Conduct Risk

What is Conduct Risk?

In May 2015, the Financial Stability Board (FSB) agreed a workplan on measures to reduce misconduct risk, covering:

(1) examining whether reforms to incentives, for instance to governance and compensation structures, are having sufficient effect on reducing misconduct;

(2) examining whether steps are needed to improve global standards of conduct in the fixed income, commodities and currency (FICC) markets; and

(3) coordinating reforms to major financial benchmarks.

Collectively, these efforts aim to strengthen the resilience of the financial system by raising expectations for, as well as awareness of, good practice standards of behaviour and conduct across markets and market participants.

Ethical conduct, and compliance with both the letter and spirit of applicable laws and regulations, is critical to public trust and confidence in the financial system. Misconduct is also relevant to prudential oversight as it can potentially affect the safety and soundness of a particular financial institution and result in financial and reputational costs to that firm.

Particularly severe patterns of misconduct can damage the efficient functioning of financial markets and may raise prudential concerns about broader risk management, governance and compensation practices. Furthermore, the erosion of trust in financial institutions and markets may pose even more far-reaching challenges for the financial system.

A number of post-crisis reforms are aimed, amongst other things, at strengthening incentives for good conduct. FSB jurisdictions have done much already to implement agreed reforms.

Compensation structures are important not only to provide incentives for sound risk taking, but also to disincentivise misconduct. The FSB agreed Principles and Standards for Compensation Practices in 2009, and monitors their implementation through its Compensation Monitoring Contact Group (CMCG). The FSB’s fourth progress report on implementation, published in November 2015, concluded that almost all FSB jurisdictions have now fully implemented the Principles and Standards for banks.

Both firms and supervisors are of the view that the existing tools, if appropriately calibrated and used in practice, should enable firms to more effectively prevent or deter misconduct. If applied rigorously, deferrals aligned with the time horizon of risks (particularly for employees in roles where the risks are harder to measure or will be realised over a longer time frame), as well as adjustments to variable pay (e.g. “zeroing out” current-year bonus if misconduct is detected, or ex post risk adjustments such as malus and clawback) can be effective in demonstrating a firm’s intent to take action in the event of misconduct.

However, the effectiveness of these mechanisms remains largely untested and more analysis is needed to assess whether tools such as malus and clawbacks are sufficiently developed and effectively used to deter conduct risks. Supervisors have only sparse information at this stage on the use of malus, and this is insufficient for them to properly assess whether there is any direct evidence that compensation has been appropriately adjusted in cases of misconduct. The evidence on the application of clawback to vested awards is even more scant given the scarcity of experience and jurisprudence, which is often due to legal impediments (mainly labour law and tax-related).

Establishing a more direct, transparent and immediate link between conduct issues and the award of variable remuneration could help to reduce the incidence of misconduct. The FSB, through its CMCG, will continue to collect information and examine the case for strengthening disincentives to misconduct through compensation-related tools and, if appropriate, will make proposals. In particular, the CMCG will continue its current study of malus and clawback practices and of the use of different instruments as an element of deferred compensation. If appropriate, it will make recommendations in the next progress report in 2017 on steps to incentivise better practices for significant firms, while recognising that individual jurisdictions may also want to consider application to a broader range of firms.

More generally, firms and supervisors point out that compensation is not the only tool for management to address misconduct. A combination of strong leadership and governance processes, robust risk and control environments independent from inappropriate influence by lines of business, and consideration of conduct-related performance when deciding upon promotion are seen as key drivers of firm culture. All these aspects, together with compensation awards, have an important role to play in demonstrating the extent of a firm’s intolerance for certain behaviour.

A strong governance framework is essential to determining the allocation of authority and responsibilities in a company, in particular its board and senior management; monitoring performance, including incentives and decision-making at all levels of the firm; and ensuring that employees in all parts of the institution conduct business in a legal and ethical manner.

The governance weaknesses exposed by events in recent years included weak processes for defining, detecting and addressing misconduct risks. Many of these weaknesses have been identified in the FSB thematic peer review of risk governance frameworks at banks, which also set out a list of sound practices.

Learning from the Annual Reports

Conduct Risk, important parts from the 2021 Annual Report, Scotiabank

Audit and Conduct Review Committee of the Board

This Committee assists the Board by providing oversight on the effectiveness of the Bank’s system of internal controls. The Committee oversees the integrity of the Bank’s consolidated financial statements and related quarterly results. This includes oversight of climate-change related disclosure as part of the Bank’s financial reporting of ESG matters, as well as the external auditor’s qualifications, independence and performance.

This Committee assists the Board in fulfilling its oversight responsibilities for setting standards of conduct and ethical behaviour, and the oversight of conduct review, risk culture and conduct risk management. The Committee also oversees the Bank’s compliance with legal and regulatory requirements, and oversees the Global Finance, Global Compliance and Audit Department functions at the Bank.

The Committee also oversees the independence of each of these control functions, including the effectiveness of the heads of these functions, as well as the functions themselves.

Human Capital and Compensation Committee of the Board

This Committee, in conjunction with the Risk Committee of the Board, satisfies itself that adequate procedures are in place to identify, assess and manage the risks (including conduct risk) associated with the Bank’s material compensation programs, and that such procedures are consistent with the Bank’s risk management programs. The Committee has further responsibilities relating to leadership, succession planning and total rewards.

Risk Culture

Effective risk management requires a strong, robust, and pervasive risk culture where every Bank employee is a risk manager and is responsible for managing risks.

The Bank’s risk culture is influenced by numerous factors including the interdependent relationship amongst the Bank’s risk governance structure, risk appetite, strategy, organizational culture, and risk management tools.

A strong risk culture is a key driver of conduct. It promotes behaviours that align to the Bank’s values and enables employees to identify risk taking activities that are beyond the established risk appetite.

The Bank’s Risk Culture program is based on four indicators of a strong risk culture:

1. Tone from the Top – Leading by example including clear and consistent communication on risk behaviour expectations, the importance of Scotiabank’s values, and fostering an environment where everyone has ownership and responsibility for “doing the right thing”.

2. Accountability – All employees are accountable for risk management. There is an environment of open communication where employees feel safe to speak up and raise concerns without fear of retaliation, and where there are consequences for not adhering to the desired behaviours.

3. Risk Management – Risk taking activities are consistent with the Bank’s strategies and risk appetite. Risk appetite considerations are embedded in key decision making processes.

4. People Management – Performance and compensation structures encourage desired behaviours and reinforce the Bank’s values and risk culture. Employees are rewarded for ‘how’ results are achieved in addition to ‘what’ is achieved.

Compliance Risk

Compliance Risk is the risk of an activity not being conducted in conformity with applicable laws, rules, regulations and prescribed practices (“regulatory requirements”), as well as compliance related internal policies and procedures, and ethical standards expected by regulators, customers, investors, employees and other stakeholders. Compliance Risk includes Regulatory Compliance Risk, Conduct Risk, and Privacy Risk.

The Bank conducts business in many jurisdictions around the world and provides a wide variety of financial products and services through its various lines of business and operations. It is subject to, and must comply with, many and frequently changing Regulations issued by governmental agencies, supervisory authorities and self-regulatory organizations in all the jurisdictions in which the Bank operates. The regulatory bar is constantly rising, with Regulations being more vigorously enforced and new Regulations being enacted. The bar of public expectations is also constantly rising. Regulators and customers expect that the Bank and its employees will operate its business in compliance with applicable laws and will refrain from unethical practices.

Compliance risk is managed on an enterprise-wide basis throughout the Bank via the operation of the Scotiabank Compliance Program (“the Program”), which is led by the Bank’s Chief Compliance Officer (CCO), who is responsible for overseeing Compliance Risk Management within the Bank. The CCO is responsible for assessing the adequacy of, adherence to and effectiveness of the Program; for the development and application of written compliance policies and procedures that are kept up to date and approved by senior management; for assessing and documenting compliance risks; and for developing and maintaining a written compliance training program. In each case this work is performed either directly or indirectly by other departments within the Bank in coordination with Global Compliance. This program and these ancillary activities are subject to the Audit Department’s periodic review to assess the effectiveness of the Program.

The Board-approved Compliance Risk Summary Framework describes the general policies and principles applicable to compliance risk management within Scotiabank and encompasses the Bank’s Regulatory Compliance Management Framework (RCMF) as contemplated by OSFI Guideline E-13. The Compliance Risk Summary Framework is an integral part of the enterprise-wide framework, policies and procedures that collectively articulate the Bank’s governance and control structure. Other more specifically focused compliance risk management policies and procedures may be developed within the Compliance Risk Summary Framework where necessary or appropriate.

Conduct Risk, important parts from the 2021 Annual Report, Citigroup Inc.

U.S. and non-U.S. regulators have been increasingly focused on “conduct risk,” a term used to describe the risks associated with behavior by employees and agents, including third parties, that could harm clients, customers, employees or the integrity of the markets, such as improperly creating, selling, marketing or managing products and services or improper incentive compensation programs with respect thereto, failures to safeguard a party’s personal information, or failures to identify and manage conflicts of interest.

In addition to the greater focus on conduct risk, the general heightened scrutiny and expectations from regulators could lead to investigations and other inquiries, as well as remediation requirements, more regulatory or other enforcement proceedings, civil litigation and higher compliance and other risks and costs.

Further, while Citi takes numerous steps to prevent and detect conduct by employees and agents that could potentially harm clients, customers, employees or the integrity of the markets, such behavior may not always be deterred or prevented. Banking regulators have also focused on the overall culture of financial services firms, including Citi.

In addition to regulatory restrictions or structural changes that could result from perceived deficiencies in Citi’s culture, such focus could also lead to additional regulatory proceedings. Furthermore, the severity of the remedies sought in legal and regulatory proceedings to which Citi is subject has remained elevated.

U.S. and certain non-U.S. governmental entities have increasingly brought criminal actions against, or have sought criminal convictions from, financial institutions and individual employees, and criminal prosecutors in the U.S. have increasingly sought and obtained criminal guilty pleas or deferred prosecution agreements against corporate entities and individuals and other criminal sanctions for those institutions and individuals.

These types of actions by U.S. and international governmental entities may, in the future, have significant collateral consequences for a financial institution, including loss of customers and business, and the inability to offer certain products or services and/or operate certain businesses.

Citi may be required to accept or be subject to similar types of criminal remedies, consent orders, sanctions, substantial fines and penalties, remediation and other financial costs or other requirements in the future, including for matters or practices not yet known to Citi, any of which could materially and negatively affect Citi’s businesses, business practices, financial condition or results of operations, require material changes in Citi’s operations or cause Citi reputational harm.

For Citi, effective risk management is of primary importance to its overall operations. Accordingly, Citi’s risk management process has been designed to monitor, evaluate and manage the principal risks it assumes in conducting its activities. Specifically, the activities that Citi engages in, and the risks those activities generate, must be consistent with Citi’s Mission and Value Proposition and the key principles that guide it, as well as Citi’s risk appetite.

Risk management must be built on a foundation of ethical culture. Under Citi’s Mission and Value Proposition, which was developed by its senior leadership and distributed throughout the Company, Citi strives to serve its clients as a trusted partner by responsibly providing financial services that enable growth and economic progress while earning and maintaining the public’s trust by constantly adhering to the highest ethical standards. As such, Citi asks all colleagues to ensure that their decisions pass three tests: they are in Citi’s clients’ interests, create economic value and are always systemically responsible.

In addition, Citi evaluates colleagues’ performance against behavioral expectations set out in Citi’s Leadership Principles, which were designed in part to effectuate Citi’s Mission and Value Proposition. Other culture-related efforts in connection with conduct risk, ethics and leadership, escalation and treating customers fairly help Citi to execute its Mission and Value Proposition.

Citi has established an Enterprise Risk Management (ERM) Framework to ensure that all of Citi’s risks are managed appropriately and consistently across Citi and at an aggregate, enterprise-wide level. The ERM Framework details the principles used to support effective enterprise-wide risk management across the end-to-end risk management lifecycle. The ERM Framework also provides clarity on the expected activities in relation to risk management of the Citigroup Board of Directors (the Board), Citi’s Executive Management Team and employees across the lines of defense.

The underlying pillars of the framework encompass:

• Culture—the core principles and behaviors that underpin a strong culture of risk awareness, in line with Citi’s Mission and Value Proposition, and Leadership Principles;

• Governance—the committee structure and reporting arrangements that support the appropriate oversight of risk management activities at the Board and Executive Management Team levels;

• Risk Management—the end-to-end risk management cycle including the identification, measurement, monitoring, controlling and reporting of all risks including emerging, growing, idiosyncratic or otherwise material risks, and aggregated to an enterprise-wide level; and

• Enterprise Programs—the key risk management programs performed across the risk management lifecycle for all risk categories; these programs also outline the specific roles played by each of the lines of defense in these processes.

Each of these pillars is underpinned by Supporting Capabilities, which are the infrastructure, people, technology and data, and modelling and analytical capabilities that are in place to enable the execution of the ERM Framework.
