UK: Conduct Risk - Is Your Framework Compatible With The FCA's Agenda?

In May 2019, the Financial Conduct Authority (FCA) published its third annual report on its 5 Conduct Questions Programme. Since its introduction, the FCA observed that firms have been investing substantial efforts in change programmes related to conduct and culture, a key cross-sector priority for the FCA.

In this Insight, Sushil Kuner, a Senior Associate within our Financial Services Regulatory team, identifies the 5 Conduct Questions, providing guidance on how firms can identify the conduct risks associated with their businesses. She also highlights key aspects of the FCA's latest report, outlining examples of good and poor practices identified by the FCA during their Supervisory activities.

The FCA launched the 5 Conduct Questions Programme in 2015, initially as a Supervisory tool for the Wholesale Banking sector to help firms improve their conduct risk management and, ultimately, drive cultural change. The programme has been very successful to date, with the FCA observing that many firms have been making significant strides in improving their conduct risk frameworks.

On the basis of this success, the 5 Conduct Questions have now been incorporated into the FCA's Approach to Supervision, applying to all firms in the financial sector, wholesale or otherwise.

What are the 5 Conduct Questions?

  1. What proactive steps do you take as a firm to identify the conduct risks inherent within your business?
  2. How do you encourage the individuals who work in front, middle, back office, control and support functions to feel and be responsible for managing the conduct of their business?
  3. What support (broadly defined) does the firm put in place to enable those who work for it to improve the conduct of their business or function?
  4. How does the Board and ExCo (or appropriate senior management) gain oversight of the conduct of business within their organisation and, equally importantly, how does the Board or Exco consider the conduct implications of the strategic decisions that they make?
  5. Has the firm assessed whether there are any other activities that it undertakes that could undermine strategies put in place to improve conduct?

The first step in addressing the 5 Conduct Questions is for firms to understand what 'conduct risk' means. This is not an FCA defined term as the FCA expects firms to develop their own conduct risk definition and strategies and put in place a tailored conduct risk framework to address the specific risks that their business is exposed to.

However, at the very highest level, it is generally accepted that conduct risk means any action of a firm or an individual that has the potential to cause harm to consumers or market integrity.

How do I identify the key conduct risks associated with my business?

There are a number of conduct risk drivers stemming from firms' structures and behaviours which could create a risk of harm to consumers or market integrity. Firms that understand the drivers of conduct risk can better understand whether their conduct risk frameworks are robust enough to mitigate against the risk of harm stemming from their activities or individual behaviours. We set out below some examples of key conduct risk drivers.

  • Governance - a firm which has poor governance arrangements cannot effectively identify and mitigate risks of harm caused by its business activities. For example, if a firm has many layers of management and/or committees, which receive similar and overlapping Management Information ("MI"), how does it ensure that risks identified through reporting are being addressed? Is there effective oversight in terms of how issues are being handled and by whom?
  • Conflicts of interest - do you routinely review your business models and assess whether there are any potential conflicts of interest that may be present? For example, do you have a vertically integrated business model? Do you manufacture and distribute products? Are staff incentive schemes creating conflicts of interest?
  • Systems and controls - a firm which has inadequate systems and controls cannot effectively identify risks of harm caused by its activities. MI is a key form of control and, if not designed properly, can lead to risks not being properly identified. Is senior management keeping the design of MI under regular review and ensuring that it continues to be fit for purpose in highlighting risk areas? Training is another important form of control and rather than adopting a tick box approach, the FCA expects firms to develop training in order to embed awareness of conduct risk at all levels of the organisation. The Senior Managers and Certification Regime aims to strengthen accountability and provides firms with a great opportunity to roll out new conduct risk training programmes to all staff so that they truly understand the risks attached to their specific roles and how they should behave.
  • Business model - a firm's business model can itself be a driver for conduct risk, for example in the design and delivery of products/services. Taking the example of consumers' search for yield in a low interest rate environment, this often encourages firms to try and design more complex and risky products to try to meet this demand. But that may present key conduct risks, for example, consumers not fully understanding the products to which they are signing up and the products being wholly unsuitable for them.
  • Culture - culture and governance are key recurring themes in the FCA's latest report on the 5 Conduct Questions Programme, as well as in its Business Plan for 2019/20. A key indicator of culture is the tone from the top:
    • Does senior management act in accordance with the firm's policies and procedures?
    • Does senior management still reward bad behaviour, through remuneration, for example because an employee is hitting their financial targets?
    • Is there a blame culture when things go wrong? This often discourages people from speaking up and admitting they have made a mistake, thereby preventing problems from being rectified.
    • Do people turn a blind eye to misconduct in the workplace for fear of speaking up? While firms may have great speaking up initiatives, are these truly embedded within the organisation?
    • Is there an element of indecision within the firm? Do difficult decisions tend to be put off? This could lead to long running failings at the firm not being addressed through prompt decisive action.

FCA's Key Findings in its Third Annual 5 Conduct Questions Report

The FCA's latest report covers supervisory activity and discussions with a sample of approximately 50 firms in the Wholesale sector but the content of the report is relevant for all firms in the financial sector. It builds on the previous two annual reports which we do not cover here in detail, but overall, since its launch, firms in the Wholesale sector have made significant strides in improving their policies, processes, training and identification of conduct risk through this programme.

Early firm initiatives concentrated on process flows and bad behaviour, leading to the creation of new policies and procedures, new training programmes and the use of technology for better surveillance. The FCA's recent report highlights that the previous emphasis was on avoiding preventable breaches, addressing conflicts of interest and designing MI to help identify weaknesses. This work was often led by functions such as Compliance, Risk, HR and IT. While these strategies are supported by the regulator, the FCA is keen now for firms to consider conduct in its widest sense.

The FCA has observed firms implementing two or three year programmes that focus narrowly on regulatory adherence and avoiding rule breaches. It considers that this leads to conduct being narrowly defined and treated like a 'tripwire', with staff being more likely to respond with fear than forward-looking enthusiasm.

In contrast, firms integrating conduct with longer-term corporate goals and framing it as a component of a broader strategic effort are more likely to lead to a culture of positive behaviour and not just an environment of avoiding bad behaviour / rule breaches.

Those firms which have framed conduct as an integral part of larger corporate goals have seen positive reactions from all stakeholders. Firms embedding good behaviours across the whole organisation have benefitted from better client engagement (clients like to deal with firms they can trust) which has also benefitted shareholders. Firms investing resource into developing their Purpose and Mission statements to underpin a meaningful social impact are also more likely to engage the wider stakeholder community as well as staff, thereby securing the long-term sustainability of the business - a sense of individual purpose that aligns with corporate purpose has been demonstrated to drive superior performance.

Noticeably, the FCA has increasingly been emphasising the need for firms to focus on psychological safety in the workplace, whistleblowing, as well as non-financial misconduct. The FCA's view is that where there is psychological safety at work, staff are comfortable sharing concerns and mistakes without fear of embarrassment or retribution. As such, they feel comfortable that they can speak up and won't be humiliated, ignored or blamed. As well as being vigilant to the well-being of staff, firms have been encouraged to develop training on a wide range of human development skills to support psychological safety. While senior management and junior employees have benefitted from training on conduct, the FCA's view is that middle management (which is highly influential in providing day to day leadership on conduct) could benefit from more attention.

Regarding whistleblowing, the FCA reviewed whether staff could use firms' whistleblowing processes without fear of identification and reprisal. The FCA noted that, perhaps due to active promotional efforts, a greater than usual number of cases were being reported with firms being uncertain as to what a normalised volume would prove to be. The nature of the whistleblowing reports also varied significantly across firms, where similar cases handled in the normal course of business at one firm triggered a whistleblowing event at another. The FCA has concluded that the challenge for firms remains to fully embed the desired changes of mind-set across the whole organisation.

Despite this progress, the FCA is particularly concerned that the largest component of investigated cases in the whistleblowing channel were categories like 'Dignity at Work' or 'Non-Financial Misconduct', which captured bullying, favouritism, exclusion and sexual harassment. These cases seemed to be on the rise, although it is not yet clear whether this is due to more active reporting rather than a deterioration in behaviour.

The FCA is keen to understand how firms are dealing with non-financial misconduct; tolerating any form of misconduct is not indicative of a healthy culture and if this gives rise to failures or harm, the FCA is likely going to take an interest, especially where senior management is involved. Senior management positions within the financial services sector are positions of trust and the FCA expects holders of these positions to act appropriately both in and outside the workplace.

Examples of Good and Poor practices found by the FCA during Supervisory visits

In line with the FCA's 2017 5 Conduct Questions Programme and 2018 5 Conduct Questions Programme annual reports, the FCA's third annual report provides examples of good and poor practices within Wholesale firms, identified by the FCA during its Supervision activity. While these were identified within the Wholesale sector, the examples do apply to all firms in the financial services sector.

1. What proactive steps do you take as a firm to identify the conduct risks inherent within your business?

Examples of Good Practice

  • Defining conduct risk as a separate category that sits sensibly alongside other major risk types such as Credit, Counterparty, Market and Operational risks;
  • widening the working scope of conduct risk, as framing it more narrowly potentially limits both the design of efforts to identify it and the outcomes;
  • raising the profile of, and actively promoting, competition concerns as a business as usual consideration where firms have a large market share;
  • taking action to reduce the conduct risk challenges from staff using smartphones and social media by creating short breaks and safe locations to step out and log on or connect;
  • assessing the impact and harm of potential events from the customer's point of view;
  • formalising a bottom-up approach as a monthly exercise for each key business unit;
  • introducing approaches that immediately feed newly identified risks or crystallised risk into the delivery of targeted training; and / or
  • clearly interweaving conduct topics with business discussions, rather than relegate them to more narrowly focused discussions in, for example, Operational Risk Committees.

Examples of Poor Practice

  • Firms showing little impetus to identify new risks through forward-looking proactive efforts;
  • reliance on a largely top-down approach where key risks are not comprehensively apparent or captured;
  • investing a lot of effort into identification exercises but then underinvesting in the steps to take action on the risks identified;
  • difficulties differentiating conduct risk from operational risk, with the result that business line ownership of conduct risk is weak;
  • support services and second line of defence units not conferring with each other; and / or
  • firms approaching conduct risk in a diffused way instead of defining it as a category.

2. How do you encourage the individuals who work in front, middle, back office, control and support functions to feel and be responsible for managing the conduct of their business?

Examples of Good Practice

  • Holding CEO-led town hall sessions on conduct;
  • holding smaller town hall events hosted by desk or area heads, reflecting the fact that staff listen carefully to their more immediate line managers who are also able to actually observe their day-to-day behaviour;
  • carefully planning town hall sessions to ensure more junior staff and their management do not attend together in an effort to encourage discussion; and / or
  • openly communicating with staff the mistakes made by the firm in the past year, and inviting the staff to a session to discuss how those mistakes had happened and make sure they couldn't happen again.

Examples of Poor Practice

  • Senior executives promoting the general importance of the firm's conduct messages without explaining what any of those messages were;
  • issues being escalated too rapidly, which risked bypassing key individuals who may be more directly accountable for managing and resolving the problem; and / or
  • undermining programme objectives by not ensuring that Desk Heads and other more senior managers attend open session Conduct Risk Forum meetings.

3. What support (broadly defined) does the firm put in place to enable those who work for it to improve the conduct of their business or function?

Examples of Good Practice

  • Framing risk appetite statements as a series of expectations of staff and developing metrics around those desired outcomes;
  • positive framing of key initiatives by strongly emphasising openness, transparency, accessibility and safety;
  • reframing initiatives to focus more on rewarding efforts such as identifying and resolving policy deficiencies, rather than solely punishing breaches as they happen;
  • repositioning 'zero tolerance for conduct risk' culture (which can make staff fearful and reluctant to disclose problems) as 'zero tolerance for unmanaged conduct risk' where staff are encouraged to be alert and respond to conduct risks;
  • participating in industry-led initiatives to address conduct issues;
  • looking beyond firms' own boundaries to assess conduct standards and risks from clients, counterparties, outsourced service providers and others;
  • not looking the other way if a client mistreats a member of the firm's staff;
  • introducing a reverse mentoring programme where staff significantly more junior than an executive meet regularly to share feedback;
  • introducing a one-off, tailored internal survey to assess conduct and culture and prevailing views among staff rather than use a more wide-ranging annual staff survey;
  • introducing a specific communication programme around disciplinary outcomes to provide transparency on how the firm decided and applied them;
  • specifically analysing the potential conduct risk in examining, preparing and implementing changes from EU withdrawal;
  • shifting beyond gender-based diversity by raising the importance of other aspects, such as race, educational background, economic background and other skills or experience; and / or
  • going beyond simply encouraging people to speak up by providing them with specific tools and training on how to raise a challenge with more senior staff. Correspondingly, providing related training for senior staff on how to receive and deal with a challenge.


  • Building a library of 'grey issue' scenarios for use across a wide range of businesses;
  • using notes from 'grey area' discussions to tailor additional targeted training and consider where revised policy and procedures may be helpful;
  • employing professional actors to role-play risk scenarios; and / or
  • extension of training to include the recruitment process to ensure that training includes conduct and behaviour assessments so that they are carried out consistently across all businesses.

Examples of Poor Practice

  • Weighty, complex, centrally-led committees and programme management infrastructure - sometimes leading to fractured accountability in the firm, noticeably slower or stifled progress and less ability to summarise its position and progress.

4. How does the Board and ExCo (or appropriate senior management) gain oversight of the conduct of business within their organisation and, equally importantly, how does the Board or Exco consider the conduct implications of the strategic decisions that they make?

Examples of Good Practice

  • Greater investment in data design, creation, aggregation and trend analysis leading to the creation of dashboards and MI that Managers and Boards can use to steer more effectively;
  • MI growing in depth and scope;
  • key risk indicators enabling firms to strengthen and reinforce more positive conduct and behaviours;
  • development of more focused and streamlined processes to collate and aggregate perceived risks, which are useful for management oversight;
  • introduction of a semi-formal 'Shadow Executive Committee' comprised of staff several levels below the actual Exco;
  • providing clear evidence that conduct risk is a key component of the review of strategic business initiatives, including business expansion (e.g. through committee papers and minutes);
  • evidence of challenge of new product approvals; and / or
  • better use of customer feedback which, while not a complaint, can alert firms to potential problems.

Examples of Poor Practice

  • Key risk indicators being inwardly focused on misbehaviour, rule breaches or policy compliance.

5. Has the firm assessed whether there are any other activities that it undertakes that could undermine strategies put in place to improve conduct?

Examples of Good Practice

  • Horizon-scanning being formally included within strategic business planning, there being formal tipping point analysis for risks that appear to be growing;
  • new working groups being established to specifically address Question 5 and the conduct issues from new or evolving products or other business initiatives such as an acquisition; and / or
  • senior and middle-level executives actively participating in industry-wide initiatives. Engagement with industry peers acts as both a source and a delivery channel of progressive views.

Examples of Poor Practice

  • No periodic horizon-scanning for the firm as a whole involving business representatives; and / or
  • insufficient thought being given by firms to Question 5 as a whole.

Next Steps

If you are creating or reviewing the conduct risk framework within your firm, and would like a review or assistance, please contact us to discuss whether and to what extent you are capturing the key conduct risks relevant to your business.
