The UK regulator has castigated insurers for not having a clear conduct risk appetite for their delegated authority business. Some firms might be tempted to quickly rush off and assemble one in response. While the intentions might be worthwhile, the output will not be. Think of a conduct risk appetite as a table: it needs four strong legs to stand up. So in preparing your firm’s conduct risk appetite, it makes sense to work on these four legs first.
You need to have developed a relatively detailed understanding of the ethical risks for the overall firm and for its principal lines of business. Such risks emerge from three sources: the firm itself, the markets it operates in and the individuals who work for it. To be suitably robust, such ethical risk assessments need to have been either developed independently of operational management, or done in-house and then checked by an external ‘critical friend’. This avoids their scope being too narrow, or a ‘business as usual’ mindset holding sway.
You need to have identified the ethics objectives for your firm. These should have been built upon two things: the firm’s wider strategic objectives and those aforementioned ethical risks. Without clear objectives, the firm would lack clarity about what the conduct risk appetite was there to achieve.
You need to have some way of expressing the firm’s appetite for accepting a certain level of ethical risk. Without such quantitative or qualitative measures, the conduct risk appetite would be aspirational at best, vague and fluffy at worst. In lines of business such as big-ticket commercial, good metrics may be a challenge to find, but for SME and personal lines, they’re pretty straightforward.
A rather grand term, but important for bringing clarity around the responsibilities and controls that will deliver the conduct risk appetite that’s been set. If the FCA’s review of delegated authority is reflective of the wider market, a challenge for most firms will be finding managers with sufficient skills, knowledge and experience to be able to deliver on those responsibilities.
It’s all too easy to set out the ‘four legs’ I have outlined above in a neat diagram for inclusion in a board report: it’s another thing to be sure that they’ve contributed what you wanted from each of them. That’s where consideration of the gross/net spread comes in handy: it allows you to explore the extent to which your conduct risk appetite is reliant on particular inputs, and then act to strengthen those of systemic importance. Several firms have incurred large fines for relying on little more than those neat diagrams.
There are many things I like about conduct risk appetites: for example, they’re structured, mirror other types of risk appetite and are good for board oversight. Yet there are two sides to them and in the next post, I will look at some of the problems they can give firms.