OF
    • Threats (events or circumstances that could cause harm) and/or
    • Vulnerabilities (weaknesses that could be exploited or that increase exposure).
  • RISK OWNER
    • Each material risk should have a clear and accountable person or people (e.g., a senior manager, department head, or designated individual) responsible for oversight, monitoring, and ensuring proportionate management of the risk within the firm’s existing governance and control framework.

Firms should apply the following baseline good-practice steps to all material risks (e.g., credit, market, liquidity, operational, strategic, reputational, or sustainability/climate risks):

  1. Identify and Assess Risks
    • Consider risks as part of ordinary (business-as-usual) risk management processes.
    • Focus on financial materiality — i.e., how the risk could reasonably affect the firm’s financial position, performance, or cash flows.
    • Map the risk to existing risk categories in your risk register where relevant.
    • Document the assessment (scope, methodology, materiality judgements, and conclusions) proportionately.
    • Example:
      • For climate risk, assess physical risks (e.g., flooding disrupting operations or supply chains) and transition risks (e.g., policy changes leading to asset re-pricing or higher costs in carbon-intensive sectors).
      • The same approach applies to operational risk (e.g., cyber threats) or credit risk (e.g., counterparty default in a sector vulnerable to economic shifts).
  2. Escalate and Obtain Board Oversight
    • Escalate the assessment and conclusions to the board (or equivalent governing body) for review, challenge, and direction.
    • The board must understand the implications for the firm’s strategy, business model, and financial resources.
    • If the board determines the risk is not material, no further action is needed beyond periodic review.
    • Where risks are material, the board should direct proportionate management responses within existing frameworks.
  3. Manage Risks Proportionately
    • Integrate the risk into your existing risk appetite statements, metrics, limits, policies, and controls.
    • Allocate clear day-to-day responsibilities (e.g., via risk committees or accountable individuals).
    • Include the risk in relevant processes such as product approval, outsourcing/vendor oversight, internal audit, or review cycles.
    • Establish monitoring, escalation, and periodic reassessment mechanisms.
    • Senior management must ensure appropriate skills and resources are in place (e.g., targeted training).
    • Proportionality examples:
      • Low materiality/complexity → Qualitative desktop assessment (e.g., every 3 years or on material change) + short board paper + basic key risk indicators.
      • Higher materiality → Deeper quantitative analysis, specific metrics/limits, and more frequent board reporting.
    • Example application:
      • An operational risk such as IT system failure would be managed through existing business continuity plans and tested via regular drills — no need for a standalone framework.
  4. Document and Evidence
    • Keep proportionate records (e.g., risk assessments, board papers/minutes, controls implemented, and review schedules).
    • This supports supervisory engagement and demonstrates compliance.

Governance and Integration

  • No separate framework required:
    • Risks (including sustainability/climate risks) must sit within your existing governance and risk management arrangements.
  • The board retains overall oversight and accountability.
  • The approach is principles-based and risk-based — firms are encouraged to use recognised standards (e.g., ISSB for deeper climate analysis where relevant) but only as helpful guidance, not as a mandatory overlay.

JFSC Supervisory Approach

  • Supervision will be proportionate.
  • The JFSC will primarily check whether the firm has taken reasonable steps, consistent with the baseline good practice above, to identify, assess, and manage risks within its existing frameworks.

Key Takeaways for Compliance Teams

  • Review your current risk management framework (including the Enterprise-Wide Risk Assessment or Business Risk Assessment) to confirm sustainability/climate risks (and any other emerging risks) are appropriately captured.
  • Update policies/procedures and board reporting templates as needed to reflect the integrated, proportionate approach.
  • The guidance provides a helpful template for demonstrating robust risk management across any risk type — it is not limited to sustainability.
  • Firms have a transition period to embed changes where required, but the underlying Principle 3 obligations already apply.

This high-level briefing reflects the JFSC’s clear direction:

  • Effective risk management is not about creating new processes for every risk type — it is about intelligently integrating material risks into what you already do, with board oversight and proportionate documentation.
  • Firms that follow this baseline will meet JFSC expectations for any risk.

Appendix 1

Here is a high-level list of common risks faced by financial services firms (including those regulated by the JFSC in Jersey). This is structured for easy inclusion in your compliance briefing and aligns with Principle 3 expectations — risks should be identified, assessed for materiality, and managed proportionately within existing frameworks, with clear risk owners.

Core Risk Categories (Common Across Financial Services Firms)

  1. Cyber / IT / Information Security Risk
    • Threats: Ransomware, phishing, data breaches, supply-chain attacks, malware.
    • Vulnerabilities: Outdated systems, weak access controls, third-party dependencies.
    • Potential impact: Data theft, service disruption, client asset misappropriation, regulatory fines, reputational damage.
    • Typical owner: Chief Information Security Officer (CISO) or IT/Operations Head.
  2. Operational Risk
    • Threats: Process failures, human error, system outages, external events.
    • Vulnerabilities: Inadequate controls, poor outsourcing oversight, and business continuity gaps.
    • Potential impact: Financial losses, service interruptions, compliance breaches.
    • Typical owner: Chief Operating Officer (COO) or designated Operational Risk Manager.
  3. Financial Crime Risk (including AML/CFT, Fraud, Sanctions, Bribery & Corruption)
    • Threats: Money laundering, terrorist financing, fraud, insider dealing.
    • Vulnerabilities: Weak customer due diligence, high-risk clients/jurisdictions, unusual transaction patterns.
    • Potential impact: Regulatory sanctions, criminal liability, reputational harm.
    • Typical owner: Money Laundering Reporting Officer (MLRO) or Compliance Head.
  4. Compliance / Regulatory Risk
    • Threats: Changes in laws, codes of practice, or supervisory expectations (e.g., JFSC Principle 3, conduct rules).
    • Vulnerabilities: Inadequate monitoring, training gaps, evolving requirements (including sustainability/climate).
    • Potential impact: Fines, licence restrictions, enforcement action.
    • Typical owner: Compliance Officer or MLCO.
  5. Credit Risk
    • Threats: Counterparty or borrower default.
    • Vulnerabilities: Concentration in certain sectors/clients, poor underwriting.
    • Potential impact: Asset impairment, capital strain.
    • Typical owner: Credit Risk Manager or CFO.
  6. Market Risk
    • Threats: Adverse movements in prices, interest rates, exchange rates, or equity/commodity values.
    • Vulnerabilities: Unhedged positions, volatile portfolios.
    • Potential impact: Losses on trading/investment books.
    • Typical owner: Market Risk Manager or Investment Committee.
  7. Liquidity Risk
    • Threats: Inability to meet cash obligations without high cost or loss.
    • Vulnerabilities: Asset-liability mismatches, funding concentration.
    • Potential impact: Solvency pressure, fire sales.
    • Typical owner: Treasury or Finance Director.
  8. Reputational / Conduct Risk
    • Threats: Poor customer outcomes, misconduct, negative publicity.
    • Vulnerabilities: Inadequate product governance, conflicts of interest.
    • Potential impact: Loss of clients, trust erosion, business exit.
    • Typical owner: Board / Senior Management or Conduct Risk Owner.
  9. Strategic / Business Risk
    • Threats: Changes in business model, competition, economic downturns.
    • Vulnerabilities: Poor strategy execution, over-reliance on key lines of business.
    • Potential impact: Reduced profitability, failure to meet objectives.
    • Typical owner: CEO or Board.
  10. Human Resources / People Risk
    • Threats: Talent shortages, key-person loss, misconduct, inadequate training.
    • Vulnerabilities: High turnover, skill gaps (especially in cyber/compliance), cultural issues.
    • Potential impact: Operational failures, compliance breaches, succession problems.
    • Typical owner: HR Director or Senior Management.
  11. Sustainability / Climate Risk (as highlighted in the April 2026 JFSC Guidance)
    • Threats: Physical (e.g., extreme weather) or transition (e.g., policy changes, carbon pricing).
    • Vulnerabilities: Exposure in client portfolios or own operations.
    • Potential impact: Financial losses, reputational damage.
    • Typical owner: Chief Risk Officer or Board-nominated executive.
  12. Third-Party / Outsourcing Risk
    • Threats: Vendor failure or breach.
    • Vulnerabilities: Weak due diligence or oversight of service providers.
    • Potential impact: Operational disruption, data loss, regulatory exposure.
    • Typical owner: Outsourcing / Vendor Risk Manager.

Tips for Your Briefing

  • Risk = Threat(s) and/or Vulnerability(ies) — use this structure when documenting in your risk register.
  • All material risks must have a clear risk owner (accountable person/people) responsible for monitoring and proportionate management.
  • Integrate these into your existing Enterprise Risk Assessment / Business Risk Assessment — no need for a separate framework.
  • Focus on financial materiality and board oversight, as per the JFSC Sustainable Finance Guidance Note (9 April 2026).

This list is illustrative and not exhaustive. Firms should tailor it to their specific business model, size, and complexity.

Sources

Here are the top 10 best, most relevant and official web sources for the JFSC Sustainable Finance Guidance Note (issued 9 April 2026) and related risk management expectations under Principle 3.  

  1. Official JFSC Sustainable Finance Guidance Page (main hub with direct PDF download) https://www.jerseyfsc.org/industry/guidance-and-policy/sustainable-finance/
  2. Full Guidance Note PDF (direct download – the core document) https://www.jerseyfsc.org/media/04zhbu22/2026-04-09-gn-sustainable-finance.pdf
  3. JFSC News Announcement – New Sustainable Finance Guidance https://www.jerseyfsc.org/news-and-events/new-sustainable-finance-guidance-supports-clarity-and-proportionality/
  4. JFSC Codes of Practice – Main Page (context for Principle 3) https://www.jerseyfsc.org/industry/codes-of-practice/
  5. Investment Business Code of Practice (detailed Principle 3 text) https://www.jerseyfsc.org/industry/codes-of-practice/investment-business-code-of-practice/
  6. Fund Services Business Code of Practice (Principle 3 reference) https://www.jerseyfsc.org/industry/codes-of-practice/fund-services-business-code-of-practice/
  7. Comsure Summary Article (clear overview with links back to JFSC) http://www.comsuregroup.com/news/jfsc-new-guidance-effective-9426-requires-sustainability-related-risk-assessments-for-all-registered-persons/
  8. JFSC Sustainable Finance Overview Page https://www.jerseyfsc.org/industry/sustainable-finance/
  9. JFSC April 2026 Monthly Update (mentions the new guidance) https://www.jerseyfsc.org/news-and-events/watch-monthly-update-april-2026/
  10. Fraction GC Summary of Consultation Outcomes (helpful background on how the guidance was developed) https://fraction-gc.com/regulatory/jfsc-sustainable-finance-consultation/