Organisations are surging into an increasingly competitive, global future, where the unspoken rules that govern how people act internally and with customers will matter more than ever. Therefore, risk functions must innovate to manage culture and conduct risk across multiple businesses and jurisdictions.
Culture – the way people think and perform, and conduct – the actions they take, have a powerful impact on an organisation’s exposure to risk.
These areas must be tackled by risk functions as they confront a rapidly changing, digital and competitive future. The risk function of the future must be open minded to unprecedented culture and conduct risk, and innovate to solve challenges.
Traditionally, the risk function reviews the articulation, communication, measurement and management of risks, considering how culture and conduct could lead to damage. While this won’t change, the way the risk function explores these aspects must adapt.
“What has been done in the past is not going to keep organisations and their customers safe in the future,” says Jacinta Munro, Partner, Advisory, KPMG. “Expectations of customers, regulators, media and the public have changed and businesses must respond.”
Steve Clark, Director, People and Change, KPMG says that with the Australian Securities and Investment Commission’s (ASIC) increased focus on banking and insurance products, risk functions will have even more reason to improve their approach to culture and conduct risk.
“More regulation could encourage firms to take a holistic approach to the customer,” Clark says. “Examples in Europe show it’s about establishing governance that looks at the whole cycle, so businesses can focus on assuring customer outcomes – moving away from a focus on just financial outcomes for shareholders and the firm.”
Broadly defined, culture refers to the underlying assumptions held by employees about the way things are done. It can reach from leadership to staff selection and promotion, performance measurement, management of competing interests, and the beliefs that drive actions. Risk culture indicates how an organisation values risk, such as the risk controls, its appetite for taking risks, its training and how issues are communicated and resolved.
Conduct relates to actions – which can be ingrained in business strategy, productive governance, employee incentives and how new products and services are governed. The combination of culture and conduct ultimately impacts customer experiences.
Despite this link, Clark says many organisations lack a “joined up approach,” to tackling customer and conduct risk.
“They won’t necessarily recognise these risks in the same way they recognise other risks types, like market liquidity or credit risk,” he says.
As companies look to compete, grow their markets, expand internationally or quickly acquire skillsets, the risk of being in multiple locations and taking on board conduct and culture through strategic partnerships with other organisations increases.
“The risks the organisations face will not be consistent,” Clark says. “At the bleeding edge of the product (e.g. in financial services), we will see new risks introduced. So if they are partnering with a fintech start-up or an established organisation, the traditional market risks will apply, but the nature of the propositions means that the products could be composites of several parts of a business, or several businesses. This will add to the complexity of the risks associated with those products.”
Technology will increasingly become a double-edged sword for managing conduct risk. On one side, technology offers the risk function insightful data and analytics capabilities, helping it to monitor risk more robustly than the manual approach of the past. On the other, it introduces unprecedented risks.
“The risk function must quickly understand the benefits and the limitations of new technology,” Munro says.
Clark says risk functions will need to review how customers are interacting with technology platforms, and review all the points where risk could infiltrate.
“In a simple insurance product, there are probably only two or three times in the customer journey when they actually have a personal interaction with the insurer,” he says.
Technology platforms that are set up to entice customers could trigger a previously unexpected conduct risk issue, particularly when it comes to signing up for products or services.
“The customer can tick a box that says they have read a particular document, but have they actually read it? Are they more or less likely to read it in a digital environment? How many customers just tick ‘accept’ without reading the terms and conditions at renewal stage?” Clark says.
He calls this “click-through risk”.
“In the digital sales process, it feels quite virtual, yet customers are actually making important decisions which have a big impact,” he says.
While risk functions continually strive to achieve a holistic view of risk culture and conduct risk, they are working within the confines of cost and resources.
“A challenge faced by the banks and many other organisations is to do more with less. They have to manage more complicated risks, more effectively, with less cost, and likely with less people,” Munro says.
Clark adds that the risk function must become more diverse in its capabilities, and avoid having risk professionals operating in silos.
“It will need to be more changeable with more flexible people in it,” he says. “People who traditionally identify as ‘I am a credit risk professional’, or ‘I am a market risk professional’, are going to have to be a lot more comfortable addressing risks outside of their vertical.”
Munro says this means risk professionals will need to be both “broad and deep” in their knowledge, exploring how different risks are connected. The risk function will have to expand its view outside of just being a control function, to also be a business partner.
Despite the extra complexities faced by the risk function, it must innovate without dramatically boosting costs or resources. Clark says technology is one combatant, as is adopting a ‘principles approach’.
“Overarching principles can guide risk management processes and people, and the risk function can apply them in a variety of contexts. To be broad and deep, you need to take a principles oriented view – it offers a consistent way to think holistically,” Clark says.
In summary, preventing conduct and culture risk in a competitive, digitised and global world will require innovation and pro-activeness from the risk function, and support from the organisation more broadly.
“It’s about being agile, and it is setting up the organisation to look towards the horizon to prepare for what is happening,” Munro says. “The risk function of the future must be more curious and adaptable.”
The risk function is benefiting, but also facing unprecedented risks from new technologies. Find out more in our article Risk and technology – change from all angles.