Regulators are increasingly interested in how financial firms are managing conduct risk. Thomson Reuters’ second annual survey on conduct risk identifies the most important industry-wide trends, and is based on a global survey of more than 200 compliance and risk practitioners from financial services firms.
The report can act as a framework for firms to benchmark their own views, preparations, progress and expectations against those of their peers. Primary points of interest include:
- Eighty-one percent of firms surveyed by Thomson Reuters are unclear about what conduct risk is and how to deal with it. Thomson Reuters rather dryly points out that this lack of knowledge will make conduct risk management a major challenge for firms in 2015, and expects that significant resources will be dedicated to defining and creating action plans to manage the issue.
- A regulatory approach towards conduct risk management is relatively new; the issues really didn’t begin to gel until last year. Thomson Reuters notes that while some jurisdictions are more advanced than others when it comes to tackling conduct risk, 2014 has seen indications of the “twin peaks” of prudential and conduct regulation coordinating to reinforce the potential implications of getting conduct risk wrong.
- The survey also showed that firms are reacting to this enhanced focus by creating specific teams to address conduct risk management or by employing experts in this space across all levels of an organization.
- Sixty-seven percent of respondents said that the regulatory focus on conduct risk would increase the personal liability of senior managers.
- Boards are apparently setting the “tone from the top” of an organization but there was also evidence that the pressure was now on middle management to “adopt and turn these cultural messages into workable operating arrangements with appropriate systems and controls.” Effective corporate governance arrangements including clear reporting, adequate management information and improved training arrangements were cited as examples of this.
- Thomson Reuters noted that there is, as yet, no universally-agreed definition of conduct risk. It is the responsibility of financial services firms to define what conduct risk means in the context of their own business, and then to determine how to put in place systems and controls to manage the risks they have identified.
Five steps which Boards might wish to take to define risk and manage it appropriately were identified. These are:
- Describe: define what “good” looks like in terms of conduct risk for a particular business. And be clear that regulators do not expect any definition of conduct risk to remain static. The description of a firm’s conduct risk profile should be reviewed on a regular basis. Changes should reflect lessons learned, evolving regulatory expectations, and changes to the company’s business model and activities.
- Assess: after conduct risk issues have been defined, conduct a gap analysis to determine where current practice is at variance with where the firm wishes to be.
- Reorganization: prioritize the issues identified in the gap analysis. Determine how resources and, where needed, sponsorship from the very highest levels of the firm should be devoted to addressing these issues. (Note that once the gap analysis has been conducted, the compliance clock begins to tick. If mitigation isn’t undertaken in a reasonable amount of time, stakeholders will want to know why identified risks weren’t addressed.)
- Measure: Develop and institute ways to measure and report on the qualitative and quantitative elements that comprise the company’s concept of conduct risk.
- Evidence: All of the above activities need to be clearly evidenced, so that a transparent audit trail is available.