Conduct risk frameworks: design principles and common gaps

Conduct risk — the risk that the behaviour of a firm or its employees will result in consumer detriment, market disruption, or reputational damage — has been a central supervisory concern of the FCA since the post-financial crisis era. The FCA's focus has evolved from individual mis-selling cases to systemic conduct risk, and from retrospective enforcement to prospective identification and prevention of harm. The introduction of the Senior Managers and Certification Regime (SMCR) and the Consumer Duty has given the conduct risk framework new formal architecture, but the core challenge remains: designing a framework that actually changes behaviour, rather than one that generates compliance documentation without affecting how decisions are made at the front line.

The most effective conduct risk frameworks are built around a clear articulation of the conduct risks specific to the firm's business model — not a generic list of conduct risk categories copied from industry guidance. This requires a conduct risk assessment process that considers: the nature of the products and services the firm provides and the potential for harm in each; the characteristics of the customer base, including vulnerability and financial sophistication; the incentive structures that drive front-office behaviour and whether they create conduct risk; the quality of management information about customer outcomes; and the culture and governance environment in which conduct decisions are made. A conduct risk framework that identifies 'mis-selling' as a risk without identifying which features of the firm's products, distribution channels, and incentive structures create that risk is not a genuine risk assessment.

Integration with governance is essential. The conduct risk framework must feed into the firm's three lines of defence structure in a meaningful way: the first line must own conduct risk in its business areas and have access to conduct risk data that supports genuine oversight; the second line compliance function must have the independence, authority, and resources to challenge conduct risk and require remediation; and internal audit must test the effectiveness of conduct risk controls as part of its risk-based audit programme. Conduct risk committees, where they exist, should be genuinely empowered rather than being forums for passive information sharing.

A persistent gap in many firms' conduct risk frameworks is the quality of conduct risk data and management information (MI). Effective conduct risk management requires access to data about customer outcomes — complaints, cancellation rates, arrears rates, product usage patterns, suitability assessment quality, and outcomes for different customer segments. Many firms have adequate policies but inadequate data infrastructure to monitor whether conduct risk is actually being controlled. Investment in conduct risk MI — including the data systems, analytical capabilities, and reporting frameworks needed to turn raw customer data into actionable conduct risk insight — is as important as investment in policy documentation.

Culture as a conduct risk indicator

The FCA's assessment of a firm's culture — its values, behaviours, and leadership — is increasingly central to its supervisory approach. Firms where senior leaders demonstrate that commercial results take priority over customer interests, where compliance is treated as an obstacle rather than an enabler, or where concerns raised through whistleblowing or speak-up channels are not acted on, present a materially elevated conduct risk profile. Boards should consider whether their governance processes give them genuine visibility of cultural health — through employee surveys, exit interview data, speak-up reports, and management information — rather than curated presentations of a sanitised version of cultural reality.