Regulators are placing increasing emphasis on the management of conduct risk within financial services firms. Central to this is the right management information (MI). The importance of MI is also set to increase in the UK under the Senior Managers Regime (SMR) and Senior Insurance Managers Regime (SIMR), where strong conduct risk MI will help Senior Managers to demonstrate that they have taken reasonable steps to understand conduct risks and that they have put in place appropriate controls.

While both retail and wholesale firms across the financial services sector have made progress in embedding conduct risk within their risk management frameworks, and have sought to improve associated MI, there are still several areas where firms can continue to make improvements. Recognising that firms cannot afford to delay in this work and to assist them as they undertake it, we set out 10 principles of strong conduct risk MI in our new paper, launched today.

Our 10 principles of strong conduct risk MI

There are a number of themes that emerge in these principles. Conduct risk MI should be linked to strategy, culture and risk management frameworks and be outcomes-focused and forward-looking.  Firms should use a suite of MI, analysed in different ways to identify trends, for example, over a period of time, across products or business lines, or focusing on one team or individual. Getting the frequency, accuracy and timeliness of MI right are important, as is the need for MI to be comprehensible and traceable, so that Senior Managers are not deluged with detail. MI should support open communication and challenge within the firm, with Senior Managers discussing ratings across the 'Red Amber Green' (RAG) rating spectrum and challenging anomalous results. Where relevant, MI should be acted upon, with those actions recorded. MI is not about providing all information to Senior Managers, but should be efficient and proportionate, so that only MI that helps Senior Managers to manage conduct risks is provided.

Governance, culture and capabilities

The 10 principles build on regulatory and supervisory expectations and our experience of what works well in practice at firms. While the precise way that firms achieve strong conduct risk MI is unique to them, we believe that the principles serve as a sound foundation for conduct risk MI across all financial services firms. They should be underpinned by robust and clearly articulated governance, culture, and capabilities. Firms should ensure that there is a documented governance framework for conduct risk MI, and the Board and senior management should seek to instil a culture where conduct risk is given the same prominence as other risks. Staff need to have the right skillset and firms need to ensure that the processes by which they source data and information are as streamlined as possible. Investing in technology enables increased automation to report, govern and aggregate conduct risks on both a periodic and ad hoc basis. Analytics, when used effectively, can also be a powerful tool to highlight risks often obscured by large data volumes.

Putting the principles into practice

In putting the principles into practice, there are a number of steps that firms can take. They can establish a governance framework and conduct a stock-take of existing MI governance arrangements and the data and information collected to populate MI, using our 10 principles as a guide to identify areas of weakness in conduct risk MI. Firms will need to review and determine a set of key conduct risk indicators and underlying metrics, specific to their organisation, which can be quantified and measured. These should cover operational technology, market propositions, conduct, behaviour, culture, breaches of policies or regulations, as well as the effectiveness of conduct risk mitigants and controls. They should also review and determine conduct risk appetite and thresholds and establish a consequences framework for when MI thresholds are triggered. Sourcing the data and information needed to populate MI and deciding on the process for analysing and presenting MI will be important. Finally, firms will need to continue to work on effective conduct risk MI, as they are unlikely to get it right first time.

Senior Managers who fail to make progress in achieving strong conduct risk MI will ultimately fail in arming themselves with the evidence of 'having done the right thing' in a world where they face increased personal accountability for issues taking place within their firms. More importantly, however, conduct risk MI is essential for better decision-making in advance of any problems. It can help to avoid potential conduct costs such as fines, redress, legal fees, or reputational damage, as seen in recent mis-selling and benchmark manipulation cases. This allows firms to address conduct risks before they crystallise, rather than being handed a bill after the event. It can also help senior management to understand client needs and behaviours, driving commercial benefits as well as building trust. By getting conduct risk MI right, improvements in governance and culture will translate into better outcomes for clients, and for the firms themselves in the long-run.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.