Date post: | 08-Feb-2018 |
Upload: | lee-werrell |
7/22/2019 Creating Your Conduct Risk Framework
http://slidepdf.com/reader/full/creating-your-conduct-risk-framework 1/22
Conduct Risk in Financial Services
To help you stay on track for regulatory success
By Lee Werrell Chartered FCSI FISMM
Disclaimer
© Lee Werrell 2014 All rights reserved.
1st Edition
Publisher: Lee Werrell
The Publisher and/or author has strived to be as accurate and complete as possible in the creation of this publication, notwithstanding the fact that he does not warrant or represent at any time that the contents within are accurate due to the rapidly
changing nature of the Internet.
While all attempts have been made to verify information provided in this publication, the Publisher and/or author assumes no
responsibility for errors, omissions, or contrary interpretation of the subject matter herein. Any perceived slights of specific persons,
peoples, or organisations are unintentional.
This book is not intended for use as a source of legal, business, regulatory compliance, accounting or financial advice. All readers are
advised to seek services of competent professionals in legal, business, regulatory compliance, accounting, and finance field. While
examples of past results may be used occasionally in this work, they are intended to be for example purposes only. No representation is
made or implied that the reader will do as well from using the suggested techniques, strategies, methods, systems, or ideas.
The Publisher and/or author does not assume any responsibility or liability whatsoever for what you choose to do with this
information. Use your own judgment. This material is based on UK regulatory guidance at the time of publication and may apply to
worldwide applications but this will be subject to your own judgement.
Any perceived slight of specific people or organisations, and any resemblance to characters living, dead or otherwise, real or fictitious, is
purely unintentional.
In practical advice books, like anything else in life, there are no guarantees of income made. Readers are cautioned to rely on their own
judgment about their individual circumstances and to act accordingly.
ALL RIGHTS ARE RESERVED. No part of this book may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording or by any informational storage or retrieval systems without express written
permission from the publisher.
This EBook is intended to be printed on acid free paper
Printed in the UK with World-wide rights attached
Facebook: https://www.facebook.com/Lee.Werrell.EBooks
Facebook: https://www.facebook.com/ComplianceConsultant
LinkedIn: uk.linkedin.com/leewerrell
@leewerrell
@complianceconst
Conduct Risk: How To Build An Effective Framework
Conduct Risk is the buzz phrase in the financial services world today. The recruitment
job boards and recruiters' offices abound with titles such as "Conduct Risk Manager" or
"Head of Conduct Risk", but very few seem to know precisely what this involves.
There is obviously a great deal of information available, including reasons for failure and
fines, that points you in the right direction. However, try entering a Boolean search
(containing the search term in inverted commas) for "Conduct Risk" into the handbook
search box and you will find that it is not specifically defined in the regulator's handbook,
and nothing can be found between “COND” and “conflicts of interest policy” in the Glossary.
From the various speeches and publications, a number of focus areas become evident,
including:
Aligning business models to fair treatment of customers
Complaints handling
Product development and governance
Product Intervention
Remuneration and reward policies
Financial Promotion withdrawal and prohibition
Conflicts of interest
Incentives
Wholesale
Business Continuity
On January 24th 2014 Mark Carney, Governor of the Bank of England told bankers at a
meeting in Davos that conduct is replacing capital as the key risk facing the industry.
After progressing in building up their capital buffers against potential shocks since the
financial crisis, firms need to improve their behaviour to regain public trust, Carney said.
Firms are still battling with the damage to their reputations caused five years ago by the
collapse of Lehman Brothers Holdings, interest rate swaps mis-selling and more recently
the rigging of the London interbank offered rate and the alleged manipulation of
key benchmarks in the foreign-exchange market.
Carney, who is also chairman of the Financial Stability Board, echoed his private remarks at
a speech at the annual meeting of the World Economic Forum, in which he urged banks to
seriously change their behaviour.
“Banks must recognise that only exemplary behaviour can confer social license to global
financial capitalism,” Carney said. “For the system to operate with integrity, penalties for
misconduct cannot be seen as a cost of doing business.”
Conduct risk is not new and stems from not only the scandals and mis-selling debacles but is
rooted in the Treating Customers Fairly (TCF) initiatives and echoed throughout the rules in
COBS, MCOBS and ICOBS. It would appear that the definition of the term is excluded within
the FCA handbook and glossary purposely to make it a reflective and subjective term
defined by each company.
Added to this is the complexity of RDR, effective from 31 December 2012, which made
significant and fundamental changes to, and impacted the business models within, the
investment advice market. Add to this the additional work of implementing MIFID II, as well
as a new regulator with a more intrusive supervisory stance, and there are bound to be a great
many elements that firms are unaware of and that will undoubtedly catch them out whenever
they are visited or complete "online" or "telephone" assessments. Also, don’t forget, the
previous regulator’s ARROW is replaced with the Firm Systematic Framework (FSF) with the
aim of focussing the assessment on how firms manage the risks they create, and identifying the
root causes of what leads to these risks.
The changes brought about by the new regulator are:

| FSA: Rules/Principles Based – Reactive/Passive | FCA: Judgements & Outcomes Based – Intensive/Intrusive |
| --- | --- |
| Judgement/opinion on adequacy of controls | Judgement about senior management decision making process |
| Firms decided best method to achieve outcomes (TCF) | Regulator intervenes to ensure firms take action for required outcomes |
| Focussed on processes and procedures | Focus on Governance, Outcomes & Behaviour |
| Management responsible for identifying and developing controls for risk | Regulator will proactively identify risks and act to prevent crystallisation |
| Senior Management to demonstrate adequate systems and controls implementation | Greater emphasis on systems and controls to demonstrate Governance, Outcomes & Behaviour |
| Defined actions from risks | Evidence of risk identification, measurement and decision making process |

Recently the FCA asked 26 life insurers and advisory firms to provide information about
their service or distribution agreements; in total it received and reviewed 80 agreements.
The FCA’s findings included huge potential issues regarding undisclosed conflicts of interest,
incentives and a number of joint ventures that could lead to biased advice and undisclosed
costs.
Alongside the review, proposed guidance has been published to help firms further
understand how they should act. The guidance explains why the FCA thinks certain
payments between providers and advisers may cause conflicts of interest and also gives
some helpful examples of good and bad practice. This includes how advisory firms might
want to deal with conflicts caused by providers paying for IT development and maintenance,
staff training, conferences and seminars, hospitality, research and promotional activities.
Clive Adamson, the FCA’s director of supervision, commenting on the findings, said:
“The changes we made to the retail investment advice sector were
designed to mark a step change in the way advice was given. It
signalled the end of advice that might be influenced by the
commission payments made by product providers to advisory firms,
and the start of a new era of trust and transparency between a firm
and its customers. The findings of this review reveal that the actions
of some firms have the effect of undermining the objectives of the
RDR.
“Most of the firms involved in the review have already made changes,
which are welcome, but we want all firms in this market to review
and, if necessary, revise their existing arrangements. We will revisit
this area in the future to check that the necessary improvements
have been made.”
Full details can be found here: http://www.fca.org.uk/news/life-insurance-and-advisory-firms-undermining-the-objectives-of-the-rdr
Confusion reigns
According to the Thomson Reuters Conduct Risk Report of 2013 (published January 2014),
200 firms from major nations, in response to an increasing volume of regulatory change,
demands and priorities, admitted to placing increased importance on what they believe to
be “Conduct Risk” while simultaneously working to identify and clarify what the concept
means for their specific organisations.
The survey questioned 200 compliance and risk practitioners from financial services firms across
the Americas, Europe, Africa, Asia, Australia and the Middle East (and from across the
financial services sector including banks, insurers and fund managers) to find their views on
how the industry is defining and dealing with conduct risk.
What is Conduct Risk?
Since the 2008 worldwide banking crisis, many regulators have been working to impose and
articulate their view and requirement to put policies in place to improve the behaviour of risk management within firms.
Although there is no specific or universal definition of conduct risk, it is generally agreed
that the concept encompasses the risks associated with the way in which a firm and its staff
conduct themselves translated into fair customer outcomes. It should incorporate matters
such as intrinsic culture, tone from the top, robust governance, how customers are treated
(TCF?), remuneration of staff and how firms deal with conflicts of interest.
The Thomson Reuters survey shows that over 84% of firms reported the absence of a clear
working definition of Conduct Risk, indicating the immaturity of the field.
Respondents were asked their views regarding what they perceived as the key components of
Conduct Risk; culture rated the most important at 76%, closely followed by corporate
governance at 74%, then by conflicts of interest and reputation, both at 86%. Remuneration
was flagged as a key component of conduct risk and a significant factor that contributes to a
firm's culture.
Addressing Conduct Risks
It is clear that the majority of firms around the world have started to address conduct risk,
and most of the changes have been implemented in the last 12 months, indicating that firms'
awareness of conduct risk is growing. This is also evidence of the emphasis which
regulators are placing on corporate culture and the response across the industry toward
consumer protection.
The financial crisis of 2008 also created a greater focus on remuneration and incentive
practices and these have become increasingly controversial. A recent fine for Lloyds Bank
showed the flawed “commission” or “bonus” culture that was prevalent in yesteryear
financial services sales. This bore out a recent review conducted by the UK Financial Conduct
Authority, which found that sales rewards and incentive schemes were likely to have exacerbated
the risk of poor sales practice. 66% of surveyed firms said that they had reviewed their
approach to incentives since 2008, the majority in the last 12 months. Just over half of firms
had made changes to their remuneration policy with a third of them in the last 12 months
and a further 10% plan to make changes in the next 12 months.
So how do you prove "Conduct Risk" to a satisfactory level in the UK?
Firstly you have to understand where conduct risk falls within your organisation and, in
conjunction with the FCA Risk Outlook 2013, create an idea of where your risks may lie.
The majority of these risks can fall under the Operational Risk umbrella, which a few
consultancies can assist you with. You don’t necessarily need expensive software for most
modest-sized firms, but you need to know how you arrive at the findings and, more
importantly, what you do about them. If you look in the handbook SYSC, you will see that
Operational Risk would seem to apply to insurers (SYSC 13) and it could be easy to overlook
SYSC 7. SYSC 7.1.2 R states "A common platform firm must establish, implement and
maintain adequate risk management policies and procedures, including effective procedures
for risk assessment, which identify the risks relating to the firm's activities, processes and
systems, and where appropriate, set the level of risk tolerated by the firm." This effectively
means that all risks apply to every firm; the three types are Credit Risk, Business or Market
Risk and Operational Risk.
Operational Risk is widely accepted to be the Basel II definition that states that operational
risk is “the risk of loss resulting from inadequate or failed internal processes, people and
systems, or from external events.”
Identifying them is only the start, as you then have to agree how best to measure them,
which creates a real challenge and considerable work for most firms who do not normally
deal in this area. Within the three main areas of conduct risk impact (Inherent, Structures &
Behaviours, and Environmental) there are a great many areas that can be measured. Within
the first two areas a degree of qualitative and quantitative data already exists, but much of
it is overlooked or unreported in most firms.
A Conduct Risk Framework will help in identifying the elements and areas impacted. From
this, adequate and proportionate measurements can be made for reporting. Overlaid with a
rationally decided appetite, the data can provide an exception report for Senior
Management to consider.
The three phases of good management are definition and measurement, management,
and then activity. Running any business is typically conducted this way, but the skill of
management is actually created and enhanced as a result or product of the activity;
therefore there is no definitive answer on how best to manage. The key to these phases is
providing accurate and usable data to the second phase. Unfortunately many people, when
defining the Management Information, do this the wrong way round.
To assist Compliance professionals in their job and assist in the planning of their
responsibilities, get your copy of our “Compliance Managers Guidebook and Reference”
from http://www.complianceconsultant.org/guide/
Conduct Risk: Understanding the Aims
The FCA's main aim in relation to the initiative of Conduct Risk is to ensure that firms do the
right thing for their customers whilst keeping them and the integrity of the markets in which
they operate at the heart of everything that they do. Whereas Treating Customers Fairly
was essentially viewed as common sense and good business practice, this was partly its
downfall and created with it a certain impotence. Conduct Risk is looking at fair customer
outcomes in all activities including extremely remote treasury transactions or outsourcing
processes, through regulatory engagement and even ensuring that the root cause analyses
of complaints are assessed for conduct risk objectives.
Although many firms will say that they always consider the best outcomes for their
customers, in reality and on closer inspection most processes are in place to protect the firm
or deflect any criticism or complaint from customers.
Many processes are designed to reflect the smoothest and most efficient running of the firm
in providing its products or services to the customers on an initial and ongoing basis, but is it
seeking to be fair to customers? Does the firm have an obligation to manage its costs and
reduce the overheads of its operation to become slicker and faster in the general
operation? This would then increase the profit: should this be shared or used to keep
customer fees down, invested in better technology, or perhaps just used to swell the coffers of the
firm? After all, surely the fundamental of any corporate social responsibility for any firm is
to make sufficient profits to sustain their activity for the good of the community as well as
all their customers, stakeholders and employees?
Obviously it is clear that firms should seek to promote good behaviour across all aspects of
their organisation and to develop a culture in which it is clear that there is no room for
misconduct. Although TCF has long been part of the retail regulatory framework it is vital
that Conduct Risk should not be seen as merely an extension of this.
As mentioned above, there appears to be a commonly held misconception that Conduct
Risk is only a retail issue. The FCA is just as interested in the roles that wholesale conduct
and prudential standards play in underpinning the integrity of the markets. This keeps
alignment with its objective to protect and enhance the integrity of the UK's financial
services. It therefore expects both wholesale and retail firms to have properly functioning
Conduct Risk policies and procedures in place.
Wholesale and commercial activity can obviously impact the customer by the firm taking
excessive haircuts on the monies borrowed on the market to be lent out on mortgages or
using the same provider all the time because of a long standing relationship or habit without
any diligent justification of that relationship. It all comes down to getting value for money
for the customers.
How does RDR fit in with Conduct Risk?
Removing the potential distortion of the advice that consumers received, caused by the
complexity of commission rates and payments, was the cornerstone of the Retail
Distribution Review (RDR). Originally set as an objective by the regulator back in 2006, the
dual purpose was to wipe out any influence towards inappropriate advice from the payment of
commission and to ensure that providers competed on the price and quality of their
products, including investment expertise, and did not taint the advice with additional
supplements or enhancements to their generous commission percentages.
Various schemes were dreamed up by some providers who sought to channel business to
particular providers by setting up service or distribution agreements, and thus ultimately
affect or influence the advice the consumers received.
To establish a view and test the potential issues, the FCA wrote to a sample of 8- firms,
including insurers, advisory and investment firms, and asked them to provide their top five
distribution agreements, which they then scrutinised very closely.
Their findings were that there was a poor management culture in some firms and some
advisory firms were “incentivised” to promote some particular products or services, thereby
creating the risk of a personal recommendation being weighted towards whatever drives the
firm’s commercial benefit, rather than considering the best interest of the consumer; a
flagrant breach of the RDR rules.
Additionally this review highlighted the poor and inaccurate systems and controls that were
in place. In some there was minimal conflicts of interest management or disclosure.
Providers and advisory firms sometimes set up joint ventures and further work uncovered
huge concerns about these. Appearing predominantly to channel money to advisory firms to
secure the effective distribution, these arrangements obviously had the potential to
influence any advice dispensed by the firm’s advisers.
The result was the issuing of the document “GC13/5 Inducements and Conflicts of Interest
Guidance”, which explained the importance of, and the regulator's expectation that, all
regulated firms undertake their business practices aligned to the FCA’s 11
Principles of Business. Specifically, Principle 8, Conflict of Interest, requires firms to manage
conflicts of interest fairly, and in accordance with SYSC 10.
The report findings show that firms ran a very real risk of breaching Principle 8 and the
inducement rules, and so, once a firm has identified an actual or potential conflict, it must
implement, maintain and operate effective organisational arrangements and take
reasonable steps to prevent any recurrence or future conflicts of interest.
Firms were expected by October 2013 to review and if necessary revise their existing
distribution arrangements in order to prevent undermining the objectives of the RDR.
One of the major risks identified in the Conduct Risk initiative is the identification and
management of conflicts of interest, which needs to be broken down across the following
topics:
How identification and control of any conflicts of interest are documented.
This involves having an effective and well articulated risk framework and controls on
research spending, with correct governance in place that is clearly documented.
Additionally there will need to be joint Compliance and Ops monitoring and reporting, and
this will in itself require effective design of Management Information (MI).
How firms manage the purchase of research and trade execution services on customers’
behalf.
This obviously involves accurate due diligence and investment governance, including what
services are to be paid for by whom.
How firms manage gifts and entertainment.
Again, this involves having an effective and well articulated risk framework and controls,
coupled with robust governance around the frequency and value being correctly
documented.
Ensuring customers have fair access to all suitable investment opportunities.
This will involve accurate due diligence and investment governance.
How firms manage personal account dealing by all employees.
This will involve accurate monitoring and fair application to all staff.
How trading firms allocate the cost of errors between themselves and customers.
This is a further need to have an effective and well articulated risk and controls framework,
with reliance on contractual limitations being correctly and fairly documented.
The regulator will be following up on this work and the fallout from the previous findings
will create the expectation that firms have acted on the consultation guidance and
additional publications. Firms who fail to act could very well be subjected to further action.
Conduct Risk: Regulatory Expectations
Sometimes it is easier to see what shouldn’t be continued, to understand the antithesis and
start your planning. In this regard the FCA has emphasised that it expects firms to move
away from certain behaviours, such as:
prioritising profits over ethics and commercial interests over consumer interests;
the still prevalent tick box and overly legalistic approach to compliance;
as an extension of the former, only complying with the letter instead of including
the spirit of laws and regulations;
effectively removing caveat emptor for firms who still consider that disclosure at
the point of sale absolves the seller from all responsibility of ensuring that a
product or service represents a good outcome for the customer.
Unnecessarily complex products may lead to excessive prices for consumers or reduced
access to financial services. The FCA will act where:
There are unfair obstacles to consumers’ ability to enter or exit a product due to
consumers’ changing needs or environmental conditions.
In responding to environmental or changing business conditions, firms adopt
strategies that support their own interests but which may not be in the long-term
interests of their customers.
Firms are over-exploiting their existing customer base due to limited new
business.
Firms are developing complex, opaque and over-priced products that are not in
the long-term interests of consumers and are difficult to compare.
Consumers are not fully aware of their financial needs and what products or
product features would adequately serve these needs.
Consumers do not have access to products that meet real needs within regulated
markets, due to a lack of competition and resulting shortfall in product
availability and innovation.
There is a key element to all this that firms may not be realising, and that is that when assessing
Conduct Risk the FCA will not only consider a firm's approach to such matters, but will also
want to see evidence of the board being fully engaged with these issues. An example of this
could be that the regulator would look to see whether the board of a firm probes high
return products or services and the extent to which the board monitors whether products
are being sold to the markets that they were designed for. This is likely to represent a
significant cultural shift for some firms and accordingly it is important to ensure that this
change in the regulatory environment is taken into account when designing a firm's Conduct
Risk framework.
In addition, the FCA has made clear that it intends to hold senior management to account for
Conduct Risk failings and accordingly a strong Conduct Risk framework is an important tool in
protecting senior management from such liability.
How will the FCA hold Senior Management to account?
Quite simply by using the recently introduced attestations that are actively sought by the
FCA from management of usually the most senior roles.
What is the FCA achieving with Attestations?
The FCA has declared that attestations are key elements of the new Firm Systematic
Framework (FSF) replacement of the ARROW visits. This shift of emphasis may be
overlooked or even dismissed by the foolhardy as seemingly light-touch verification, but it is
designed with the aim of confirming how firms assess and manage the risks
they create, and how they identify the root causes that lead to these risks.
FSF assessment modules will be completed through a series of interviews between
supervisors and the firm to look at specific processes and areas considered to
be high risk. This is in contrast to detailed testing, which the FCA has clarified will not be used
unless it is the only way to assess a particular risk. The FCA will look to prioritise actions, with the
intended outcome being that firms will have fewer Risk Mitigation Programme (RMP)
points than at present.
A shift of responsibility away from the regulator and directly onto firm’s senior management
to do their own monitoring on some of the less important points and then to self-attest that
they have been addressed will be achieved by the use of section 166 skilled persons’
reports, internal audit reviews and non-executive director reports.
The emphasis on accountability and personal responsibility has been echoed in recent
speeches both from FCA CEO Martin Wheatley and Tracey McDermott, the FCA director of
enforcement:
“You will probably already have seen an increasing emphasis from our supervisors on
getting senior management to attest where remedial action is being taken, and asking
questions about exactly who is responsible for what. This is all part of focusing our attention
– and yours – on the responsibility and accountability of senior management. And this is an
area where you can expect to see more in the coming months and years.”
Needing to “Up its game” the FCA has purposely adopted the attestation approach to senior
management accountability as a direct result of the failure of the FSA to do so in the last 5
years. It also reflects the FCA’s determination in making judgement-based decisions on
matters of individual conduct. New requirements to have a specific and identifiable, suitably
senior individual responsible for the satisfactory completion of the work is not only a
powerful motivation factor for the senior manager but adds personal accountability to the
change. The FCA will expect this individual to attest to any change completion or more
generally to the adequacy of relevant controls.
Conduct Risk: The Challenge of Constructing a Framework
It is impossible not to have noticed that recently there have been many examples of failures
to deliver fair customer outcomes, resulting in potential detriment and redress, regulatory
intervention and fines, and ultimately reputational damage for the firms involved.
According to the regulator, at the heart of recent failures were a number of common
factors:
Unclear governance structures and unclear or poorly defined risk appetite without
supporting conduct risk metrics or tolerances.
Lack of clarity around roles and responsibilities across the 3 lines of defence (3LoD),
resulting in:
– Lack of robust outcomes testing in the first line of defence.
– 2nd line assurance often undertaking 1st line activity.
– Lack of skills and capability.
Metrics without clearly defined tolerances or clear audit trail back to source data.
Addressing issues proactively.
A culture that does not put the customer at the heart of the business, resulting in:
– A lack of understanding of the required behaviours across the firm.
– Not undertaking robust root cause analysis and addressing issues proactively.
Poorly defined measures of performance in terms of the delivery of customer
outcomes.
Lack of organisational focus on target market and the design of products.
Inadequate skills, knowledge and experience within senior management teams.
Singularly or, more often, a combination of the above factors has represented potential
weaknesses in a firm’s framework for the efficient and effective management of Conduct
Risk.
To implement a well-defined Conduct Risk framework, the firm must articulate the
components they have in place to manage Conduct Risk. There must be clear linkage
between the components and how they interact with each other, who is responsible for
each element and absolute clarity on how the three lines of defence model will operate.
The first thing is for a firm to evaluate their own risk profile
Most firms have grown organically over the years and, in the last twenty-five years,
have been shaped by market conditions as well as domestic and EU regulatory change.
The almost constant adding and taking away has led to legacy blind spots where the
processes and procedures may work well from a regulatory perspective but have not been
tested or indeed measured as a whole to provide an overlay of consumer protection (what
all regulation professes to champion), with something like Conduct Risk.
Firms need to honestly consider their true risk exposures and not shy away from identified
risks. Calling risks events, incidents or exposures, without accepting that the risks are
present is self-defeating and pointless, providing a false platform or base line from which to
work.
Customer segmentation, outsourcing, suppliers, sales, marketing, client service and
internal processing need to be understood in the context of their business, their specific
market, and a candid appraisal of their cultural and behavioural indicators.
Peter Drucker said "What gets measured, gets managed" and circumstantial conditions can
often lead to unintended risk exposures. Ignoring or side-lining risks is worse than not
knowing or monitoring, but in all cases risks can lie as dormant threats until a unique trigger
cascades into system, process or people failure. This short-sightedness leads not only to costly
remedial work, but also loss of clients, potentially irreparable reputational damage and
worse still, regulatory scrutiny and intervention.
Due to the financial crisis your firm may well have lost experienced staff, which has the result
of increasing your risk profile. Losing experience, and even whole disciplines if outsourcing
has been involved, does not create fiscal risks alone, but can easily affect the way the firm
develops new products, treats its customers, or manages its processes, all of which
amount to a failure of conduct risk.
Although in some firms Conduct Risk is lodged under Operational Risk and Operational Risk
is widely accepted to be the Basel II definition that states that operational risk is “the risk of
loss resulting from inadequate or failed internal processes, people and systems, or from
external events”, the alternative is to create Conduct Risk as an equivalent level one risk
that both provides a pillar of risk support to the firm, but also underpins and spreads across
the remaining risk pillars to affect their culture.
Raising Conduct Risk to top the firm’s priorities
Raising the profile of Conduct Risk, and ensuring that conversations are occurring at the board of
directors level as well as forming a part of senior management’s agenda and risk profiling
perspectives, can sometimes be a challenge.
There is of course a recent evolution called Operational Risk and there are still firms that try to shy
away from calling a risk by that name, for fear that the firm may consider them weak or ineffective
in their role for the risk to occur. Many people hold the belief that operational risk is not important,
especially in smaller firms, as it doesn’t really apply. “Everyone knows everyone else” is a common
argument, but everyone in Barings Bank knew Nick Leeson and he lost millions of pounds because
there were no checks, no reviews, no trend analysis; no operational risk.
The mis-selling scandals and LIBOR rate fixing scandals have shown this false belief to be just that
and critically damaging. Damaging not only in the remediation costs, but also in the regulatory
intervention costs such as S166 and Risk Mitigation programmes borne off the back of skilled
person’s reports, compounded by the reputational damage to the individual firms and the industry
as a whole.
Senior Management has to stand up and be counted among the good guys as the FCA is looking for
proactive, positive action from all of the people who are occupying these senior positions. It has
already started with the Non Executive Director vetting and regulatory visits will become more
thorough in questioning of management. It may not be easy in a big organisation to change in this
way, but the regulator is expecting them to show some robustness and intelligence and not just go
along with things as before.
SIMPLY PUT: CONDUCT RISK MUST BE A KEY RISK IN ANY ORGANISATION
Managing conduct risk is not a simple case of
issuing diktats or strengthening policies. Although these will help, it involves applying proper risk
management principles to the way that firms manage the development of their products. It needs a
fresh look at the governance around those products and services as well as the monitoring and
analysis. There also has to be new thinking around every aspect of the new paradigm of
customer-centric, outcome-driven business.
As Einstein said; “We can not solve our problems with the same level of thinking that created
them”.
Conduct Risk Appetite
The Conduct Risk Appetite should consider the full customer journey and conduct risk lifecycle, with
each of the appetite statements specific enough, so that it can be accurately measured and is not
open to misinterpretation.
Firms are traditionally taking one of two approaches to including Conduct Risk within their existing
Enterprise Risk Management Framework (ERMF):
1. Establish Conduct Risk as a Key Risk Driver (Level 1 risk), alongside Credit, Market and Operational
risk, for example; or
2. Establish Conduct Risk as a sub-risk of Operational risk.
The decision on the most appropriate approach needs to take into account the size and complexity
of the firm, but more importantly the view of the Board on how Conduct Risk fits into the overall
Enterprise Risk Management Framework (ERMF).
Irrespective of the decision around the classification of Conduct Risk, it will remain a key risk
objective with the elements of the Conduct Risk lifecycle as the Risk Dimensions (Product design,
sales process, after-sales and culture in the example below)
Threshold Conditions
The regulator’s approach to Conduct Risk is not simply a matter of making rules as the
relevant powers for their approach can be found in section 55B and Schedule 6 to the
Financial Services & Markets Act 2000.
This section deals with the threshold conditions and whenever the FCA gives or varies
permission to a firm to carry on one or more of the regulated activities, the FCA and PRA
“must ensure that the person concerned will satisfy, and continue to satisfy, in relation to all
of the regulated activities for which the person has or will have permission, the threshold
condition for which that regulator is responsible”.
Threshold Conditions are set out in an order made by the Treasury under the Act and are
important as the regulators derive their authority to consider a firm’s capacity to meet the
stated condition on an ongoing basis.
Any firm considering implementing Conduct Risk or any other risk framework needs to
understand what the Threshold Conditions cover and mean to them.
The threshold conditions deal with the following matters.
(a) Location of offices
Generally speaking, a regulated firm that is incorporated in the UK must have its head office in the
UK also.
(b) Effective supervision
Under this condition, the firm “must be capable of being effectively supervised by the FCA”. There
are a number of additional circumstances to consider, such as the complexity of the firm’s business
or products, the way in which the business is organised, the firm’s membership of a group of
companies, and the links the firm may have with other persons.
(c) Appropriate resources
The firm must have appropriate resources, as judged by the FCA, to carry on the regulated activities
that the firm carries on. Relevant considerations include the nature and scale of the business and the
skills and experience of the firm’s managers.
(d) Suitability
The condition here is that the firm “must be a fit and proper person having regard to all the
circumstances”. Considerations include:
• The nature and complexity of the business.
• Whether the firm “is complying with requirements imposed by the FCA in the
exercise of its functions, or requests made by the FCA, relating to the provision of
information to the FCA, and where [the firm] has complied or is so complying, the
manner of that compliance”.
• Whether those who manage the firm’s affairs “have adequate skills and experience
and have acted and may be expected to act with probity”.
• “Whether [the firm’s] business is being, or is to be, managed in such a way as to
ensure that its affairs will be conducted in a sound and prudent manner”.
• The need to minimise the use of the firm “for a purpose connected with financial
crime”.
(e) Business model
The firm’s strategy for business “must be suitable for a person carrying on the regulated
activities that [the firm] carries on or seeks to carry on”. In assessing the business model,
the FCA’s consideration must include:
• Whether the business model is compatible with the firm’s affairs being conducted
soundly and prudently.
• The interests of consumers.
• The integrity of the UK financial system.
It is evident that the threshold conditions give the FCA significant powers to assess the
firm’s future behaviours. If the conclusions are adverse to the firm, the FCA has the power
to vary the firm’s permissions on its own initiative, or indeed to remove permissions
altogether from the firm.
Managing Conduct Risk
To manage Conduct Risk, every individual firm must understand the risks facing it and
although these will vary from firm to firm, across the various sectors, the FCA helpfully
publishes an annual Risk Outlook which sets out how the FCA views the distribution of risks
across its regulated sector. In 2013 the FCA also published its business plan alongside Risk
Outlook. The two documents are closely linked; the business plan sets out what the FCA’s
proposed plan of action is for 2013/14 to deal with the risks described in the Risk Outlook.
It is critical that every member of senior management reads, understands and raises
discussions around the issues within the Risk Outlook and the accompanying business plan.
A firm that is unprepared when challenged by the regulator really needs to be prepared for
the potential of unwelcome and possibly “Deep Dive” review attention from them.
Conduct Risk: Building Your Framework
Fortunately, we do not have to look toward a raft of new jargon or terminology to build our
framework: many aspects of Conduct Risk resemble operational risk so closely that we can
leverage the tools of operational risk and adapt them to conduct risk management.
Risk Matrix
Within their operational risk plans (and yes, these can be developed together if you do not
already have an Enterprise Wide Risk management Scheme or Framework) firms will use the
typical risk matrix approach to prioritise and identify the risks that impact their business
areas.
A small or medium sized enterprise that is not yet ready to spend out on software to
manage its operational or Conduct Risk can purchase our “ARMS” – Analysis & Risk
Management System from http://www.complianceconsultant.org/arms/ or, if you are an
IFA, get the “IFA Risk Management” from http://www.complianceconsultant.org/ifarm
in PDF form.
Regulatory Documentation
As mentioned earlier in this document, adhering to regulatory rules is also of immense
importance in the management of conduct risk. There are countless rules in the FCA
Handbooks that deal with the conduct of firms and their officers and employees. Many of
them are expressed at high-level, with the FCA Principles themselves at perhaps the highest
level of all. In addition to monitoring compliance with those rules after the event, firms
should also consider how they will comply and continue to comply with them in their future
offerings and developments. The strongest challenge from the FCA is likely if they believe
there is any hint of doubt over whether a firm will continue to be able to comply with
conduct-based rules.
In 2007 the FSA published “Treating Customers Fairly – Culture”, as part of its range of
publications on treating customers fairly. The document remains accessible from the
archived content of the FSA website. Although the document is now quite aged, it still
remains useful in terms of the specific issues and matters that the FCA are likely to consider
in their threshold condition view of firms.
The document singles out the following matters as being important:
• Leadership.
• Strategy.
• Decision-making.
• Controls, including management information.
• Recruitment, training and competence and Reward.
Where TCF Ranks
When TCF was launched as one of the FSA’s flagship projects it ranked so highly on the list
of initiatives that it had its own Director responsible solely for it. As with all mature models,
more recently it has become part of normal supervision. This should not be seen as an
indicator of the lesser importance of the measures as TCF remains vitally important to the
FCA and they are likely to continue to look at firms’ compliance with the TCF Outcomes.
The 6 TCF Outcomes
The TCF Outcomes sought are as follows:
Outcome 1
Consumers can be confident that they are dealing with firms where the fair treatment of
customers is central to the corporate culture.
Outcome 2
Products and services marketed and sold in the retail market are designed to meet the
needs of identified consumer groups and are targeted accordingly.
Outcome 3
Consumers are provided with clear information and are kept appropriately informed before,
during and after the point of sale.
Outcome 4
Where consumers receive advice, the advice is suitable and takes account of their
circumstances.
Outcome 5
Consumers are provided with products that perform as firms have led them to expect, and
the associated service is of an acceptable standard and as they have been led to expect.
Outcome 6
Consumers do not face unreasonable post-sale barriers imposed by firms to change product,
switch provider, submit a claim or make a complaint.
Decision-Making
Although the listed issues are all relevant and fundamental considerations
underpinning conduct risk, decision-making is probably the key element and worthy of
special mention.
Conduct risk is simply about the conduct of individuals and how, within firms, they are
organised, directed and led according to the management principles. The Board, and the
Executive, run the firm, but the authority to make decisions cascades through the firm with
differing levels of governance and managerial responsibility. The firm’s decision-making
framework is a key matter for conduct risk. People who make decisions for the firm need to
be identified and accountable for the decisions they make. Firms must ensure that decisions
are not buried in committees where it is more appropriate for them to be made by
identifiable individuals. What is expected is that decision makers must make decisions whilst
in possession of all the relevant facts, and they must seek to avail themselves of all of these
facts.
Decisions must be made at a level in the organisation that carries appropriate authority to
make that decision. For example, if a firm faces a matter where customers may not have
received a fair outcome, or in old parlance, they were not treated fairly, the decision maker
may well need to be empowered to sanction a loss for the company in recompensing
customers, if that is the right thing to do. If the decision maker is ‘too junior’, so cannot
consider that option, the decision must be escalated appropriately or run the risk of
the wrong decision being made.
Summary
Conduct Risk is not only here to stay as an extension of the TCF Outcomes, but is also going
to ramp up as the FCA get a deeper and fuller understanding of what is missing in the retail
distribution world. Focussing on your exposure and level of risk is critical to your firm’s
survival and escaping close regulatory scrutiny, supervision or worse.
Conduct Risk: Building Your Framework
Building your own framework takes a large amount of thought and considerable effort to
get it right. At Compliance Consultant we can assist your firm, but there has to be a desire
from the firm to make it work; the tone from the top has to be consistent and loud.
The elements you need to consider are;
Don't forget, Compliance Consultant can provide a whole range of services including:
Initial Risk Assessment or audit — an initial analysis to identify higher risk areas of the
business and weaknesses in procedures.
Design Risk Management — build a system with your business, for your business showing
complete audit trail of risk areas of the business and identifying any weaknesses in
procedures.
Business Development — business analysis advice or advice on particular issues — for
example, how your firm is Treating Customers Fairly and an action plan for implementing TCF
across your business.
Governance Templates — Policies, Logs, Minutes, Terms of Reference and other items
available from our IP library.
Help with setting up procedures — for example procedural manuals for recruitment, training
and competence, complaints handling and anti-money laundering. May also include templates
for disclosure documents, fact-finds and registers.
File audits — checks to ensure that procedures are being followed and identify good practices
and weaknesses
Complaints Handling – cost effective and project managed from start to finish making your
response robust and consistent
Technical support — may include advice on particular products or regulatory reporting. May
be available in various formats, including website, helpdesk and individual technical advice.
Training — for example competency assessments, training opportunities or product risk
guidance. May be online support, regulatory updates or seminar based.
Support on individual issues — for example in dealing with a complaint, a financial
promotion or a particular suitability letter.
Financial promotions (all areas of advertisement) - full support which would include
websites, brochures, DVD's, email templates, client mail shots, adverts, contacting existing
clients and so on.
Remedial work — helping to action remedial work required by the FCA.
Ensuring you are aware of Handbook changes and the specific impact on your business.
Your responsibilities and liabilities under SYSC and the recent changes. And
much more ... just ask! Email [email protected]