Part IX Legal and Conduct Risk Management, 31 Metrics in Conduct Risk and Reputation Management: Predictions and Perception
Roger McCormick, Chris Stears
- Banking — Financial stability
Predictions and Perception
Historically, FICC market participants appear not to have put sufficient weight on the importance of measuring and addressing issues of poor conduct. While considerable resources have been invested in managing various types of financial and operational risk, approaches to measuring and changing conduct and culture have been much less well developed. Recent misconduct has underscored the importance of having good management information in these areas as a complement to effective lines of defence, and as a means of monitoring change.1
31.01 Despite being over a decade on from ‘Lehman’ and the onset of the Crises, organizations are still battling to regain the trust that was lost; trust that now largely centres equally on the ethical compass of individuals as it does on the solvency of the organization.2
31.02 It is, of course, almost impossible to guarantee that people will behave in a certain way: an immutable consequence of free will. A bank cannot reduce to zero the risk of a trader going rogue. But it can create an environment in which, one might say, ‘conduct/people risk’ is identified, measured, and actioned in the interests of stakeholders, whether that be the organization’s clients, counterparties, and employees, or the public at large. The essential question, nevertheless, remains: how do stakeholders test these more nebulous risk concepts when the traditional metrics for financial appraisal only tell half the story? A bank whose business practices might be applauded on the basis of its financial performance in one year might be harbouring an unidentified/unmitigated level of conduct risk that, if known, would cause people to question the bank’s sustainability and trustworthiness. One has to look ‘behind the balance sheet’ at reliable metrics for evaluating (and predicting) an organization’s culture and conduct record. This, we might refer to as the use of metrics by a bank’s stakeholders as part of their assessment of the bank’s culture, conduct and, ultimately, its trustworthiness and ‘investment value’.
31.03 But metrics also play an important role with regard to a bank’s internal management of conduct risk: the setting of appropriate risk appetites; the measuring of potential impact; and the consequential assessment of conduct risk for the purposes of implementing ‘risk-based’ controls, monitoring programmes, and communication and consultancy channels to (re)appraise the ‘risk response’. As discussed in Chapter 29, the legal, regulatory and good practice expectations for risk management are clear; albeit qualified, as they must be, by the recognition that the appropriate risk response—across the broad range of risks, from credit and liquidity risk, to matters of conduct and culture—reflects the size, nature, and complexity of the ‘risk’ as it is defined and ‘captured’ for any given financial institution. The expectation, for example, that the bank’s board and senior management will regularly discuss and challenge the firm’s conduct record, culture, and the implementation of programmes designed to drive ‘defensible behaviour’,3 cannot be met without management information, based on reliable, relevant and, where possible, predictive metrics. Indeed, it is with respect to the ‘predictive’ ambitions of metrics that a firm’s approach to conduct risk and reputation management coalesce.
31.04 Extracting (or extrapolating) a predictive quality from conduct risk metrics (notwithstanding the potential for disciplines such as behavioural economics to add valuable context to the more binary or abstract key risk indicators4) is not so readily achieved in the context of conduct risk as is the case with other risks.5 In comparison to risks where historical data and predictive characteristics are more apparent and verifiable (even more so, where quantitative data is available), conduct risk (in some form) attaches to every activity of the firm; it can arise out of the most idiosyncratic of circumstances and be due to an unpredictable turn of events, or indeed, the actions of a rogue individual. As we discussed in Chapter 29, the design of an effective risk management response, much less the identification and leveraging of metrics to assist in this process, is a challenge. The limits of metrics for ‘good (or bad) conduct’ and ‘culture’ must be viewed with this in mind; and subjected to regular review and feedback from all those involved in the design, execution, and management of the firm’s products and services. The metrics will inevitably be driven by the firm’s specific risk profile, the data available to it, its governance arrangements and its approach to conduct risk management. However, an effective conduct risk management approach is not one that looks at the firm’s profile and experience in isolation. Market driven conduct risks and the experiences of other firms with comparable operations, products and, invariably, personnel, can be hugely instructive as regards the management of conduct risk (certainly with respect to the identification of proactive remedial measures) prior to the risk manifesting itself at the firm.
And it is with respect to the comparability of conduct performance (and associated metrics) and the value in cross-pollinating conduct-related experiences,6 enabling firms to derive insights into conduct risk and ‘get ahead’ of any reputational risk, that internal conduct risk management and external stakeholders interests are aligned.
31.05 This chapter explores the use of metrics for both conduct and reputational risk management. We focus specifically on the use of ‘conduct costs’ as a metric for internal risk management, as well as its potential—despite it being, on its face, a ‘negative indicator’ of [mis]conduct—to serve as a simple, yet defining metric for non-financial performance, firm culture and trust, from an external stakeholder assessment perspective.
31.06 In 2016, the FCA introduced Annual Conduct Meetings (ACM) for the largest firms with a view to understanding ‘how [those firms] have considered the ‘5 Conduct Questions’ and what measures they’re taking to improve conduct in their firms’. The 5 Conduct Questions are:
(4) How does the Board and ExCo (or appropriate senior management) gain oversight of the conduct of business within their organization and, equally importantly, how does the Board or ExCo consider the conduct implications of the strategic decisions that they make?
• significant progress has been made in identifying and managing conduct risk;
• firms believe that maintaining a reputation for the highest standards of conduct benefits their business;
• some initially UK-centric conduct and culture programmes are now being applied internationally;
• frontline business areas are taking greater ownership for conduct risk;
• firms should be aware that conduct risk may arise across the whole organization and not just in the frontline business areas.
31.08 It is clear from the FCA’s report on the first ACM that ‘ownership’ of conduct risk should not rest simply with the firm’s Chief Risk Officer, but should be embedded in the firm’s culture, products, processes and service, with the identification exercise (or at least, input into that exercise), as well as the monitoring, management and feedback being a stated duty of all employees (and read-across into outsourcing and other third-party services). Specific feedback on the first conduct question was published by the FCA in April 2017 (details of which are considered in Chapter 29). The use of metrics and quality management information is of critical importance to all five conduct questions. Indeed, the identification of appropriate metrics should be done at the same time as the identification of the risk, as well as in response to a conduct incident, and subject to annual reappraisal.
31.09 With regard to Question 2 on the ways in which firms encourage individuals to feel and be responsible for managing conduct risk, the FCA reported that firms utilize measures and metrics of varying descriptions: not all are hard data driven—some arise out of ‘soft discussions’ at challenge sessions, others are informed by the consideration of performance metrics traditionally associated with other risks, whether at board, committee, business line or at control function level. It is also of note (and, of course, importance) that conduct risk metrics were reported as being directly related to individual objectives, remuneration, recruitment, and promotion processes.
31.10 In providing ‘support’ to individuals in order to improve the conduct of their business or function (an issue at the heart of the third conduct question), firms leverage the value in conduct risk metrics by, for example:
• Tracking the number of trading incidents missed by supervisors in order to identify gaps in information flows to supervisors.
• Producing ‘dashboards’ at desk-level populated by metrics relating to individual behaviour and policy breaches, such as missed or late training, PA dealing breaches, excessive hours worked, late for work, limit breaches, late trades, expense policy breaches, suspicious transaction reports, word and voice surveillance reports, customer complaint analysis, most profitable trades, high client entertainment, clients earning the firm the most money, compliance exceptions, and selected HR reports.
• Using conduct management information that identifies specific actions and/or the need for escalation. Some firms have introduced risk tolerances for conduct that are represented on dashboards and which inform remedial treatment.
31.11 The identification and use of metrics is without doubt an area of significant development for firms, as they endeavour to design and embed a conduct risk framework that is both tangible and dynamic. The approach to conduct risk needs to be tangible with respect to: its operation; its impact on and furthering of firm culture; its application to all staff; and the effect of it on the non-financial performance of the firm—whether that be in reporting to the firm’s stakeholders, the regulator, or more broadly, with respect to the firm’s reputation. And, the adoption of appropriate metrics enables firms to review their framework and respond dynamically to experiences (and insights from external sources). As the FCA notes:
In general, firms indicated that they have more work to do on conduct risk metrics. Over time employee behaviour is likely to change as they better understand what is being measured – unless metrics continue to evolve as conduct risks and employee behaviour changes, there is a risk firms may take false comfort from their metrics.
Firms are also focusing on how to develop metrics tailored to the outcomes they want to achieve.
We agree with firms that management information is an area that requires continuing attention.7
31.12 Most notable among the FCA’s ACM feedback is the observation that undue reliance on (certainly ‘static’ or ‘standing’) metrics without an appreciation of their ‘predictive’ limitations can lead to the ineffective identification and management of conduct risk and the inefficient use of the firm’s financial and non-financial resources. The inclusion of conduct risk metrics alongside conduct incident reports and/or as an input into the assessment of new or emerging conduct risks or aligned with strategic decision-making, needs to acknowledge the nature of this risk-type. The use, for example, of surveys (whether taken from external clients or internal stakeholders) must be viewed with some circumspection given the risks and behavioural biases inherent in canvassing people’s views. Indeed we might ask: What metrics should rightly be taken into account by, say, the firm’s internal audit function when carrying out a business line assessment or a review of the firm’s ‘conduct and culture programme’? The difficulty, of course, is in identifying metrics that cannot be ‘gamed’ and that provide not only a factor against which to assess past actions, and predict, where possible, future behaviour, but also an insight into ‘culture’: the phrase that might be best described as the complex and variably weighted aggregation of a firm’s past conduct with that of its stated values, business model, and strategic objectives. The search for a single metric that represents firm culture is pointless. At best, one might identify a metric that is, when viewed over time and on a comparative basis against other banks’ performance, a mere ‘indicator’ of culture, and, subject to the result, a barometer for trust (and trustworthiness). Still, such a metric can have significant conduct risk and reputational management benefits, as we explore below.
31.13 In Chapter 10, we introduced the work of the Conduct Costs Project and prefaced the use of ‘conduct costs’ as a metric for not only conduct risk management purposes—but also as a proxy for how ‘ethically healthy’ a bank is and as an indicator of a firm’s culture and trustworthiness.8 Capturing a bank’s ‘conduct costs’, we argued, presented the opportunity to identify and assess the following: ‘root causes’; early trends in systemic misconduct (gained through the identification of conduct costs suffered by another firm, where the sector, product, governance structure, and controls are analogous with those of the firm); resource allocation inadequacies; training and competence requirements (and its impact on, and integration into, the firm’s SM&CR response); and to demonstrate transparency in such matters to stakeholders.9 The FEMR acknowledged this in its Final Report, referring to the use of conduct metrics to influence behaviour—both through the collection and measurement of directly applicable metrics, as well as indirectly through the publication of data relevant to conduct performance. The FEMR, notably endorsing the ‘conduct cost’ metric and the value in cross-industry collaboration, stated:
Increased public awareness of firms’ conduct—both good and bad—may also help to align the incentives of executives, shareholders and other investors, not least by bringing competitive pressure to bear. Currently, there are challenges in collating data on fines levied on firms in a consistent way. Fines are published in different ways by different regulators, and firms are under no obligation to disclose conduct costs, often aggregating fines with other legal costs in their annual reports. Greater clarity in reporting by firms would help shareholders monitor progress on conduct issues, and has been recommended by the BSB. The Conduct Cost Project publishes details of fines levied by a range of authorities from around the world, split by institution, and a number of private sector firms are also looking to develop conduct ratings using data on fines and measures of their severity.10
31.14 Conduct risk management is as much about the (re)programming of individual behaviour as it is about ‘controlling’ behaviour through, say, physical segregation, authority limits, and IT systems controls. Reprogramming behaviour to align with ‘expectation’—which changes from time to time, sector-to-sector, product-to-product and indeed, client-to-client—is achieved through a myriad of internal and external incentives to achieve good ‘defensible’ outcomes and avoid malfeasance, as well as soft law initiatives, such as standards setting and good practice guidance and as a consequence of the dissemination of conduct performance. The ‘conduct cost’ metric can add value to all of the above. As was noted in Sir Richard Lambert’s report on banking standards,11 a key barometer for success of the standards body’s conduct objective is the application of sound metrics against which banks can be benchmarked.12 Comparing banks’ conduct performance against one another serves to reinforce strengths and identify weaknesses in a process of continuous improvement. One such metric in our view (and this is endorsed within Lambert’s February 2014 consultation paper13) is that of a bank’s conduct costs. Indeed, we would argue that, of the various metrics being considered by BSR, conduct costs are alone in being completely factually based and objective. Surveys and opinion polls are useful tools in the armoury but fall short in delivering really ‘concrete’ indicators of how well a bank’s ethical agenda is working.
objective indicators of dysfunctional organisational culture (and cultural differences) become progressively more elusive as one moves through the multiple layers of any organization. The further away one gets from directly observable and measurable activity, against which executives can interpret and determine responses, the more behaviour becomes moulded by individual or departmental belief and reward systems and related thought processes. This ultimately informs culture which reinforces potentially unethical behaviour and delinquent corporate conduct.14
31.16 Firm conduct costs, the authors noted, are highly objective indicators of the negative effect of ‘inappropriate culture’. The hypothesis being that the roll out of a unified system of conduct cost reporting across all financial services firms will, over time, demonstrate whether banks are in fact becoming more or less effective in changing culture, managing conduct risk and ushering in a new era of ethically appropriate behaviour and financial sustainability. The Conduct Crisis exposed the flaws in operational risk management techniques that were aimed at conduct risk issues; and the conduct costs metric, utilized as a comparative data source on conduct and standards, is a valuable risk management tool and cultural gauge to address the perceived shortcomings. Indeed, the ‘recalibration’ of cultural and behavioural standards post-Crises, has seen banks espouse ‘values’ statements and engage ‘conduct’ risk management professionals, who invariably cite the usual ‘best practice’. However, it is arguable that senior management rhetoric is not translating into learned conduct risk management practice—although one would expect this to change under a successful senior managers and certification regime where individual accountability will drive ownership and feedback where it was previously lacking. Ominously, the EBA recorded in its December 2013 risk assessment of the European banking system, a comparative decline in the number of respondents who identified a need for culture and risk governance adjustments.15 The EBA stated that:
An indication of an identified decreasing need to improve risk/conduct governance while risks are rising should be an issue of supervisory concern, and continued heightened supervisory attention to risk culture and governance is warranted.
31.17 We would of course agree that conduct risk should not be ‘siloed’, or simply the preserve of compliance. It should indeed be ‘embedded’ with the business model and operational management of the bank (as the advice goes). However, in our view, conduct risk management must go further. Intermediating conduct requires not only a process for risk identification, assessment, and control but, moreover, the means by which to correlate that risk to the ethics or culture of the firm: the cultural-cause and conduct-effect. The evidence presented by a bank’s (and its peers’) conduct cost, for instance, gives a tangible insight into that correlation. Both the quantum and the cause exposed by a conduct costs metric can inform a bank’s risk governance and, in particular, adjustments that may be necessary to products and/or business models. As the EBA notes in its 2016 risk assessment:
Aiming to adjust culture and risk governance is by far the most widely considered approach to addressing reputational and legal risks (85%) at banks, as responses to the RAQ indicate. Less than 50% of respondents have indicated an intention to adjust risk culture and governance in previous RAQs, and an increasing number of banks intending to adjust their culture and governance is a positive development. However, the roll-out and implementation of adjustments of risk culture and governance across business lines and into daily business often warrants scrutiny.
Supervisors have for some time identified the need for enhanced corporate governance, including management functions, compliance proceedings and risk culture. A lack of integration of conduct-of-business concerns into institutional governance arrangements was often identified, and governance arrangements often fell short of identifying conduct-of-business concerns.
31.18 The opinion of the EBA reflects, to an extent, the observations of the FCA in response to its first round ACMs, that is, the relative immaturity of conduct risk management practice. Metrics for conduct risk management are but a tool in the overall assessment process. Still, we expect firms to continue the development of such metrics in line with regulatory expectations. This development, we expect, will see firms looking to not only enhance internal conduct risk indicators, but to gain cross-industry insight into conduct risk—whether by tracking the narratives of peers’ annual and strategic reports, analysing regulatory enforcement actions or through the utilization of a ‘conduct costs’ metric (certainly so, where the latter is subjected to ‘cause’ and ‘cost’ codings, or weighted to form a culpability index that can be compared across jurisdictions, products, activities and firms).
31.19 A further prediction for conduct risk metrics is the need for firms to consider the prudential implications of conduct and the use of metrics (such as ‘conduct costs’) by firms (and regulators) in defending non-financial performance, business models, and, notably, firms’ internal capital adequacy assessment process. The lack of appreciation of conduct risk factors on banks’ capital adequacy assessment processes was, in fact, noted by the EBA, which stated in its 2016 assessment:
Further efforts are also warranted to adequately reflect conduct risk in banks’ internal capital adequacy assessment process (ICAAP). A recent supervisory stocktake conducted by the EBA covering the responses to conduct risks of 82 banks indicated that 57% of banks do not or only partially reflect conduct risks in their ICAAP. Also, 69% of banks do not or only partially reflect conduct risk in their stress-testing framework.
31.20 Figure 31.1 below (produced from Conduct Costs Project data) illustrates, for the banks covered by the Conduct Costs Project, the ratio of average conduct costs to net revenue from 2008 (during the Financial Crisis), through 2012 (arguably the height of the Conduct Crisis) to 2016 (on the basis of the latest published figures). It is uncontroversial to state that no longer can it be the case that conduct costs are booked to operational expenses. The Project’s data shows us that conduct costs can have a major impact on net income (for example, the 2016 conduct costs for the twenty banks surveyed represent 32.95 per cent of total revenues, without which net income could have doubled). Bank share prices have fallen (and, at the time of writing, remain depressed) while confidence, measurable through a bank’s conduct cost profile, remains elusive.
31.21 A final observation on conduct risk metrics relates to the need for firms to utilize metrics that indicate positive and negative performance against defined objectives—most likely, the desired customer (that is, both the ‘external’ and ‘internal’ client and stakeholders) outcome from any given business line, product, or function. Metrics should not be defined by reference first to regulatory risk: the regulator’s outlook or latest ‘priority list’. As the authors have argued,16 this largely misses the point and can in fact lead to an unconstructive preoccupation with regulatory expectation. It promotes a focus on pre-empting the next thematic review, product intervention or enforcement action. It results in management information and risk management output fit for ‘compliance-purpose’, rather than fit for ‘client-purpose’. It leads to regulatory neurosis.
31.22 Rather than ‘reverse engineer’ regulatory expectation, banks’ conduct risk frameworks should start with the identification of ‘what behaviour is right in the circumstances of the relationship/transaction?’ and consistently reappraise the answer to this question in light of the bank’s experiences: such as its conduct cost profile and the conduct cost profile of its peers. This, of course, necessitates a clearly defined and widely adopted framework for conduct costs reporting. The value in such disclosures and related ‘soft law’ initiatives on conduct risk insights and standards is explored in the next chapter.
2 See Parts III and IV generally, and Chs 10, 12, 14, and 15 in particular, for a discussion of the rise in importance of ethics, standards and individual accountability in banking and financial services.
5 Conduct risk data has been historically confined to internal metrics and specific management information (with the addition of ad hoc lessons derived from reported cases, regulatory enforcement actions and reports, and the like). Whereas, the data available to assess and monitor credit risk, for example, is wider ranging, more granular, more frequently available and more flexible than conduct risk data (see, Damia and Israel, ‘Standardised granular credit and credit risk data’, published in Irving Fisher Committee, 2015. ‘Indicators to support monetary and financial stability analysis: data sources and statistical methodologies,’ IFC Bulletins, Bank for International Settlements, number 39, March). Access to credit risk data is therefore significantly easier, aided by initiatives at national and European level (for instance, the ECB’s creation of AnaCredit, see <https://www.ecb.europa.eu/explainers/tell-me-more/html/anacredit.en.html>) and the use of ‘big data’ for risk management purposes (see, Economist Intelligence Unit, ‘Retail banks and big data: Big data as the key to better risk management’ (2014)).
6 See Ch 32 for a discussion on the use of ‘grey area’ case studies to explore and ‘cross pollinate’ conduct risk experiences among various banks and financial institutions with a view to gaining risk insight and identifying a defensible approach (perhaps even a ‘standard’ in relation) to such scenarios.
8 See para 10.28 et seq.
10 HM Treasury, Bank of England and Financial Conduct Authority, ‘Fair and Effective Markets Review’, Final Report (June 2015), section 126.96.36.199. See also the FEMR Implementation Report (July 2016), in which the FEMR noted that ‘while a lot has been achieved in the past year it would be a mistake to think that the job is done. A key theme that came out of the ‘Open Forum’ held by the Bank in November 2015 was that there remains a lack of trust in financial markets and financial institutions because of past misconduct. Participants saw cultural and ethical changes as an essential component of building a social licence for financial markets.’ A key ingredient to this is, in the view of the authors, greater collaboration among market participants over conduct risk issues and metrics (to the extent that legitimate commercial sensitivities, confidentiality constraints and competition law allow). This was indeed expressed in a paper submitted to the Open Forum, co-authored (and contributed to) by the authors, see O’Brien, Gilligan, and McCormick, ‘Professional Standards and the Social Licence to Operate: A Panacea for Finance or an Exercise in Symbolism’ (2015) LFMR Vol. 9 No. 4 at 283–92.
12 Ibid at p 16.