Conduct risk programmes

Find out more about what programme features are generally recognised by firms as effective.

Conduct risk programmes should be tailored to the needs of each firm based on its:

  • size
  • business model
  • geographic reach

While there is no ‘correct’ answer, these features are generally recognised by firms as effective:

  • highly visible CEO sponsorship together with engagement and challenge by the Board
  • senior executives taking leading roles in programme design
  • programmes that cover front office, control and operational functions
  • detailed roll-out plans with clearly defined short-term and long-term goals
  • clear ownership and responsibility for programme implementation by senior executives, sometimes supported by conduct specialists within the organisation
  • programmes integrated within strategic or operational risk management frameworks
  • use of a standardised conduct risk self-assessment process across the firm
  • a firm-wide taxonomy for conduct risk types, enabling consistent data capture and risk reporting
  • a forum to compare conduct risk across business lines and functions
  • regular discussion at Board level of conduct, culture and programme implementation
  • active engagement in the programme by internal audit, including monitoring the programme’s early-stage effectiveness
  • training, promotion, performance management and remuneration all linked to conduct and culture objectives
  • long-term conduct risk initiatives becoming fully embedded in business as usual
  • for international firms, adoption or at least support of the UK programmes from the head office

Programmes with the following features did not always generate the desired results:

  • one-off or stand-alone projects with a short timeframe
  • Compliance or the COOs being the primary driver of the programme
  • top-down mapping of desired conduct outcomes to business-level risks that was not balanced by similar bottom-up efforts by business units to identify where conduct risks could arise
  • disjointed or uncoordinated efforts by different business units
  • significant business units, control or operational functions being excluded
  • not examining if conduct risk arising in one area could arise in another
  • programme focus being limited to front office senior personnel, with limited or no involvement from middle and back office, risk, control and other support functions