Implementing conduct risk measures

Several risk management areas rocketed to greater prominence in the wake of Global Financial Crisis (GFC), most notably an intensified focus on the behaviour and conduct of employees.

In particular, the financial services sector was targeted to ascertain how to avoid the type of fiscal meltdown which brought markets to their knees in 2007/08.

Today, however, firms from all industries must consider the concept of conduct risk.

At the recent 3^rd Regulatory Summit in Sydney, a panel discussion (pictured) tackled the issue of conduct risk, analysed why it has never been more important to corporations and outlined how organisations can minimise its negative impacts.

Defining and implementing conduct risk

There are a variety of definitions around the emerging concept of conduct risk, but in essence it refers to risks attached to the way in which an organisation and its employees conduct themselves.

Summit panellist Christian Hunt, global head of compliance and operational risk control for asset management, UBS, says while there is a tendency to blame computer systems for company problems, human behaviour is where the key challenge remains.

“[Conduct risk] is about changing people’s behaviour patterns and making sure that people’s behaviour patterns are appropriate,” he says.

“You can do that in a multitude of different ways. You need to train people [employees] and make sure they are fully aware of what the expectations of them are.

“You need to empower them, you need to make sure that there are appropriate mechanisms for them to call out their colleagues when they are not doing it. [You must ensure] that they are listened to, so you need aspects like whistle blowing.”

Hunt says it is also important that employees are “correctly remunerated” for the work they are performing.

“It’s about doing [the right] things, even when no-one is looking and making sure that you have empowered your people to take the right decision even when there is no-one looking over their shoulder and they think they might get away with something,” he says.

“The conduct is straightforward … it’s back to good old-fashioned business sense. Are we ripping our customers off? Does this feel like the sort of business that we ought to be in? Does this feel like a good thing to do?”

Hunt says such concepts are easy to say and acknowledge, but much harder to action.

“You can train people and you can incentivise them, but you need to encourage them and you need to basically build a framework,” he says.

“You need to hire the right people and you need to get rid of the people that are not with the program.

“All of that stuff takes time and effort and it’s not a straightforward piece at all — you really need to work at it. The key thing here is putting huge amounts of resources behind it, being seen and being committed to do it, and you need senior [management] to walk the talk.”

Another member of the financial services fraternity on the panel was Anatoly Kirievsky, country compliance officer, Bank of America Merrill Lynch, who says that conduct risk is simultaneously simple and complex.

“It’s simple in the sense that it’s pretty much commonsense. When you see a situation you look at it in the cold sort of light of day and you know what the right action is and what the wrong action is,” he says.

“[The more complex aspect is] when you see that somebody took the wrong action you are trying to understand, why did they take the wrong action? Was it because we did not get the right person in the first place? Was it because you did not provide the right incentives?

“Or was it the culture of the particular environment, which led that person to believe that the choice he was making was the right choice, whereas in fact when you look at it objectively, it’s not the right choice?”

Kirievsky says it is those more complex questions that define a conduct risk approach.

The Summit’s third panellist Kevin Nixon, partner, risk, Deloitte, agrees.

He says: “There are a number of layers to [conduct risk]. The first layer, and this is often where a lot of people stop thinking, is where you look at complying with the rules.

“So conduct risk is the risk if you get caught breaching a rule and you are subject to a fine, a sanction or possible undertaking, something like that.

“So at one layer you are just making sure that everyone follows the rules and you would want to have a framework — a compliance framework — that is robust enough that everyone knows what the rules are and everyone follows that.”

But Nixon says when it comes to the next layer of conduct risk, it is focused on behaviour too.

“The next level is looking at the behaviour of an individual — why would an individual want to break that rule? Do they fully understand the rules?

“Then you take it up another level, to the culture of the organisation and you look at whether there is a systemic issue where many individuals are looking to step around the rules and maybe play in a grey area, because they feel they need to for a competitive reason, from a career progression reason, or from a KPI [Key Performance Indicator] measure.”

Nixon says the classic example is if an employee has a KPI, perhaps on selling a certain product or service, and that is the only KPI they are working towards, then the company could be setting themselves up for a conduct risk issue.

Corporate culture

Nixon says these aspects come back to the overall culture of the organisation and Hunt’s idea of how you act when no-one is looking.

“It’s what they used to call the front page test. Would you be happy if your mother picked up the front page of the newspaper and saw your name there and what you have done? I think the key thing is it’s not just whether you have broken the law or not, it’s how people feel about the way you have approached it,” Nixon says.

“It may be perfectly legal what you are doing but it’s whether you have treated people fairly and appropriately. It’s not that you should not be trying to make money, everyone’s in business, but it’s how you make money and whether you are making a profitable return from doing good business in a sustainable way.”

Kirievsky says if you look at the culture of a company and if you look at how people react, this provides an insight into the conduct risk of an organisation.

“We have a Financial Services Licence obligation to provide services honestly, efficiently and fairly. That’s one of the keys to our financial services licensing and that’s one obligation that is really going to prove decisive going forward. I do not think that the regulators have made full use of this obligation yet.”

Hunt says the concept of culture is how someone does business and it is very difficult to define.

“You know bad culture when you see it but you cannot start to define what a good culture is because each firm has its own DNA,” he says.

“What we need to do — and I love using history — is come back to the traditional partnership model where you have a small number of people sitting there and they take a collective decision that was for the good of the partnership, and in fact the franchise [business].”

Hunt says protecting your firm’s business, maintaining long-term sustainable customer relationships and keeping staff happy because they know they are being fairly rewarded for doing the right thing, is a great mindset to have as it avoids taking short-term decisions.

“Good culture just comes and it’s not about writing stuff down. You need to have that [cultural approach] written down, clearly, but it’s about how people behave, it’s about walking the talk and that’s the key thing. It’s factors such as: how do they [employees] interact with their fellow people? Do they say one thing and do another?” adds Hunt.