Managing Conduct Risk: How Aggregating and Assessing Data Can Drive Culture-Changing Decisions Download . . .Second in a Series on Risk Quantification Nearly every financial institution expresses a commitment to fair and transparent treatment of customers, investors and partners, but many still struggle to articulate and communicate to employees what they deem to be appropriate conduct. Often, employees are left to presume whether their actions align with their organisation’s culture. This chasm between employee conduct and an organisation’s stated values is a common cause of conduct risk failures. Conduct risks exist in almost every part of a business. For this reason, it is essential for financial institutions to be able to identify, assess, control, manage, monitor, and test conduct risk across the three lines of defense. According to the Risk Management Association, conduct risk is the risk of loss to an institution, or the harm to an institution’s customers or other stakeholders, resulting from any willful act or omission by (a) an institution’s employee or independent contractor, or (b) an employee or independent contractor of an institution’s affiliate or third party. How employees conduct themselves is driven by organisational culture, which in turn is determined by the tone and actions from the top and by the efforts of middle management staff responsible for implementing and overseeing operations. This means, in all financial institutions, leaders have an opportunity to create a culture of transparency, ethics, and fairness in order to mitigate conduct risk. By collecting and aggregating data associated with conduct risk, managers can gauge whether they are creating the right culture, identify roadblocks, and develop actions to improve their risk profile. Download Why Conduct Risk Management Matters Conduct risk failures were major contributors to the global financial crisis just over ten years ago. In certain cases, the failures resulted in fines and civil penalties against financial institutions caught in misconduct, personal liability against senior officers and managers, and reputational damage, which hurt not only firms’ bottom line but also their ability to attract and retain top talent. Additionally, global regulators sprang into action, introducing formal accountability regimes and recommended frameworks. The Dodd-Frank Wall Street Reform and Consumer Protection Act, enacted in 2010, and the UK’s Senior Managers and Certification Regime (SMCR), which came into effect March 2016, are among numerous formal regulatory responses to the industry’s conduct dilemma. Still, more than a decade later, despite all that has incurred, global regulators are unconvinced that institutions are doing enough to manage conduct risk, and continue to propose and strengthen conduct regimes. In Australia, for instance, regulators currently seek to extend the Banking Executive Accountability Regime (BEAR)[1] beyond its initial focus on bank directors and senior executives and into the ranks of middle managers. Enacted in February 2018, BEAR requires authorised deposit-taking institutions (ADIs) to designate “accountable persons” who are personally accountable for business conduct that adversely affects the institution’s standing or reputation. Similarly, the Hong Kong Monetary Authority (HKMA)[2] and the Monetary Authority of Singapore (MAS) have introduced personal accountability regimes designed to increase industry awareness of conduct risk and regulatory expectations for managing it. Across these jurisdictions, regulators are particularly interested in the common sources of conduct failures such as sales practices, disclosures, and complaints handling, and are holding firms accountable for deficiencies in these areas. In the UK’s Financial Conduct Authority’s business plan for 2019/20,[3] it lists ensuring the fair treatment of firm’s existing customers by monitoring practices such as the information given to prospective and current customers as one of four cross-sector priorities. Given the growing regulatory interest on conduct and the cost of doing nothing, firms have a responsibility to manage conduct risk effectively. However, conduct risk cannot be managed properly without effective measurement and assessment. Conduct risk management is wide-ranging, and, as outlined by the FCA, includes regulatory objectives for protecting consumers and the financial markets, and promoting competition. For financial institutions, conduct risk often encompasses many risk areas, including operational, compliance, legal, reputation, and information technology risks. Due to the breadth of risk areas conduct risk impacts, financial institutions with the know-how to leverage management information, different sets of data, and risk indicators, are better positioned to navigate conduct and operational risk challenges effectively. How Metrics Help Leaders Measure Conduct Risk To measure and manage conduct risk effectively, companies should identify critical data points. Data related to culture and conduct is often qualitative so establishing a basis for reporting means applying quantitative measurements on innately qualitative data. Organisations that can capture this risk data and translate it to measurable terms will enhance their decision-making capabilities and opportunities to intervene in conduct failures. There are many areas where firms can look for conduct risk management data and reporting. It is not necessary to recreate the wheel; companies can leverage existing metrics such as customer reviews and complaints, client communications data, trading violations, product design and testing results, incentives and compensation, and marketing and promotion. Metrics around individual conduct and policy breaches can also provide management with a clear picture of the organisation’s risk and compliance culture. For example, in addition to the above, individual data can be consolidated from a variety of common conduct risk indicators, including: Missed or late training. Excessive working hours. New business initiative projections and business results after implementation. Suspicious transaction reports. Word and voice surveillance reports. High-client entertainment expenses. Take the case of a leading EMEA-based financial services firm that was experiencing increased regulatory scrutiny related to conduct risk and reporting. The firm had previously employed several disparate approaches to monitoring and measuring conduct across various lines of business, but, lacking a holistic approach, the execution and results from those activities were inconsistent. Given its complex and siloed structure, as well as the regulatory pressure, management recognised a need to develop an enterprisewide conduct risk management approach that would provide a complete view of conduct risk across various business units and geographic areas. The decision was made to develop a dynamic risk management tool to aggregate, monitor and manage conduct risk across the enterprise. Completing this objective first required gaining a complete understanding of the firm’s existing conduct risk strategy and objectives, as well as an understanding of the current data and reporting environment. Following the assessment, the team started the process of developing a structured means of gathering, aggregating, scoring and displaying conduct risk data utilising The Protiviti Risk Index™.[4] Protiviti and the firm combined metrics from customers, sales, product development, employee culture, and complaints areas to include in the conduct risk index. By capturing, calculating, and consolidating the risk metrics in a single number and displaying it on data visualisation dashboards, The Protiviti Risk Index™ completely transformed how the firm monitored conduct risk. Specifically, the firm’s leaders gained the capability to identify conduct issues proactively or before they evolved into a larger risk event. The ability to make risk-informed decisions, such as implementing a culture-transforming initiative, allowed the firm to continuously enhance how it conducted business and keep the customer in the forefront of its focus. . . . Risk Index Output The Protiviti Risk IndexTM captures, calculates and evaluates a large volume of complex data and reduces it to a single number. Integrated with a customisable infrastracture technology platform and data visualisation tools, the Risk Index helps to decrease time spent on reporting and documentation. The dashboard view above is an example of a risk index output generated from the platform. Visit protiviti.com/riskindex to learn more. How Metrics Help Leaders Measure Conduct Risk As this case study shows, managing conduct risk begins with a firm understanding of the common risk drivers. It requires firms to analyse their unique risk culture and assess the relationship between culture and conduct to identify areas of potential risk. Following are general recommendations to consider: Evaluate compliance obligations in the jurisdictions where the firm operate. Develop policies and procedures designed to mitigate risk. Assess current and emerging risks enterprisewide and identify the contexts where individuals can introduce conduct risk across the sales lifecycle. Identify and evaluate controls that are designed to mitigate conduct risk. Establish actionable reporting and other mechanisms to facilitate management and board oversight. Monitor metrics over time to enable swift intervention when culture and conduct begin to veer off course. Maintain prompt, regular communication with the board and senior management. Additionally, companies should create governance structures to ensure these steps are implemented and maintained. Creating new committees or enhancing to focus on conduct risk is recommended to ensure conduct risk management is given the appropriate level of focus. Conclusion Conduct risk is present in almost every part of a financial institution, driven by a firm’s strategy, products and services, and sales lifecycle. There is no one-size-fit-all way to manage conduct risk; it should be managed differently within each firm. However, firms can measure and manage conduct risk effectively by capturing underlying risk data to develop a comprehensive view of common sources and indicators of potential conduct risk failures. Tools such as The Protiviti Risk Index™ can be leveraged to measure and monitor conduct risk and help firms identify issues proactively and before they develop into major crisis events. As regulators increase their focus on conduct, financial institutions should incorporate conduct risk management and measurement into strategic decisions. Putting customers at the forefront of business decisions should be a central tenet of all managers. While no rule or guidance can compel individuals to behave appropriately if they don’t believe that ethics are more important than profits or personal reward, companies can reduce bad conduct by embedding conduct risk principles in their daily operations — and, with the right risk data and conduct-measuring tools, they can drive the cultural changes necessary to be successful as a business and to demonstrate to their shareholders, board, regulators, and employees that conduct risk management is important to address, just like all other critical risks to the enterprise. [1] Implementing the Banking Executive Accountability Regime, APRA. [2] Supervision for Bank Culture, Hong Kong Monetary Authority. [3] "FCA Sets Out Its Priorities for 2019/20," Financial Conduct Authority. [4] The Protiviti Risk IndexTM: A Single-Number Snapshot of Risk, Protiviti.