Part 1: RISQED - One Methodology for Every Risk (JFSC's Summer 2026 Guidance)
02/07/2026
Introduction
- This is Part 1 of 4 of a RISQED series on risk management for Jersey-registered persons
- This Part 1 provides an overview of how RISQED provides a solution to risk management; later pieces look at financial crime, data protection, and sustainability risks and how RISQED helps.
ALL RISKS
Between 4 and 29 June 2026, the JFSC did two things worth reading together.
- It revised its Guidance Note on Compliance Monitoring for the first time since 2013, and
- it published its 2025 Financial Crime Examination Feedback.
Read separately, they appear to be two documents on the same topic. Read together, the pattern is broader than financial crime:
- Firms can usually point to the individual pieces of a risk framework, but struggle to show the pieces are connected, current, and owned, whichever risk you're looking at.
That's not a financial crime-specific problem, and the Codes of Practice for registered persons, not just Schedule 2 persons, say so directly.
- Principle 3 requires a registered person to
- "Organise and control its affairs effectively... and
- Be able to demonstrate the existence of adequate risk management systems."
- The Code is explicit about scope: in this context,
- "risk" refers to all the risks a registered person faces, or may face, "as a business enterprise" not a named subset of them.
- The Code mentions Cyber risks, and this year the JFSC has issued documents that address other risks; two prominent ones include:
- Financial crime
- Sustainability risks
- What is important is that these are not the only risks Principle 3 covers.
Why one methodology, not four
- The instinct, when a new risk category demands attention, is to build a new spreadsheet for it.
- That's how firms end up with a financial crime risk register, a separate data protection tracker, a sustainability questionnaire from last year's consultation, and no single view of where any of them stand relative to each other or to the board.
RISQED is built the other way round:
- One methodology: probability and impact are scored from gross risk, through the controls and treatment applied, to a residual position once compliance monitoring plan (CMP) testing confirms whether those controls are actually working. It is applied consistently across risk categories, with named ownership (who's responsible, accountable, consulted, informed) attached to each one.
- The same structure that answers a financial crime finding answers a data protection or sustainability finding, because it's the same underlying question every time: what's the risk, what's mitigating it, has that mitigation been tested, and who owns it.
A quick tour of Risks that the JFSC talk about (sources below)
- Financial crime.
- The JFSC's 2025 examinations found BRAs that hadn't kept pace with the business, risk appetites that weren't consistently applied, and MLCO/MLRO conflicts and oversight gaps that weren't documented.
- We go deep on this in the next piece in this series.
- Data protection.
- This one isn't a direct JFSC obligation at all (albeit it is a regulated firm risk), which is exactly the point; it applies whether or not you're JFSC-regulated.
- Under Article 16 of the Data Protection (Jersey) Law 2018, any organisation carrying out processing likely to result in high risk to individuals' rights and freedoms must complete a Data Protection Impact Assessment before that processing begins.
- The JFSC's own guidance even acknowledges the overlap, noting that a firm's CMP "may also extend beyond the financial services and countering financial crime legislation to include areas such as... data protection laws."
- Sustainability and climate risk.
- The JFSC's Guidance Note on Sustainable Finance sets a baseline under two principles:
- Principle 3, assessing and managing climate-related risk, and
- Principle 7, ensuring sustainability-related claims are fair, clear, and not misleading.
- Its baseline good practice is proportionate by design: assess climate risk as part of ordinary risk management, document it proportionately, and escalate to the board, which can conclude risk is immaterial and take no further action beyond periodic review.
- Climate risk is meant to sit inside existing risk registers and categories, not stand apart from them.
- Cyber security.
- Also anchored in JFSC cyber web pages and Principle 3 of the codes are the following statements:
- The Codes require a documented policy to identify assets and risks, protect them, detect incidents, respond, and recover.
- All financial services businesses are exposed to cyber risks. They need to be aware of the threats and defend themselves effectively if a cyber event occurs.
- There are many more.
Four do go into one.
- Four categories, four different regulatory sources, one requirement running underneath all of them: a documented, proportionate, board-visible view of the risk, the controls, and who's accountable for both.
- RISQED's job is to be that one structure, not four separate tools, each answering a different examiner's question.
- We'll go deeper on financial crime, data protection, and sustainability in the pieces that follow this update.
Book a demo:
- yes@comsuregroup.com [Comsure is the distributor of RISQED] | Sunil 07797 936464 | Mathew 07797 747490
RISQED is BETA, in active development, and now being used. If you're evaluating it against a specific regulatory requirement, we're happy to walk through exactly how it maps to your framework.
For Part 1 (sources):
- RISQED website and brochure below
- JFSC 2025 Financial Crime Examination Feedback (published 29 June 2026)
- Guidance Note: Compliance Monitoring, revised 4 June 2026 (7-step CMP cycle, EWRA definition, probability/impact language)
- Trust Company Business Code of Practice (Principle 3, "all the risks... as a business enterprise")
- Guidance Note: Sustainable Finance (Principle 3 climate risk, Principle 7 fair claims, baseline good practice)
- JFSC's Risk-Based Supervision framework (inherent/causal/impact risk, impact × probability)
- Codes of Practice landing page
- JFSC Cyber-security - All financial services businesses are exposed to cyber risks. They need to be aware of the threats and defend themselves effectively if a cyber event occurs.