Following the results of its conduct risk questionnaire, ASIC has announced its ‘3 C’s’ message on conduct risk covering communication, challenge and complacency.
ASIC’s focus on conduct risk was reinforced at the ASIC Annual Forum where conduct and culture were key themes.
ASIC is undertaking to continue work in this area including the roll out of an initial conduct risk pilot project amongst certain institutions, and therefore conduct risk is likely to be a key theme over the coming year.
What is conduct risk?
ASIC has described conduct risk as the risk of inappropriate, unethical or unlawful behaviour on the part of an organisation’s management or employees which can be caused by deliberate actions or may be inadvertent and caused by inadequacies in an organisation’s practices, frameworks or education programs.
ASIC’S 3 C’s
Conduct risk is a concept which was initially developed by the UK’s Financial Conduct Authority (FCA) and is now part of the basic regulatory framework in both the retail and wholesale markets in the UK. In light of this, ASIC has been increasingly focusing on conduct risk and launched a conduct risk questionnaire in 2014. The results of this questionnaire have informed ASIC’s “3 C’s message on conduct risk” which it recently published:
Communication
- Communication of conduct expectations needs to be clear, concise, proactive and regularly reiterated across all levels of the organisation, to ensure it is “front of mind”.
- Organisations’ communication strategies should identify meaningful bottom-up validation to ensure the message is embedded.
- Messaging needs to be linked to the importance of the reputation of the individual, organisation and broader financial markets.
Challenge
Organisations should:
- challenge existing practices to determine whether current conduct and behaviours are appropriate; and
- foster an environment where employees are encouraged to escalate concerns and consider rewarding staff for speaking up.
Complacency
- There is a danger in thinking that because something hasn’t happened yet, it won’t happen.
- Conduct risk should be continually reviewed, enforced and validated the same way as other key risks are.
- Conduct risk is avoidable. It is every organisation’s responsibility to provide frameworks to empower their employees to recognise, prevent, escalate and respond to conduct risks.
Impact for regulated firms
The requirement for financial institutions in Australia to have in place adequate risk management arrangements is not new. APRA regulated institutions are subject to CPS220, which requires the Board to ensure there is a sound risk management culture maintained throughout the institution. AFSL holders are also subject to licence conditions which require them to have in place adequate risk management arrangements.
Recent public focus on areas such as alleged manipulation of interest rate benchmarks and FX markets, and issues in the financial planning sector, has led to a heightened awareness of what conduct risk management means for a regulated institution.
ASIC reinforced its focus on conduct risk at the ASIC Annual Forum where Greg Medcraft noted in his opening address that “At ASIC, poor culture is like a red rag to a bull, and tells us there are likely to be other regulatory problems within an organisation.”.
ASIC has also rolled out an initial conduct risk pilot project amongst certain institutions and therefore this is likely to be a key theme over the coming year. Accordingly, although questions remain around the precise meaning of conduct risk and how it is measured, assessed and controlled, firms should still ensure that they have a framework in place to address these requirements.
