Understanding Conduct Risk Practices
26 October 2017
No industry-wide definition of conduct risk, but actions and outcomes key
The past few years have seen increased supervisory scrutiny of conduct issues across the globe. This has resulted in a number of large penalties and settlements across multiple business lines. However, despite the regulatory pressure and its priority status, there is no universal definition of conduct risk.
Conduct risk is rising to the top of boardroom agendas at banks and insurance companies. But firms are struggling with an absence of industry best practices and guidance on how to measure and manage conduct risk.
To help ORX members better understand current industry practice around conduct risk, we ran our Understanding Conduct Risk Practices project. Thirty-six banks and insurers took part in the study.
We explored conduct risk’s interaction with the operational risk management framework and the shared challenges faced by the industry. The project focused on:
- Definitions and risk taxonomy
- Framework governance
- Risk identification and assessment
- Data collection and measurement
- Reporting and risk awareness

No universal understanding of conduct, though common themes emerge
Despite the regulatory pressure and its priority status, there is no commonly agreed definition of conduct risk. An analysis of definitions provided by survey participants showed that many think about conduct risk in terms of the actions that trigger the event versus the outcome itself.
Almost half of the surveyed institutions think of conduct risk in terms of the actions, i.e. the misconduct, that lead to the event. Approximately one third focus on the outcome of the event, typically expressed in the detriment experienced by their clients, customers or the wider market. A smaller group of firms reconcile both aspects in their definitions.
Progress being made on addressing conduct risk under the operational risk umbrella
The majority of institutions surveyed told us that they manage conduct risk as part of their operational risk framework. More than 30% said that conduct risk is managed wholly within operational risk. Just over 20% manage it across the operational risk and compliance frameworks.
Culture is key for managing conduct risk
Perhaps more than for any other risk type, establishing and embedding a strong organisational culture is fundamental to effective conduct risk management. As a Chief Risk Officer interviewed for the recently published Future of operational risk study stated, "risk culture is the single most important element of risk management."
We have identified four key cultural themes used to incentivise good conduct and mitigate potential risks:
- Communication and tone from the top
- Risk awareness and training
- Remuneration and staff appraisal
- Understanding employee engagement
Find out more about the results of the study in the summary report below. The full report is available to ORX member firms and those who took part in the study.