What is conduct risk?

Why is conduct risk important?

Conduct risk management started gaining more attention in the corporate sector, especially the financial field, after it was revealed that unethical behavior was a primary cause of the 2007 financial crisis.

According to the Financial Stability Board, an international financial regulatory body, a major takeaway from the Great Recession of 2007 is that risk to a firm's reputation should not be underestimated, and more attention must be paid to improving the quality of products sold to consumers. In today's complex and highly regulated business environment, it is crucial for companies to understand and manage conduct risk as a part of a broader approach to risk.

If misconduct is found in financial, healthcare or other regulated fields, businesses can face fines or sanctions. Misconduct could include unnecessary fees, consumer privacy violations, manipulating performance metrics and discrimination. It could additionally lead to lawsuits, which could cause financial risks and strains, as well as operational disruptions.

Three key elements of managing conduct risk

To effectively manage conduct risk, companies need to consider the following three main elements:

1. Understanding relevant regulations.
2. Identifying conduct risk areas.
3. Determining mitigation strategies.

Understanding relevant regulations

Conduct risk is closely tied to regulatory frameworks that govern business behavior. Noncompliance with frameworks or regulations might not even be intentional -- it could stem from misinterpretation.

Understanding and complying with these regulations is crucial for companies to mitigate potential impacts of conduct risk. Knowledge of the relevant regulations enables businesses to align their practices with regulatory expectations and industry standards.

The following are some examples of legislative safeguards commonly implemented:

• Securities and Exchange Commission regulations. In the U.S., the SEC plays a crucial role in enforcing conduct risk management in organizations, particularly in the financial industry. It has regulations in place to promote fair and ethical practices, prevent fraud and protect investors.
• Sarbanes-Oxley Act. Enacted in the U.S., SOX is primarily focused on financial reporting and corporate governance. It sets requirements for organizations to establish internal controls, maintain accurate financial records, and ensure transparency and accountability. Compliance with SOX mitigates conduct risk and increases investor confidence.
• Consumer protection regulations. These have been implemented in many jurisdictions to safeguard consumers and prevent unfair practices. These regulations might include requirements for clear and transparent communication, fair pricing, product safety and consumer privacy protection. Compliance with consumer protection regulations is essential for managing conduct risk when dealing with customers.
• Anti-money laundering regulations. AML regulations are designed to prevent money laundering, terrorist financing and other illicit activities. These regulations oblige organizations, particularly those in the financial sector, to implement strong risk mitigation measures, such as customer due diligence, transaction monitoring and suspicious activity reporting. Compliance with AML regulations reduces conduct risk associated with illicit financial activities.
• Dodd-Frank Wall Street Reform and Consumer Protection Act. The Dodd-Frank Act established new government agencies to oversee the financial system and monitor the financial stability of major financial firms. It also introduced regulations for consumer protection, derivatives, credit ratings and whistleblowing, among other areas. It covers a wide range of activities such as banking, consumer finance, derivatives and corporate governance.

Identifying conduct risk areas

Conduct risk can exist across various areas of a business operation. By identifying where these areas could arise early on, companies can recognize potential risks and take proactive measures to address risks.

Common areas where conduct risk might arise include customer interactions, sales practices, product design, market manipulation and fraud prevention. In the U.S., several regulatory compliance bodies consider corporate culture a factor when conducting risk violations.

Strategies to mitigate conduct risk

Implementing mitigation strategies is essential to minimizing conduct risk. Organizations should implement systems, processes and cultural practices that address and reduce the chances of conduct risk occurring. Companies should establish frameworks and controls to prevent misconduct, provide staff training on ethical practices, develop codes of conduct, and establish reporting mechanisms to address potential instances of misconduct promptly.

Organizations can also keep track of key metrics that can be an indicator of conduct risk, such as customer satisfaction, transparency in sales or surveys and questionnaires to customers or employees. Proactively managing conduct risk can prevent legal, reputational and financial consequences.

Common examples of conduct risk

There are many ways an organization could either intentionally or unintentionally add to conduct risk. Some common examples of business risks related to conduct include the following:

• Bribery. Offering or accepting bribes for some personal benefit, such as influencing decisions or gaining contracts.
• Employee discrimination. Discrimination against employees based on factors such as race, sex and religion.
• Engaging in a conflict of interest. Acting in a way that benefits an employee or organization at the expense of established ethical standards.
• Insider trading. Using nonpublic market information for personal gain.
• Misrepresenting a product. Promoting false or incomplete information about a product or service can mislead customers and lead to financial and reputational damage.
• Misusing customer data. Using or sharing customer data in a way that is not properly disclosed to customers.
• Price fixing. Artificially inflating prices or colluding with competitors to set prices much higher than normal.

Effects and consequences of conduct risk

Conduct risk is often a problem during product development. It requires employees to actively manage potential risk issues throughout the product development lifecycle.

Conduct risk management strategies should not stop at product development, however. They can permeate nearly every aspect of business operations that involve customer interactions and do not fall under other risk categories such as credit, liquidity, market or operational risks.

The consequences of conduct risk can be far-reaching. Violating conduct risk regulations can result in legal action, fines and penalties, which can then impede future or long-term business strategies.

Companies might face regulatory enforcement actions, lawsuits from affected stakeholders, and damage to their operating licenses. Notable examples include financial institutions that have faced significant penalties for improper sales practices and fraudulent activities.

Conduct risk incidents can also severely damage a company's reputation, erode customer trust and reduce customer loyalty. Negative publicity and public perception can have long-lasting effects on the company's brand image and market standing. Well-known brands that have suffered reputational damage due to conduct risk include Enron and Volkswagen.

Conduct risk incidents can result in substantial financial losses for companies. Legal settlements, regulatory fines, customer compensation and damage to long-term business prospects all contribute to these losses.

Role of proactive measures in managing conduct risk

To effectively manage conduct risk, companies should adopt proactive measures. Implementing comprehensive mitigation measures is essential for preventing conduct risk incidents.

The process for managing conduct risk will be different at each company based on factors such as the company's industry and its customer base. In general, a successful conduct risk management approach includes the following steps:

1. Identify and assess conduct risk vulnerabilities throughout the organization's departments.
2. Develop and monitor key conduct risk metrics unique to the organization's needs.
3. Educate and train staff about their conduct risk avoidance responsibilities, and reinforce training regularly.
4. Evaluate employees' sales incentives programs and make sure employees are compliant with consumer protection rules when interacting with customers.
5. Establish clear policies and procedures, promote a strong risk culture across the organization, and emphasize ethical conduct and compliance.
6. Foster a speak-up culture that encourages employees to report potential misconduct without fear of retaliation.

A strong risk culture ensures that employees understand the importance of conduct risk management and actively contribute to its mitigation efforts.

Additionally, a third-party compliance audit can help an organization to evaluate and improve the following:

• How employees interact with customers.
• The firm's product approval process.
• How the company addresses regulatory requirements.
• How decisions are made.
• A whistleblower policy -- if the organization has one -- that lets employees report dishonest or illegal business activities without repercussions.

Conduct risk is a critical consideration for businesses across industries. By understanding the key elements of conduct risk, recognizing potential risk areas and implementing proactive measures, companies can effectively manage and mitigate conduct risk.

Failure to address conduct risk can lead to negative impacts, such as legal, reputational and financial consequences, that can harm a business's long-term success and sustainability. By prioritizing conduct risk management, companies can protect their customers, maintain trust, and foster a culture of integrity and accountability.

Explore top enterprise risk management trends. These include the use of GRC platforms, risk maturity models, risk appetite statements and AI tools.