Many insurance firms will be checking their conduct risk appetites after the UK regulator emphasised their importance in a recent thematic review. While they do bring together several conduct tools in a neat way (more here), is there also another side to these conduct risk appetites that firms should take care around? Could they be a ‘double-edged sword’?
There’s a side to me that responds positively to the neatness with which a conduct risk appetite brings together those strategies, objectives, risks, processes and metrics for conduct, in holistic overviews from which the detail can be hung. They bring things together and show how they’re linked. Yet they can also hide as much as they illuminate.
Firstly, conduct risk appetites are much more likely to reflect the ethical culture you want for your firm, rather than the one your people are actually working to. Of course, if there’s little difference, then you’re fine, but if the differences are material, then you’re sailing in choppy waters with the wrong chart. That’s the great challenge with ethical culture: getting into the heart of how decisions are really taken, rather than how the processes and tolerances say they are being taken. Some will point to conduct metrics as a means to correct your course, but they’re invariably backward-looking and not always that robust.
We know that being ethical can be hard at times. We sometimes get things wrong and need to learn how to do it better next time. But conduct risk appetites seem to crystallise that shortfall and build a leeway for unethical behaviour into how a business is managed. This is particularly so around conduct risk tolerances. And businesses being what they are, it doesn’t take much for a tolerance to be turned into a target. When you see an upper tolerance for a conduct risk, is it an indicator of someone more focused on processes than results?
And their very neatness and ‘togetherness’ also risk them being seen as complete (in other words, job done), when they will often be works in progress, especially around conduct metrics. If your business is going to brave a reputational storm at some point, better to recognise from the outset that your conduct risk appetite may have elements in it built more from sticks and straw, than from bricks. Just ask the first and second little piggies how realistic their risk appetite turned out.
Assembling a conduct risk appetite is quite an involved process, yet surveys indicate that management teams sometimes lack the skills, knowledge and experience for doing so. That often results in their implementation being handed to one of the big consultancy firms, who love this type of systems implementation. Yet in doing so, the insurance firm would be in danger of effectively outsourcing its management of conduct risk, with all the dangers that ‘out of sight, out of mind’ brings. Much better to build that in-house knowledge and experience, than buy it in.
And finally, a conduct risk appetite is really only worth its salt if it has two things permeating it: a speaking up process that is fully respected and utilised, and a culture willing to learn from mistakes. These are vital feedback loops that bind a conduct risk appetite together.
A conduct risk appetite helps a firm’s leadership set its ethical vision and formulate the means by which they’re going to achieve it. And it’s the character of that vision, and the willingness of those in charge to roll up their sleeves and deliver it, that distinguishes a true leader from someone who is just good at managing things.