Underpinning better decision-making by employing Effective Management information for conduct risk
The conception of “conduct risk” has risen to the top of firms’ and regulators’ agendas in the last few years. In the UK, the FCA presumes conduct risk management as being implanted into firms’ risk management frameworks, maintained by suitable management information (MI).
Building on current regulatory and supervisory expectations and our years of experience of what works well in operations at firms, ten principles of strong conduct risk MI have been identified that our team believe serve as a solid base for conduct risk MI across all of financial services firms and sectors.
The 10 principles of strong conduct risk MI are;
- Linked to strategy, culture and risk management framework
- Holistic and used to support analysis of trends
- Efficient and proportionate
- Accurate and timely
- Measured and reported on at an appropriate frequency
- Comprehensible and traceable
- Supports open communication and challenge
- Acted upon and recorded
Associated to strategy, culture and risk management framework
Conduct risk MI is taken into consideration when the firm discusses its strategy and the firm implements a process to examine the conduct risk MI it accumulates, if the strategy or business surroundings should change (e.g. due to the economy, developments in policy and regulation, or technology).
Conduct risks are supervised with the same rigour, and given the same priority, as prudential risks.
A stable of indicators are operated to inform senior management on how correctly the firm’s culture has been embedded. Conduct risk MI is used as a component of performance appraisals and in looking into staff remuneration and promotions, for example, as a part of a balanced scorecard.
Firms go on to form conduct risk appetite statements for key risks and report MI against conduct risk appetite limitations and triggers.
As a component of the product governance approach, firms articulate what a good outcome would likely be for the target end client, including the inherent risks of the product and services, and distinguish the MI they need to keep an eye on this.
MI enables a diagnosis of whether good outcomes are achieved continuously, such as, through monitoring whether the product offers value for money, instead of just concentrating on whether poor outcomes are avoided.
Deep-dive investigations, mystery shopping, customer sales reviews, branch visits and other exercises are often used to develop an image of the product and services from the client’s viewpoint.
Not all conduct risk metrics must be outcomes-focused, as firms need a suite of metrics to build up an overall understanding of conduct risk. As an example, it is still necessary to receive MI on customer satisfaction, even when, by itself, this does not necessarily indicate a good customer outcome.
Holistic and in support of trend analysis
Enterprises use a suite of MI, formed on an appraisal of what is needed, instead of what is readily obtainable through existing systems and processes, in order that a combination of indicators is measured and used to identify potential problems to be investigated further. Using existing risk or control indicators may only provide a skewed view of the situation. We always encourage firms to set an ideal scenario and employ back from the future thinking.
MI is analysed in different ways to identify trends:
– Over a period of time (consistent on a period-to-period basis) e.g. to identify increases in complaints over time for a product;
– Across products e.g. to identify products with remarkably low claims ratios or low investment returns;
– Across business lines e.g. examining breaches of conflicts of interest policies in different areas in the business; and
– Focusing on one team or individual e.g. considering a range of indicators from a trading desk to identify patterns.
MI reports on possible and emerging conduct risks, besides crystallised risks, as an example, monitoring whether a product is promoted to the target market.
The company considers the emerging conduct risks and trends from the FCA, e.g. those highlighted in the Risk Outlook, as well as lessons gained from previous mis-selling scandals or other regulatory enforcement action, and talks about whether any realignments are needed to MI and whether current MI suggests there may be issues that call for additional investigation. For instance, when the FCA’s Risk Outlook for 2014 highlighted that house price growth may give rise to conduct issues, firms that provide mortgages should have focused on, for instance, affordability and equity release loans.
The business is starting to use analytics tools to link data and enable recognition of underlying conduct risks, for instance, linking post codes with types of mortgages sold and house price growth in the area to understand the risk of customers falling into arrears or the risk of customers being sold an unsuitable product. Many firms will already have this data for credit risk purposes.
Efficient and proportionate
Business takes a risk-based approach to reporting MI to avoid a flood of information; information that would not provide value to senior management is not included in MI.
There is a clear delineation of the purpose of conduct risk MI from other MI to eliminate duplication and overlap.
Accurate and timely
Decisions are made based upon the right information, collected sufficiently quickly after the relevant business activity has transpired, to enable action.
The second and third lines of defence are participating in open conversations with the business on expectations in relation to the quality and timeliness of data and what is achievable.
Internal Audit reviews the process governing how MI is collected, analysed and reported, and managers review and sense-check information on a sample basis.
Measured and reported on at an appropriate frequency
To allow practical, in lieu of just reactive responses, conduct risk MI is provided to senior management as a part of monthly, quarterly and annual reporting (as agreed with senior management), and on an ad hoc basis e.g. where risk appetite triggers are breached.
The firm’s resources, systems and processes allow sufficient flexibility in the frequency with which MI is measured and reported; if necessary, data may be aggregated quickly.
Comprehensible and traceable
Senior management is in receipt of clear and concise MI that feature the key messages and risks in an easily digestible format; it is possible to drill down into the information for more detail and to trace where the information was derived.
Conduct risk MI includes a mix of both quantitative and qualitative analysis, which is accompanied by remarks that explain what the MI means, why any conduct risk issues have come about and how substantial they are, how MI was measured (including any limitations), and the proposed actions.
Supports open communication and challenge
Senior Managers discuss and challenge ratings across the ‘Red Amber Green’ (RAG) rating spectrum, as opposed to just targeting ‘red’ ratings, and drill down into the analysis to support risk ratings.
Firms ensure robust thresholds to avoid just ‘green’ and ‘amber’ ratings being reported, giving an inaccurate sense of comfort.
Anomalous or unexpected results are challenged and verified e.g. more than expected sales volumes in certain products, or continued successful market predictions from a certain trading desk.
Senior management openly discusses and seeks to understand weaknesses in how MI is collected and analysed.
Acted upon and recorded
Once probable, emerging and crystallised conduct risks are identified, the origin are investigated and actions are tracked and gone over to ensure they addressed the risks.
Conduct risk MI includes reporting on agreed remedial action and whether the action addressed the conduct risk properly.
An audit trail is maintained detailing how areas of concern acknowledged within conduct risk MI have been acted upon and monitored.
If you have any queries, please call us on 0207 097 1434
Lee Werrell Chartered FCSI