The language and culture of conduct are fundamental to the success of controlling non-financial risks, said keynote speakers and panellists at the 1LoD Summit. To that end, clarity and continuous communication within businesses are key, but so is an awareness that the conduct risk landscape is constantly evolving.
Firms would benefit greatly from ensuring that risks are identified and named uniformly across all business decisions, as conduct risks often arise in similar ways in different places, keynote speakers and panellists said.
Regulators interviewing banks about the nature of their conduct risk programmes have often been presented with well-designed PowerPoints, but have found that when asked what it is that is actually being governed, the response can be lacking in substance. Regulators do not, however, attach importance to the existence of systems of controls within a business in and of themselves, attendees at the Summit noted. “Mountains of management information [MI] may not be that useful to enable firms to understand the conduct risk they have,” said one.
“You can’t mitigate a risk you can’t identify,” the attendee said. And making sure everyone in an organisation is aware of conduct risks and that a set terminology is established helps to ensure that “conduct is for life, not just for Christmas.”
But it is just as important for firms to ensure that risks are identified and communicated in the same way. In part, this is about clarifying the roles of the three lines of defence, panellists and keynote speakers said. But it’s also about continuous communication between lines of defence, as well as business groups themselves.
Speakers underlined the importance of elucidating the roles of the three lines of defence, but, as one attendee, who works for a large consultancy, said, while a lot of progress has been made to that end, “many of my clients still have some ways to go.”
This is where conversation is paramount, said Sally Clark, chief internal auditor at Barclays, using the analogy of children playing football. “The risk we have is that we could all be chasing after the football. We all run for the same thing and we all dive all over it and we end up getting in each other’s way.”
Such conversation is critical to ensuring that lines of defence cooperate and coordinate effectively. “The way forward for all of us is to have lots and lots of conversations,” Clark said. “We can certainly not always be in the same place at the same time doing the same things.”
Throughout the Summit, panellists echoed that point. Sir General Peter Wall, former head of the British Army and chief executive of consultancy group Amicus, highlighted the importance of both communication and diversity in getting desired outcomes. “What gets you resilience is diversity of thought,” he said in his keynote interview. When strategies are devised by people of similar cultures, backgrounds and ways of thinking, “you tend to have an organisation that’s brilliant at consensus and agreeing a plan and getting the job done,” Sir Peter said. “Which is great – if it’s the right plan.”
Libby Denchfield, managing director and head of conduct and SMR for financial markets at Standard Chartered, fleshed out the point on another panel, entitled “Conduct vs Control vs Culture”.
“We started with a particular conduct framework, which we ran with for two years and it worked very well with all our first line,” she said. But then, the team gradually found in their conversations with different functions at the bank that the framework didn’t apply uniformly across the group.
“On working with our initial Conduct Framework and moving to work with our second line and control functions, we realised that we needed to evolve our framework, as our understanding of how conduct risk was managed as an organisation had grown significantly,” said Denchfield. Risk control means different things to people in different functions.
“As with any organisation, understanding conduct risk, and the role each department plays in managing that, is sometimes more complex than initially understood,” said Denchfield. “For example, for our property department, it might be securing the building in the event of a health-related outbreak; with finance, it’s more about understanding the conduct risk within the budget and strategy setting processes, which are instrumental in driving overall organisational targets and incentives.”
“Working with our control functions ultimately led to us evolving our Conduct Framework to one which was much more aligned to the way the overall organisation needs to work together to manage conduct risk and ultimately obtain the appropriate outcomes we desire, for all our stakeholders,” she continued. It had to be changed again when Denchfield found that cultural differences can throw a wrench in a fixed risk control framework. “Conduct risk in FX is different in London versus in Nigeria, for example,” she said. In the end, the process of developing a framework involves trying to really understand various roles in an organisation, often through communication, and staying flexible while keeping a steady eye on the goal.
Every business’ framework for identifying and mitigating non-financial risk will be different, but it is equally important for each firm’s framework to be coherent, panellists and speakers said. Once the various roles are defined clearly, they must be maintained — with an eye toward continuous evolution. “The things we looked at were indicators in the past may not be indicators in the future,” said Clark.
But although awareness that risks are evolving (in part because humans change their behaviour when they know they’re being watched) is important to regulators, businesses need to be sure they are identifying the correct risks.
“Regulators and boards can be inconvenient” for this reason, said one attendee. “[They say things like,] ‘You give us this every month that’s useful. Can we keep having it?’”
But if the MI needs to evolve because it’s not actually doing its intended job, that’s a conversation risk professionals and regulators need to have.