Conduct Risk Culture: Aligning Incentives and Values

    Organisations are currently facing increased scrutiny over their conduct risk culture.

    In this blog we explore the nature of conduct risk, how businesses can achieve good outcomes, and the relationship between incentive structures, performance metrics, and their impact on shaping the conduct culture in financial institutions.

    What is conduct risk?

    Conduct risk refers to the potential harm that can arise from the behaviour of individuals within an organisation. It is crucial for companies, especially financial institutions, to measure and assess their conduct risk culture to ensure alignment with their values.

    There are many methodologies and frameworks used to measure and evaluate conduct risk culture. The best culture change initiatives will not be one-off exercises, but long-term programmes, because it takes time to change embedded assumptions, norms and beliefs.

    All culture 'journeys' require a consistent and focussed effort from the top of the organisation down - and should look at how to move beyond simply meeting regulations. It is essential that firms do not become complacent; they must regularly re-assess their culture, understand progress to date, take action on gaps and instil an effective and resilient culture.

    Culture is lived by the people in the organisation, and things are always fluid; new employees come in bringing new ideas, or the business may have to make changes due to external factors. The most effective firms constantly keep in mind that the culture is evolving all the time – and they shift their strategy to cope with this.

    What do the regulators say?

    Recently there has been increased regulatory focus on the topic of culture. In 2022, the FCA's Emily Shepperd gave a speech entitled "From Zeroes to Heroes: How culture in financial services can change for everyone's benefit." The FCA has also boosted a cultural shift in financial services with the 2023 Consumer Duty regulations, and their recent consultation paper about Diversity and Inclusion.

    The Australian Prudential Regulation Authority (APRA) published their 'Risk culture 10 Dimensions' framework, outlining these 10 key aspects which contribute to risk culture:

    APRA's Risk Culture 10 Dimensions:

    Risk Behaviours
    1. Leadership
    2. Decision-making and challenge
    3. Communication and escalation
    4. Risk capabilities
    5. Alignment with purpose and values

    Risk Architecture
    6. Risk governance and controls
    7. Risk appetite and strategy
    8. Risk culture assessment and board oversight
    9. Responsibility and accountability
    10. Performance management and incentives

    Measuring and assessing conduct risk culture

    To effectively measure and assess conduct risk culture, organisations employ various methodologies and frameworks. The most commonly used framework is the "Three Lines of Defence" model. This model delineates the roles and responsibilities of different stakeholders within an organisation to ensure effective risk management.

    The first line consists of the employees who directly interact with customers and clients.
    The second line involves risk management and compliance functions.
    The third line includes internal audit and independent review functions.

    This model facilitates a comprehensive assessment of conduct risk culture by incorporating multiple perspectives.

    Another methodology used to measure conduct risk culture is conducting cultural surveys and assessments. These surveys aim to gauge employees' perceptions and behaviours regarding conduct risk. By gathering data through anonymous surveys, businesses can identify potential gaps and areas for improvement. Assessments can also include interviews with key personnel to gain a deeper understanding of the organisation's culture and its impact on conduct risk.

    Using appropriate conduct and culture management information will embed and strengthen the methodology used.

    Incentives and culture: aligning behaviour with values

    The relationship between incentive structures, performance metrics, and conduct culture is important in shaping the behaviour of employees within financial institutions. Incentives play a significant role in motivating individuals to achieve desired outcomes - but they can also inadvertently encourage risky behaviour if not aligned with an organisation's values.

    To align behaviour with values, leadership teams should design their incentive structures carefully. This involves setting performance metrics that promote conduct risk awareness and adherence to ethical standards. Examples of these metrics could be:

    • Customer satisfaction ratings
    • Compliance with regulatory requirements
    • Internal reviews from fellow employees
    • Adherence to ethical codes of conduct

    Linking incentives to these metrics should encourage employees to prioritise responsible behaviour and align their actions with the values of the business.

    It's also important to communicate effectively with employees and implement training programmes to help create a strong conduct risk culture. Employees need to understand the importance of conduct risk and how it aligns with the organisation's overall mission and values. Regular training sessions using real-life examples or external case studies can help reinforce the desired behaviour and promote a culture of accountability.

    What's the outcome of a strong conduct risk culture?

    Measuring and assessing conduct risk culture is a priority for organisations, particularly financial institutions, if they want to mitigate potential harm and align employees' behaviour with their values. The gold standard is for employees to understand the expected behaviours, and to live the values through their work at all times, thereby safeguarding the business and its customers – as well as fostering trust and confidence among stakeholders.

    Firms should use methodologies such as the "Three Lines of Defence" model and cultural surveys to gain insights into their conduct risk culture, and make changes to strengthen it. It's also important to align incentives and performance evaluations with values so that the right behaviour is encouraged and rewarded in ways that promote responsible conduct.

    Ultimately, a robust conduct risk culture contributes to the long-term success and sustainability of an organisation, the experience of its employees - and more importantly, the safety and satisfaction of its customers.

    ************************************************

    This blog was written in collaboration with Martyn Carvey, Head of Ops Risk and Compliance SMF16 at National Australia Bank. 

    Martyn has 20+ years of experience in risk management, regulation, policy-making and leading complex projects across sectors including Corporate Institutional Banking, Asset Financing, Private Banking and Asset Management. Key specialisms include embedding risk management, risk culture, risk reporting, regulatory strategy, ICAAP, stress testing, recovery planning, wind-down analysis and Brexit planning, and he has a strong background in delivering effective Governance, Risk, Compliance and AML/Financial Crime programmes within the Financial Services industry. Martyn is currently the Head of Operational Risk and Compliance, holding the SMF16 function, as well as Head of Financial Crime at National Australia Bank. He is a pragmatic and practical problem solver and leader who enjoys a complex challenge. Martyn has previously chaired the Risk Network, which consists of 100+ CROs across all finance sectors, and has presented on risk assessment methodology and embedding risk frameworks into organisations. Martyn is a member of various trade associations and industry bodies.

    Martyn Carvey