Conduct has recently become one of the most popular words in the operational risk lexicon. In the years following the 2008 crisis, with financial institutions having been fined billions of dollars over the manipulation of Libor interest rates and global foreign exchange markets, that's hardly surprising.
Today, the talk is of what went wrong with conduct and how it can be fixed – in common parlance, how to manage 'conduct risk'. Certainly, there are plenty of financial services firms that regard this as a high priority: in a recent survey conducted by Risk.net, conduct risk ranked as the second most pressing concern of chief risk officers, heads of operational risk and other op risk practitioners.
Regulators across the globe are also homing in on conduct risk. This has been particularly true at the UK Financial Conduct Authority (FCA), which plans to introduce new rules on conduct, including the controversial Senior Managers Regime, on March 7. Those rules are meant to increase scrutiny over the conduct of senior staff and, interestingly, could also lead to greater probing of firms' prior conduct by their future employees.
What exactly is conduct risk? A typical response might be that conduct risk arises as a result of how firms and employees conduct themselves, particularly in relation to clients and competitors. In this case, poor management of conduct risk might result in problems such as mis-selling, market abuse and fraud, along with lawsuits and fines.
The FCA seemingly favours a more exhaustive definition. The regulator has identified nine drivers of conduct risk, including some as diverse as "technological developments", "regulatory and policy changes" and "ineffective competition". This could be read as an effort to maximise its own jurisdiction, although some practitioners take a similarly broad view. As one recently asked me: if somebody in your organisation fails to conduct client on-boarding checks and you become involved in money laundering, is that financial crime or conduct risk? At some point, everything boils down to a question of conduct – whether it's the conduct of the individual or the firm as a whole.
Looking at the way major banks approach conduct risk, as Risk.net did recently, some differences also emerge. In the past few years, there has been a general trend towards developing a specific treatment for conduct risk – whether that means hiring heads of conduct, setting up committees to deal with conduct-related issues, or merely mentioning conduct risk more frequently in annual reports.
UK banks have been at the forefront of this, hiring former regulators in conduct risk roles and referring liberally to conduct risk in investor communications. Some European and US banks similarly share a renewed focus on conduct and the behaviour of their employees, but describe this in different terms. Others are reluctant to follow suit, fearing that a specific treatment for conduct risk might result in a siloed approach to risk management.
More findings from this research are available here.
The truth is that conduct risk and a variety of other risks overlap and interconnect in many different ways. Defining, organising and managing this hazy no-man's land is the challenge that faces risk practitioners. To a large extent, firms' continuing attachment to the term will depend on how useful it is for achieving this task.