The Culture of Risk
The importance of managing conduct risk and maintaining an effective risk culture across the business and operating model of the financial services sector

Private and confidential | May 2016

Contents

1. Introduction
2. Structuring the conduct risk framework
3. Establishing the risk culture in the operating model

1. Introduction

The emergence of conduct risk and its impact on the cultural norms since the financial crisis

Since the financial crisis of 2008-2009, financial institutions across the world have been facing financial and reputational difficulties. The cultural foundation and failure in maintaining an effective risk culture is considered a major driver for the failure of banks. The last few years have highlighted various scandals not just in India, but from around the world – from the recent advance export remittance scandal in India to the LIBOR fixing scandals in the global markets – which highlight how banks are unable to remediate. This has culminated in reputational damage, regulatory fines, and penalties. Moreover, a major impact on unhealthy cultural norms has led to a loss of public trust. The 2016 Edelman Trust Barometer report illustrated the public’s lack of interest in financial service institutions as compared with other institutions from the technology, energy, and pharmaceutical industries respectively. While efforts have been made by the financial services regulators, banks and financial institutions to improve public perception and trust, the financial services industry continues to lag behind its peers from other industries.

[Chart: public trust by industry, 2012–2016 – Technology, F&B, Consumer Goods, Telecommunications, Automotive, Energy, Pharmaceutical, Financial Services. Source: 2016 Edelman Trust Barometer – Respondents were asked how much they trust to do what is right. 2016 witnessed an improvement in public trust on financial services; however, it continues to lag behind other industries.]

Areas of potential conduct risk

Conduct risk cannot be pinpointed to a single function or business of a financial institution as it can run deep within the business and operating model if not addressed effectively. A summary of the typical areas where conduct risk arises in a financial institution is given below:
• Improper customer on-boarding practices
• Inadequate transparency in fees and charges
• Fraudulent activities
• Insider trading/ front-running/ rogue trading
• Improper financial advice to customers
• Collusion with market participants
• Inaccurate financial and regulatory disclosures
• Mis-selling financial products
• Tax avoidance

It is therefore imperative for financial institutions to establish a risk culture that not only addresses the risk of misconduct but also highlights clear accountability of actions through a preventive approach.

Given the persistent issues around maintaining an effective culture, there have been several global initiatives by financial services regulators and industry bodies to address the issue of ‘Conduct Risk’ or ‘Misconduct Risk’. These are often considered as the risk that a financial institution is not dealing and engaging in fair practices to customers, to the regulator, to market participants, and overall to the global markets. Further, several bodies such as the Group of Thirty, the Financial Stability Board, the IOSCO, the European Board, and the Basel Committee have recognized conduct risk to be of significant importance to the overall systemic stability of the financial markets. Furthermore, the February 2015 Financial Stability Board’s letter to the G20 Finance Ministers and Central Governors highlighted that ‘the scale of misconduct in some financial institutions has risen to a level that has the potential to create systemic risks. Fundamentally, it threatens to undermine trust in financial institutions and markets, thereby limiting some of the hard-won benefits of the initial reforms… The FSB will consider reforms to reduce the likelihood of misconduct including by a) assessing reforms to risk governance, compensation structures and benchmarks and, where appropriate, proposing additional measures in these areas and b) considering ways to improve market structure, standards of practice and incentives for good conduct in financial markets more broadly.’

2. Structuring the conduct risk framework

Conduct risk – A new approach to ‘Treat Customers Fairly’ (‘TCF’)

Traditional TCF approach used by global financial services companies:
• Confidence of customers when dealing with firms where fair treatment of customers is central to the corporate culture
• Marketing and sale of financial products to be designed to meet the needs of the identified customer groups
• Advice provided to the customer takes into account the customer information and circumstances
• Transparency and appropriateness of information provided to the customer, during point of sale and after sale
• Financial products sold to customers are expected to perform as expected by the customer and standards of the provider
• Minimization of post sale barriers imposed by the financial service provider to change product, switch provider, submit a claim or make a complaint

Embedding the TCF into the drivers of ‘Conduct Risk’ of the company:
• Inherent factors – Information asymmetries, biases and inadequate financial capacity
• Structures and behaviour – Ineffective competition, culture and incentives and conflicts of interest
• Environmental factors – Economic, regulatory and technological change trends

Essential components for addressing conduct risk

1. Defining the conduct risk strategy
• Summarizing the corporate strategy in terms of growth areas, priorities regarding existing customers, distribution model and organization competencies
• Establishing the risks of misconduct which emanate from the strategy
• Clearly specifying the target outcomes in relation to each conduct risk i.e. – what does good look like?
• Measures of whether the conduct risk strategy is successful or not are defined

2. Developing the conduct risk framework
• Framework that clearly references and appropriately covers the conduct risks faced by the firm (i.e. people, process, system and external events)
• Objectively defining the components of the conduct risk framework across the three lines of defense and structuring a defined communication plan
• Roles and responsibilities in relation to the implementation of and compliance with the framework

3. Developing the Conduct Risk Policy
• Comprises:
‒ Firm’s conduct risk strategy and objectives
‒ Firm’s conduct risk universe across the operating model
‒ Tools and processes for the management of conduct risks
‒ Governance arrangements that are in place for oversight of conduct risk and associated reporting framework
‒ Board mandate in relation to conduct risk

4. Establishing the conduct risk appetite
• Conduct risk appetite gives consideration to the whole customer lifecycle
• Each statement is specific enough so that it is not open to misinterpretation
• Takes into account the firm’s strategy and key output of the conduct risk framework
• Qualitative and quantitative measures for monitoring performance of the risk appetite

Source: Deloitte perspective on Conduct risk – developing and maintaining an effective framework

Integrating stakeholder management with internal conduct risk framework of the firm

The initiative to deal fairly with external stakeholders has existed since the time banks and financial institutions were created. The Financial Conduct Authority (‘FCA’) of the United Kingdom, in 2006, summarized the six approaches that banks and financial institutions must maintain with their customers and external stakeholders. Similarly, banks and financial institutions in India, too, maintained similar practices with customers and external stakeholders which were driven either through regulatory directives or self-maintained codes of fair practices.

While these approaches continue to be applicable today, dealing with conduct risk requires a firm to embed it within their internal risk framework so as to bring about a) accountability and, b) monitor it strategically to avoid reputational or financial impact on the business of the firm. Conduct risk forms an essential part of the firm’s risk universe whereby the risk factors include the following:
• information asymmetries across various groups within the firm with the external stakeholders
• not dealing with internal conflicts of interest or lack of incentives around doing the right thing, and
• responding to external and environmental change emanating from the economy, the financial markets, technological disruptions, and changing market dynamics

The conduct risk framework remains an essential component of the firm’s overall framework – it is the arm that caters to dealing with external stakeholders and embeds in it the manner in which the desired brand recall and reputation of the firm is to be established with the external stakeholders. Various foreign banks today have enhanced their brand and values committee to factor in conduct management and re-establish it as a ‘Conduct Risk Committee’ so as to constantly monitor reputational vulnerabilities and behaviours expressed by the employees of the firm with the external stakeholders.

Establishing the right manner in dealing with conduct risk requires a consistent approach to address it. An essential component required to cater to the consistency is the ‘conduct risk strategy’. This strategy highlights the strategic directives to manage conduct risk and also specifies the governance and oversight or manner in which the ‘tone at the top’ is established by the Board of Directors and senior management of the financial institution to arrive at; for example – ‘What does good behaviour look like for our firm?’ and ‘What do we need to communicate internally and externally on our tolerance to misconduct and poor behaviour?’.

In summary, the conduct risk strategy also establishes the manner in which the conduct risk management framework is to be established within the financial institution. Consequently, developing the conduct risk framework essentially deals with the following things:
• identifying the various exposures to misconduct that the financial institution can express internally and externally,
• the channels and platforms across the three lines of defence of the firm in which poor behaviour can be expressed, and
• the manner in which these risk exposures need to be addressed so as to ensure minimal-to-no form of gap identified across the operating model when dealing with conduct risk.

3. Establishing the risk culture in the operating model

Establishing the components for dealing with conduct risk, structuring roles and responsibilities, and defining compliance measures for stakeholders responsible in managing conduct risk across these three lines of defence are critical success factors for maintaining an effective conduct risk management framework.

[Figure: Deloitte’s framework for the three-lines of defence model for an effective enterprise risk management framework – each framework component is mapped across the third, second and first lines of defense]
• Governance – Remuneration, Leadership, Effectiveness, Accountability, relationship with stakeholders, Clarity across three lines of defense, Evaluation, Risk culture and external environment conditions
• Strategy and Appetite – Risk appetite statement, Risk transfer, Risk limits
• Policies – Enterprise risk policies, Product specific policies, People policies, Governance and compliance policies, Specific risk policies/ guidelines
• Processes and Controls – Risk identification and categorization, Risk mitigation, Risk reporting and monitoring, Risk measurement, aggregation and prioritization, Internal and concurrent audit plans, Training and knowledge
• Systems – Risk models for capital and stress testing, Enterprise-wide risk management system, Local risk management system, Transaction recording and processing systems

Source: Deloitte’s framework for the three-lines of defence model for an effective enterprise risk management framework

Challenges in maintaining an effective risk culture
• Poor risk governance – Unclear governance structures and unclear or poorly defined risk appetite with supporting metrics for monitoring conduct risk metrics
• Inadequate metric monitoring – Metrics without clearly defined tolerances or clear trail back to source data; poorly defined measures and acceptance of performance in terms of delivery of and customer outcomes
• Unstructured firm behaviour – Lack of understanding of the required behaviour across the firm; not undertaking root cause analysis and addressing issues on a proactive basis
• Barriers in establishing an effective risk culture – Lack of robust outcomes testing in the first line of defense; 2nd line assurance often undertaking first line activity
• Market focus – Lack of focus organizationally on target market and design of products to suit customer needs
• Management quality – Inadequate skills, knowledge and experience within the senior management teams

When undergoing the risk transformation of the operating model to strengthen the risk culture and governance within the financial institution, it is essential to identify the existing challenges around the current form of risk governance maintained within the firm. Challenges can stem from poor risk governance, management quality, market focus, firm behaviour, effective monitoring, or duplication of efforts across the three lines of defence.

Defining the culture

The November 2015 Group of Thirty report on ‘Banking Conduct and Culture’ defines culture as ‘the mechanism that delivers the values and behaviours that shape conduct and contribute to creating trust in banks and a positive reputation for banks among key stakeholders, both internal and external.’ Culture is considered as the standardized framework for establishing ethical behaviour and sound business practices. Culture is required to be maintained at the firm, management and individual levels.

The culture of risk of a financial institution becomes the USP to an external stakeholder and the DNA of the internal stakeholders; establishing the risk culture and governance is thus of paramount importance and must be dealt with in the right manner.

Operationalizing the conduct risk management framework can be performed only with the establishment of a conduct risk policy. The policy brings together the following things:
• the mandate from the Board and strategic direction of the firm around managing risks of misconduct,
• the governance framework and components of the conduct risk management framework that are required to be deployed across the three lines of defence
• the operating model of the firm

The policy also covers the kind of tools, metrics and processes required for enabling a consistent approach to address conduct risk throughout the operating model.

Establishing a consistent approach to conduct risk at each area within the operating model can be performed by way of the conduct risk appetite framework. The risk appetite statement demonstrates the manner in which the identified internal stakeholder, for a particular function within the operating model, addresses conduct risk and implements the mandates of the conduct risk policy within their daily operations. This statement allows for consistent deployment and removes any exposure to mis-interpretation around the implementation of the firm’s conduct risk strategy. Quantitative and qualitative approaches towards measuring and monitoring the effectiveness of the conduct risk strategy are documented within the risk appetite statement and approved by the Board of Directors of the firm.

Defining the elements required to maintain an effective culture

To establish an effective culture within the financial institution, it is important to identify the key elements that would help define the desired culture of the organization. Typically, there are four key elements that help devise the culture of an organization.

The importance of a risk-intelligent culture

Prior to the financial crisis, the risk culture of a financial institution was reactive in approach where the rigor and frequency of review was driven by the prevalence of reported risk events and issues. Intervention by compliance and key management stakeholders was only in case of specific issues that were driven either by external events impacting the financial institution or an intimation from the regulator.

[Figure: the four key elements of culture]
Ethics and Behaviour
• Ethics relates to the manner in which the culture is established. An ethical culture highlights cognizance with stakeholder requirements and addressing them on a fair and consistent basis
• Behaviour relates to the approach in which the culture is required to be executed.
Values and Strategy
• Setting the ‘tone at the top’ with respect to the kind of perception that needs to be maintained with the internal and external stakeholders
• Establishing strategies that align with the values of the establishment
Risk Intelligence
• Continuous surveillance of potential exposure to misconduct and non-compliance
• Anticipating and addressing vulnerabilities to fraud and unethical behaviour early
• Anticipating and aligning the culture in a dynamic regulatory environment.
Tolerance
• Minimizing tolerance where strategy does not align with the value of the firm
• Highlighting and communicating low tolerance to activities that expose the firm to conduct risk
• Penalizing actions that cause the firm to be exposed to conduct risk and negative perception from the stakeholders

1. Ethics and behaviour – Ethics define the manner in which the desired culture is to be maintained within an organization. This would refer to the ways in dealing with stakeholders, the transparency required to increase trust, and the method in which stakeholder management is to be responded to. The demonstration of action would be the behaviour of the firm with the internal and external stakeholders.
2. Values and strategy – A key requirement for establishing an effective culture within the firm is the manner in which the ‘tone at the top’ is established. It is the way in which the Board and senior management addresses their firm towards culture and compliance. The manner in which the tone at the top is established typically emerges from the strategic directives of the senior management of the firm.
3. Risk intelligence – It serves as the monitoring or surveillance function for anticipating and addressing risks of misconduct on a preventive basis in order to protect the firm from any vulnerabilities around non-compliance, fraud and general market behaviour.
4. Tolerance – Tolerance demonstrates the acceptance levels of the Board and senior management on demonstrated actions and behaviours that cause misconduct and which may threaten the financial institution from a financial, regulatory or reputational perspective. It is imperative that tolerance be communicated throughout the operating model so as to demonstrate the desired culture to be established within the financial institution.

[Figure: trends in the risk and compliance culture]
Pre 2011 trends
• Limited and sporadic regulatory compliance
• Reactive risk and compliance culture
• Silo approach towards risk, compliance and audit
• Compliance intervention only in case of specific audit issues
• Move towards compliance self-assessment and exception reporting systems
2011 – 2014 trends
• Implementation of compliance testing technologies and programs
• Extensive use of oversight tools
• Automation of regulatory reporting
• Close integration between risk, compliance and audit framework
• Increased system-embedded control in transaction monitoring
• Move towards putting in place robust financial fraud & investigation units
2015 onwards
• Extensive use of data and analytics to support risk and compliance functions
• Early warning systems
• Transitioning towards a risk based supervision
• Embedding compliance within business functions
• Pre-emptive compliance and risk surveillance framework
• Robust transaction-based frameworks
• Leveraging GRC tools for efficient self-assessment

• The culture of risk and compliance today is expected to transform into a pre-emptive monitoring and surveillance function
• An effective way of transitioning towards a risk-intelligent culture is to become streamlined through increased work-flow based automation

The financial crisis caused banks and financial institutions to re-think their approach towards compliance and risk where the need to establish it within the first line of defence became a priority. As a result, since the financial crisis, banks and financial institutions have begun to transition towards a risk-intelligent approach where the emphasis on early-warning systems, integration between risk, compliance and audit, automation of reporting and monitoring activities has been integral within the culture of the financial institutions.

Transitioning towards a risk-intelligent culture within the operating model of a financial institution

An important feature while moving towards the establishment of a risk-intelligent culture is the manner in which the focus on risk and compliance events transforms: from a reactive basis, towards a policy-driven risk and compliance framework, enhancing the frequency and scope of risk monitoring towards finally arriving at a dynamic risk monitoring culture.

Moving across the risk culture maturity levels

Existing business imperatives and systemic limitations
Complex operational activities
• Legacy system landscape, reliance on manual controls and reconciliations
• Large scale transactional volumes
• Operational complexity and dependencies
• Complexities in the operating framework
• No central repository of policy/ risk/ regulatory requirements
• Lack of adequate monitoring of operational risks within the dealing room
• Siloed risk management function
• Unstructured testing
Infrastructure
• Existence of governance, risk and compliance infrastructure (‘GRC’) for ongoing monitoring
• Limitations of the GRC
• Cost escalation on account of duplication of effort
Complex Regulatory Environment
• Complex / overlapping regulatory requirements
• Regulatory expectation of pre-emptive risk management
• Need to monitor all changes to regulations and additions of new regulations
• Assess the impact of changes on the operational activities

Maturity Level I – Reactive risk culture
• Rigor and frequency of review driven by the prevalence of reported risk events/ issues
• Compliance evaluation based on inputs from the existing GRC, the central data warehouse and the transaction recording platforms
• Reliance on a central volume-based testing and controls framework leading to multiple adhoc reviews

Maturity Level II – Institutional risk and compliance management
• Framework institutionalized through a governance framework, policy-requirements and standard operating procedures
• Emphasis on embedding controls within the dealing processes for daily internal/ regulatory compliances
• Repository of regulatory requirements, existing risks and controls and regular testing to optimize the cost of compliance
• Gap self-assessments and repository of testing results
• Continuous updation of the evaluation parameters within the GRC

Maturity Level III – Risk-based compliance (risk enabled compliance management)
• High risk, high impact areas identified based on the evaluation of the results from the existing GRC framework
• Systemic risk surveillance framework instituted over and above the existing compliance self-assessments and testing
• Dynamic updation of risk scenarios and stress on early warning indicators

Stages of transformation of the risk culture
Reactive risk culture
‒ Focus on up-front remediation post risk or compliance event
‒ Multiple adhoc reviews and testing on documentations
Institutional risk and compliance culture
‒ Policy-driven risk and compliance framework
‒ Warehousing of operational and regulatory requirements/ controls and regular testing
‒ Focus enhanced to also cover low-frequency high-impact risk events
‒ Information ware-housing and static analysis
Risk-intelligent culture
‒ Dynamic risk monitoring framework
‒ Real-time data mining and financial surveillance
‒ Predictive analysis of risk-events

• The nature of risk culture among financial institutions in India is currently established within Maturity Level II with the objective towards achieving risk-based compliance.
• Creating a risk-intelligent culture within the dealing room by way of leveraging technology for a preventive surveillance system will be the cornerstone of future enhancements.


Key contacts

Muzammil Patel, Partner, Deloitte Touche Tohmatsu India LLP, [email protected], Phone: +91 99200 28365

Abhinava Bajpai, Partner, Deloitte Touche Tohmatsu India LLP, [email protected], Phone: +91 99676 59145

Rahul Murthi, Senior Manager, Deloitte Touche Tohmatsu India LLP, [email protected], Phone: +91 99200 12453

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.

This material is prepared by Deloitte Touche Tohmatsu India LLP (DTTILLP). This material (including any information contained in it) is intended to provide general information on a particular subject(s) and is not an exhaustive treatment of such subject(s) or a substitute for obtaining professional services or advice. This material may contain information sourced from publicly available information or other third party sources. DTTILLP does not independently verify any such sources and is not responsible for any loss whatsoever caused due to reliance placed on information sourced from such sources. None of DTTILLP, Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this material, rendering any kind of investment, legal or other professional advice or services. You should seek specific advice of the relevant professional(s) for these kinds of services. This material or information is not intended to be relied upon as the sole basis for any decision which may affect you or your business. Before making any decision or taking any action that might affect your personal finances or business, you should consult a qualified professional adviser.

No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person or entity by reason of access to, use of or reliance on, this material. By using this material or any information contained in it, the user accepts this entire notice and terms of use.

©2016 Deloitte Touche Tohmatsu India LLP. Member of Deloitte Touche Tohmatsu Limited

Deloitte Touche Tohmatsu India Private Limited (U74140MH1995PTC093339), a private company limited by shares, was converted into Deloitte Touche Tohmatsu India LLP, a limited liability partnership (LLP Identification No. AAE-8458), with effect from October 1, 2015.