FCA Regulatory Compliance: Effective Management information for conduct risk

Regulatory Compliance: Underpinning better decision-making by making use of Effective Management information for conduct risk

The concept of “conduct risk” has risen to the top of firms’ and regulators’ agendas in recent years. In the UK, the FCA expects conduct risk management to be embedded in firms’ risk management frameworks, supported by relevant management information (MI).

Building on ongoing regulatory and supervisory expectations and our practical experience of what works well in operations at firms, we have identified ten principles of strong conduct risk MI that we believe provide a stable base for conduct risk MI across all financial services firms and sectors.
The 10 principles of strong conduct risk MI are:

  • Linked to strategy, culture and risk management framework
  • Outcomes-focused
  • Holistic and used to support analysis of trends
  • Forward-looking
  • Efficient and proportionate
  • Accurate and timely
  • Measured and reported on at an appropriate frequency
  • Comprehensible and traceable
  • Supports open communication and challenge
  • Acted upon and recorded

Linked to strategy, culture and risk management framework

Conduct risk MI is taken into consideration when the firm reviews its strategy, and the organisation implements a process to review the conduct risk MI it gathers if the strategy or business conditions change (e.g. due to the economy, developments in policy and regulation, or technology).

Conduct risks are handled with the same rigour, and given the same priority, as prudential risks.

A variety of indicators are used to inform senior management on how effectively the firm’s culture has been embedded. Conduct risk MI is used as part of performance appraisals and in considering staff remuneration and promotions, for example, as part of a balanced scorecard.
Firms continue to design conduct risk appetite statements for key risks and report MI against conduct risk appetite limits and triggers.

Regulatory Compliance: Outcomes-focused
As part of the product governance process, firms articulate what a good outcome would be for the target end client, along with the inherent risks of the product or service, and establish the MI they need to monitor this.

MI enables an assessment of whether good outcomes are achieved regularly, for example, through monitoring whether the product offers value for money, instead of just concentrating on whether poor outcomes are avoided.

Deep-dive examinations, mystery shopping, customer sales reviews, branch visits and other exercises are often used to build up an understanding of the product or service from the client’s perspective.

Not all conduct risk metrics must be outcomes-focused, as firms need a package of metrics to build up an overall understanding of conduct risk. For example, it is still necessary to receive MI on customer satisfaction, even if, in itself, this does not necessarily show a good customer outcome.

Regulatory Compliance: Holistic and in support of trend analysis
Businesses use a suite of MI, based on a consideration of what is needed, as opposed to what is readily obtainable through existing systems and processes, so that a combination of indicators is measured and used to identify potential problems to be investigated further. Using only existing risk or control indicators may provide a skewed view of the situation. We always encourage firms to set an ideal scenario and employ “back from the future” thinking.

MI is analysed in different ways to identify trends:

– Over a time period (consistent on a period-to-period basis) e.g. to identify increases in complaints over time for a product;
– Across products e.g. to identify products with relatively low claims ratios or low investment returns;
– Across distribution channels e.g. assessing breaches of conflicts of interest policies in different parts of the business; and
– Focusing on one team or individual e.g. looking at a series of indicators from a trading desk to identify patterns.

Regulatory Compliance: Forward-looking
MI reports on possible and emerging conduct risks, as well as crystallised risks, i.e. monitoring whether a product is marketed to the target market.

The business takes into account the emerging conduct risks and trends from the FCA, e.g. those highlighted in the Risk Outlook, alongside lessons learned from previous mis-selling scandals or other regulatory enforcement action, and discusses whether any adjustments are needed to MI and whether existing MI suggests there may be problems that necessitate additional investigation. For example, when the FCA’s Risk Outlook for 2014 highlighted that house price growth may trigger conduct issues, firms that provide mortgages should have concentrated on, for instance, affordability and equity release loans.

The firm is starting to use analytics tools to link data and enable identification of underlying conduct risks, for example, linking post codes with types of mortgages sold and house price growth in the area to understand the risk of customers falling into arrears or the risk of customers being sold an unsuitable product. Many firms will already have this data for credit risk purposes.

Regulatory Compliance: Efficient and proportionate
The business takes a risk-based approach to reporting MI to prevent a deluge of information; information that would not provide value to senior management is not included in MI.
There is a clear delineation of the purpose of conduct risk MI from other MI to eliminate duplication and overlap.

Regulatory Compliance: Accurate and timely
Decisions are made based upon the right information, obtained sufficiently quickly after the relevant business activity has taken place, to enable action.

The second and third lines of defence are engaged in open conversations with the business on expectations in relation to the quality and timeliness of data and what is possible.

Internal Audit reviews the process governing how MI is collected, analysed and reported, and managers review and sense-check information on a sampling basis.

Regulatory Compliance: Measured and reported on at an appropriate frequency
To allow proactive, rather than just reactive, responses, conduct risk MI is provided to senior management as part of monthly, quarterly and annual reporting (as agreed with senior management), and on an ad hoc basis, e.g. where risk appetite triggers are breached.

The firm’s resources, systems and processes allow sufficient flexibility in the frequency with which MI is measured and reported; if necessary, data could be aggregated quickly.

Regulatory Compliance: Comprehensible and traceable
Senior management is given clear and concise MI that highlights the key messages and risks in an easily digestible format; it is possible to drill down into the information for further detail and to trace where the information originated.

Conduct risk MI includes a mix of both quantitative and qualitative analysis, which is accompanied by commentary that explains what the MI means, why any conduct risk issues have occurred and how important they are, how MI was measured (including any limitations), and the proposed actions.

Supports open communication and challenge
Senior managers discuss and challenge ratings across the ‘Red Amber Green’ (RAG) rating spectrum, instead of just concentrating on ‘red’ ratings, and drill down into the analysis to substantiate risk ratings.

Firms ensure robust thresholds to avoid just ‘green’ and ‘amber’ ratings being reported, giving an incorrect sense of comfort.

Anomalous or unexpected results are challenged and verified, e.g. higher than anticipated sales volumes in certain products, or continued successful market predictions from a certain trading desk.

Senior management openly discusses and seeks to understand weak spots in how MI is collected and analysed.

Regulatory Compliance: Acted upon and recorded
Once prospective, emerging and crystallised conduct risks are identified, the root causes are investigated and actions are tracked and reviewed to ensure they have addressed the risks.

Conduct risk MI includes reporting on agreed remedial action and whether the action addressed the conduct risk adequately.

An audit trail is maintained detailing how areas of concern identified within conduct risk MI have been acted upon and monitored.

If you have any queries, please call us on 0800 6890790 or 0207 097 1434

Lee Werrell Chartered FCSI
Compliance Doctor