Conduct Risk - is your framework compatible with the FCA's agenda?

12 June 2019

In May 2019, the Financial Conduct Authority (FCA) published its third annual report on its 5 Conduct Questions Programme. Since the programme's introduction, the FCA has observed that firms have been investing substantial efforts in change programmes related to conduct and culture, a key cross-sector priority for the FCA.

In this Insight, Sushil Kuner, a Senior Associate within our Financial Services Regulatory team, identifies the 5 Conduct Questions, providing guidance on how firms can identify the conduct risks associated with their businesses. She also highlights key aspects of the FCA's latest report, outlining examples of good and poor practices identified by the FCA during their Supervisory activities.



The FCA launched the 5 Conduct Questions Programme in 2015, initially as a Supervisory tool for the Wholesale Banking sector to help firms improve their conduct risk management and, ultimately, drive cultural change. The programme has been very successful to date, with the FCA observing that many firms have been making significant strides in improving their conduct risk frameworks.

On the basis of this success, the 5 Conduct Questions have now been incorporated into the FCA's Approach to Supervision, applying to all firms in the financial sector, wholesale or otherwise.

What are the 5 Conduct Questions?

  1. What proactive steps do you take as a firm to identify the conduct risks inherent within your business?
  2. How do you encourage the individuals who work in front, middle, back office, control and support functions to feel and be responsible for managing the conduct of their business?
  3. What support (broadly defined) does the firm put in place to enable those who work for it to improve the conduct of their business or function?
  4. How does the Board and ExCo (or appropriate senior management) gain oversight of the conduct of business within their organisation and, equally importantly, how does the Board or Exco consider the conduct implications of the strategic decisions that they make?
  5. Has the firm assessed whether there are any other activities that it undertakes that could undermine strategies put in place to improve conduct?

The first step in addressing the 5 Conduct Questions is for firms to understand what 'conduct risk' means. This is not an FCA defined term as the FCA expects firms to develop their own conduct risk definition and strategies and put in place a tailored conduct risk framework to address the specific risks that their business is exposed to.

However, at the very highest level, it is generally accepted that conduct risk means any action of a firm or an individual that has the potential to cause harm to consumers or market integrity.

How do I identify the key conduct risks associated with my business?

There are a number of conduct risk drivers stemming from firms' structures and behaviours which could create a risk of harm to consumers or market integrity. Firms that understand the drivers of conduct risk can better understand whether their conduct risk frameworks are robust enough to mitigate the risk of harm stemming from their activities or individual behaviours. We set out below some examples of key conduct risk drivers.

  • Governance - a firm which has poor governance arrangements cannot effectively identify and mitigate risks of harm caused by its business activities. For example, if a firm has many layers of management and/or committees, which receive similar and overlapping Management Information ("MI"), how does it ensure that risks identified through reporting are being addressed? Is there effective oversight in terms of how issues are being handled and by whom?
  • Conflicts of interest - do you routinely review your business models and assess whether there are any potential conflicts of interest that may be present? For example, do you have a vertically integrated business model? Do you manufacture and distribute products? Are staff incentive schemes creating conflicts of interest?
  • Systems and controls - a firm which has inadequate systems and controls cannot effectively identify risks of harm caused by its activities. MI is a key form of control and, if not designed properly, can lead to risks not being properly identified. Is senior management keeping the design of MI under regular review and ensuring that it continues to be fit for purpose in highlighting risk areas? Training is another important form of control and rather than adopting a tick box approach, the FCA expects firms to develop training in order to embed awareness of conduct risk at all levels of the organisation. The Senior Managers and Certification Regime aims to strengthen accountability and provides firms with a great opportunity to roll out new conduct risk training programmes to all staff so that they truly understand the risks attached to their specific roles and how they should behave.
  • Business model - a firm's business model can itself be a driver for conduct risk, for example in the design and delivery of products/services. Taking the example of consumers' search for yield in a low interest rate environment, this often encourages firms to try and design more complex and risky products to try to meet this demand. But that may present key conduct risks, for example, consumers not fully understanding the products to which they are signing up and the products being wholly unsuitable for them.
  • Culture - culture and governance are key recurring themes in the FCA's latest report on the 5 Conduct Questions Programme, as well as in its Business Plan for 2019/20. A key indicator of culture is the tone from the top:
    • Does senior management act in accordance with the firm's policies and procedures?
    • Does senior management still reward bad behaviour, through remuneration, for example because an employee is hitting their financial targets?
    • Is there a blame culture when things go wrong? This often discourages people from speaking up and admitting they have made a mistake, thereby preventing problems from being rectified.
    • Do people turn a blind eye to misconduct in the workplace for fear of speaking up? While firms may have great speaking up initiatives, are these truly embedded within the organisation?
    • Is there an element of indecision within the firm? Do difficult decisions tend to be put off? This could lead to long running failings at the firm not being addressed through prompt decisive action.

FCA's Key Findings in its Third Annual 5 Conduct Questions Report

The FCA's latest report covers supervisory activity and discussions with a sample of approximately 50 firms in the Wholesale sector but the content of the report is relevant for all firms in the financial sector. It builds on the previous two annual reports which we do not cover here in detail, but overall, since its launch, firms in the Wholesale sector have made significant strides in improving their policies, processes, training and identification of conduct risk through this programme.

Early firm initiatives concentrated on process flows and bad behaviour, leading to the creation of new policies and procedures, new training programmes and the use of technology for better surveillance. The FCA's recent report highlights that the previous emphasis was on avoiding preventable breaches, addressing conflicts of interest and designing MI to help identify weaknesses. This work was often led by functions such as Compliance, Risk, HR and IT. While these strategies are supported by the regulator, the FCA is keen now for firms to consider conduct in its widest sense.

The FCA has observed firms implementing two or three year programmes that focus narrowly on regulatory adherence and avoiding rule breaches. It considers that this leads to conduct being narrowly defined and treated like a 'tripwire', with staff being more likely to respond with fear than forward-looking enthusiasm.

In contrast, firms integrating conduct with longer-term corporate goals and framing it as a component of a broader strategic effort are more likely to foster a culture of positive behaviour and not just an environment of avoiding bad behaviour / rule breaches.

Those firms which have framed conduct as an integral part of larger corporate goals have seen positive reactions from all stakeholders. Firms embedding good behaviours across the whole organisation have benefitted from better client engagement (clients like to deal with firms they can trust) which has also benefitted shareholders. Firms investing resource into developing their Purpose and Mission statements to underpin a meaningful social impact are also more likely to engage the wider stakeholder community as well as staff, thereby securing the long-term sustainability of the business - a sense of individual purpose that aligns with corporate purpose has been demonstrated to drive superior performance.

Noticeably, the FCA has increasingly been emphasising the need for firms to focus on psychological safety in the workplace, whistleblowing, as well as non-financial misconduct. The FCA's view is that where there is psychological safety at work, staff are comfortable sharing concerns and mistakes without fear of embarrassment or retribution. As such, they feel comfortable that they can speak up and won't be humiliated, ignored or blamed. As well as being vigilant to the well-being of staff, firms have been encouraged to develop training on a wide range of human development skills to support psychological safety. While senior management and junior employees have benefitted from training on conduct, the FCA's view is that middle management (which is highly influential in providing day to day leadership on conduct) could benefit from more attention.

Regarding whistleblowing, the FCA reviewed whether staff could use firms' whistleblowing processes without fear of identification and reprisal. The FCA noted that, perhaps due to active promotional efforts, a greater than usual number of cases were being reported with firms being uncertain as to what a normalised volume would prove to be. The nature of the whistleblowing reports also varied significantly across firms, where similar cases handled in the normal course of business at one firm triggered a whistleblowing event at another. The FCA has concluded that the challenge for firms remains to fully embed the desired changes of mind-set across the whole organisation.

Despite this progress, the FCA is particularly concerned that the largest component of investigated cases in the whistleblowing channel were categories like 'Dignity at Work' or 'Non-Financial Misconduct', which captured bullying, favouritism, exclusion and sexual harassment. These cases seemed to be on the rise, although it is not yet clear whether this is due to more active reporting rather than a deterioration in behaviour.

The FCA is keen to understand how firms are dealing with non-financial misconduct; tolerating any form of misconduct is not indicative of a healthy culture and, if this gives rise to failures or harm, the FCA is likely to take an interest, especially where senior management is involved. Senior management positions within the financial services sector are positions of trust and the FCA expects holders of these positions to act appropriately both in and outside the workplace.

Examples of Good and Poor practices found by the FCA during Supervisory visits

In line with the FCA's 2017 5 Conduct Questions Programme and 2018 5 Conduct Questions Programme annual reports, the FCA's third annual report provides examples of good and poor practices within Wholesale firms, identified by the FCA during its Supervision activity. While these were identified within the Wholesale sector, the examples do apply to all firms in the financial services sector.

1. What proactive steps do you take as a firm to identify the conduct risks inherent within your business?

Examples of Good Practice

  • Defining conduct risk as a separate category that sits sensibly alongside other major risk types such as Credit, Counterparty, Market and Operational risks;
  • widening the working scope of conduct risk, as framing it more narrowly potentially limits both the design of efforts to identify it and the outcomes;
  • raising the profile of, and actively promoting, competition concerns as a business as usual consideration where firms have a large market share;
  • taking action to reduce the conduct risk challenges from staff using smartphones and social media by creating short breaks and safe locations to step out and log on or connect;
  • assessing the impact and harm of potential events from the customer's point of view;
  • formalising a bottom-up approach as a monthly exercise for each key business unit;
  • introducing approaches that immediately feed newly identified risks or crystallised risk into the delivery of targeted training; and / or
  • clearly interweaving conduct topics with business discussions, rather than relegate them to more narrowly focused discussions in, for example, Operational Risk Committees.

Examples of Poor Practice

  • Firms showing little impetus to identify new risks through forward-looking proactive efforts;
  • reliance on a largely top-down approach where key risks are not comprehensively apparent or captured;
  • investing a lot of effort into identification exercises but then underinvesting in the steps to take action on the risks identified;
  • difficulties differentiating conduct risk from operational risk, with the result that business line ownership of conduct risk is weak;
  • support services and second line of defence units not conferring with each other; and / or
  • firms approaching conduct risk in a diffused way instead of defining it as a category.

2. How do you encourage the individuals who work in front, middle, back office, control and support functions to feel and be responsible for managing the conduct of their business?

Examples of Good Practice

  • Holding CEO-led town hall sessions on conduct;
  • holding smaller town hall events hosted by desk or area heads, reflecting the fact that staff listen carefully to their more immediate line managers who are also able to actually observe their day-to-day behaviour;
  • carefully planning town hall sessions to ensure more junior staff and their management do not attend together in an effort to encourage discussion; and / or
  • openly communicating with staff the mistakes made by the firm in the past year, and inviting the staff to a session to discuss how those mistakes had happened and make sure they couldn't happen again.

Examples of Poor Practice

  • Senior executives promoting the general importance of the firm's conduct messages without explaining what any of those messages were;
  • issues being escalated too rapidly, which risked bypassing key individuals who may be more directly accountable for managing and resolving the problem; and / or
  • undermining programme objectives by not ensuring that Desk Heads and other more senior managers attend open session Conduct Risk Forum meetings.

3. What support (broadly defined) does the firm put in place to enable those who work for it to improve the conduct of their business or function?

Examples of Good Practice

  • Framing risk appetite statements as a series of expectations of staff and developing metrics around those desired outcomes;
  • positive framing of key initiatives by strongly emphasising openness, transparency, accessibility and safety;
  • reframing initiatives to focus more on rewarding efforts such as identifying and resolving policy deficiencies, rather than solely punishing breaches as they happen;
  • repositioning 'zero tolerance for conduct risk' culture (which can make staff fearful and reluctant to disclose problems) as 'zero tolerance for unmanaged conduct risk' where staff are encouraged to be alert and respond to conduct risks;
  • participating in industry-led initiatives to address conduct issues;
  • looking beyond firms' own boundaries to assess conduct standards and risks from clients, counterparties, outsourced service providers and others;
  • not looking the other way if a client mistreats a member of the firm's staff;
  • introducing a reverse mentoring programme where staff significantly more junior than an executive meet regularly to share feedback;
  • introducing a one-off, tailored internal survey to assess conduct and culture and prevailing views among staff rather than use a more wide-ranging annual staff survey;
  • introducing a specific communication programme around disciplinary outcomes to provide transparency on how the firm decided and applied them;
  • specifically analysing the potential conduct risk in examining, preparing and implementing changes from EU withdrawal;
  • shifting beyond gender-based diversity by raising the importance of other aspects, such as race, educational background, economic background and other skills or experience; and / or
  • going beyond simply encouraging people to speak up by providing them with specific tools and training on how to raise a challenge with more senior staff. Correspondingly, providing related training for senior staff on how to receive and deal with a challenge.

Training

  • Building a library of 'grey issue' scenarios for use across a wide range of businesses;
  • using notes from 'grey area' discussions to tailor additional targeted training and consider where revised policy and procedures may be helpful;
  • employing professional actors to role-play risk scenarios; and / or
  • extension of training to include the recruitment process to ensure that training includes conduct and behaviour assessments so that they are carried out consistently across all businesses.

Examples of Poor Practice

  • Weighty, complex, centrally-led committees and programme management infrastructure - sometimes leading to fractured accountability in the firm, noticeably slower or stifled progress and less ability to summarise its position and progress.

4. How does the Board and ExCo (or appropriate senior management) gain oversight of the conduct of business within their organisation and, equally importantly, how does the Board or Exco consider the conduct implications of the strategic decisions that they make?

Examples of Good Practice

  • Greater investment in data design, creation, aggregation and trend analysis leading to the creation of dashboards and MI that Managers and Boards can use to steer more effectively;
  • MI growing in depth and scope;
  • key risk indicators enabling firms to strengthen and reinforce more positive conduct and behaviours;
  • development of more focused and streamlined processes to collate and aggregate perceived risks, which are useful for management oversight;
  • introduction of a semi-formal 'Shadow Executive Committee' comprised of staff several levels below the actual Exco;
  • providing clear evidence that conduct risk is a key component of the review of strategic business initiatives, including business expansion (e.g. through committee papers and minutes);
  • evidence of challenge of new product approvals; and / or
  • better use of customer feedback which, while not a complaint, can alert firms to potential problems.

Examples of Poor Practice

  • Key risk indicators being inwardly focused on misbehaviour, rule breaches or policy compliance.

5. Has the firm assessed whether there are any other activities that it undertakes that could undermine strategies put in place to improve conduct?

Examples of Good Practice

  • Horizon-scanning being formally included within strategic business planning, there being formal tipping point analysis for risks that appear to be growing;
  • new working groups being established to specifically address Question 5 and the conduct issues from new or evolving products or other business initiatives such as an acquisition; and / or
  • senior and middle-level executives actively participating in industry-wide initiatives. Engagement with industry peers acts as both a source and a delivery channel of progressive views.

Examples of Poor Practice

  • No periodic horizon-scanning for the firm as a whole involving business representatives; and / or
  • insufficient thought being given by firms to Question 5 as a whole.

Next Steps

If you are creating or reviewing the conduct risk framework within your firm, and would like a review or assistance, please contact us to discuss whether and to what extent you are capturing the key conduct risks relevant to your business.

