Conduct Risk Management – The Essential Ingredients
What are the essential ingredients of a framework designed to ensure that a financial services institution manages its conduct risks appropriately?
First of all one needs to clearly define what we mean by conduct risk. I see it as the risk of inappropriate behaviour in relation to not only customers, but also other key stakeholders. These obviously include the regulator but also employees, providers of funding, investors, politicians and the media.
The process for defining what is expected needs to be dynamic given changing perspectives.
The framework needs an owner. I believe the CRO has a key role to play. Whilst the business should play a role, do they really have the necessary skills to push framework construction forward?
We need to allocate responsibility for understanding what drives conduct in our organisation. Money is not the only driver!
The organisation then has to work out exactly what good conduct should look like in relation to all of its customers and stakeholders. Somebody needs to be on the hook for building a set of objectively measurable policies and procedures.
A little training would help. I would argue that HR has a role to play in commissioning the design of training that explains what is required and is delivered in a user-friendly format.
The training needs to explain the “client journey” in a way that captures not only the logical part of the brain but also the heart.
In terms of measurement, I would expect operational risk, HR and compliance to sort out who is measuring compliance with policies and procedures as well as ultimate outcomes.
In my experience, nobody does anything without consequences. Hopefully the consequences framework uses positive as well as negative stimuli to promote appropriate behaviour. Just clawing back bonuses or threatening dire actions will only promote a culture of fear.
Finally, we need to have some governance around our framework. A Conduct Risk Committee with representation from the CEO, business leaders, risk managers and internal audit would certainly help.
Does any organisation have this holistic framework in place?