Data is becoming more important the more technologically advanced we become. For financial services firms, the myriad of data they have can give great insights into the performance of the business and the conduct of its staff. Yet, are we really maximising our data as a tool for identifying and preventing misconduct?
Irrespective of size and maturity, it is critical that all organisations ask themselves the following questions:
- Does senior management really receive the non-financial information that provides an insight into the conduct of their employees?
- Does the data offer full coverage of the conduct risks faced by the business?
- Is that data properly analysed and is it clear on the messages it is providing?
- Does the data consider internal and external data and data from all lines of defence?
- Does the data lead to the assessment of potential exposures as well as known issues?
- Is management provided with information from which they can make commercial and risk decisions?
It is a common challenge that boards either do not get enough relevant information about non-financial risk, or get overwhelmed with voluminous packs of data. Commonly, the focus is purely on financial measures and regulatory issues – a topic that has been called out specifically in recent regulatory investigations. However, as easy as it sounds, developing a set of relevant, structured information that actually improves governance and drives preventative risk management is challenging and requires organisations to think about:
- what this actually means in practice;
- what sort of information is actually relevant; and
- how information can be collected and synthesised in a comprehensible, repeatable format.
It is up to organisations to determine what they want to produce and for whom. Much of this will be determined by the nature of business activities, scale of the entity and key risk exposures. Irrespective of size and scale, it is important to consider all elements of the customer lifecycle, as well as product and internal control performance. The nature of the information will be different for every entity, but a common theme is the need to ensure that the data provides clear insight into the current and emerging risks, as well as current issues, conduct-related weaknesses and other factors that may give an indication of cultural weakness. Achieving this will require looking holistically at the available data and making decisions as to what is suitable. It may also include developing new information sources. The biggest mistake is not truly understanding what the data is saying in the context of risk and not blending data into a proper story and set of decision points.
There are, however, a number of challenges to achieving this.
- It is easy to "pigeon hole" data to fit specific outcomes. For example, there is commonly little use of product performance in considering conduct risk, but a lot of information on sales issues. As such, the link between sales practices and product performance can be overlooked.
- The data can be heavily focused on that produced by "control" functions (e.g. supervision, compliance and risk). If so, it becomes a summary of issues, rather than risk identification.
- The data can be voluminous, meaning that the relationships between certain data points cannot be analysed, making it hard to make risk-based decisions at management level.
- Tolerances are sometimes set without context to actual risk, limiting the ability to make accurate risk-based decisions.
Identifying, analysing and producing non-financial data is critical in delivering a preventative risk culture and supporting management in discharging their responsibilities. However, simplicity and clarity of purpose is key. Has your organisation got effective conduct risk metrics in place or a plan to develop them?