Creating Your Conduct Risk Framework

7/22/2019 Creating Your Conduct Risk Framework

http://slidepdf.com/reader/full/creating-your-conduct-risk-framework 1/22

Conduct Risk in Financial Services

To help you stay on track for regulatory success

By Lee Werrell Chartered FCSI FISMM

Disclaimer

© Lee Werrell 2014 All rights reserved.

1st Edition

Publisher: Lee Werrell

The Publisher and/or author has strived to be as accurate and complete as possible in the creation of this publication, notwithstanding the fact that he does not warrant or represent at any time that the contents within are accurate due to the rapidly changing nature of the Internet.

While all attempts have been made to verify information provided in this publication, the Publisher and/or author assumes no

responsibility for errors, omissions, or contrary interpretation of the subject matter herein. Any perceived slights of specific persons,

 peoples, or organisations are unintentional.

This book is not intended for use as a source of legal, business, regulatory compliance, accounting or financial advice. All readers are

advised to seek services of competent professionals in legal, business, regulatory compliance, accounting, and finance field. While

examples of past results may be used occasionally in this work, they are intended to be for example purposes only. No representation is

made or implied that the reader will do as well from using the suggested techniques, strategies, methods, systems, or ideas.

The Publisher and/or author does not assume any responsibility or liability whatsoever for what you choose to do with this

information. Use your own judgment. This material is based on UK regulatory guidance at the time of publication and may apply to

worldwide applications but this will be subject to your own judgement.

 Any perceived slight of specific people or organisations, and any resemblance to characters living, dead or otherwise, real or fictitious, is

 purely unintentional.

In practical advice books, like anything else in life, there are no guarantees of income made. Readers are cautioned to rely on their own judgment about their individual circumstances to act accordingly.

ALL RIGHTS ARE RESERVED. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording or by any informational storage or retrieval systems without express written permission from the publisher.

This EBook is intended to be printed on acid free paper 

Printed in the UK with World-wide rights attached 

Facebook : https://www.facebook.com/Lee.Werrell.EBooks

Facebook : https://www.facebook.com/ComplianceConsultant

LinkedIn: uk.linkedin.com/leewerrell

Twitter 

@leewerrell

@complianceconst

Conduct Risk: How To Build An Effective Framework 

Conduct Risk is the buzz phrase in the financial services world today. Recruitment job boards and recruiters' offices abound with titles such as "Conduct Risk Manager" or "Head of Conduct Risk", but very few seem to know precisely what this involves.

There is obviously a great deal of information available, including reasons for failure and fines, that points you in the right direction. However, try to enter a Boolean search (containing the search term in inverted commas) for "Conduct Risk" into the handbook search box and you will find that it is not specifically defined in the regulator's handbook, and nothing can be found between “COND” and “conflicts of interest policy” in the Glossary.

From the various speeches and publications, a number of focus areas become evident, including:

• Aligning business models to fair treatment of customers
• Complaints handling
• Product development and governance
• Product Intervention
• Remuneration and reward policies
• Financial Promotion withdrawal and prohibition
• Conflicts of interest
• Incentives
• Wholesale
• Business Continuity

On January 24th 2014 Mark Carney, Governor of the Bank of England told bankers at a

meeting in Davos that conduct is replacing capital as the key risk facing the industry.

After progressing in building up their capital buffers against potential shocks since the

financial crisis, firms need to improve their behaviour to regain public trust, Carney said.

Firms are still battling with the damage to their reputations caused five years ago by the collapse of Lehman Brothers Holdings, interest rate swaps mis-selling and, more recently, the rigging of the London interbank offered rate and the alleged manipulation of key benchmarks in the foreign-exchange market.

Carney, who is also chairman of the Financial Stability Board, echoed his private remarks at

a speech at the annual meeting of the World Economic Forum, in which he urged banks to

seriously change their behaviour.

“Banks must recognise that only exemplary behaviour can confer social license to global

financial capitalism,” Carney said. “For the system to operate with integrity, penalties for

misconduct cannot be seen as a cost of doing business.”

Conduct risk is not new and stems from not only the scandals and mis-selling debacles but is

rooted in the Treating Customers Fairly (TCF) initiatives and echoed throughout the rules in

COBS, MCOBS and ICOBS. It would appear that the definition of the term is excluded within

the FCA handbook and glossary purposely to make it a reflective and subjective term

defined by each company.

Added to this is the complexity of RDR, effective from 31 December 2012, which made significant and fundamental changes to, and impacted the business models within, the investment advice market. Add to this the additional work of implementing MIFID II, as well as a new regulator with a more intrusive supervisory stance, and there are bound to be a great many elements that firms are unaware of and on which they will undoubtedly get caught out whenever they are visited or complete "online" or "telephone" assessments. Also, don’t forget, the previous regulator’s ARROW is replaced with the Firm Systematic Framework (FSF), with the aim of focusing the assessment on how firms manage the risks they create and identify the root causes of what leads to these risks.

The changes brought about by the new regulator are:

| FSA: Rules/Principles Based – Reactive/Passive | FCA: Judgements & Outcomes Based – Intensive/Intrusive |
|---|---|
| Judgement/Opinion on adequacy of controls | Judgement about Senior Management Decision Making Process |
| Firms decided best method to achieve outcomes (TCF) | Regulator intervenes to ensure firms take action for required outcomes |
| Focussed on processes and procedures | Focus on Governance, Outcomes & Behaviour |
| Management responsible for identifying and developing controls for risk | Regulator will proactively identify risks and act to prevent crystallisation |
| Senior Management to demonstrate adequate systems and controls implementation | Greater emphasis on systems and controls to demonstrate Governance, Outcomes & Behaviour |
| Defined actions from risks | Evidence of risk identification, measurement and decision making process |

Recently the FCA asked 26 life insurers and advisory firms to provide information about

their service or distribution agreements; in total it received and reviewed 80 agreements.

The FCA’s findings included huge potential issues regarding undisclosed conflicts of interest, incentives and a number of joint ventures that could lead to biased advice and undisclosed costs.

Alongside the review, proposed guidance has been published to help firms further

understand how they should act. The guidance explains why the FCA thinks certain

payments between providers and advisers may cause conflicts of interest and also gives

some helpful examples of good and bad practice. This includes how advisory firms might

want to deal with conflicts caused by providers paying for IT development and maintenance,

staff training, conferences and seminars, hospitality, research and promotional activities.

Clive Adamson, the FCA’s director of supervision, commenting on the findings, said:

“The changes we made to the retail investment advice sector were

designed to mark a step change in the way advice was given. It

signalled the end of advice that might be influenced by the

commission payments made by product providers to advisory firms,

and the start of a new era of trust and transparency between a firm

and its customers. The findings of this review reveal that the actions

of some firms have the effect of undermining the objectives of the

RDR.

“Most of the firms involved in the review have already made changes,

which are welcome, but we want all firms in this market to review and, if necessary revise their existing arrangements. We will revisit

this area in the future to check that the necessary improvements

have been made.”

Full details can be found here: http://www.fca.org.uk/news/life-insurance-and-advisory-firms-undermining-the-objectives-of-the-rdr

Confusion reigns

According to the Thomson Reuters Conduct Risk Report of 2013 (published January 2014), 200 firms from major nations, in response to an increasing volume of regulatory change, demands and priorities, admitted to placing increased importance on what they believe to be “Conduct Risk” while simultaneously working to identify and clarify what the concept means for their specific organisations.

The survey questioned 200 compliance and risk practitioners from financial services firms across the Americas, Europe, Africa, Asia, Australia and the Middle East (and from across the financial services sector including banks, insurers and fund managers) to find their views on how the industry is defining and dealing with conduct risk.

What is Conduct Risk?

Since the 2008 worldwide banking crisis, many regulators have been working to impose and

articulate their view and requirement to put policies in place to improve the behaviour of risk management within firms.

Although there is no specific or universal definition of conduct risk, it is generally agreed

that the concept encompasses the risks associated with the way in which a firm and its staff 

conduct themselves translated into fair customer outcomes. It should incorporate matters

such as intrinsic culture, tone from the top, robust governance, how customers are treated

(TCF?), remuneration of staff and how firms deal with conflicts of interest.

The Thomson Reuters survey shows that over 84% of firms reported the absence of a clear

working definition of Conduct Risk indicating the immaturity of the field.

Respondents were asked their views regarding what they perceived as the key components of Conduct Risk; culture rated the most important at 76%, closely followed by corporate

governance at 74%, then by conflicts of interest and reputation both at 86%. Remuneration was flagged as a key component of conduct risk and a significant factor that contributes to a firm's culture.

Addressing Conduct Risks

It is clear that the majority of firms around the world have started to address conduct risk, and most of the changes have been implemented in the last 12 months, indicating that firms' awareness of conduct risk is growing. This is also evidence of the emphasis which regulators are placing on corporate culture and of the response across the industry toward consumer protection.

The financial crisis of 2008 also created a greater focus on remuneration and incentive practices, and these have become increasingly controversial. A recent fine for Lloyds Bank showed the flawed “commission” or “bonus” culture that was prevalent in yesteryear's financial services sales. This bore out a recent review conducted by the UK Financial Conduct Authority, which found that sales rewards and incentive schemes were likely to have exacerbated the risk of poor sales practice. 66% of surveyed firms said that they had reviewed their approach to incentives since 2008, the majority in the last 12 months. Just over half of firms had made changes to their remuneration policy, with a third of them in the last 12 months, and a further 10% plan to make changes in the next 12 months.

So how do you prove "Conduct Risk" to a satisfactory level in the UK?

Firstly, you have to understand where conduct risk falls within your organisation and, in conjunction with the FCA Risk Outlook 2013, create an idea of where your risks may lie.

The majority of these risks can fall under the Operational Risk umbrella, which a few consultancies can assist you with. You don’t necessarily need expensive software for most modest-sized firms, but you need to know how you arrive at the findings and, more importantly, what you do about them. If you look in the handbook SYSC, you will see that Operational Risk would seem to apply to insurers (SYSC 13) and it could be easy to overlook SYSC 7. SYSC 7.1.2 R states "A common platform firm must establish, implement and maintain adequate risk management policies and procedures, including effective procedures for risk assessment, which identify the risks relating to the firm's activities, processes and systems, and where appropriate, set the level of risk tolerated by the firm." This effectively means that all risks apply to every firm; the three types are Credit Risk, Business or Market Risk and Operational Risk.

Operational Risk is widely accepted to be the Basel II definition that states that operational risk is “the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.”

Identifying them is only the start as you then have to agree how best to measure them,

which creates a real challenge and considerable work for most firms who do not normally

deal in this area. Within the three main areas of conduct risk impact; Inherent, Structures &

Behaviours and Environmental, there are a great deal of areas that can be measured. Within

the first two areas a degree of qualitative and quantitative data already exists, but much of 

it is overlooked or unreported in most firms.

A Conduct Risk Framework will help in identifying the elements and areas impacted. From this, adequate and proportionate measurements can be made for reporting. Overlaid with a rationally decided appetite, the data can provide an exception report for Senior

Management to consider.

The three phases of good management are definition and measurement, management

followed by activity. Running any business is typically conducted this way but the skill of 

management is actually created and enhanced as a result or product of the activity,

therefore there is no definitive answer on how best to manage. The key to these phases is

providing accurate and usable data to the second phase. Unfortunately many people when

defining the Management Information do this the wrong way round.

To assist Compliance professionals in their job and assist in the planning of their

responsibilities, get your copy of our “Compliance Managers Guidebook and Reference”

from http://www.complianceconsultant.org/guide/

Conduct Risk: Understanding the Aims

The FCA's main aim in relation to the initiative of Conduct Risk is to ensure that firms do the

right thing for their customers whilst keeping them and the integrity of the markets in which

they operate at the heart of everything that they do. Whereas Treating Customers Fairly

was essentially viewed as common sense and good business practice, this was partly its

downfall and created with it a certain impotence. Conduct Risk is looking at fair customer

outcomes in all activities including extremely remote treasury transactions or outsourcing

processes, through regulatory engagement and even ensuring that the root cause analyses

of complaints are assessed for conduct risk objectives.

Although many firms will say that they always consider the best outcomes for their

customers, in reality and on closer inspection most processes are in place to protect the firm

or deflect any criticism or complaint from customers.

Many processes are designed to reflect the smoothest and most efficient running of the firm in providing its products or services to the customers on an initial and ongoing basis, but is the firm seeking to be fair to customers? Does the firm have an obligation to manage its costs and reduce the overheads of its operation? Doing so would not only make the general operation slicker and faster but would also increase the profit: should this be shared or used to keep customer fees down, invested in better technology, or perhaps just swell the coffers of the firm? After all, surely the fundamental of any corporate social responsibility for any firm is to make sufficient profits to sustain its activity for the good of the community as well as all its customers, stakeholders and employees?

Obviously it is clear that firms should seek to promote good behaviour across all aspects of 

their organisation and to develop a culture in which it is clear that there is no room for

misconduct. Although TCF has long been part of the retail regulatory framework it is vital

that Conduct Risk should not be seen as merely an extension of this.

As mentioned above, there appears to be a commonly held misconception that Conduct Risk is only a retail issue. The FCA is just as interested in the roles that wholesale conduct and prudential standards play in underpinning the integrity of the markets. This keeps alignment with its objective to protect and enhance the integrity of the UK's financial services. It therefore expects both wholesale and retail firms to have properly functioning Conduct Risk policies and procedures in place.

Wholesale and commercial activity can obviously impact the customer by the firm taking excessive haircuts on the monies borrowed on the market to be lent out on mortgages or using the same provider all the time because of a long standing relationship or habit without any diligent justification of that relationship. It all comes down to getting value for money for the customers.

How does RDR fit in with Conduct Risk?

The potential distortion of the advice that consumers received with the complexity of 

commission rates and payments was removed by, and was the cornerstone of the Retail

Distribution Review (RDR). Originally set as an objective by the regulator back in 2006, the

dual purpose was to wipe out any influence of inappropriate advice from the payment of 

commission and to ensure that providers were to compete on price and quality of their

products, including investment expertise, and not to taint the advice with additional

supplements or enhancements to their generous commission percentages.

Various schemes were dreamed up by some providers who sought to channel business to particular providers by setting up service or distribution agreements, and thus ultimately affect or influence the advice the consumers received.

To establish a view and test the potential issues, the FCA wrote to a sample of 8- firms, including insurers, advisory and investment firms, and asked them to provide their top five distribution agreements, which they then scrutinised very closely.

Their findings were that there was a poor management culture in some firms and some advisory firms were “incentivised” to promote some particular products or services, thereby creating the risk of a personal recommendation being weighted towards the driver of the firm’s commercial benefit, rather than considering the best interest of the consumer; a flagrant breach of the RDR rules.

Additionally this review highlighted the poor and inaccurate systems and controls that were in place. In some there was minimal conflicts of interest management or disclosure.

Providers and advisory firms sometimes set up joint ventures, and further work uncovered huge concerns about these. Appearing predominantly to channel money to advisory firms to secure the effective distribution, these arrangements obviously had the potential to influence any advice dispensed by the firm’s advisers.

The result was the issuing of the document “GC13/5 Inducements and Conflicts of Interest Guidance”, which explained the importance of, and the regulator's expectation that, all regulated firms undertake their business practices aligned to the FCA’s 11 Principles of Business. Specifically, Principle 8, Conflict of Interest, requires firms to manage conflicts of interest fairly, and in accordance with SYSC 10.

The report findings show that firms showed a very real risk of breaching Principle 8 and the inducement rules, and so, once a firm has identified an actual or potential conflict, it must implement, maintain and operate effective organisational arrangements and take reasonable steps to prevent any recurrence or future conflicts of interest.

Firms were expected by October 2013 to review and if necessary revise their existing

distribution arrangements in order to prevent undermining the objectives of the RDR.

One of the major risks identified in the Conduct Risk initiative is the identification and management of conflicts of interest, which needs to be broken down across the following

topics:

How identification and control of any conflicts of Interest are documented.

This involves having an effective and well articulated risk framework and controls on

research spending and correct governance in place which will be clearly documented.

Additionally there will need to be joint Compliance and Ops monitoring and reporting and

this will in itself require effective design of Management Information (MI).

How firms manage the purchase of research and trade execution services on customers’

behalf 

This obviously involves accurate due diligence and investment governance, including what

services are to be paid by whom.

How firms manage gifts and entertainment

Again, this involves having an effective and well articulated risk framework and controls, coupled with robust governance around the frequency and value being correctly documented.

Ensuring customers have fair access to all suitable investment opportunities;

This will involve accurate due diligence and investment governance.

How firms manage personal account dealing by all employees;

This will involve accurate monitoring and fair application to all staff, and

How trading firms allocate the cost of errors between themselves and customers.

This is a further need to have an effective and well articulated risk and controls framework

and reliance of contractual limitations being correctly and fairly documented.

The regulator will be following up on this work and the fallout from the previous findings

will create the expectation that firms have acted on the consultation guidance and

additional publications. Firms who fail to act could very well be subjected to further action.

Conduct Risk: Regulatory Expectations

Sometimes it is easier to see what shouldn’t be continued, to understand the antithesis and start your planning. In this regard the FCA has emphasised that it expects firms to move away from certain behaviours, such as:

• prioritising profits over ethics and commercial interests over consumer interests;
• the still prevalent tick box and overly legalistic approach to compliance;
• as an extension of the former, only complying with the letter instead of including the spirit of laws and regulations;
• effectively removing caveat emptor for firms who still consider that disclosure at the point of sale absolves the seller from all responsibility of ensuring that a product or service represents a good outcome for the customer.

Unnecessarily complex products may lead to excessive prices for consumers or reduced

access to financial services. The FCA will act where:

• There are unfair obstacles to consumers’ ability to enter or exit a product due to consumers’ changing needs or environmental conditions.
• In responding to environmental or changing business conditions, firms adopt strategies that support their own interests but which may not be in the long-term interests of their customers.
• Firms are over-exploiting their existing customer base due to limited new business.
• Firms are developing complex, opaque and over-priced products that are not in the long-term interests of consumers and are difficult to compare.
• Consumers are not fully aware of their financial needs and what products or product features would adequately serve these needs.
• Consumers do not have access to products that meet real needs within regulated markets, due to a lack of competition and resulting shortfall in product availability and innovation.

There is a key element to all this that firms may not realise, and that is that when assessing Conduct Risk the FCA will not only consider a firm's approach to such matters, but will also want to see evidence of the board being fully engaged with these issues. An example of this could be that the regulator would look to see whether the board of a firm probes high return products or services and the extent to which the board monitors whether products are being sold to the markets that they were designed for. This is likely to represent a significant cultural shift for some firms and accordingly it is important to ensure that this change in the regulatory environment is taken into account when designing a firm's Conduct Risk framework.

In addition, the FCA has made clear that it intends to hold senior management to account for

Conduct Risk failings and accordingly a strong Conduct Risk framework is an important tool in

protecting senior management from such liability.

How will the FCA hold Senior Management to account?

Quite simply by using the recently introduced attestations that are actively sought by the

FCA from management of usually the most senior roles.

What is the FCA achieving with Attestations?

The FCA has declared that attestations are key elements of the new Firm Systematic Framework (FSF) replacement of the ARROW Visits. This movement of emphasis may be overlooked or even dismissed by the foolhardy, as the seemingly light touch verification is designed with the aim of confirming how firms assess and manage the risks they create, and how they identify the root causes that lead to these risks.

FSF assessment modules will be completed through a series of interviews between supervisors and the firm to look at the various processes in specific areas considered to be high risk. This is in contrast to detailed testing, which the FCA has clarified will not be used unless it is the only way to assess a particular risk. The FCA will look to prioritise actions, with the intended outcome being that firms will have fewer Risk Mitigation Programme (RMP) points than at present.

A shift of responsibility away from the regulator and directly onto firm’s senior management

to do their own monitoring on some of the less important points and then to self-attest that

they have been addressed will be achieved by the use of section 166 skilled persons’

reports, internal audit reviews and non-executive director reports.

The emphasis on accountability and personal responsibility has been echoed in recent speeches both from FCA CEO Martin Wheatley and Tracey McDermott, the FCA director of enforcement:

“You will probably already have seen an increasing emphasis from our supervisors on

getting senior management to attest where remedial action is being taken, and asking

questions about exactly who is responsible for what. This is all part of focusing our attention

 – and yours – on the responsibility and accountability of senior management. And this is an

area where you can expect to see more in the coming months and years.”

Needing to “Up its game” the FCA has purposely adopted the attestation approach to senior

management accountability as a direct result of the failure of the FSA to do so in the last 5

years. It also reflects the FCA’s determination in making judgement-based decisions on

matters of individual conduct. New requirements to have a specific and identifiable, suitably

senior individual responsible for the satisfactory completion of the work is not only a

powerful motivation factor for the senior manager but adds personal accountability to the

change. The FCA will expect this individual to attest to any change completion or more

generally to the adequacy of relevant controls.

Conduct Risk: The Challenge of Constructing a Framework 

It is impossible not to have noticed that recently there have been many examples of failures

to deliver fair customer outcomes, resulting in potential detriment and redress, regulatory

intervention and fines, and ultimately reputational damage for the firms involved.

According to the regulator, at the heart of recent failures were a number of common

factors:

• Unclear governance structures and unclear or poorly defined risk appetite without supporting conduct risk metrics or tolerances.
• Lack of clarity around roles and responsibilities across the 3 lines of defence (3LoD), resulting in:
   – Lack of robust outcomes testing in the first line of defence.
   – 2nd line assurance often undertaking 1st line activity.
   – Lack of skills and capability.
• Metrics without clearly defined tolerances or clear audit trail back to source data.
• Addressing issues proactively.
• A culture that does not put the customer at the heart of the business, resulting in:
   – A lack of understanding of the required behaviours across the firm.
   – Not undertaking robust root cause analysis and addressing issues proactively.
• Poorly defined measures of performance in terms of the delivery of customer outcomes.
• Lack of organisational focus on target market and the design of products.
• Inadequate skills, knowledge and experience within senior management teams.

Singly or, more often, in combination, the above factors have represented potential

weaknesses in a firm’s framework for the efficient and effective management of Conduct

Risk.

To implement a well-defined Conduct risk framework, the firm must articulate the

components they have in place to manage Conduct Risk. There must be clear linkage

between the components and how they interact with each other, who is responsible for each element and absolute clarity on how the three lines of defence model will operate.

The first thing is for a firm to evaluate their own risk profile

Most firms have grown organically over the years and, in the last twenty-five years, have been shaped by market conditions as well as domestic and EU regulatory change.

The almost constant adding and taking away has led to legacy blind spots where the

processes and procedures may work well from a regulatory perspective but have not been

tested or indeed measured as a whole to provide an overlay of consumer protection (what

all regulation professes to champion), with something like Conduct Risk.

Firms need to honestly consider their true risk exposures and not shy away from identified risks. Calling risks events, incidents or exposures, without accepting that the risks are present is self-defeating and pointless, providing a false platform or base line from which to work.

Customer segmentation, outsourcing, suppliers, sales, marketing, client service and internal processing need to be understood in the context of their business, their specific market, and a candid appraisal of their cultural and behavioural indicators.

Peter Drucker said "What gets measured, gets managed" and circumstantial conditions can often lead to unintended risk exposures. Ignoring or side-lining risks is worse than not knowing or monitoring, but in all cases the risks can lie as dormant threats until a unique trigger can cascade into system, process or people failure. This short-sightedness leads not only to costly remedial work, but also loss of clients, potentially irreparable reputational damage and worse still, regulatory scrutiny and intervention.

Due to the financial crisis your firm may well have lost experienced staff which has the result

of increasing your risk profile. Losing experience and even whole disciplines if outsourcing

has been involved, does not create fiscal risks alone, but can easily affect the way the firm

develops new products, treats their customers, or manages their processes which all

amount to a failure of conduct risk.

Although in some firms Conduct Risk is lodged under Operational Risk and Operational Risk

is widely accepted to be the Basel II definition that states that operational risk is “the risk of 

loss resulting from inadequate or failed internal processes, people and systems, or from

external events”, the alternative is to create Conduct Risk as an equivalent level one risk

that both provides a pillar of risk support to the firm, but also underpins and spreads across

the remaining risk pillars to affect their culture.

Raising Conduct Risk to top the firm’s priorities

Raising the profile of Conduct Risk, and ensuring that conversations are occurring at the board of directors level as well as forming a part of senior management’s agenda and risk profiling perspectives, can sometimes be a challenge.

There is of course a recent evolution called Operational Risk and there are still firms that try to shy away from calling a risk by that name, for fear that the firm may consider them weak or ineffective in their role for the risk to occur. Many people hold the belief that operational risk is not important, especially in smaller firms, as it doesn’t really apply. “Everyone knows everyone else” is a common argument, but everyone in Barings Bank knew Nick Leeson and he lost millions of pounds because there were no checks, no reviews, no trend analysis; no operational risk.

The mis-selling scandals and LIBOR rate fixing scandals have shown this false belief to be just that, and critically damaging. Damaging not only in the remediation costs, but also in the regulatory intervention costs such as S166 and Risk Mitigation programmes borne off the back of skilled person’s reports, compounded by the reputational damage to the individual firms and the industry as a whole.

Senior Management has to stand up and be counted among the good guys as the FCA is looking for

proactive, positive action from all of the people who are occupying these senior positions. It has

already started with the Non Executive Director vetting and regulatory visits will become more

thorough in questioning of management. It may not be easy in a big organisation to change in this

way, but the regulator is expecting them to show some robustness and intelligence and not just go

along with things as before.

SIMPLY PUT: CONDUCT RISK MUST BE A KEY RISK IN ANY ORGANISATION

Managing conduct risk is not a simple case of issuing diktats or strengthening policies. Although these will help, it involves applying proper risk management principles to the way that firms manage the development of their products, and a fresh look at the governance around those products and services as well as the monitoring and analysis. There also has to be new thinking around every aspect of the new paradigm of customer-centric, outcome-driven business.

As Einstein said; “We can not solve our problems with the same level of thinking that created 

them”.

Conduct Risk Appetite

The Conduct Risk Appetite should consider the full customer journey and conduct risk lifecycle, with each of the appetite statements specific enough, so that it can be accurately measured and is not open to misinterpretation.

Firms are traditionally taking one of two approaches to including Conduct Risk within their existing

Enterprise Risk Management Framework (ERMF):

1. Establish Conduct Risk as a Key Risk Driver (Level 1 risk), alongside Credit, Market and Operational

risk, for example; or

2. Establish Conduct Risk as a sub-risk of Operational risk.

The decision on the most appropriate approach needs to take into account the size and complexity

of the firm, but more importantly the view of the Board on how Conduct Risk fits into the overall

Enterprise Risk Management Framework (ERMF).

Irrespective of the decision around the classification of Conduct Risk, it will remain a key risk

objective with the elements of the Conduct Risk lifecycle as the Risk Dimensions (Product design,

sales process, after-sales and culture in the example below)

Threshold Conditions

The regulator’s approach to Conduct Risk is not simply a matter of making rules as the

relevant powers for their approach can be found in section 55B and Schedule 6 to the

Financial Services & Markets Act 2000.

This section deals with the threshold conditions and whenever the FCA gives or varies

permission to a firm to carry on one or more of the regulated activities, the FCA and PRA “must ensure that the person concerned will satisfy, and continue to satisfy, in relation to all 

of the regulated activities for which the person has or will have permission, the threshold 

condition for which that regulator is responsible”.

Threshold Conditions are set out in an order made by the Treasury under the Act and are

important as the regulators derive their authority to consider a firm’s capacity to meet the

stated condition on an ongoing basis.

Any firm considering implementing a Conduct Risk or any other risk framework needs to understand what the Threshold Conditions cover and mean to them.

The threshold conditions deal with the following matters.


(a) Location of offices

Generally speaking, a regulated firm that is incorporated in the UK must have its head office in the

UK also.

(b) Effective supervision

Under this condition, the firm “must be capable of being effectively supervised by the FCA”. There are a number of additional circumstances to consider, such as the complexity of the firm’s business

or products, the way in which the business is organised, the firm’s membership of a group of 

companies, and the links the firm may have with other persons.

(c) Appropriate resources

The firm must have appropriate resources, as judged by the FCA, to carry on the regulated activities

that the firm carries on. Relevant considerations include the nature and scale of the business and the

skills and experience of the firm’s managers.

(d) Suitability

The condition here is that the firm “must be a fit and proper person having regard to all the circumstances”. Considerations include:

• The nature and complexity of the business.

• Whether the firm “is complying with requirements imposed by the FCA in the

exercise of its functions, or requests made by the FCA, relating to the provision of 

information to the FCA, and where [the firm] has complied or is so complying, the

manner of that compliance”.

• Whether those who manage the firm’s affairs “have adequate skills and experience

and have acted and may be expected to act with probity”.

• “Whether [the firm’s] business is being, or is to be, managed in such a way as to

ensure that its affairs will be conducted in a sound and prudent manner”.

• The need to minimise the use of the firm “for a purpose connected with financial

crime”.

(e) Business model

The firm’s strategy for business “must be suitable for a person carrying on the regulated

activities that [the firm] carries on or seeks to carry on”. In assessing the business model,

the FCA’s consideration must include:

• Whether the business model is compatible with the firm’s affairs being conducted soundly and prudently.

• The interests of consumers.

• The integrity of the UK financial system.

It is evident that the threshold conditions give the FCA significant powers to assess the

firm’s future behaviours. If the conclusions are adverse to the firm, the FCA has the power

to vary the firm’s permissions on its own initiative, or indeed to remove permissions

altogether from the firm.

Managing Conduct Risk

To manage Conduct Risk, every individual firm must understand the risks facing it and

although these will vary from firm to firm, across the various sectors, the FCA helpfully

publishes an annual Risk Outlook which sets out how the FCA views the distribution of risks

across its regulated sector. In 2013 the FCA also published its business plan alongside Risk

Outlook. The two documents are closely linked; the business plan sets out what the FCA’s

proposed plan of action is for 2013/14 to deal with the risks described in the Risk Outlook.

It is critical that every member of senior management reads, understands and raises

discussions around the issues within the Risk Outlook and the accompanying business plan.

A firm that is unprepared when challenged by the regulator really needs to be prepared for

the potential of unwelcome and possibly “Deep Dive” review attention from them.

Conduct Risk: Building Your Framework

Fortunately, we do not have to look toward a raft of new jargon or terminology to build our

framework as many aspects of Conduct Risk resemble operational risk so closely, we can

leverage the tools of operational risk and adapt them to conduct risk management.

Risk Matrix

Within their operational risk plans (and yes, these can be developed together if you do not

already have an Enterprise Wide Risk management Scheme or Framework) firms will use the

typical risk matrix approach to prioritise and identify the risks that impact their business

areas.

A small or medium sized enterprise that is not yet ready to spend out on software to manage its operational or Conduct Risk can purchase our “ARMS” – Analysis & Risk Management System from http://www.complianceconsultant.org/arms/ or, if you are an IFA, get the “IFA Risk Management” from http://www.complianceconsultant.org/ifarm in PDF form.

Regulatory Documentation

As mentioned earlier in this document, adhering to regulatory rules is also of immense

importance in the management of conduct risk. There are countless rules in the FCA

Handbooks that deal with the conduct of firms and their officers and employees. Many of 

them are expressed at high-level, with the FCA Principles themselves at perhaps the highest

level of all. In addition to monitoring compliance with those rules after the event, firms

should also consider how they will comply and continue to comply with them in their future

offerings and developments. The strongest challenge from the FCA is likely if they believe

there is any hint of doubt over whether a firm will continue to be able to comply with

conduct-based rules.

In 2007 the FSA published “Treating Customers Fairly – Culture”, as part of its range of 

publications on treating customers fairly. The document remains accessible from the

archived content of the FSA website. Although the document is now quite aged, it still

remains useful in terms of the specific issues and matters that the FCA are likely to consider

in their threshold condition view of firms.


The document singles out the following matters as being important:

• Leadership.

• Strategy.

• Decision-making.

• Controls, including management information.

• Recruitment, training and competence and Reward.

Where TCF Ranks

When TCF was launched as one of the FSA’s flagship projects it ranked so highly on the list

of initiatives that it had its own Director responsible solely for it. As with all mature models,

more recently it has become part of normal supervision. This should not be seen as an

indicator of the lesser importance of the measures as TCF remains vitally important to the

FCA and they are likely to continue to look at firms’ compliance with the TCF Outcomes.

The 6 TCF Outcomes

The TCF Outcomes sought are as follows:

Outcome 1

Consumers can be confident that they are dealing with firms where the fair treatment of 

customers is central to the corporate culture.

Outcome 2

Products and services marketed and sold in the retail market are designed to meet the

needs of identified consumer groups and are targeted accordingly.

Outcome 3

Consumers are provided with clear information and are kept appropriately informed before,

during and after the point of sale.

Outcome 4

Where consumers receive advice, the advice is suitable and takes account of their

circumstances.

Outcome 5

Consumers are provided with products that perform as firms have led them to expect, and

the associated service is of an acceptable standard and as they have been led to expect.

Outcome 6

Consumers do not face unreasonable post-sale barriers imposed by firms to change product,

switch provider, submit a claim or make a complaint.

Decision-Making

Although the issues listed are all relevant and fundamental considerations underpinning conduct risk, decision-making is probably the key element and worthy of special mention.


Conduct risk is simply about the conduct of individuals and how, within firms, they are

organised, directed and led according to the management principles. The Board, and the

Executive, run the firm, but the authority to make decisions cascades through the firm with

differing levels of governance and managerial responsibility. The firm’s decision-making

framework is a key matter for conduct risk. People who make decisions for the firm need to

be identified and accountable for the decisions they make. Firms must ensure that decisions

are not buried in committees where it is more appropriate for them to be made by

identifiable individuals. What is expected is that decision makers must make decisions whilst

in possession of all the relevant facts, and they must seek to avail themselves of all of these

facts.

Decisions must be made at a level in the organisation that carries appropriate authority to

make that decision. For example, if a firm faces a matter where customers may not have

received a fair outcome, or in old parlance, they were not treated fairly, the decision maker

may well need to be empowered to sanction a loss for the company in recompensing

customers, if that is the right thing to do. If the decision maker is ‘too junior’, so cannot consider that option, the decision must be escalated appropriately or run the risk of the wrong decision being made.

Summary

Conduct Risk is not only here to stay as an extension of the TCF Outcomes, but is also going

to ramp up as the FCA get a deeper and fuller understanding of what is missing in the retail

distribution world. Focussing on your exposure and level of risk is critical to your firm’s

survival and escaping close regulatory scrutiny, supervision or worse.


Conduct Risk: Building Your Framework 

Building your own framework takes a large amount of thought and considerable effort to

get it right. At Compliance Consultant we can assist your firm, but there has to be a desire

from the firm to make it work; the tone from the top has to be consistent and loud.

The elements you need to consider are;


Don't forget, Compliance Consultant can provide a whole range of services including:

Initial Risk Assessment or audit —  an initial analysis to identify higher risk areas of the

business and weaknesses in procedures.

Design Risk Management —  build a system with your business, for your business showing

complete audit trail of risk areas of the business and identifying any weaknesses in

procedures.

Business Development —  business analysis advice or advice on particular issues —  for 

example, how your firm is Treating Customers Fairly and an action plan for implementing TCF

across your business.

Governance Templates —  Policies, Logs, Minutes, Terms of Reference and other items

available from our IP library.

Help with setting up procedures  —  for example procedural manuals for recruitment, training

and competence, complaints handling and anti-money laundering. May also include templates

for disclosure documents, fact-finds and registers.

File audits —  checks to ensure that procedures are being followed and identify good practices

and weaknesses

Complaints Handling –  cost effective and project managed from start to finish making your 

response robust and consistent

Technical support —  may include advice on particular products or regulatory reporting. May

be available in various formats, including website, helpdesk and individual technical advice.

Training  —   for example competency assessments, training opportunities or product risk

guidance. May be online support, regulatory updates or seminar based.

Support on individual issues —  for example in dealing with a complaint, a financial

promotion or a particular suitability letter.

Financial promotions (all areas of advertisement) - full support which would include

websites, brochures, DVD's, email templates, client mail shots, adverts, contacting existing

clients and so on.

Remedial work —  helping to action remedial work required by the FCA.

Ensuring you are aware of Handbook changes and the specific impact on your business.

 Your responsibilities and liabilities under SYSC and the recent changes. And

much more ... just ask! Email [email protected]