Conduct Risk and Control in the Banking Sector: Part Two – Exploring the Challenges


In our first article on Conduct Risk, Vox SME Charanpal Matharu gave us an overview of the conduct risk landscape and high-level thoughts on the challenges banks face, and the steps regulators are taking to apply control methods.  In this article, our conversation went deeper into the issues that continue to make conduct risk challenging.

Conduct risk is defined as any action of a financial institution or individual that leads to customer detriment or harms market stability or effective competition. The Financial Conduct Authority (FCA) has deliberately set out a broad definition of ‘conduct risk,’ leaving the onus on financial services firms to prove how they are protecting customers. Banks were asked to define conduct risk and submit their definitions to the FCA for review. This process took much more time than anticipated, and many banks had to go back with revised definitions.

Businesses that fail to bring conduct risk in line face regulatory action, fines, and reputational damage, which can harm a company for years beyond the event. We have seen a significant financial impact on firms due to conduct-related regulatory action—and it can all stem from an individual’s actions. 

Since 2013, regulators have issued fines well in excess of $300 billion for violations arising from various business lines and functions. These include instances of LIBOR manipulation, FX manipulation, and also shortcomings in other areas. Instances of Conduct Risk are frequently emerging throughout financial organizations. It is also notable that regulators are more frequently sanctioning individuals.

Conduct Risk Frameworks

As risk professionals, we are all well versed in defining risk appetite statements, developing risk taxonomies, implementing risk frameworks, identifying inherent risks, examining controls, and determining residual risks. There are remediation programs for those instances where the controls are not sufficient, and the residual risks are above tolerances defined in a risk appetite.

So, if awareness of conduct risk exists and frameworks have been created, and regulators pay attention and issue fines, it begs the question, why does it still occur with relative frequency? 

The challenges are numerous.

Conduct Risk has proved to be challenging to define. Many organizations had to revisit and agree on their definition of conduct risk with the FCA from the outset. Conduct risk has proven to be a much more significant risk to manage than what was envisaged in 2013.

Many organizations tagged conduct risk to their Operational Risk Framework, but regulatory direction and instances of conduct risk demonstrated an inadequate methodology. Organizations may have done this due to resourcing or because they did not understand the risk quantum.

The FCA rightfully made clear their view that banks were good at fixing things that had gone wrong but relatively weak at preventing something from happening. They shifted their focus to emerging conduct risk.

The pressure and focus on banks’ costs mean that regulatory initiatives are often resourced with individuals who have existing dedicated roles and responsibilities. The increased pressure on cost management has usually meant that there is insufficient resourcing (skill/expertise and bandwidth) to implement meaningful solutions that reduce the risk profile of the organization.

Where are organizations now?

The table below is not reflective of any specific organization, but rather a snapshot of the conduct risk landscape over the last eight years, highlighting that there is much need for improvement.

How do you identify the risk?

Most businesses stress the importance of senior executives playing a role in conduct risk, particularly in raising the visibility of a program. Firms with in-house initiatives are intrinsically better at identifying drivers of conduct risk, such as conflicts of interest. Good corporate culture comes from the top and should be articulated through extensive internal communications programs.

Even with a conduct risk program already in place, some firms still focus too much on crystallized risk, such as avoiding fines and losses, instead of developing forward-looking risk indicators. Another core question to consider is: when does a product or behavior move from being acceptable to unacceptable?

What are the drivers?
Understanding and addressing the drivers of conduct risk is essential to improving standards of behavior. While the starting point will vary from bank to bank, there are three core areas at the base of conduct risk:

  • Ingrained factors: These are characteristics inherent to financial markets and their participants, such as information irregularities between firms and their clients or clients’ financial capability. 
  • Common practice: The financial services sector has long-established behaviors and conflicts of interest that could prevent markets from working as well as they could. 
  • Outside influence: Macro-economic developments that can impact financial markets and, in turn, the long-term needs of consumers. Firms ineffectively responding to these pressures can lead to poor conduct outcomes.

While measuring conduct risk can be challenging, it may be helpful to assess drivers through three lenses: specific business units, the overall firm, and the strategic medium- to long-term outlook.

Conduct risk framework
Conduct risk programs should be tailored to each firm’s needs based primarily on size, business model, and geographic reach. The framework should take into account both short and long-term goals. The most successful programs usually have regular board-level reviews that assess and, more importantly, challenge the plan.

At Vox, we regularly help financial institutions with all aspects of their conduct risk frameworks. Our approach applies our expertise in regulatory compliance and the in-depth analysis of company data, including: 

  • An analytical review of conduct risk frameworks
  • Analyzing company datasets to identify where risk management failures are most likely to appear
  • Reviewing conduct risk profiles and devising associated remediation plans
  • Implementing mechanisms to embed conduct and culture processes throughout an organization
  • Design and operation of conduct risk management information, specifically individual-based scorecards to identify historical and emerging conduct risks. Our methodology includes other categories that have been particularly appealing to regulators.
  • Developing and implementing a supervisory framework that supports global senior manager accountability regimes

If you need help, get in touch with Phil Marsden at or visit to learn more.
