Conduct risk: what is it to investment management?

RiskInvest is a new event specifically for buy-side risk professionals that takes place alongside RiskMinds International 2017 in Amsterdam. It’s an opportunity for those involved in risk on the buy-side to share insight and practice relevant to their industry.
One such question is how relevant the notion of conduct risk actually is to the investment management industry.
Conduct risk – is it relevant?
Andrew Freeman, Chief Risk Officer at Ardian, didn’t think it was relevant at all. Firstly, what does it even mean?
One of the first problems with conduct risk is that it’s impossible to get a clear definition of it, he reckoned. “The FCA has a framework of things that they say influence conduct, but this includes everything from market structures and culture, to technology and regulatory frameworks, to human biases,” explained Andrew.
“If that’s conduct risk, or a framework for thinking about conduct risk, it’s very broad – I can talk about anything I want and call it conduct risk,” he added.
Nor did The Universal Conduct Risk Paradigm, written by the United Nations Economic Commission for Europe, offer much illumination. “I think the point of this one is that conduct goes everywhere. As a risk manager, how do I turn that into something meaningful? I don’t think I can.”
What about fellow financial institutions? asked Andrew. Could they help define conduct risk? They all have different statements, he said, such as: “Detriment through inappropriate judgment in execution of business activities,” or “Conduct risk is the risk that our employees or agents may, intentionally or through negligence, harm customers, clients or the integrity of the markets, and thereby the integrity of our company.”
Yet some of those firms had received record fines specifically because of their untoward conduct.
“Forgive me, but conduct risk seems to be a thing dominated by regulators’ impulse to oversee banks, and lots of examples of banks saying one thing and doing another.”
Heading in the wrong direction
Ultimately, Andrew felt that the asset management industry was facing a “regulatory mission creep”, and conduct risk was an example of where the industry should not be going.
“We should not use the term conduct risk, or if we do, we should use it in a very limited way,” he said.
There were elements of the AIFMD, for instance, that didn’t make a huge amount of sense. “We have to have an operational loss database, but our data points are few and far between, so it’s really not very useful,” explained Andrew.
“Stress-testing is potentially useful, we can try and devise a stress test that might mean something for the management company, but stress testing came from the banking industry, it hasn’t come from regulators thinking that they must stress test investment portfolios, so it’s a lazy idea.”
“We have to have a risk limit system,” continued Andrew, “which is good, but we would have had that anyway. I don’t need a regulator to tell me that I’m going to use some form of limits concept.”
Get rid of conduct risk
One of Andrew’s proudest achievements was getting an agreed group risk appetite statement signed, sealed and delivered within Ardian’s first year of operation. “But that’s not enough. We now have to have a conduct risk appetite risk statement. Where does that sit alongside group risk appetite? Isn’t that what I’m doing as a risk manager anyway? What's the inherent difference between conduct risk and just risk management?” he wondered.
Reputational risk wasn’t any different under Andrew’s lens. After all, what is reputational risk other than what happens to your reputation as a consequence of something else going wrong? he asked.
“My pitch is that, as asset managers we should dispense with conduct risk,” urged Andrew. “Or, if we keep it, have conduct risk defined along the lines of losses due to employees not adhering to internal compliance and ethical processes and procedures. In other words, something else went wrong.
“Conduct risk is an excellent example of how, if we let the banking industry drive how we are regulated and how we behave, it will cost us and will achieve almost nothing.”
What is operational resilience and why do we care?
From battling to define conduct risk and arguing the case against it, we swiftly moved on to hearing about a whole new paradigm for operational risk. Barbara Diette, SVP & Chief Risk Officer at EMEA at State Street Corporation, told us how State Street had built a risk practice around operational resiliency.
“I think this is the future of the operational risk profession,” she boldly stated.
You only have to look at recent headlines – failures in technology, cyber attacks, multiple financial institutions in trouble – to know that operational and technological failures happen. Because they often entail systemic risk, there has been a rise in concern about operational risk, particularly by regulators.
Partly, explained Barbara, this is due to the fact that since 2008, financial institutions have had to cut costs and have outsourced a lot of functions. State Street’s answer was to build a new framework of operational resilience.
Traditional risk frameworks needed a shift, she said. American banks had done a lot of work to prepare resolution plans, which put them in a strong position regarding understanding their own business. But it now needed to go one step further.
“So we do what we did before, but with a shift to assuming that something bad is going to happen, and exercising how well prepared we are. It’s a new type of cycle, and an important one.” It starts with risk appetite – how much can you tolerate – and understanding where all the critical processes are, explained Barbara. Then you have to perform a scenario analysis – “where is this tail risk event going to hit us, and let’s walk through what we would do if it did.” Finally, it involves a layer of oversight models showing who is overseeing the controls.
The tricky part was pulling all the risk functions together, she said. “This problem is interdisciplinary. If you don’t have them all together you won’t know what the holes are that you need to plug.”
But the ultimate result, whilst not altogether new, represented a refreshing way of looking at operational risk. “We are building a big map and figuring out if the systems and controls in that map are working well,” she explained. “There isn’t much that is new. We’re taking existing building blocks and putting them together in a more systematic way. It’s very effective, and one which will effectively make the market stronger.”