The conduct risk imperative
The Financial Conduct Authority’s focus on ‘conduct risk’ marks a significant shift in mind-set for most financial organisations. The FCA has been clear that it is up to individual firms to decide what ‘good’ conduct and focus on customer outcomes mean for them. Moreover, the onus is on firms to show that they have done the right thinking and modified their business model accordingly. There are no set procedures, policies and frameworks to follow; the FCA has said they will assess conduct risk by looking at areas across the firm’s business, especially leadership behaviour and culture, to get a holistic view of conduct activity.
It is not enough to assume that this focus on softer, cultural metrics means that firms can pay lip service to the idea of ‘good conduct’ or that relying solely on old ‘tick-box’ methods and frameworks for managing risk will satisfy the regulator. After all, the FCA levied over £474M in fines last year alone. They have also moved towards a new supervisory approach that places ‘greater emphasis on individual accountability as well as corporate accountability for meeting our standards and we will be more prepared to hold these to account when things go wrong.’
Are firms ready for this sea change?
Culture and conduct risk
According to a recent Thomson Reuters study, 84% of respondents have yet to define a working corporate understanding of ‘conduct risk’. A few have taken steps to address conduct risk in their existing risk frameworks, but the wholesale cultural assessment and realignment based upon customer outcomes that the FCA requires is a demanding challenge.
Here is the FCA view:
“Firms have designed, manufactured and sold products not always with the needs and interests of their customers in mind but instead, seeing the customer as somebody to maximise profit from. This has been accentuated by a view, and it has to be said encouraged by the FSA, that disclosure at the point of sale absolves the seller from a real responsibility of ensuring that the product or service represents a good outcome for the customer. This, in turn, has led in many cases to a tick-box and overly legalistic compliance culture within firms, encouraged by what has been seen as a tick-box regulatory approach.”
The roots of these cultural behaviours seem to stem from a misalignment in risk appetite between the board and the risk functions within an organisation. Dr Roger Miles, writing for Thomson Reuters, highlights how such ‘cognitive gaps’ or ‘asymmetries’ in the understanding or perception of risk help to explain why many risk controls have historically failed, including some major systemic collapses.
Corporate leaders may view risk as a business lever – something that provides the opportunity for profit if managed correctly. Risk staff, on the other hand, tasked with limiting the organisation’s exposure to harm, tend to see risk purely in terms of threats. To these staff, risk is by its nature bad and exposure to it needs to be limited at all times. These teams are by nature highly risk averse. It is their job to lock down systems. And, in the absence of any genuine impact on employee culture, they can only control behaviour by creating rigid frameworks that limit spontaneous customer contact and let them demonstrate to regulators that they have ticked the correct boxes.
No wonder employees get confused – they can lack a consistent ethical directive to guide their behaviour and as a result are unable to maintain a focus on delivering fair customer outcomes.
Delivering a conduct risk culture in practice – A 10-step plan
So what might a cultural conduct risk initiative look like in practice? Here is a 10-step plan that I think would help deliver genuine cultural change.
1. Explore your purpose and values as an organisation and define the customer outcomes that you want to achieve within this context. You are then in a position to understand what needs to change
2. Work with leaders and risk teams on a one-to-one basis to explore their personal understanding and perceptions of risk and how this translates to behaviour in a business context
3. Work with leaders and risk teams to help them develop a clear view of the conduct risk culture to which they aspire, to create genuine alignment
4. Connect your desired business outcomes to this new model – and put protocols in place so that this mind-set is not forgotten in your future planning
5. Create behaviour change programmes that ensure leaders ‘walk the talk’ and demonstrate the change in tone from the top
6. Develop initiatives that allow safe ways to challenge poor behaviour within the business – working with leaders and employees to understand and address the barriers to speaking up
7. Examine how decisions are made in your organisation, and how this process can be safeguarded so that customer outcomes are considered at all stages and the decisions do not meet the needs of just one group
8. Work with managers to ensure that they are ready, willing and able to transmit the culture from the leadership to the wider business
9. Find new ways to incentivise and reward staff within this framework
10. Help your wider employee base to understand what this means for them. Make them feel motivated, empowered and committed to your purpose and values, delivering the right customer outcomes.
These activities should coalesce to build a purpose-led business culture that drives effective customer behaviours, protecting your organisation from regulatory breaches and penalties far more effectively than a tick-box approach to compliance.
About the author
My name is Danielle Sheerin, a senior consultant at NixonMcInnes. I would love to hear your thoughts on conduct risk and what it means to your organisation. You can contact me by email [email protected], or call me on +44 7824 557814 if you prefer.