Management information for conduct risk
Underpinning better decision-making
The concept of “conduct risk” has risen to the top of firms’ and regulators’ agendas in recent years. In the UK, the FCA expects conduct risk management to be embedded into firms’ risk management frameworks, supported by appropriate management information (MI). Building on current regulatory and supervisory expectations and our experience of what works well in practice at firms, the EMEA Centre for Regulatory Strategy have identified 10 principles of strong conduct risk MI that we believe serve as a sound foundation for conduct risk MI across all financial services firms.
Our 10 principles of strong conduct risk MI:
Linked to strategy, culture and risk management framework
· Conduct risk MI is considered when the firm discusses its strategy and the business puts in place a process to review the conduct risk MI it collects, if the strategy or business environment should change (e.g. due to the economy, developments in policy and regulation, or technology).
· Conduct risks are managed with the same rigour, and given the same priority, as prudential risks.
· A range of indicators are used to inform senior management on how effectively the firm’s culture has been embedded. Conduct risk MI is used as part of performance appraisals and in considering staff remuneration and promotions, for example, as part of a balanced scorecard.
· Firms continue to develop conduct risk appetite statements for key risks and report MI against conduct risk appetite limits and triggers.
· As part of the product governance process, firms articulate what a good outcome would be for the target end client, as well as the inherent risks of the product or service, and identify the MI they need to monitor this.
· MI enables an assessment of whether good outcomes are achieved consistently, for example, through monitoring whether the product offers value for money, rather than just focusing on whether poor outcomes are avoided.
· Deep-dive investigations, mystery shopping, customer sales reviews, branch visits and other exercises are used to build up a picture of the product or service from the client’s point of view.
· Not all conduct risk metrics must be outcomes-focused, as firms need a suite of metrics to build up an overall picture of conduct risk. For example, it is still important to receive MI on customer satisfaction, even if, by itself, this does not necessarily demonstrate a good customer outcome.
Holistic and used to support analysis of trends
· Firms use a suite of MI, based on an assessment of what is needed, rather than what is readily available through existing systems and processes, so that a combination of indicators is measured and used to identify potential problems to be investigated further.
· MI is analysed in different ways to identify trends:
- Over a period of time (consistent on a period-to-period basis) e.g. to identify increases in complaints over time for a product;
- Across products e.g. to identify products with relatively low claims ratios or low investment returns;
- Across business lines e.g. looking at breaches of conflicts of interest policies in different parts of the business; and
- Focusing on one team or individual e.g. looking at a range of indicators from a trading desk to identify patterns.
· MI reports on potential and emerging conduct risks, in addition to crystallised risks, for example, monitoring whether a product is sold to the target market.
· The firm considers the emerging conduct risks and trends from the FCA, e.g. those highlighted in the Risk Outlook, as well as lessons learned from previous mis-selling scandals or other regulatory enforcement action, and discusses whether any adjustments are needed to MI and whether current MI suggests there may be problems that require further investigation. For example, when the FCA’s Risk Outlook for 2014 highlighted that house price growth may give rise to conduct issues, firms that provide mortgages should have focused on, for example, affordability and equity release loans.
· The firm is starting to use analytics tools to link data and enable identification of underlying conduct risks, for example, linking post codes with types of mortgages sold and house price growth in the area to understand the risk of customers falling into arrears or the risk of customers being sold an unsuitable product. Many firms will already have this data for credit risk purposes.
Efficient and proportionate
· The business takes a risk-based approach to reporting MI to avoid a deluge of information; information that would not provide value to senior management is not included in MI.
· There is a clear delineation of the purpose of conduct risk MI from other MI to eliminate duplication and overlap.
Accurate and timely
· Decisions are made based on the right information, received sufficiently quickly after the relevant business activity has taken place, to enable action.
· The second and third lines of defence are engaged in open conversations with the business on expectations in relation to the quality and timeliness of data and what is achievable.
· Internal Audit reviews the process governing how MI is collected, analysed and reported, and managers review and sense-check information on a sample basis.
Measured and reported on at an appropriate frequency
· To allow proactive, rather than just reactive responses, conduct risk MI is provided to senior management as part of monthly, quarterly and annual reporting (as agreed with senior management), and on an ad hoc basis e.g. where risk appetite triggers are breached.
· The firm’s resources, systems and processes allow sufficient flexibility in the frequency with which MI is measured and reported; if necessary, data can be aggregated quickly.
Comprehensible and traceable
· Senior management receives clear and concise MI that highlights the key messages and risks in an easily digestible format; it is possible to drill down into the information for further detail and to trace where the information originated.
· Conduct risk MI includes a mix of both quantitative and qualitative analysis, which is accompanied by commentary that explains what the MI means, why any conduct risk issues have occurred and how significant they are, how MI was measured (including any limitations), and the proposed actions.
Supports open communication and challenge
· Senior Managers discuss and challenge ratings across the ‘Red Amber Green’ (RAG) rating spectrum, rather than just focusing on ‘red’ ratings, and drill down into the analysis to substantiate risk ratings.
· Firms ensure robust thresholds to avoid just ‘green’ and ‘amber’ ratings being reported, giving a false sense of comfort.
· Anomalous or unexpected results are challenged and verified e.g. higher than expected sales volumes in certain products, or continued successful market predictions from a certain trading desk.
· Senior management openly discusses and seeks to understand weaknesses in how MI is collected and analysed.
Acted upon and recorded
· Once potential, emerging and crystallised conduct risks are identified, the root causes are investigated and actions are tracked and reviewed to ensure they addressed the risks.
· Conduct risk MI includes reporting on agreed remedial action and whether the action addressed the conduct risk effectively.
· An audit trail is maintained detailing how areas of concern identified within conduct risk MI have been acted upon and monitored.