Time to test your conduct risk management framework

In the wake of the financial crisis the FCA championed the need for firms to overhaul the way they identified and managed the conduct risks inherent in their business models. Firms responded by developing programmes and making wide-ranging changes to their conduct risk frameworks in response to the FCA’s calls for rapid improvement. However, conduct risk does not remain stagnant and a firm’s conduct risk framework must therefore evolve as new conduct risks emerge and regulators’ expectations as to what “good” looks like continue to evolve. This note will help those charged with oversight and/or development of conduct risk management frameworks test whether their existing framework is still fit for purpose. 

Key elements of an effective conduct risk framework

We set out below the key issues firms ought to consider when testing the effectiveness of their conduct risk framework and some of the key questions to be asking.

Ownership

  • Is it clear who owns the overall conduct risk framework and what their responsibilities extend to (e.g. setting common standards, ensuring appropriate processes are in place for conduct risk management and providing advice on appropriate implementation)?
  • Are the responsibilities of the first line for implementation of the conduct risk framework clearly defined? How are those responsibilities communicated to them?
  • Are responsibilities for conduct risk management written into relevant job descriptions and role profiles?
  • Is it clear who is the accountable senior manager for conduct risks arising in any given business area/function? Are there areas of potential overlap (e.g. between business lines and support functions such as IT)? If so, is there clarity as to who is responsible for what?

Governance

  • Are there appropriate escalation processes in place for conduct-related issues to be considered and addressed by the right individuals and in a timely manner?
  • Are conduct risk issues escalated to governance forums with appropriate authority and decision-making power?
  • Do governance materials reflect consideration of the impact business decisions may have on the customer/client experience?
  • Do minutes of meetings reflect balanced discussion in relation to conduct issues more generally?

Management information

  • Is conduct risk MI considered by the appropriate individuals with decision-making responsibility and authority to make changes as risks evolve?
  • Are there appropriate justifications for tolerances set for MI reporting? Where tolerances have been set by reference to historical trends, has the firm independently considered whether these tolerances remain acceptable to the business?
  • Do any of the firm’s underlying conduct risk metrics measure customer/client outcomes? If not, why not?
  • Is MI supported by appropriate commentary where relevant?
  • Do Senior Management have an awareness/understanding of how MI has been compiled?

Controls

  • Is there a defined process in place for identifying the conduct risks to which individual business units are exposed? Does this process involve a sufficient mix of business-led experience with second-line support and oversight?
  • How does the firm ensure a level of consistency in the controls applicable across its business, whilst also allowing individual business units to put in place different controls to mitigate particular conduct risks unique to them?
  • Is control effectiveness tested on a regular basis? What level of challenge is provided over the assessment of control effectiveness?
  • What systems are used to record the process of conduct risk identification, mitigation and effectiveness reviews? Are these systems adequate to easily identify specific controls within specific business units and the individuals with ultimate responsibility for those controls?

Culture and incentives

  • Does the firm have a documented approach to ensuring a culture of conduct risk awareness?
  • Does the firm issue regular communications to staff about the importance of effective conduct risk management? Are these communications from a cross section of senior individuals at the firm? Do they call out examples of good and poor conduct risk management practices?
  • Are there processes in place for the escalation of concerns relating to conduct risk management practices?
  • Is the firm’s incentive model consistent with the conduct outcomes it is seeking to achieve?
  • Are incentive models regularly reviewed to ensure they do not incentivise poor conduct or lead to poor outcomes for customers or clients?

Training

  • Is tailored training on conduct risk management provided across all levels of the firm, including back office, IT and support functions?
  • Does the training enable discussion and discovery between teams as to those conduct risks that may arise in their day-to-day activities? Does the training provide real-life scenarios/examples of how conduct risks may crystallise?

Lessons learned

  • Where conduct risks are not managed appropriately, does the firm identify the root cause(s) of the issue?
  • Are assessments undertaken of potential read across to other areas of the firm?
  • Are processes in place for lessons learned and cascading of changes to a firm’s conduct risk framework in light of identified failings?

Record keeping

  • Can the firm evidence that conduct risk is appropriately embedded across all areas of its business?
  • Is there appropriate version control in place to enable third parties (including regulators) to track how policies, procedures, controls, risk owners, training materials etc. have evolved over time?

How we can help

We regularly advise firms on their approach to conduct risk management, both in the context of advising on a firm’s framework for management of conduct risks and in relation to crystallised events. We draw on our contentious regulatory experience in advising firms on how to avoid pitfalls with conduct risk management and the issues that the FCA are likely to focus on. We can assist firms in understanding and aligning themselves with regulatory expectations, supporting senior management teams as they consider the effectiveness of their conduct risk framework and providing external assurance and benchmarking against peer firms.

To find out more, please contact one of the key contacts.