U.K. firms must prepare to map the relationship between operational and conduct risk.
It won’t be long before a new regulatory supervisor, the Financial Conduct Authority (FCA), one of the successors to the U.K.’s Financial Services Authority, comes knocking on the door. For U.K. financial firms, now is the time to map the relationship between operational risk and conduct risk.
Over the past three years a majority of operational losses occurred in the “clients, products and business practices” event category. Mis-selling, billing errors, failure to pay client claims … the list is ever growing and represents huge operational losses. Hence the U.K.’s new twin-peaks model, which has a particular focus on conduct-of-business, or conduct, risk.
Consumers today understand the definition of conduct risk through their own experiences — either their medical insurance has failed to provide necessary coverage, their investments are now worthless, or their pension claims are just claims. Recognizing the consumer demand for fair and suitable products, financial institutions face an enormous challenge in designing their product offerings and trade strategies to not only ensure future growth and profitability, but also to win shareholder confidence.
In this article we will analyze the relationship between conduct risk and operational risk, while charting the opportunities and benefits of collective risk and compliance management under the organization-wide operational risk management framework.
Mis-selling of interest-only mortgages, a conduct risk event, may result from incorrect advice on the mortgage product or inadequate checks on the borrower’s in-place capital repayment vehicle. “Wrong advice” qualifies under the “product flaws” and/or “product suitability and disclosure” operational risk event categories, and “inadequate checks” qualify under the “improper business or market practices” category. Controls devised to monitor and mitigate such events, though ineffective, may exist in the risk and control assessment document, which is a key component of the operational risk management framework.
Financial institutions must recognize these relationships before endeavoring to add measures to monitor compliance with conduct-of-business rules. It is highly likely that supervisory reviews, rising product claims and compliance issues will drive management’s focus toward a specific event or a product class, like mortgages. Nevertheless, for effective conduct-of-business compliance, organizations must act to enhance their operational risk management capabilities.
Essential enablers and components of an effective operational risk management framework are illustrated in Figure 1.
Figure 1 – An Effective Operational Risk Management Framework
Operational risk management techniques have evolved over the past few years, yet financial institutions have not made much progress on the effective implementation of these standards. Traditional techniques with a heavy focus on risk and controls, inconsistent risk management standards, and inconsistent interpretation and application of policies and procedures have resulted in teething problems, including:
When planning to enhance their operational risk management framework, financial institutions must assess the relationship with conduct risk before embarking on a journey to manage compliance requests from the regulators. Below is a viewpoint on – or an approach to – the crucial next steps.
1. Understand the definition and significance of conduct risk
Where should you find conduct risk definitions? A good starting point is the FCA’s Risk Outlook, which sets out the most significant retail conduct risks. For example, changes in product design pose a strategic risk, but the complexity of design or lack of marketing disclosures pose operational risks with a potential for reputational damage. Mis-selling is a “business practice” operational risk event and also falls under the definition of conduct risk. Articulating the relationship between operational risk and conduct risk is a fundamental step for effective monitoring and management of these risks.
2. Map conduct risk relationships in the operational risk taxonomy
An accurate operational risk taxonomy, which is a key enabler, forms the foundation of a robust operational risk management framework. Identify and map conduct risk relationships, based on the nature of business and product offerings, to the operational risk taxonomy. Remember the boundary definitions when categorizing operational risk events as conduct risk. This step also offers an opportunity to find gaps in accuracy and completeness in the existing operational risk taxonomy.
Operational risk technology infrastructure will play a significant role in the effective management and reporting of conduct risk. Ease of use, data customization and the ability to expand the data dictionary will help in implementing unified operational risk management standards with an explicit focus on conduct risk.
3. Enhance policies and procedures
Past supervisory reviews have reflected weaknesses in management’s policy framework — jurisdictional vs. global, and divisional vs. group standards, for example. Review the existing policy statements and procedures for inconsistent definitions and the potential for misinterpretation. Enhance and develop unified standards for effective measurement, monitoring and management of operational risk and conduct risk.
4. Create awareness
Common understanding and consistent use of the operational risk taxonomy, including conduct risk relationships, will be essential for driving enhancements to the operational risk management framework. Create awareness of conduct risk relationships and an enhanced operational risk taxonomy by hosting workshops, to develop skills and train “risk champions” or people responsible for managing operational risk in the organization.
Clear and well communicated risk management strategies and appetite definitions help embed risk culture in the organization. Involve people responsible for implementation of operational risk management frameworks when developing standards and policy statements. Results will be visible in the quality of risk management information, risk mitigation responses, and escalation of threats and concerns.
5. Assess and align the operational risk framework
Review the key components of the operational risk management framework — risk and control assessment, control assurance, loss and risk event analysis, and key indicator analysis — for conduct risk coverage. One key aspect of such an assessment should be the ownership of risks and controls. Most organizations still struggle to assign responsibility for risk and to make the business accountable for managing these risks.
Another key aspect is the use of “risk indicators”. With conduct risk in question, organizations will have to re-align key risk indicators for effective analysis and compliance. For example, monitor and measure product design change vs. product mis-selling, cost reduction initiatives vs. quality of customer service, use of advanced payment platforms vs. potential for fraud, and others.
While the Financial Conduct Authority will question compliance with conduct-of-business rules, the Prudential Regulation Authority will question compliance with regulatory capital standards. Many financial institutions suffer from deficiencies in their historical loss event database, which is needed to perform scenario analysis and stress testing. Establish robust standards for loss and risk event capture. Validate and capture loss and risk events, when possible, keeping in mind the boundary definition and relationship between operational risk and conduct risk. For instance, while performing a root-cause analysis for reasons of product mis-selling, map and capture resulting claims (losses) to the correct operational risk event categories — “product flaws” or “product suitability and disclosure” or “improper business or market practices.” A comprehensive account of internal losses will help in conducting empirical study for capital management and to establish an adequate risk appetite definition.
Resources are scarce, so be wary of the end-to-end impact of regulatory change on your operational risk management framework. Aligning a compliance program to respond to regulators’ requests is essential for compliance monitoring and reporting. However, for effective regulatory compliance, such initiatives must be aligned under an umbrella program with the overarching objective of enhancing the operational risk management capabilities. Otherwise, budgets wasted on “monitoring and reporting” will have to be considered operational losses under the “execution, delivery and process management” operational loss event category.
Profisor Services Private Limited