Conduct Risk Framework – what the FCA expects

Conduct risk continues to be a focus for the FCA. As it is not an FCA defined term, firms need to understand what it means. The FCA expects firms to develop their own conduct risk definition and strategies and put in place a tailored conduct risk framework to address the specific risks that their business is exposed to.

The FCA introduced the 5 Conduct Questions programme in 2015 for the leading wholesale banking firms operating in the UK and subsequently published feedback papers in 2018 and 2019.

The five questions were:

  1. What proactive steps does the firm take to identify conduct risks in its business? 
  2. How does the firm encourage people in front, middle, back office, control and support functions to feel responsible for managing conduct?
  3. What support does the firm put in place to help its people improve the conduct of their business or function?
  4. How does the firm’s board and executive committee get oversight of conduct in the organisation? And how do employees bring information into their discussions?
  5. Has the firm looked at where there are any business activities it is engaged in that undermine its work to improve conduct?

The 2019/20 Business Plan sets out the FCA’s overall objective of improving the way financial markets operate with respect to the protection of consumers, the integrity of markets and the promotion of competition. Among other things, the 5 Conduct Questions programme clearly supports the FCA’s cross-sector efforts on firms’ culture and governance.

What is conduct risk?

Conduct risk is broadly defined as any action of a regulated firm or individual that leads to customer detriment or has an adverse effect on market stability or effective competition. These are a reflection of the FCA’s three statutory objectives:

  • Protect consumers – securing an appropriate degree of protection
  • Protect financial markets – protect and enhance the integrity of the UK financial system
  • Promote competition – promote effective competition in the interests of consumers

Firms should seek good behaviour across all aspects of their organisation and develop a culture in which it is clear that there is no room for misconduct. Although treating customers fairly (TCF) has long been part of the retail regulatory framework, conduct risk should not be seen as merely an extension of this. Linked to this is the commonly held misconception that conduct risk is only a retail client issue.

Firms need to consider what conduct risk means and ensure that there is a consistent definition and understanding throughout all levels of the firm including overseas entities.

How should firms identify the key conduct risks within the business?

Conduct risk drivers stem from a firm’s structures and behaviours, which could create a risk of harm to consumers or market integrity. Firms that understand the drivers of conduct risk can better judge whether their conduct risk frameworks are robust enough to mitigate the risk of harm originating from their activities or individual behaviours. Firms need to consider:

  • The conduct risks that the firm is exposed to. Examples of key risks may include insider dealing, conflicts of interest, product design or mis-selling through inappropriate incentive and bonus schemes;
  • The controls in place to monitor and mitigate these risks on an on-going basis, and how the firm will ensure that these controls remain fit for purpose;
  • Changes that need to be made within the organisation from a cultural/values perspective and how these can be tracked; and
  • The periodic refreshment of the conduct risk assessment.

We recommend a gap analysis be conducted to assess any additional controls that need to be put in place, to ensure that all risks are mitigated prior to putting in place a conduct risk assessment. Conduct risks need to be treated separately from other types of risk such as market and operational risk.


A clear relationship between conduct risk and business strategy should be established. The FCA expects firms to be able to demonstrate and evidence how conduct risk matters are driving business strategy and decision making.

Questions which need to be asked are:

  • What is the firm looking to achieve from a conduct risk perspective; and
  • What does success look like?

Risk Appetite

The overall risk appetite for conduct risk should be informed by the key outcomes from the conduct risk assessment and the firm’s conduct risk strategy. We recommend linking the risk appetite to the FCA’s key objectives of good customer outcomes and market integrity.

Governance and Accountability

A firm which has poor governance arrangements cannot effectively identify and mitigate risks of harm caused by its business activities. For example, if a firm has many layers of management and committees which receive similar and overlapping Management Information (MI), it may be difficult to ensure that risks identified through reporting are being addressed correctly. Additionally, effective oversight in terms of how issues are being handled and by whom needs consideration. Firms may want to appoint a specific Conduct Risk Committee.

Conflicts of interest

A review of the business models and the assessment of potential conflicts of interest that may be present should be carried out. Areas to focus on could be:

  • The existence of a vertically integrated business model;
  • The manufacture and distribution of products;
  • Staff incentive schemes; and
  • The firm’s PA dealing policy.

Systems and controls

A firm which has inadequate systems and controls cannot effectively identify risks of harm caused by its activities. MI is a key form of control and, if not designed properly, can lead to risks not being properly identified. Senior management needs to keep the design of MI under regular review to ensure that it continues to be fit for purpose in highlighting risk areas. Training is another important form of control and rather than adopting a tick box approach, the FCA expects firms to develop training in order to embed awareness of conduct risk at all levels of the organisation. The Senior Managers and Certification Regime aims to strengthen accountability and provides firms with a great opportunity to roll out new conduct risk training programmes to all staff so that they truly understand the risks attached to their specific roles and how they should behave.

Business model

A firm’s business model can itself be a driver for conduct risk, for example in the design and delivery of products/services. For example, consumers’ search for yield in a low interest rate environment often encourages firms to try to design more complex and risky products to meet this demand. But that may present key conduct risks, like consumers not fully understanding the products, which in themselves are wholly unsuitable.


A key indicator of culture is the tone from the top:

  • Senior management must act in accordance with the firm’s policies and procedures;
  • Senior management should not reward bad behaviour which can come about through employee remuneration set against financial targets only;
  • A blame culture when things go wrong can often discourage people from speaking up and admitting they have made a mistake, thereby preventing problems from being rectified;
  • Employees turning a blind eye to misconduct in the workplace for fear of speaking up; and
  • Elements of indecision within the firm, where difficult decisions are put off. This can lead to long-running failings not being addressed through prompt and decisive action.

Firms should seek to promote good behaviour across all aspects of their organisation and develop a culture in which it is clear that there is no room for misconduct. Although TCF has long been part of the retail regulatory framework, Conduct Risk should not be seen as merely an extension of this.

How we can help

If you are creating or reviewing the conduct risk framework within your firm and would like us to review or to assist, please contact us to discuss. We offer a number of services including gap analysis, implementation of conduct risk frameworks and management information packs.