Conduct risk is the threat of financial loss to an organization caused by the poor judgment of managers and employees. Conduct risk management gained more attention in the corporate sector, and especially the financial field, after it was revealed that unethical behavior was a primary cause of the 2007 global financial crisis.
A sound governance framework should help drive a positive culture that makes compliance and ethical behavior a responsibility for every employee, at all levels. Rather than measuring or providing an opinion on culture, internal auditors are increasingly including substantive testing of culture, holding a mirror up to the organization on what staff have shared confidentially within each individual audit and across multiple audits throughout the organization.
As the third line of defense, internal audit provides an independent and end-to-end view on how those at the first line (business units) are encouraging and promoting the appropriate culture, and how the second line (risk and compliance) is monitoring and challenging the organization to keep on the right path.
Traditionally, internal audit (IA) has focused on providing assurance with respect to known risks and the effectiveness of controls in mitigating those risks. Regulators, however, are increasingly interested in an organization’s ability to identify blind spots, unknown risks, and other vulnerabilities that may undermine the integrity of the risk management environment, including the risk of misconduct.
When we talk about ‘conduct risk’ we often go on to describe the risk of customer or client product controls failing, or maybe, 'treating customers unfairly'. And, as we know, conduct is on the radar of regulators, leading to penalties or even delicensing. This course leads you through strategies for auditing this subject.
Who should attend?
The course is open to all.
What will I learn?
Upon completion you will be able to:
- Identify and define the difference between conduct risk and other types of risk
- Understand how conduct risk can be qualitatively or quantitatively measured
- Undertake an audit of conduct and culture risk within your organization
- About conduct risk
  - What constitutes conduct risk – what is different about conduct risk?
  - Can you define and measure conduct risk?
  - Is auditing conduct risk any different from auditing any other type of risk?
- Auditing conduct risk
  - Are we considering the interests of our customers and treating them fairly?
  - Can we prove we have a culture that supports customer interests?
  - How do we differentiate between high- and low-risk customer products?
  - Who challenges products from the customer's perspective?
  - How are products shaped to meet customers' expectations?
  - Are our controls proportionate to risk levels?
  - How do we incentivise product sales and deployment?
  - Do we ensure that products are correctly described for defined customer profiles?
  - Do third parties market, sell or distribute our products?
  - How do we control third parties?
  - Do we have appropriate ongoing product service arrangements for our customers?
  - How do we process claims and complaints?
  - Is conduct risk reassessed at routine intervals or when business strategy changes?
  - Do we perform stress scenario analysis and challenge against our products?