“Conduct risk” has been a top priority for the FCA ever since their formation in 2013, but to many it’s still a confusing and vague concept. The FCA have defined it as “the risk that firm behaviours will result in poor outcomes for customers”. One suggested explanation, from the Thomson Reuters 13/14 Conduct Risk survey, is that it is “the risk that detriment is caused to our customers, clients, counterparties and their employees because of inappropriate judgement in the execution of our business activities”.
So who is responsible for something so wide-ranging? When discussing conduct risk we tend to talk a lot about company “culture”: the need to have the right kind of culture, and the failings of a company’s culture. The Institute of Risk Management (in their 2012 paper ‘Risk Culture: Under the Microscope Guidance for Boards’) say that “the culture of a group arises from the repeated behaviour of its members. The behaviour of the group and its constituent individuals is shaped by their underlying attitudes. Both behaviour and attitudes are influenced by the prevailing culture of the group.”
At a recent event held in association with our business partners Crowe Global Risk Consulting, John Thirlwell spoke about ‘culture’ not being something that your compliance management team can quickly fix; it’s a question of how everyone in your organisation behaves on a day-to-day basis, especially the people at the top. If your senior management team, with all their power and influence, are behaving unethically, they can’t expect any better from the staff beneath them. Thirlwell went on to say that conduct risk shouldn’t be monitored and managed purely for regulation’s sake; good conduct should be something that we do regardless, because it’s the right thing to do.
Compliance management obviously play an important role in monitoring, but if we’re talking about people’s personal conduct on a day-to-day basis, who does that fall to? If we’re talking about people’s everyday behaviour and moral standing, are HR responsible? Or is it the line managers that people are reporting to? Or should the board be held accountable for embedding the right kind of culture and modelling good conduct? You can’t expect a company with 5000 employees to have a board member sat in every single interview, or to have an HR representative in every meeting, or to have a compliance officer tracking everyone’s behaviour all day. It falls, then, to every person within an organisation to make sure they individually are doing the right thing and enacting a positive culture.
The question you need to ask, then, is not ‘how can we make sure we’re compliant?’ but instead ‘who controls the culture in our company?’ and ‘am I making positive contributions to that culture?’