Skip to content

How To Create A Conduct Risk Policy + Examples

Post Picture

Creating a conduct risk policy is essential for avoiding financial misconduct within your organisation and remaining compliant with legislation. It should apply to the conduct of the organisation as a whole and of individual employees. This article will share some conduct risk policy examples to help you avoid the negative outcomes that such wrongdoing within businesses can precede.

From misusing inside information to manipulating markets to mis-selling products to customers, conduct risk is a wide-ranging area that requires special attention. 

1. What is a conduct risk policy?

A conduct risk policy is a document that identifies the key drivers of misconduct within the organisation. It sets out the responsibilities of the business, its senior management and employees with regard to mitigating those risks. 

It will usually lay out how the organisation monitors risk, envelops new risks into its policy and how conduct risk relates to strategic decisions that the board makes. 

The conduct risk policy should also set out procedures for encouraging a culture of compliance within the business. 


2. Why do you need a conduct risk policy?

Your conduct risk policy helps your organisation create a culture that dissuades stakeholders from misconduct. The price of allowing misconduct to flourish within a business is potentially huge, both financially and reputationally.

In 2021, the European Commission fined five major banks over the role some of their employees played in a foreign exchange trading cartel. The staff members shared sensitive information and trading plans in a WhatsApp group. 

Issuing sanctions worth €344 million to Credit Suisse, UBS, RBS, HSBC and Barclays, the Commission said that the group had allowed the traders to “make informed market decisions on whether and when to sell or buy the currencies they had in their portfolios, as opposed to a situation where traders are acting independently from each other take an inherent risk in taking these decisions.” 

Not only did the banks involved have to pay the fine, but they suffered reputational damage that could lead to potential clients being reluctant to work with them in the future. 

A robust conduct risk policy should dissuade employees from acting in a manner such as that which caused the five major banks to be fined. This is why it is important to get it right.

2.1 What should you conduct risk policy contain?

Element Explanation
Conduct objectives You need to start your conduct risk policy with a summary of what you want the policy to achieve. This will relate to the main risk drivers for your particular organisation.It might be as simple as stating that the organisation and its people
commit to conducting themselves ethically in their work, in line with the best practices of the sector in which they work. The objectives could also include a commitment to stakeholders, both internal and external, that the company will work in line with their best interests at all times.
Company culture The conduct risk policy should outline your
desired company culture and reinforce your
commitment to acting in an ethical manner being central to your work environment.This section is also the place to state that, as part of your
compliance culture, you will strive to keep ahead of the changing regulatory landscape. You can also show here that you encourage the reporting of wrongdoing and that the company will not
retaliate against whistleblowers.
Roles and responsibilities Detail the roles and responsibilities relating to conduct risk within the organisation. For
example, how does the board of directors
consider conduct risk factors within the strategic plan of the business? How do you divide up
actions relating to conduct between senior
managers?You can also outline how you
communicate employees’ responsibilities in
relation to conduct risk. This might include
reviewing and updating job descriptions,
undertaking regular training sessions or any other measure that helps stakeholders
understand how they can contribute to the
culture of the company.
Policies and procedures You do not need to list the full range of policies and procedures relating to conduct risk, but it is the place to signpost these documents and
remind stakeholders that they exist and that they should consult them.Some companies add a clause requesting that employees report any gaps or inconsistencies in the policy to help maintain the most robust stance against potential misconduct.
Breach reporting and investigation With a conduct risk policy that sets out the
importance of compliance and working within the company’s expectations, you need a route through which stakeholders can report and
escalate wrongdoing
 that they witness in the course of their duties.Detail your commitment to encouraging and investigating whistleblowing reports, as well as to preventing retaliation against reporting persons. Set out the method by which you investigate whistleblowing reports and follow up with the people who make those reports.

3. Tips for creating a robust conduct risk policy

3.1 Consider short-term and long-term goals

Short-term conduct risk goals are a necessity because there are many regulatory challenges to navigate. However, solely focusing on not breaching laws and regulations over the next couple of years gives a restrictive feel to conduct risk that can lead to it being seen as something to fear and be concerned about.

Adding in long-term conduct goals allows you to frame compliance as an integral part of a positive corporate culture. It is something to strive towards rather than something to avoid at all costs. Instilling a positive attitude towards avoiding conduct risks helps to make the idea more palatable for employees. 

3.2 Have regular board-level reviews to challenge the programme

As conduct risk and company strategy go hand-in-hand, it is important that your directors support your conduct risk policy and challenge it on a regular basis. They look towards long-term goals in all aspects of the company’s work, and that should include directing a conduct risk policy, too.

Given the future compliance landscape, is your programme fit for purpose? Is there a better way to engage employees and reach your conduct risk objectives? The board should continually ask questions relating to the policy. 

3.3 Identify the key areas that require immediate development

You should assess your current conduct risk efforts and be honest about which areas still pose a significant risk of non-compliance. It is essential that you focus on these elements to shore up your programme. 

This could mean improving the way that employees report wrongdoing by installing an online whistleblowing system, shoring up your pre-clearance regime for employee personal trades or any other aspect of conduct risk management.

3.4 Make sure your policy covers governance, culture and behaviour

Conduct risk encompasses governance, culture and behaviour. So, your framework or policy must reflect this multi-faceted approach. 

Without good governance, you cannot discover, address and mitigate conduct risk factors effectively. There should be a clear line of command for conduct risk matters with someone, potentially a specific committee, taking charge of anticipating and planning for conduct risks. 

But a large part of the way companies manage conduct risk is through developing a culture that values compliance and puts it at the forefront of all it does. This, in turn, feeds into the behaviour of employees. Some behaviour is influenced by the culture, but you can also steer behaviour with disciplinary measures, for example. 

3.5 Create workflows that mitigate risk

The best way to prevent employees from committing misconduct in their work is to develop workflows that enable them to complete their day-to-day tasks in a compliant manner.

This could, for example, include using an automated platform to create compliant insider lists for each piece of inside information so that you meet the requirements of the Market Abuse Regulation. Rather than attempting to handle the process with spreadsheets, you can use InsiderLog to create an audit trail of all your changes to the list in case there is an investigation. 

 Conduct risk policy examples

  • Travel firm Holiday Extras’ conduct risk policy is clear and concise, signposting the most important information relating to the way the company seeks to mitigate risks stemming from misconduct.
  • Marketing company ODM has a more detailed conduct risk policy, showing the processes behind the company’s aims and goals.
  • Insurance marketplace Lloyds sets out its commitments very clearly in its policy. It is a detailed document that explores multiple elements of the company’s compliance policies for further information.

4. FAQs

4.1 Why does conduct risk occur?

Conduct risk occurs when individuals or organisations intentionally or unintentionally behave in a way that falls below acceptable standards relating to the markets or customers. It can happen due to greed, potential conflicts of interest, cutting corners or any other reason for behaving in an unethical manner. 

4.2 What is a conduct risk strategy?

Your conduct risk strategy informs how you implement the conduct risk policy to ensure the organisation works towards developing a compliance culture in the future. It sets out how your business activities help you maintain market integrity and meet your ethical goals. 

4.3 How do you identify the key conduct risks associated with your business?

The key conduct risks associated with your organisation relate to the manner in which you carry out your work, your industry and the structure of the business. Taking into account the regulatory landscape, you should identify areas in which there are opportunities for non-compliant behaviour and plan to mitigate those risks.

5. Conclusion

These conduct risk policy examples show that there is no single way to create a policy, but the key aim is the same. Such a document should take proactive steps to remind all stakeholders of their responsibilities regarding their conduct at work. It is important to understand that the policy should seek to create the conditions in which conduct risk factors are less likely to occur, and that requires a company to grow its compliance culture. 

One step you can take to instil a stronger culture is to enable employees to report wrongdoing. IntegrityLog can help you do that by providing an online whistleblowing channel that meets the requirements of the EU Whistleblowing Directive and GDPR. IntegrityLog keeps you on track with deadlines so that you remain compliant with the deadlines for feedback and investigation. Request a free demo of IntegrityLog today.

6. References and Further Reading


Share this post

Article Summary

Subscribe to our newsletter

Stay up to date with the latest news and products


Sign up for our newsletter

Stay up to date with the latest news and products

You have successfully subscribed!

This is your official confirmation. Thank you for joining ComplyLog Newsletter. While you wait for the next issue of ComplyLog, check out the latest articles and references.

Related articles

Post Picture

Measure Conduct Risk: 7 Key Risk Indicators To Track

Conduct risk is a relatively recent arrival on the risk landscape. Of course, people have always broken rules, especially those whereby they can...
Read More
Post Picture

How To Prepare A Conduct Risk Appetite Statement: Complete Guide

Failure to mitigate conduct risk can prove costly for organisations. In 2021, the European Union fined credit rating firm Moody’s €3,700,000 after it...
Read More
Post Picture

Why And How To Develop A Compliance Risk Management Framework

Compliance risk is a shifting landscape that businesses must navigate in order to avoid financial penalties and reputational damage. As regulators...
Read More
Post Picture

How To Create A Compliance Risk Assessment Questionnaire

In 2021, the national competent authorities (NCAs) in the European Union issued 366 administrative and 29 criminal measures and sanctions for...
Read More
All articles