The first round of Annual Conduct Meetings focused on: ‘What proactive steps do you take as a firm to identify the conduct risks inherent within your business?’
Defining conduct risk
Most firms consider defining ‘conduct risk’ an essential first step.
Definitions typically refer to client outcomes and some include factors such as sustainability of their business and market integrity. Other elements include the danger of actions or behaviours, or the conduct of business, that may:
- harm clients
- cause the firm reputational damage
- risk undermining the integrity of the financial markets
Some definitions also refer to the FCA’s competition objective, namely, ‘to promote effective competition in the interest of consumers’.
Identifying conduct risk
Firms described 3 main approaches to identifying conduct risk:
1. A top-down model where centrally defined key risks were mapped to business activity, products and processes.
2. A bottom-up model where individual business units analysed their own business and processes end-to-end and identified risks (often at the desk level) that were then aggregated.
3. A reverse-engineered approach where the firm’s processes are reviewed to identify threats to desired firm-level conduct outcomes and the design of controls that could mitigate the risks to these desired outcomes.
Most firms used a combination of approaches 1 and 2. Only a few firms used the third approach (and some of those firms subsequently supplemented this with approach 2).
Many firms believe that approaches designed in-house are more effective – although some firms engaged external consultants, often to start the process or provide a peer perspective.
Firms adopted different approaches to collaboration and challenge in the risk identification process.
We saw examples where the business alone would identify a set of risks before the 2nd line challenged the result and other examples where the business and the wider 2nd line would work together to identify the risks.
In some cases, we observed that risk identification work driven primarily by control functions such as Compliance (as opposed to a business-led approach) had made less progress or needed to be repeated in order to be effective.
Firms also used different levels of detail in their risk identification process. Some firms used a desk-by-desk level, involving the individual desk heads and front office; others combined groups of desks, businesses or products.
Some firms held sessions led by senior business line staff where conduct risks and ‘grey’ areas or ‘dilemmas’ were discussed. Firms used these sessions to discuss difficult issues and reinforce expectations, uncover additional conduct risks and to produce FAQs for the rest of their staff.
Firms found these sessions useful both for raising awareness of risks and for identifying them, so the risk identification process itself also became a training session, including on the importance of prompt issue escalation.
Most firms initially focused their identification effort on front office activity. Firms have generally made less progress identifying conduct risks outside of specific business lines, but conduct risks can also occur across both operational and control functions. There is increasing awareness that risk assessments based on front-to-back process mapping require coordination with all the necessary support functions to be effective.
Different firms are at different stages of embedding their approaches to conduct risk identification, with more advanced firms now having a process that has been in place for several years.
Additionally, we have observed an increasing number of firms considering how they can map their conduct risk frameworks into their Enterprise Wide Risk Management Frameworks under their Chief Risk Officers.
Business leadership of the programme
Most firms emphasised the importance of having prominent involvement of leaders from the Executive Committee level, who are active in supporting the status and visibility of the programme within the organisation.
Firm approach and the cross-comparison of risks
Risks identified in one business may manifest, perhaps in a slightly different form, in other businesses.
Some firms have highlighted the benefit of performing ‘read-across’ exercises around conduct risk incidents and comparing the conduct risks identified.
The FCA has consistently stated the value of considering the applicability of risks and issues from one area to other business areas. This should be seen as good risk identification rather than an isolated exercise of ‘read across’.
One example we saw is a monthly ‘Conflicts Academy’ where cross-firm conflict issues are raised and case studies examined, with subject matter experts available to give guidance.
Another example is where a firm has established a Lessons Learnt Team, which undertakes the reviews to determine root causes and proactively apply the lessons learnt to other businesses.
Another firm, highlighting the individual responsibility business heads have under the Senior Managers Regime (SMR), allowed business heads more discretion in how they identify their conduct risks in the early stages but planned for more cross-comparison work in the future.