Leveraging RegTech to Eliminate Conduct Risk Blind Spots
Conduct risk is a form of business risk that refers to potential misconduct of individuals associated with a firm, including employees, third-party vendors, customers or agents interacting with the firm.
Conduct risk is typically associated with human misbehavior, unlike many other forms of business risk, such as a major network outage caused by systemic failure. Conduct risk poses a growing threat to companies across industries and jurisdictions because regulators are increasingly holding senior managers accountable for the actions of individuals associated with a firm.
Regulators are making conduct risk a top examination and enforcement priority. For instance, U.S. Securities and Exchange Commission (SEC) Rule 204A-1 under the Advisers Act (the “Code of Ethics Rule”), which requires registrants to establish a standard of business conduct of all supervised persons, was one of the top areas of deficiency the agency identified in 2017. The U.K. Financial Conduct Authority (FCA) is now expanding its Senior Managers and Certification Regime (SMCR) to hold more individuals across a broader base of financial institutions accountable for their conduct.
Areas of conduct risk that most commonly occur include conflicts of interest, such as improper trading or incentive practices. The forms of misconduct that are most harmful to a firm include deliberate malfeasance, repeated infractions, or isolated breaches coupled with aggravating factors, such as injury. In some cases, a breach entails collusion among perpetrators across enterprise bounds, such as an employee working with a third-party to induce a transaction, or the sharing of material non-public information (MNPI) in advance of a transaction.
To be sure, most employees try earnestly to adhere to their organization’s conduct policies. But it takes just one unexpected infraction to damage a company’s brand and bottom line—sometimes irreparably. On top of the harm to individuals, the impact of a conduct breach can be exponentially compounded by financial and other penalties, reputational harm and regulatory sanctions.
To avoid increasingly costly fines and censure, many firms rely on compliance professionals to develop and manage codes of conduct for related entities. The most common examples are Employee Code of Ethics (often also referred to as Conduct Policies or Code of Conduct) and Supplier Code of Conduct. Qualified compliance professionals have the expertise to keep policies, procedures and documentation current as rules and regulations change. But they typically lack the technical skills needed to manage systems and data, which are an indispensable means of breaking organizational silos to connect people, processes and policies.
Moreover, it is simply not possible for compliance professionals to be privy to each and every business interaction. The compliance and senior management teams must rely on the “tone from the middle,” that critical middle layer of executive management that interacts directly with supervised persons. Furthermore, there often are blind spots across physically dispersed management teams or teams that operate differently from one another, especially insular teams that operate separately from others in the organization.
Indeed, especially in mid-tier and large companies, the left hand often does not know what the right hand is doing. For instance, an employee might be planning to give a gift to an executive at a company that, unbeknownst to the employee, is an acquisition target. A gift that would otherwise be an acceptable form of business courtesy could thus be considered a form of bribery post-merger.
To avoid increasingly costly fines and censure, a growing number of firms are using software to better manage conduct risk. Such solutions help firms track and monitor conduct-related compliance process flows, with a centralized command control dashboard, behavioral risk scoring, document management, reporting, alerts as well as comprehensive approvals processing.
Conduct risk management systems demonstrate to regulators that a company is serious about monitoring its supervised persons, and can be used in defense of a conduct breach—which can occur in even the most thoughtfully safeguarded organizations.
However, such systems are only as good as the data that nourishes them.
The moment a compliance procedure is introduced is the optimal time to define the data needed to monitor the procedure, and how it can be systematically mapped to monitorable controls before committing to the procedure. But it’s never too late to centralize and cross-reference data to eliminate conduct risk blind spots—even data in distributed data stores.
Automating process flows with relevant conduct data not only mitigates risk but offers a host of operational benefits. For instance, it reduces the manpower needed to manage compliance while tempering the impact of employee turnover.
When data and systems are configured to cross-reference the actions of supervised persons against a company’s policies and procedures, the supervisory and compliance teams can instantly view and share conduct risk insight even as compliance professionals come and go over time.
Without the ability to centrally manage conduct risk data, even leading firms that pride themselves on promoting cultures of compliance can easily overlook misconduct that could have been curtailed. Conversely, centralizing and cross-referencing conduct risk data enables firms to empower people and processes with richer, more sophisticated tools to better manage compliance.