The Thomson Reuters Conduct Risk Report 2013, which surveyed more than 200 compliance and risk practitioners from financial services firms across the globe, found 84% of respondents did not have a working firm-specific definition of ‘conduct risk’, while almost two-thirds of respondents have implemented arrangements to deal with conduct risk and just over 50% of the firms surveyed reported having no, or a partly developed conduct risk appetite in place.
So how can conduct risk be defined? While there is no universal definition, Thomson Reuters states that it is generally agreed that the concept encompasses the risks associated with the way in which a firm and its staff conduct themselves; incorporating matters such as culture; tone from the top; governance; customers treatment; remuneration of staff and how firms deal with conflicts of interest.
Respondents to the Risk Report were asked to rate the key components to conduct risk and the majority (76%) rated culture as the most important, followed by corporate governance (74%) then conflicts of interest and reputation (both at 66%). Remuneration was also shown as a key component to conduct risk, relating to how staff are rewarded and incentivised to behave in the right way.
Despite confusion around its definition, momentum has begun within organisations to address conduct risk, with many changes being implemented in the past 12 months.
Chris Perry, Managing Director, Risk, Thomson Reuters, stated the increased focus wasn’t surprising due to the ever-demanding regulatory requirements.
“Good conduct is good business. The cost of poor conduct is high; not just in terms of enforcement actions, now totalling in the billions of dollars, but also in the reputational damage and the wider erosion in trust that this creates across the industry,” Perry said. “As the public looks to more transparency in our banks, and banks look to preserve and create value, firms and senior managers need to be able to define and measure what “good” looks like in terms of culture and customer outcomes in order to understand and respond to the implications of the regulatory focus on conduct risk.”
The report showed that half of the firms surveyed have reassessed their approach to culture. South America had the highest change rate with 67% of respondents indicating change and 65% in Australasia. In contrast, only 35% of firms in North America and 38% of firms in the Middle East had reconsidered their approach to culture in the last 12 months.
Thomson Reuters recommends the following five steps for organisations to consider when it comes to conduct risk:
- Define – Conduct risk is not a one-size fits all concept, boards need to decide what constitutes conduct risk and how it should be managed.
- Assess – Once a decision has been made on how the organisation will consider and manage conduct risk a gap analysis should be undertaken to highlight any areas where current practice is out of step.
- Reform – Where are gaps are flagged firms needs to be devoted and be seen to bringing those activities into line with the defined stance on conduct risk and culture.
- Measure – Organisations should measure and report on the qualitative and quantitative elements making up the concept of conduct risk.
- Evidence – Provide evidence of all these activities so a transparent audit trail is available and all material decisions recorded. This will not only benefit staff and reporting to the board but will also assure regulators that an organisation has a grip on all aspects of its governance and control of conduct risk.
Conduct risk has become one of the top priorities for regulators worldwide according to new research, but there is disparity in how firms define it.