
How To Prepare A Conduct Risk Appetite Statement: Complete Guide

Conduct Risk Assessment Guide

Failure to mitigate conduct risk can prove costly for organisations. In 2021, the European Union fined credit rating firm Moody’s €3,700,000 after it breached rules that included failing to disclose conflicts of interest. In large companies, there can be inconsistencies over how internal stakeholders deploy the conduct risk strategy, and that is why a conduct risk appetite statement is essential. 

The EU has stringent legislation to deal with many areas of conduct risk. These include:

With the increasing compliance burden landing on companies, it is essential that all stakeholders understand and abide by the agreed risk strategy. 

1. What is a conduct risk appetite statement?

The conduct risk appetite statement is a formal articulation of how much risk the company is willing to take in order to achieve its aims. When formulating the statement, you must consider the legislative environment in which you work, the corporate culture and the kinds of risks the organisation is exposed to on a regular basis. 

The risk appetite statement will guide both your internal compliance processes and strategic decision-making. It informs all relevant parties of your expectations with regard to how they approach risk on a daily basis and how they fulfil your conduct risk strategy. 

Having an official statement from which to work means that there is a consistent approach to mitigating risk across the organisation, and those who fall short of expectations cannot claim to have misinterpreted the policy.

Your statement should also detail both quantitative and qualitative approaches to monitoring the progress and success of your conduct risk strategy. 


2. Areas of potential conduct risk

Here are some areas of potential conduct risk that organisations must monitor and address:

| Area | Description |
| --- | --- |
| Customer onboarding | Without a stringent know your customer (KYC) screening process, bad actors could use your institution for the purposes of money laundering or funding terrorism. |
| Market abuse | Insider dealing and the unlawful disclosure of inside information can lead to significant sanctions against individuals and the company. Employees front-running their clients is another example of market abuse risk. |
| Tax avoidance | Many companies seek legal routes to reduce the amount of tax that they pay. However, some of these schemes, billed as facilitating tax avoidance, can sometimes contravene the local law and expose the company to sanctions for tax evasion instead. |
| Lack of transparency | Sometimes institutions can fail in their duty to communicate charges and fees to customers. This can lead to customers paying more than they expected for products and services. |
| Personal data | Companies must restrict access to the personal data they hold to only those who need it for legitimate professional reasons. Otherwise, this can cause a contravention of GDPR, for example. |

3. How to create a risk appetite statement

3.1 Consult on your unique situation

Your senior management and board are useful sources of information when it comes to developing a conduct risk appetite statement. As your company’s statement will be unique, you need to understand the individual blend of conduct risks that relate to your business and its unique goals. 

The content of your statement will depend on your strategic goals, key business drivers, the expectations of shareholders, jurisdictions, rating agencies and other stakeholders, and any specific risks that are currently at play in your market. 

Ask your leaders for their input on the risks you should include in the statement and the timeframes over which they are relevant to your business. You should also determine how you will monitor the progress of the conduct risk strategy. 

3.2 Analyse the conduct risks

You need to analyse the details of the conduct risks relevant to your organisation. This will depend on your unique situation, as discussed with the senior management and board. 

Think about how these risks manifest themselves within your organisation and what you can do to mitigate them. It is important that there is a consistent approach to conduct risk across the business, and this is your opportunity to set that out in writing. 

3.3 Establish the desired level of risk exposure 

You should set the level of risk exposure according to your business goals. You should also define the acceptable range of volatility around your conduct risks in order to settle on the company’s risk tolerances for individual risks.

This will help you prioritise the compliance efforts towards those risks to which you have the lowest tolerance and which would be most detrimental to your organisation. All organisations must take some risks to a degree, but this process will help you weigh up the most appropriate balance between meeting your strategic goals and maintaining compliance with the legislation relating to your business. 

3.4 Develop an action plan

The conduct risk appetite statement does not exist in a vacuum. Although you can plan out your desired risk appetite and tolerances, that doesn’t mean external factors will simply allow you to remain within them. You have to reconcile your risk appetite and tolerances with your current risk exposure. There is a chance that they do not align, and, in this case, you must develop an action plan to bring them back in line.

In practice, the actions you decide to take will typically involve a wide range of risk controls. For example, this might mean improving your customer due diligence processes or implementing a pre-clearance system for employees’ personal trades so that you can monitor their deals and ensure they do not create a conflict of interest with a client. 

Whatever the area in which your company is most exposed to risk, that is what you need to target first to bring your company back within balance.

3.5 Prepare a formal document

Place all of the relevant details about the conduct risks and company procedures into a formal statement. It should also include the KPIs that will help you monitor the success and progress of your conduct risk efforts. You should consider both quantitative and qualitative metrics in order to understand whether your appetite statement is working effectively. 

3.6 Communicate your statement to all stakeholders

You should ensure all stakeholders receive this document and updates when they occur. This is key to ensuring that it is implemented in the correct manner and with consistency across the organisation. 

It is especially important to communicate your conduct risk appetite statement to middle management, who are usually those tasked with aligning operational tactics and business objectives. When you ensure they understand all conduct risks presented in the statement, you enable them to put this in context when managing the day-to-day business.

4. FAQs

4.1 Who should oversee the implementation of a conduct risk appetite statement?

Given the board’s role in overseeing both strategy and risk, it is for them to oversee the implementation of the conduct risk appetite statement. Compliance functions should also monitor the statement and its ongoing use. 

4.2 What is the difference between TCF and conduct risk?

TCF stands for treating customers fairly and is related in some ways to conduct risk, but there are differences. Both look to improve the customer experience and ensure customers are not affected detrimentally by the organisation. However, conduct risk also applies to other areas, such as market abuse.

4.3 If conduct risk appetite is set at zero, is this realistic?

Due to the nature of conduct risk and the range of activities that businesses are involved in, it would be very difficult to set the risk appetite to zero. Some government bodies, such as the Financial Conduct Authority, believe this is not realistic.


Your conduct risk appetite statement is an essential part of protecting your organisation from overstepping the mark and experiencing regulatory issues. As a document, it helps you clarify what the conduct risks are to your organisation, how much risk you are willing to take relating to these issues and how you will ensure the business remains within its acceptable risk exposure. 

One way to reduce your risk exposure is to use automated compliance solutions. For example, InsiderLog helps you create and maintain insider lists in a manner that helps you and your employees adhere to the Market Abuse Regulation. You can request a free demo to find out how right now.
