By: ComplyLog | October 25, 2022 | Risk
Failure to mitigate conduct risk can prove costly for organisations. In 2021, the European Union fined credit rating firm Moody’s €3,700,000 after it breached rules that included failing to disclose conflicts of interest. In large companies, there can be inconsistencies in how internal stakeholders deploy the conduct risk strategy, which is why a conduct risk appetite statement is essential.
The EU has stringent legislation to deal with many areas of conduct risk. These include:
With the increasing compliance burden landing on companies, it is essential that all stakeholders understand and abide by the agreed risk strategy.
The conduct risk appetite statement is a formal articulation of how much risk the company is willing to take in order to achieve its aims. When formulating the statement, you must consider the legislative environment in which you work, the corporate culture and the kinds of risks the organisation is exposed to on a regular basis.
The risk appetite statement will guide both your internal compliance processes and strategic decision-making. It informs all relevant parties of your expectations with regard to how they approach risk on a daily basis and how they fulfil your conduct risk strategy.
Having an official statement from which to work means that there is a consistent approach to mitigating risk across the organisation, and those who fall short of expectations cannot claim to have misinterpreted the policy.
Your statement should also detail both quantitative and qualitative approaches to monitoring the progress and success of your conduct risk strategy.
Here are some areas of potential conduct risk that organisations must monitor and address:
| Risk area | Description |
|---|---|
| Customer onboarding | Without a stringent know your customer (KYC) screening process, bad actors could use your institution for the purposes of money laundering or funding terrorism. |
| Market abuse | Insider dealing and the unlawful disclosure of inside information can lead to significant sanctions against individuals and the company. In addition, employees front-running their clients is another example of market abuse risk. |
| Tax avoidance | Many companies seek legal routes to reduce the amount of tax that they pay. However, some of these schemes, billed as facilitating tax avoidance, can sometimes contravene the local law and expose the company to sanctions for tax evasion instead. |
| Lack of transparency | Sometimes institutions can fail in their duty to correctly communicate charges and fees to customers. This can lead to customers paying more than they expected for products and services. |
| Personal data | Companies must restrict access to the personal data they hold to only those who need it for legitimate professional reasons. Otherwise, this can cause a contravention of GDPR, for example. |
Your senior management and board are useful sources of information when it comes to developing a conduct risk appetite statement. As your company’s statement will be unique, you need to understand the individual blend of conduct risks that relate to your business and its unique goals.
The content of your statement will depend on your strategic goals, key business drivers, the expectations of shareholders, jurisdictions, rating agencies and other stakeholders, and any specific risks that are currently at play in your market.
Ask your leaders for their input on the risks you should include in the statement and the timeframes over which they are relevant to your business. You should also determine how you will monitor the progress of the conduct risk strategy.
You need to analyse the details of the conduct risks relevant to your organisation. This will depend on your unique situation, as discussed with the senior management and board.
Think about how these risks manifest themselves within your organisation and what you can do to mitigate them. It is important that there is a consistent approach to conduct risk across the business, and this is your opportunity to set that out in writing.
Depending on your business goals, you should set the level of risk exposure accordingly. You should also define the acceptable range of volatility around your conduct risks in order to settle on the company’s risk tolerances for individual risks.
This will help you prioritise the compliance efforts towards those risks to which you have the lowest tolerance and which would be most detrimental to your organisation. All organisations must take some risks to a degree, but this process will help you weigh up the most appropriate balance between meeting your strategic goals and maintaining compliance with the legislation relating to your business.
The conduct risk appetite statement does not exist in a vacuum. Although you can plan out your desired risk appetite and tolerances, that doesn’t mean external factors will simply allow you to remain within them. You have to reconcile your risk appetite and tolerances with your current risk exposure. There is a chance that they do not align, and, in this case, you must develop an action plan to bring them back in line.
In practice, the actions you decide to take will typically involve a wide range of risk controls. For example, this might mean improving your customer due diligence processes or implementing a pre-clearance system for employees’ personal trades so that you can monitor their deals and ensure they do not create a conflict of interest with a client.
Whatever the area in which your company is most exposed to risk, that is what you need to target first to bring your company back within balance.
Place all of the relevant details about the conduct risks and company procedures into a formal statement. It should also include the KPIs that will help you monitor the success and progress of your conduct risk efforts. You should consider both quantitative and qualitative metrics in order to understand whether your appetite statement is working effectively.
You should ensure all stakeholders receive this document and updates when they occur. This is key to ensuring that it is implemented in the correct manner and with consistency across the organisation.
It is especially important to communicate your conduct risk appetite statement to middle management, who are usually those tasked with aligning operational tactics and business objectives. When you ensure they understand all conduct risks presented in the statement, you enable them to put this in context when managing the day-to-day business.
Given the board’s role in overseeing both strategy and risk, it is for them to oversee the implementation of the conduct risk appetite statement. Compliance functions should also monitor the statement and its ongoing use.
TCF stands for treating customers fairly, and it is related in some ways to conduct risk, but there are differences. Both look to improve the customer experience and ensure customers are not affected detrimentally by the organisation. However, conduct risk also applies to other areas, such as market abuse.
Due to the nature of conduct risk and the range of activities that businesses are involved in, it would be very difficult to set the risk appetite to zero. Some government bodies, such as the Financial Conduct Authority, believe this is not realistic.
Your conduct risk appetite statement is an essential part of protecting your organisation from overstepping the mark and experiencing regulatory issues. As a document, it helps you clarify what the conduct risks are to your organisation, how much risk you are willing to take relating to these issues and how you will ensure the business remains within its acceptable risk exposure.
One way to reduce your risk exposure is to use automated compliance solutions. For example, InsiderLog helps you create and maintain insider lists in a manner that helps you and your employees adhere to the Market Abuse Regulation. You can request a free demo to find out how right now.