The concept of “conduct risk” has risen to the top of firms’ and regulators’ agendas lately. In the UK, the FCA expects conduct risk management to be embedded in firms’ risk management frameworks, supported by relevant management information (MI).
Building on the latest regulatory and supervisory expectations and our experience of what works well in practice at firms, we have identified ten principles of strong conduct risk MI that our company believes provide an intelligent basis for conduct risk MI across all financial services firms and sectors.
The 10 principles of strong conduct risk MI are:
- Linked to strategy, culture and risk management framework
- Holistic and used to support analysis of trends
- Efficient and proportionate
- Accurate and timely
- Measured and reported on at an appropriate frequency
- Comprehensible and traceable
- Supports open communication and challenge
- Acted upon and recorded
Linked to strategy, culture and risk management framework
Conduct risk MI is considered when the firm discusses its strategy, and the firm implements a process to review the conduct risk MI it collects if the strategy or business environment changes (e.g. due to the economy, developments in policy and regulation, or technology).
Conduct risks are managed with the same rigour, and given the same priority, as prudential risks.
A variety of indicators are adopted to inform senior management on how adequately the firm’s culture has been embedded. Conduct risk MI is used as part of performance appraisals and in decisions on staff remuneration and promotions, for example, as part of a balanced scorecard.
Firms go on to set conduct risk appetite statements for key risks and report MI against conduct risk appetite limits and triggers.
As part of the product governance process, firms articulate what a good outcome would most likely be for the target end client, in addition to the inherent risks of the service or product, and identify the MI they need to monitor this.
MI enables an evaluation of whether good outcomes are achieved continuously, for instance, through monitoring whether the product offers value for money, instead of just paying attention to whether poor outcomes are avoided.
Deep-dive examinations, mystery shopping, customer sales reviews, branch visits and other activities are often used to develop a picture of the service or product from the client’s perspective.
Not all conduct risk metrics must be outcomes-focused, as firms need a package of metrics to build an overall picture of conduct risk. As an example, it is still necessary to receive MI on customer satisfaction, even though, on its own, this does not necessarily show a good customer outcome.
Holistic and in support of trend analysis
Businesses use a suite of MI, based on an analysis of what is needed rather than what is readily obtainable through existing systems and processes, to ensure a combination of indicators is measured and used to identify potential problems to be investigated further. Using existing risk or control indicators may only provide a skewed view of the situation. We always encourage firms to set an ideal scenario and employ “back from the future” thinking.
MI is analysed in different ways to identify trends:
- Over a time period (consistent on a period-to-period basis) e.g. to identify increases in complaints over time for a product;
- Across products e.g. to identify products with relatively low claims ratios or low investment returns;
- Across business lines e.g. assessing breaches of conflicts of interest policies in different operations in the business; and
- Focusing on one team or individual e.g. reviewing a series of indicators from a trading desk to identify patterns.
MI reports on potential and emerging conduct risks, in addition to crystallised risks, for instance, monitoring whether a product is promoted to the target audience.
The firm thinks about the emerging conduct risks and trends from the FCA, e.g. those highlighted in the Risk Outlook, alongside lessons learned from previous mis-selling scandals or other regulatory enforcement action, and discusses whether any modifications are needed to MI and whether present MI suggests there may be problems that demand more investigation. For example, when the FCA’s Risk Outlook for 2014 highlighted that house price growth may bring about conduct issues, firms that provide mortgages should have focused on, for example, affordability and equity release loans.
The firm is starting to use analytics resources to link data and enable identification of underlying conduct risks, for instance, linking postcodes with types of mortgages sold and house price growth in the area to understand the risk of customers falling into arrears or the risk of customers being sold an unsuitable product. Many firms will already have this data for credit risk purposes.
Efficient and proportionate
The business takes a risk-based approach to reporting MI to avoid a flood of information; information that would not provide value to senior management is not included in MI.
There is a clear delineation of the purpose of conduct risk MI from other MI to eliminate duplication and overlap.
Accurate and timely
Decisions are made based on the right information, received sufficiently quickly after the relevant business activity has occurred, to enable action.
The second and third lines of defence are engaged in open conversations with the business on expectations relative to the quality and timeliness of data and what is realistic.
Internal Audit reviews the process governing how MI is collected, analysed and reported, and managers review and sense-check information on a sample basis.
Measured and reported on at an appropriate frequency
To allow proactive, as opposed to just reactive, responses, conduct risk MI is provided to senior management as part of monthly, quarterly and annual reporting (as agreed with senior management), and on an ad hoc basis e.g. where risk appetite triggers are breached.
The firm’s resources, systems and processes allow sufficient flexibility in the frequency with which MI is measured and reported; if necessary, data can be aggregated quickly.
Comprehensible and traceable
Senior management receives clear and concise MI that highlights the key messages and risks in an easily digestible format; it is possible to drill down into the information for further detail and to trace where the information originated.
Conduct risk MI includes a mix of both quantitative and qualitative analysis, which is accompanied by commentary that explains what the MI means, why any conduct risk issues have come about and how significant they are, how MI was measured (including any limitations), and the proposed actions.
Supports open communication and challenge
Senior managers examine and challenge ratings across the ‘Red Amber Green’ (RAG) rating spectrum, rather than just focusing on ‘red’ ratings, and drill down into the analysis to verify risk ratings.
Firms ensure robust thresholds to avoid just ‘green’ and ‘amber’ ratings being reported, giving a misleading sense of comfort.
Anomalous or unexpected results are challenged and verified e.g. higher-than-anticipated sales volumes in certain products, or continued successful market predictions from a certain trading desk.
Senior management openly reviews and seeks to understand weaknesses in how MI is collected and analysed.
Acted upon and recorded
Once potential, emerging and crystallised conduct risks are identified, the sources are investigated and actions are tracked and reviewed to ensure they address the risks.
Conduct risk MI includes reporting on agreed remedial action and whether the action addressed the conduct risk adequately.
An audit trail is maintained detailing how areas of concern detected within conduct risk MI have been acted upon and monitored.
If you have any queries, please call us on 0207 097 1434
Lee Werrell Chartered FCSI