THE CONDUCT RISK IMPERATIVE

The FCA’s recent focus on conduct risk marks a significant shift in mindset for most financial organisations.

Leaving the term ‘conduct risk’ deliberately undefined, the FCA has been clear that it is up to individual firms to decide what ‘good’ conduct and customer outcomes mean for them. Moreover, the onus is on firms to show that they have done this thinking and modified their business accordingly. There are no set procedures, policies and frameworks to follow; the FCA has said they will assess conduct risk by looking at areas across the firm’s business and behaviour to get a holistic view of conduct activity.

It is not enough to assume that this focus on softer, cultural metrics means that you can pay lip service to the idea of ‘good conduct’ or that relying solely on old ‘tick-box’ methods and frameworks for managing risk will satisfy the regulator. After all, the FCA levied over  £474M in fines last year alone. They have also moved towards a new supervisory approach that places ‘greater emphasis on individual accountability as well as corporate accountability for meeting our standards and we will be more prepared to hold these to account when things go wrong.’

Are you ready for this sea change?

CULTURE AND CONDUCT RISK

According to a recent Thompson Reuters study, 84% of respondents have yet to define a working corporate understanding of ‘conduct risk’. A few have taken steps to begin to address conduct risk in their existing risk frameworks, but the wholesale cultural assessment and realignment around customer outcomes that the FCA require are much, much harder to define and deliver, and this has stymied most banks at the outset.

Yet the FCA insists that culture is an essential focus for conduct risk. They state baldly that,

‘It is clear to us [..] particularly as a conduct regulator, that the cultural characteristics of a firm are a key driver of potentially poor behaviour’.

And it goes much deeper than just creating an ethical agenda and demanding good conduct from employees, the FCA,

‘want to see this new tone translated into behaviours through the organisation.’

If, as the FCA do, we recognize that conduct risk requires a focus on culture, what can we do to make this change in our organizations and align activity toward fair customer outcomes?

A NEW MODEL FOR UNDERSTANDING CONDUCT RISK

I want to propose a new model for a cultural conduct risk approach. This first requires understanding how corporate culture can work to the detriment of customer outcomes so we can design methods to fix this.

The FCA address the way culture has negatively impacted customer outcomes, stating:

“Firms have designed, manufactured and sold products not always with the needs and interests of their customers in mind but instead, seeing the customer as somebody to maximise profit from. This has been accentuated by a view, and it has to be said encouraged by the FSA, that disclosure at the point of sale absolves the seller from a real responsibly of ensuring that the product or service represents a good outcome for the customer. This, in turn, has led in many cases to a tick-box and overly legalistic compliance culture within firms, encouraged by what has been seen as a tick-box regulatory approach.”

The roots of these cultural behaviours seem to stem from a misalignment in risk appetite between the board and the risk functions within as organisation. Dr Roger Miles, writing for Thompson Reuters highlights how such ‘cognitive gaps’ or ‘asymmetries’ in the understanding or perception of risk help ‘explain why many risk controls have historically failed, including major systemic collapses.

In this case, corporate leaders tend to view risk as a tool – something that provides the opportunity for profit if managed correctly. They have a high appetite for risk, driving a profit-focused culture, centred on short-term results. They don’t have to worry about risk, as the risk team does this for them. The impact of this is to create a culture of competition with a ‘do anything to get results’ mentality. It is how ‘gaming the system’ and bending rules becomes acceptable employee behaviour.

Risk staff, on the other hand, tasked with limiting the organisation’s exposure to harm, see risk purely in terms of threats. To these staff, risk is by its nature bad and exposure to it needs to be limited at all times. These teams are by nature highly risk averse. It is their job to lock down systems. And, in the absence of any genuine impact on employee culture, they can only control behaviour by creating rigid frameworks that limit spontaneous customer contact and lets them demonstrate to regulators that they have checked the correct boxes.

No wonder employees are confused – they lack a consistent ethical directive to guide their behaviour and as a result are unable to maintain a focus on delivering fair customer outcomes.

This might sound like a harsh view of the current financial world, but I bet there is something you recognize in here from your own organisation?

Even if things aren’t quite so bad in your organisation, the impact of any level of misalignment between leadership and risk is a cultural vacuum where customer outcomes can be forgotten at the cost of satisfying the diverse demands of the board and the regulator.

GETTING IT RIGHT

Fixing this gap requires realignment and this needs to start at the top of the organisation. Firstly, leaders need to explore and understand their own personal view of risk.

That is not to say that they need to see risk purely from the regulators’ point of view, what is key is getting clarity around motivations and understanding the unconscious biases and perceptions that steer their decision-making and personal behaviour. As Dr Miles suggests, ‘once we understand what is going on in our heads, it is easy to see [..] how we make decisions in practice’.

Exploring our assumptions and biases can help us ameliorate our weaknesses and provide a more rational, or at least more informed, basis for decision-making. It puts leaders in a position where they can work out what ‘good’ conduct really looks like in their organisation; the outcomes they can deliver to customers and what it will take for them to do this.

However, this alone cannot create a more conduct-focused culture. Cultural change involves the whole organisation – it requires personal accountability and empowerment to deliver outcomes from leadership, though middle management to the whole organisation. In short it means bridging the cultural vacuum that has stopped your organisation delivering these outcomes in the past.

So how do you fill this vacuum?

This requires a return to your organizational purpose and values; working out why, as an organisation, you exist – what you do for customers and how you do it.

Your values act as an anchor for your new conduct behaviour. They mean that everyone knows how they should behave and what they should do, even when there isn’t a risk framework in place to guide them or if the defined process isn’t the right one for the customer. It means everyone doing ‘the right thing’.

THE ALIGNED MODEL

A commitment to purpose and values demands that everyone in the organisation act with integrity, mandated by a leadership that understands that integrity is not bleeding-heart or anti-profit, but an inherently rational operating model for the long-term health of the organisation.

In order to support and prove this commitment, employees need to be rewarded and incentivized for demonstrating this behaviour. Moreover, they need to be empowered to have a means for calling out incidences of ‘bad’ conduct, no matter how high up the organisation this goes.

DELIVERING A CONDUCT RISK CULTURE IN PRACTICE - A 10 STEP PLAN

So what might a cultural conduct risk initiative look like in practice? Here is a 10 step plan that I think would help deliver genuine cultural change.

1. Explore your purpose and values as an organisation and define the customer outcomes that you want to achieve within this context, you are then in a position to understand what needs to change to deliver this

2. Work with leaders and risk teams on a one to one basis to explore their personal understanding and perceptions of risk and how this translates to behaviour in a business context

3. Work with leaders and risk teams to help them develop a clear view of the conduct risk culture to which they aspire, to create genuine alignment

4. Align your desired business outcomes to this new model – and put protocols in place so that this mindset is not forgotten in your future planning

5. Create behaviour change programs that ensure that leaders ‘walk the walk’ and demonstrate the change in tone from the top

6. Develop initiatives that allow safe ways to challenge poor behaviour within the business – working with leaders and employees to understand and address the barriers to speaking up

7. Examine how decisions are made in your organisation. How this process can be safeguarded so that customer outcomes are considered at all stages and the decisions do not meet the needs of just one group

8. Work with managers to ensure that they are ready, willing and able to transmit the culture from the leadership to the wider business

9. Find new ways to incentivise and rewards staff within this framework

10. Help your wider employee base to understand what this means for them and to feel motivated and empowered to deliver on your purpose, values and customer outcomes

These activities should coalesce to build a purpose-led business culture that drives effective customer behaviours. This will protect your organisation from regulatory breaches and penalties far more effectively than a check-box approach to compliance.