
1/3/19 - Why Effectively Managing Conduct Risk Should Be a Top Priority

What is “conduct risk,” and why should firms — in all industries — care about it?

Conduct risk can generally be defined as the risk that a firm’s employees (or third parties acting on a firm’s behalf) behave in a way that may cause:

  • Harm to the firm’s customers and clients
  • Reputational damage to the firm
  • Damage to the firm’s competitive position
  • Costly litigation, regulatory actions that limit the firm’s ability to execute its business strategies, and fines
  • Damage to the integrity of the markets in which the firm operates

Firms of all types should care about conduct risk, because effective identification and control of conduct risk is simply good business. Unfair practices affecting customers and clients drive away business — either directly or through harm to the firm’s reputation. Firms that fail to detect unethical behavior, or even worse, tolerate it, will drive away the types of employees they want to keep. Civil or criminal penalties related to misconduct may cause harm far beyond their actual cost by impacting the firm’s ability to compete for talent and customers. And social media can transform what may appear to be limited instances of misconduct into a reputational epidemic.

These considerations are not limited to firms in the financial services industry, although the spotlight has been on that industry in recent years. Recently, for example, instances of misconduct have been embarrassing and expensive for media and communications firms. 

Challenges of Managing Conduct Risk  

A healthy firm culture is important to help reduce conduct risk, but culture is a collective state of mind, and it is through the behaviors of its employees — conduct — that a firm acts. Assumptions that good culture immunizes a firm against conduct risk skip a critical link — how is that culture actually manifested in conduct? Reliance on an assumption of a good culture, without verifying and managing conduct and conduct risk, leaves a firm open to some of the most embarrassing and expensive risk consequences impacting businesses today. Conduct risk needs to be recognized and managed as a risk type, and traditional risk management tools need to be adapted in various ways to effectively identify and manage conduct risk.

In particular, firms are challenged to clearly define conduct risk, effectively identify conduct risk information, and provide actionable reporting on conduct risks. The challenge is compounded because conduct risk-relevant information is often housed in multiple systems, can appear in differing levels of detail, takes different forms associated with different lines of business, and may not even be thought of as “risk” information.

Firms may find it difficult to identify relevant sources of structured and unstructured data. In some cases, the exact data elements that the firm wants to track may not be available, although there is similar information or other data that differs in granularity. For global firms, the problem is compounded by different regulatory regimes and a diversity of global practices.

Improving the strength of conduct risk signals — and reducing false positives — may also depend on correlating data across very different domains, for example, to determine what relationships exist between information from customer complaints, customer transactional behaviors, ethics hotlines and whistleblower reporting, incentive-compensation results, and trade surveillance. How can a firm recognize if different sources of data are sending the same warning signals of conduct risk?

Without connecting the substance of different data points, simply “pooling” existing conduct-related information into a common repository will be of limited value. Creating “data lakes” may sound sophisticated, but the cumulative results can be a murky picture of conduct risk throughout an enterprise and the production of imprecise, non-actionable information for senior management and the board, neither of which helps advance the effective management of conduct risk.

Keys to Effective Management of Conduct Risk 

Effectively managing conduct risk has similarities — and important differences — to managing other types of risk.

For starters, conduct risk does need to be thought of and managed as a risk — with risk management tools and the governance rigor associated with risk management. Risk management fundamentals — defining roles and responsibilities of risk managers and lines of business as well as internal audit, a risk assessment process to identify types of risk and the quality of risk controls, monitoring and testing risk identification and controls, and training — need to be in place.

These fundamental risk management elements need to be adapted for conduct risk, but, at the same time, firms have the opportunity to leverage risk management routines and processes applied to other risk areas, such as compliance and operational risk, to avoid duplicative efforts. A target operating model for conduct risk can describe where and how conduct risk management activities can leverage existing risk management routines for closely related types of risk and produce efficiencies in risk management.

In addition, unlike many traditional risk types, such as credit exposures or market risk, sources of information on conduct risk are often lodged in multiple systems that capture diverse types of information and label them in different ways. Conduct risk information may also come from external sources, such as social media, or data created by a firm, such as the results of culture surveys. In evaluating all these potential signals of conduct risk exposure, simply toting up numbers and trends of incidents — for example, the number of ethics issues or an increase in the volume of complaints — is only a start. When is the number of complaints too high? What types of complaints is the firm receiving? Which trends are meaningful? What are the types of issues that can impact the firm’s franchise and require escalation and expedited reaction?

A particular challenge in managing conduct risk is establishing an operating model that supports effective cross-disciplinary investigation and true root-cause analysis. For example, determining whether a cluster of customer complaints is related to a whistleblower allegation may require new protocols that are sensitive to the confidentiality of employee data while allowing the correlation of specific facts. An even greater challenge can arise in determining whether conduct incidents are isolated to individual bad actors or if they are driven by work conditions, training, incentives, product design, or other structural factors that impact multiple individuals.

Meeting this risk management challenge requires recognizing where the same conduct risk information is being reported in different ways, which numbers and trends are meaningful, and where relationships need to be recognized between different types of conduct risk-relevant information. This involves: 

  • Identifying sources of structured and unstructured data relevant to the conduct risk data elements the firm determines to track
  • Evaluating inconsistencies in the definitions and granularity of the data and identifying where and how similar, but not identical, types of data can be used
  • Rationalizing situations where comparable information is being captured in different ways by different parts of the enterprise, which can involve harmonizing or “cross-walking” comparable data from different systems to produce a unified taxonomy
  • Within each category of conduct risk information, determining how best to categorize, or “tag,” the information for factors relevant to evaluating risk and structuring risk reporting — e.g., number of incidents, severity of the concern, source, lines of business, product, geography, or process generating the risk, considering both a firm’s policies and relevant regulatory expectations
  • Developing approaches using conduct risk experts, and potentially machine learning and other cognitive techniques, to make connections between different types of conduct risk-relevant signals — e.g., number and types of incidents; incentive compensation of, and customer complaints against, individual employees; customer transactional behavior connected to particular products or employees; incentive-compensation and customer-complaint patterns for branches/offices and regions
  • Creating dashboards and other data-reporting tools tailored to different levels of users and keyed to conduct risk factors by type, line of business, product, process, geography, and any other breakdowns sought by the firm

Conduct risk has many dimensions, and failure to manage it effectively can be one of the most expensive and embarrassing risk management failures for firms in any industry. Successful management of conduct risk requires application of recognized risk management disciplines, plus new approaches to data aggregation, data relationships, and risk reporting to senior management and boards of directors that combine the skills of conduct risk experts and data technologists.

Contact Us 

Julie Williams
Managing Director and Director of Domestic Advisory Practice 
juwilliams@promontory.com 
+1 202 384 1087

Linda Gallagher
Managing Director 
lgallagher@promontory.com
+1 202 370 0411

Raymond Strecker
Managing Director
rstrecker@promontory.com
+1 212 365 6980

Eric Ferri
Director
eferri@promontory.com 
+1 202 370 0611

Allyson Savin
Director
asavin@pomontory.com
+1 202 370 0434