As we all know, ill-advised risk taking in the financial sector led the industry to the brink of collapse in recent years. Not only that, but sales schemes driven by inappropriate incentive plans and outlandish short-term objectives caused many consumers to suffer severe financial consequences and lose trust in the entire financial marketplace. It seemed as though the customers, whether individual borrowers or institutional investors, became mere pawns in a chess game played by bankers willing to sacrifice them for a big win. Something was desperately wrong with conduct in the banks, and it needed to change.
Such was the genesis of the U.K.’s new Financial Conduct Authority (FCA) which was formed to address the protection of both customers and the financial markets as a whole. In a recent speech to the Association of Professional Compliance Consultants, Clive Adamson, FCA director of supervision addressed the need for change to address conduct risk in this way:
Achieving an effective conduct-or customer-focused culture is challenging for firms, particularly for those whose focus has been primarily on profitability and shareholder returns. ... From what we see, there are key drivers that set and re-enforce this conduct-focused culture, with the most important being clear and ongoing leadership from the top of the organization, constant re-enforcement, hiring practices, incentive structures, effective performance management, and penalties for not doing the right thing, all of which should set the tone for a framework for decision making on a day-by-day basis.
Throughout his speech and other materials published by the FCA, there is a theme that returns over and over again to integrity, leadership, culture, the concept of controls over conduct, and strong risk management—all tied to an outcome of business success. What is this? It is a vision of principled performance—a point of view and approach to business that enables organizations to reliably achieve objectives while addressing uncertainty and acting with integrity. And it is refreshing to see leaders (and in some cases past wrongdoers) in the financial sector rising to the occasion and establishing a principled performance approach to conduct risk, even though they may not yet call it that.
In 2012, Barclay’s started down this path by including a statement in its Annual Report noting that it was actively assessing how best to feed conduct risk appetite into strategic decision making, develop management information to support decision-making, and facilitate the monitoring of the conduct risk profile against appetite. Since then, it has taken steps to establish a strong internal team to address these needs. In 2013, JP Morgan formed a new conduct risk and strategy team within its regulatory policy and strategy group, with the objective of providing advice and support across lines of business to identify, manage and mitigate conduct risks.
Another investment bank has recently advertised an opening for a new role of operations & technology conduct risk manager, with tasks that mirror a principled performance approach:
Strategy and Management Information—Assess how to feed conduct risk appetite into strategic decision making and develop information to support management decisions.
Frameworks Design and Rollout— Design and embed a new conduct risk definition and approach across the business in accordance with the group principal risks policy.
Conduct Risk Assessment—Assessthe current state of controls and assess strategic risk within each Centre of Excellence to capture what is done well and identify where risk really lies.
Communications and Training—Coordinate and drive communications and training throughout the company, and report to the Enterprise-wide risk management committee.
These are but a few examples of the many pronouncements and job posting that can be seen about the latest buzzword —conduct risk. Expect to see many more in the coming months as the FCA expands its oversight and similar authorities in other regions of the world take action.
Chess remains an apt metaphor for a strategic approach to conduct risk, except that customers must be viewed as more than mere pawns to be sacrificed on the road to profit. To the contrary, protection of customer interest is essential for predictability of the market confidence and financial stability necessary for attainment of strategic objectives.
In a 2005 interview in the Harvard Business Review, the world chess champion Gary Kasparov was quoted as saying:
Think about it: After just three opening moves by a chess player, more than 9 million positions are possible. And that’s when only two players are involved in the game. Now imagine all the possibilities faced by companies with a whole host of corporations responding to their new strategies, pricing, and products. The unpredictability is almost unimaginable.
This couldn’t be truer than when facing the myriad challenges presented under the umbrella concern of conduct risk. Masterful strategic planning and execution is essential to stay in the game and win.
Considering Conduct Risk: An OCEG Roundtable
Switzer: The term “conduct risk” has been driven into the lexicon of the financial services sector recently, particularly through its use by the new U.K. Financial Conduct Authority, which indicates that it is focused on risks to the delivery of fair customer outcomes. Is this just a new term for operational and compliance risk?
Harper: Conduct risk embodies elements of the risks that we have been discussing over the past few years, including not only operational and compliance risk, but also reputational risk and tone-at-the-top. The idea that organizations need to ‘do the right thing’ and balance the immediate pressure of short-term growth and revenue along with meeting the aspirations of equity holders and managers is not new. In the past, conduct risk was primarily mitigated by the long-term focus on the goals of the organization of the board and management.
Miles: The idea of benchmarking “conduct” as a basis for business, or life in general, is actually of course a very old one. Constraints on behavior are exactly the right direction to go in, though it’s not yet clear how these will be framed, let alone policed. Now with the FCA’s new Risk Outlook 2014, there’s a big step forward. They have a deep commitment to sharing understanding about how various elements of behavior feed through into good and bad product design, into selling or mis-selling. The old formulations of operational risk and compliance didn’t really catch the spirit of that, even if they did address some of the same concerns.
Switzer: What sort of activities have financial institutions engaged in that negatively affected both individual or classes of consumers and the financial sector?
Brown: Unfortunately, there is no shortage of risk-related failures to illustrate the complexity and difficulty in managing conduct risk. In December 2013 the FCA issued a massive fine to Lloyds TSB, Bank of Scotland, and Halifax (all part of the Lloyds Banking Group), for serious failings in systems and controls governing financial incentives to sales staff. In March 2013 the Hong Kong Securities and Futures Commission fined Manulife Asset Management for inadequate internal controls in relation to distribution of Manulife Global Fund from 2007 to 2012. And of course there is the $13B settlement with JP Morgan to resolve the packaging, marketing, sale, and issuance of residential mortgage-backed securities. All of these in one way or another harmed individuals by selling inappropriate investment products, creating many underwater homeowners and resulting in a global financial meltdown. These are some big ones. There are legions of smaller ones.
Miles: Of course the interventions that have grabbed the headlines are those big fines for ‘consumer detriment.’ But to me what’s more interesting is not so much those fines for over-selling— that’s a classic non-compliant behavior. What grabbed my attention were the fines for some newly defined types of bad behavior. Things like poor handling of complaints, lack of effort with new AML controls, not being transparent with the regulator ... And how about the firm that was fined for being ‘insufficiently customer-friendly’ for the way they asked to recover their fees, even though they’d just accidentally undercharged everyone?
Harper: Conduct risk is not isolated to the financial sector, nor to consumer businesses. One could argue that some of the recently reported issues in the automotive industry relate directly to conduct risk. Nevertheless, the financial services industry seems to be the area of most focus; perhaps because of the immediacy of the rewards of ‘poor’ conduct, or the lag in identifying the consequences of such poor conduct, as well as the wide-ranging impact of some recent events. Anecdotally, leading up to the mortgage crisis, there were a number of organizations that raised concerns about the appropriateness of what was occurring in the industry and were reluctant to enter the market but ultimately the peer pressure was simply too great and they felt forced into the market. While much has been written about the mis-selling of mortgages, it is now clear that the largest banks and aggregators had knowledge that the mortgages that were being purchased and re-sold were not as warranted; however, they were earning significant income from these deals and thought that most if not all of the imperfect loans would be refinanced before they defaulted. In a similar way, as the derivatives market started to expand, banks and securities houses started marketing these instruments to a broader and more naive customer segment. It may be fair to say that senior management at the banks did not understand the products themselves, but they did understand the revenue stream that was being created. This imbalance of immediate earnings on long-term products sold to naive customers by opportunistic bankers supervised by ill-informed senior managers led to the toxic conduct risk problems that are epitomized by Orange County derivative losses.
Switzer: So, what are the areas of concern that have to be better managed to control conduct risk? Are there particular aspects of business strategic planning and operation that now require change?
OCEG ROUNDTABLE PANELISTS
Carole Switzer,Moderator
President,
OCEG
John Brown,
Managing Principal,
Risk Segment,
Thomson Reuters
Tom Harper,
EVP, General Auditor,
Federal Home Loan Bank
of Chicago
Dr. Roger Miles,
Behavioral Risk Lead,
Thomson Reuters
Source: OCEG.
Brown: Behavioral drivers will vary around the world based on societal culture. I’ll focus on what might be appropriate for U.S.-based organizations. Most people operate to maximize their personal return, so compensation structures are an obvious avenue to modify conduct. If my bonus or equity compensation is based on specific targets, such as new accounts, loans written, or customer satisfaction index, I will try to maximize those targets. Depending on my personal ethics, actions I take to maximize my reward may not be in the best interest of the organization or of customers.
Harper: There seems to be two main factors in common here where conduct risk becomes a more prominent component. First, we have the new products or new markets where there is an imbalance of knowledge between sellers and buyers and managers and other supervisors. In the derivatives example, senior managers on both the sell and the buy side had a poor understanding of the risks they were undertaking but had a clear understanding (so they thought) of how it would benefit them and their business. Similarly, knowledge of how the mortgage market was working on the margins was not well understood by either the original home owners or the investors who purchased mortgage- backed bonds. The second main factor is compensation, whereby immediate rewards accrue (especially large ones) and the risks of the activity are largely delayed (often by years). There is a gap in the natural tension that tends to invite conduct risk problems. In both the mortgage and derivatives examples, there were many fees, bonuses, and sales incentives that were accrued up front to parties in the transactions, whereas the contract was for multiple years.
Switzer: Why has conduct and culture proven so difficult for firms to manage the risks around in the past? And why has it been so difficult for regulators to effectively supervise?
Miles: Basically because “bad behavior” doesn’t show up in any of the old econometric indicators that people were using. We needed to learn to look in different ways and different places to understand what was going wrong. Just one of the challenges of grasping behavior-based risk controls is that what we define as ‘acceptable behavior’ is hugely dynamic. Just think of how people’s attitudes toward smoking, and particularly passive smoking, have changed completely in less than 20 years. So I’d want to see—though I don’t expect—a new type of qualitative risk control that looks outside the organization; that teaches companies to see themselves more clearly as they appear to others. Good behavior sounds easy but it’s a slippery object to model, needing a new approach: scalar frames rather than binary; qualitative rather than quantitative; complex multi-variates. I’m fairly comfortable that our prototype now captures all this, though I’ve seen some badly misdirected attempts at this in other parts of the market. You really do need to be able to understand, and model, human factors—this is not a field for amateurs.
Brown: Volumes have been written about corporate cultures, and very smart people have tried to describe organization culture in simple and definitive terms. It is an elusive subject, because there are many inter-related factors at play. I don’t believe it is possible to say Company A has Culture X and Company B has Culture Z, and then define a set of policies or regulations that govern the organizations and their employees’ behavior. The situation is much more complex. It is typical for multiple cultures to exist within a single organization. To further complicate matters, each individual views risk uniquely based on a complex set of heuristics and biases. Managing risks due to behaviors and cultures requires a deep understanding of psychological drivers and then developing programs to modify behavior based on those drivers. This is difficult enough within an organization, and much more so when viewed from a regulator’s perspective.
Harper: I’m not sure it has proven so difficult for the majority of firms; it’s more that when there is a failure it makes the front page of the newspapers. Arguably in the recent mortgage crisis, the vast majority of community banks in the United States managed to avoid many of the spectacular errors of a few of their peers. Part of the challenge, as with other areas, is that while there are metrics and artifacts that can be measured or observed, a significant part of the risk mitigation is down to the management culture throughout the organization—this is especially important in very large organizations, such as global banks where the behavior and strategy of one small unit can be critical to the much larger organization. The other significant challenge that is inherent in any capitalistic enterprise is that there has to be a balance between the risk-taking entrepreneurship culture and the risk-adverse and regulatory culture. It is probably inevitable that from time to time there will be products and marketing efforts that, with hindsight, were ill-conceived or poorly executed. Part of the nature of the capitalistic business model is to exploit inefficiencies in the market to your advantage. What conduct risk efforts focus on is making sure that this is balanced so that investors, consumers, and counterparties are not excessively exploited.
No comments yet