Conduct risk and reputational risk are receiving more attention from banks than ever before as they strive to gain better control over their activities.

The conduct and risk culture of banks has improved significantly in the wake of the financial crisis and the many misdemeanours that have happened since, such as rogue trading, product mis-selling and Libor-rate rigging. The change of attitude has been driven not only by the regulatory response, but by a realisation among bank boards and senior management that they had to mend their ways.

It was obvious after the events of 2008 that banks needed to enhance their credit and market risk management, and set aside more capital and liquidity to support their activities. But more recently it has also become clear that they should place more emphasis on managing the non-financial operational risks – in particular 'conduct risk' (the risk of acting unethically or illegally) and 'reputational risk' (the risk of damaged or destroyed reputations resulting from poor conduct).

The responsibility for controlling all the risks generated by a bank’s activities is a wide one. It goes beyond the remit of the chief risk officer (CRO) and the risk management function; it is a risk governance issue.

In other words, the board of directors and senior management now have to take full responsibility for risk, with proper interaction, cross-checking and transparency between all parties. Only then can a bank’s leaders claim to be in control. Clearly some of the world’s biggest banks are still out of control, as evidenced by the €1.7bn in fines handed out by the European Commission in December 2013 to several banks for forming cartels to manipulate Yen Libor and Euribor rates.

Defining risk appetite and culture

The Financial Stability Board (FSB) is trying to help banks in this respect. In November it published two papers. The first, Principles for an Effective Risk Appetite Framework, lays down what the FSB believes should be the key elements of such a framework, and how the authorities should supervise it. For example, a risk appetite framework should:

• Set the aggregate level and types of risk a financial institution is willing to assume within its risk capacity to achieve its strategic objectives and business plan.

• Set out the overall approach – policies, processes, controls and systems – through which risk appetite is established, communicated and monitored.

• Be driven by both top-down board leadership and bottom-up involvement of management at all levels, and embedded and understood across the financial institution.

• Be embedded into the financial institution’s risk culture.

The second paper, Guidance on Supervisory Interaction with Financial Institutions on Risk Culture, is a consultation document, open for comment until January 31, 2014, which seeks to help financial institutions understand their risk culture, and how it should be supervised.

“Failures in risk culture are often considered a root cause of the global financial crisis as well as headline risk and compliance events, for example the London whale [and] Libor manipulation,” states the paper. “A financial institution’s risk culture plays an important role in influencing the actions and decisions taken by individuals within the institution and in shaping the institution’s attitude toward its stakeholders, including its supervisors.”

Regulators get tough

The FSB only offers principles and guidance. It is the national regulators that write the rules, enforce them and mete out the justice when they are flouted. The UK’s new Financial Conduct Authority (FCA), for instance, has just fined Lloyds Banking Group £28m ($45.57m) for serious failings in its controls over sales incentive schemes. It is the largest ever fine imposed by UK financial regulators for retail conduct failings, and the reputational damage done to the bank is immeasurable.

“The incentive schemes led to a serious risk that sales staff were put under pressure to hit targets to get a bonus or avoid being demoted, rather than focus on what consumers may need or want,” said the FCA in describing the culture of mis-selling at the bank. In one case an advisor sold protection products to himself, his wife and a colleague to prevent himself from being demoted.

Pierre Pourquery, partner and European lead for risk and regulatory strategic solutions at EY, says European and US regulators are exerting pressure on banks on everything related to conduct and the control environment. “It’s causing banks to take risk culture more seriously. It is really changing their mind-set, making them much more risk aware than before.”

Banks began to take a methodical approach to operational risk management after Basel II, but they tended to focus on IT systems and processes, taking a heavily quantitative approach and not properly embedding it in the business. Now they realise that operational risk includes poor conduct and lack of control.

Being in control

“Banks should ask themselves a very simple question: are we in control of these risks? Many of them are not,” says Mr Pourquery. “On the one hand they have quantitative data on operational risk, which is of limited value. On the other hand they have some kind of control assessment, but it is done as a self-assessment so is extremely subjective and not based on a standard.

“CROs need to ensure they are in control. Defining the standard that needs to be attained is the first step. Then you can assess whether you have the right controls in place to meet that standard.

“Once you understand the gap between your position and the standard, you can decide what to do. You can accept the gap, but more banks are not accepting the gap, which gives you two further options: make some improvements, or cease the activity you are engaged in.”

Fragmented views

This is easier said than done. The main problem is that the CRO gets fragmented views from different departments – from the operational risk department, the audit department, and the business lines. The data coming out of these different silos needs to be integrated.

“Historically, no one has had the role of integrating these different pieces of information,” says Mr Pourquery. “But such a role is now emerging, that of the chief control officer, the CCO. That person’s role is to define the standards, and then integrate all the risk data so that the key question – ‘Am I in control?’ – can be answered accurately.”

Jenny Clayton, partner and retail banking lead in the risk practice at EY, explains that the large UK banks have set up 'conduct risk' programmes of work. This is largely in response to the risk mitigation activities prescribed by the FCA, and prior to that the Financial Services Authority.

“Many of the larger banks have created the specific role of director of conduct risk, or head of conduct risk,” says Ms Clayton. “That elevates the importance of conduct risk as a class of risk. These programmes centre on the business strategy, culture and controls of the organisation. There is a focus on demonstrating how strategy is complementary to conduct, and how the strategy embeds the philosophy of putting the customer at the centre of decision making.” 

What banks have to say

Frank Stöfer, head of credit risk management at Helaba, one of the larger German landesbanken, explains that the bank’s risk function was strengthened when a new CRO joined a year ago. “We also have a risk-controlling executive and, due to the increase in regulatory reporting requirements, the CRO and the chief financial officer co-operate more closely these days.”

Mr Stöfer is at pains to point out that conduct and reputational risk is not as big an issue for landesbanken as it is for global banks. Even so, Helaba is among the many eurozone banks that are being subjected to the European Central Bank’s risk assessment, asset quality review and stress-tests, due to be completed in October 2014. The exercise is bound to have an impact on banks’ risk management frameworks.

“It’s early days, but it is a fair assumption that standards will be raised in terms of how prudently banks look at their exposures and how consistent they are with exposures, valuations and methodology,” says Mr Stöfer. “Everything has to be consistent and logical so that third parties can easily understand it.”

Barclays' change in culture

Barclays is one of the global banks whose reputation has been badly damaged by its past conduct. It was constantly in the news in 2012 for unethical behaviour, resulting in the departure of its chief executive, chairman and other senior directors. It is now trying harder than most to change its culture and ethics.

Under the stewardship of new chairman Sir David Walker and new chief executive Antony Jenkins there has been a massive cultural change at the top which seems to be permeating down. In 2013, it announced a strategic review, Transform, which, among other things, defined new 'purpose and values' and aimed to ensure that its business activities would not have a negative impact on the bank’s reputation.

In a recent speech, Mr Jenkins explained that the bank had also taken a number of “de-risking actions”, to make it “less susceptible to mistakes of the past such as mis-selling and other forms of conduct risk”. These de-risking actions included closing the personal financial planning business in the UK, closing its structured capital markets tax planning and advisory unit, and eliminating sales incentives in the branch network.

“These and other actions reduced revenues in the short term, but I believe that they are a critical part of ensuring long-term revenues are more sustainable and of reducing the risk of conduct issues in the future,” said Mr Jenkins. 

What banks are doing to improve their culture and exercise greater control over their activities is commendable. Big questions remain though. Will fine words about adopting high moral values and de-risking really make a difference? How easily can bankers, and the banks they work for, modify their ways? If leopards cannot change their spots, can bankers change their conduct? 
