2. Feedback on the COSO Enterprise Risk Management Public Exposure Page 2 of 10 October 2016
management throughout an organization to include decision‑making in governance, strategy, objective‑setting,
and day-to-day operations.
¶ 1-2, 22, 36, 65 – discussions on uncertainty
Our view is that the concept of uncertainty is broader than the aspect discussed within the paper which outlines
the potential relationship with risk and uncertainty. In the wider concept of uncertainty, it would not be possible
to determine how much uncertainty is present because the outcomes are completely unknown. In general, our
understanding from the paper is that there is a level of uncertainty related to a particular objective – such as the
example with the airline provided on page 17. However, we believe that one should consider the broader aspect
of uncertainty in that it is not just that “risk involves uncertainty” but also it is uncertainty that affects risk. For
instance, an alternative way of presenting the second sentence of point 2 on page 3 would be:
“Uncertainty may affect the severity or materialisation of risk and as such affects an organisation’s ability to
achieve its strategy and business objectives. In determining how much risk the organisation is prepared and
able to take, management should consider how potential unknown elements caused by uncertainty could
disrupt the achievement of their objectives”.
The difference to us is that risk implies some level of certainty and that there is an understanding of the possible
outcomes to make a somewhat appropriate assessment of the impact and likelihood (such as rolling a die for
money). In the broader view of uncertainty, it suggests that you do not know what the outcomes will be and as
such cannot make an appropriate assessment, such as the case with businesses within the United Kingdom
following the vote to leave the European Union. For the risks that businesses manage within the United
Kingdom, there is no view on what will actually happen because there is no certainty on what the post-exit deal
will be. This means that companies cannot effectively implement controls to manage the exposure.
As such, a key difference between risk and uncertainty is the ability for a risk/ business manager to apply specific
targeted controls to reduce the impact (which is contrary to the view given on page 6 in relation to the potential
decline in future demand). The view is contrary because of the aspect of uncertainty portrayed in the paper
which blurs the boundaries between risk and uncertainty rather than seeing uncertainty as a completely
unknown element – such as the case with the emergence of autonomous vehicles and how consumers,
governments, suppliers, and insurers might be affected by the numerous potential business models, regulatory
possibilities, and societal pressures – thereby rendering specific, targeted controls as mostly inappropriate.
We hope that you will include this broader view of uncertainty within the paper and not just the aspect that is a
function of a specific risk and objective.
¶ 271 – discussions around likelihood
There is good guidance on what likelihood means. It would be good to delve deeper into the theory and
differentiate from the concept of frequency (which you have included as one of the expressions of likelihood).
Our view is that likelihood and frequency are separate concepts. Likelihood suggests that the measurement
relates to the future and is related to probability whereas frequency suggests previous occurrences. For
instance, you can look at the frequency of a risk materialising over time to determine what the likelihood might
be in the next 5 years.
Also, with frequency, the relationship with risk presents itself on a curve and suggests that there is a direct
dependency with the impact of the risk. An example being a one in two hundred year event occurring results in
a high impact. This is common practice in the financial risk world such as around catastrophe risk. However,
the suggestion that likelihood is related to probability does not mean that a connection with impact exists. For
instance, ‘what is the likelihood that this risk will materialise in the next year?’ Hopefully this question illustrates
the fundamental difference between frequency and likelihood.
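As an added worked example (not part of the original submission), the distinction between frequency and likelihood can be made explicit with a standard return-period calculation. The symbols $k$, $N$, $T$, $\lambda$ and $n$ are assumptions introduced here, not notation used by the COSO paper or by this response.

Frequency is an observed rate: $k$ occurrences over $N$ years of history give

$$\hat{\lambda} = \frac{k}{N}, \qquad T = \frac{1}{\hat{\lambda}},$$

so a "one in two hundred year" event has $\hat{\lambda} = 1/200$ per year and return period $T = 200$. Likelihood is the forward-looking question from the paragraph above, "will this risk materialise in the next $n$ years?". Treating occurrences as a Poisson process with rate $\lambda$, the probability of at least one occurrence in the next $n$ years is

$$P(\text{at least one in } n \text{ years}) = 1 - e^{-\lambda n} = 1 - e^{-5/200} \approx 0.0247 \quad (T = 200,\ n = 5),$$

and the equivalent annual-Bernoulli form gives practically the same figure:

$$1 - \left(1 - \frac{1}{T}\right)^{n} = 1 - 0.995^{5} \approx 0.0248.$$

Neither expression contains an impact term: the probability of a 1-in-200-year event occurring in the next five years is about 2.5% regardless of how severe it would be. The pairing of a return period with a loss level that the catastrophe-risk practice above relies on comes from a separate severity (exceedance) curve fitted to historical losses, not from the likelihood calculation itself.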
We would appreciate a more in-depth look at these two concepts in the measurement of risk because this is a key
component in what drives the assessment of severity. If companies do not understand the intricacies of the
Structure
The conduct risk paradigm is composed of the following five pillars or components that are subjected to
regulatory scrutiny:
• Strategy, in particular focusing on ethics, values and cultures
• Firm-wide conduct risk framework incorporating governance, ownership & accountability, programme/
implementation and audit
• Quantitative components incorporating conduct risk identification, key performance/ risk indicators and
monitoring/ reporting
• Qualitative components addressing standards/ comms, training, personnel and external expertise
• Regulatory interaction and dependencies.
The following section explains these pillars and the individual elements in more detail. A diagram of the
paradigm is included at the end of this paper.
Strategy
The regulatory lens within the strategy pillar is aimed at better understanding the ethics, values and culture at
regulated firms.
Regulatory analysis of the following elements and due diligence questions are used in order to determine a
firm’s conduct risk maturity and also the level of embedment of conduct risk into the firm’s cultural fabric.
• Conduct risk definition. Has the firm got a specific conduct risk definition (Y/N?) and if so, how does it
define conduct risk (evidence? e.g. policy/ procedure and evidence of implementation).
• Five questions approach. What is the firm’s overall strategy to translate the five questions (identification/
responsibilities/ enabling mechanisms/ board and exec oversight/ incentives) into its conduct risk strategy?
What is the chosen approach? How granular is this?
• Culture clusters. Culture clusters help supervisors such as the UK FCA to join the dots and become more
consistent in their approach to measuring effectiveness. The UK FCA defines and focusses on the following
“culture clusters” in order to consistently understand conduct risk: Business model and strategy/ Leadership/
Purpose & Values/ People/ Stakeholders/ Intangibles/ Running the business.
• Strategy embedment: Analyses how well conduct risk has been embedded into the firm’s strategy and
business model. In particular, it will question whether this is due to a push (by Compliance for instance) or
a pull (driven by the business’s desire to have a strong conduct risk framework).
• Committee(s) linkage. Looks to understand how well relevant committees are linked to the 5 questions
approach.
Firm-wide conduct risk framework
The firm-wide conduct risk framework is the largest pillar and contains a large variety of areas facing regulatory
scrutiny with a focus on how the firm is governed, who is responsible, how the conduct risk framework is
managed and implemented (1LoD and 2LoD) and finally, how this is all audited (3LoD).
The following section explains these focal points further.
a. Governance
• Conduct risk policy and procedures: essentially articulates how the firm is aiming to manage its conduct
risk throughout.
• Board engagement: means how involved and engaged the board, ExCo and Non-Execs are, and how
embedded this is into the overall governance structure of the firm.
• Strategy implications: looks into how the strategy of the firm permeates via its business model both across
global businesses and functions.
• OpRisk and ERM framework embedment: is important as conduct risk is not a stand-alone risk and as
such must be deeply embedded into the OpRisk framework/ risk register as well as the over-arching
enterprise-wide risk management framework.
• Group/ Regional/ Local oversight: shows the level of conduct risk management incorporation throughout
the firm.
• Conduct risk committee (incl. board/ ExCo): identifies delegated authorities and escalation routes from
conduct risk and/or risk committee to the board and vice versa.
• Integration with related (risk) committees: shows the level of information exchange and intelligence
sharing within the firm and evidences the level of alignment/ mis-alignment throughout the firm’s risk
space.
• Role of committee(s): takes a look at the empowerment and capabilities of the risk committee with a focus
on conduct risk. What is the committee’s ability to drive strategy and are decisions taken followed
through?
• Role of control functions (1/2/3LoD): aims to develop a better understanding of the demarcation and
collaboration across the three lines of defence within a firm.
b. Ownership & Accountability
• Clearly defined: ownership and accountability are paramount for every individual, team and department
to know what they can and cannot do. As such, it is important for instance to have clear job descriptions
or a job catalogue that helps determine individuals’ responsibilities.
• Business ownership/ engagement: Conduct risk is not a one-way street and requires proactive
engagement and continuous involvement of the business (e.g. the areas generating revenue).
• Accountable executives: are very important from a regulatory perspective as this will be the key contact
points between firm and regulator, particularly crucial if remedial action is required.
• Delegated authorities: are crucial to understand how the strategy, translated into the business model
breaks down right to a very granular level for each individual.
• Escalation routes: look in the opposite direction to delegated authorities and explain both formal
and informal routes for staff to “speak up” if necessary.
• Frequency of committee(s) and conduct risk reviews: are important as conduct risk management performed
on a quarterly basis, for instance, may have the tendency to become too much of a point-in-time
assessment. Ideally, some KPIs/KRIs should be identified that enable continuous monitoring, for instance
behavioural pattern recognition.
c. Programme/ Implementation
• Programme overview/ structure: will provide the regulator with a comprehensive summary of the firm’s
conduct risk programme.
• Programme work streams: go into more granular detail and provide the nature of each work stream,
schedule and any current issues leading to “Red” on the work streams’ RAG status.
• Mapping - Themes vs. Strategy: gives the regulator a view whether all areas of the chosen strategy have
been addressed within the conduct risk programme and helps identify any gaps within the
implementation plans.
• Operating model integration: looks beyond implementation of conduct risk and BAU integration into the
firm’s target operating model.
• Processes: need to be documented as part of desk-top instruction manuals or similar and documentary
evidence needs to be provided.
• Business involvement: looks to understand how much the business is actively involved in developing
conduct risk and the level of interaction between different business areas.
• Push/Pull: aims at understanding the key drivers behind the conduct risk implementation programme and
whether this overall effort is more a push (i.e. driven by the compliance teams) or a pull (i.e. by the
business itself).
d. Audit
• 3LoD involvement: is an important element as part of the firm-wide conduct risk framework.
• Programme audit: will have to be conducted by the audit team to understand whether the programme
and implementation is both on track and effective.
• Thematic reviews: are becoming an increasingly important analytical tool deployed to identify patterns,
for instance in sales staff behaviour, and to understand areas that require mitigations.
• Deep dives: are often used to inform thematic reviews, particularly in data-rich environments by looking
at big data sets at a fairly granular level, e.g. at individual staff or customer level.
Quantitative components
a. Identification
• Risk taxonomy: looks to understand whether a firm-wide risk taxonomy exists and whether or not this
includes conduct risk and people risk related definitions.
• Risk drivers: are the drivers of conduct risk exposure within firms and need to be articulated by the firm
guiding the discussion with the regulator.
• Forward/ backward-looking: both are important as analysis is only possible based on historical data.
However, it is more important to use historical data/ analysis and overlay this on a forward-looking
time horizon, enabling better risk prediction.
• Self-assessment process: is the process firms deploy to assess themselves in how good/ bad they are
doing at managing conduct risk effectively.
• Self-assessment validation: same as previous point, but giving the firm an opportunity to validate its
self-assessments.
• Whistleblowing and complaints handling: are closely linked to conduct risk and hence need to be
integrated within the overall conduct processes.
• Approach: the firm’s conduct risk management approach, following from the completion of the conduct
risk programme.
• Point-in-time or continuous process: aimed at understanding the analytical/ timing horizon of conduct risk
management within a firm.
b. KPIs & KRIs
• Severity (Risk/ Misconduct): identifies the risk of the misconduct/ misbehaviour for the firm (e.g. Low,
Medium, High, Very High) as well as the nature of the misconduct (e.g. on a similar scale to the risk).
• OpRisk losses due to breaches: record the firm’s actual losses caused by misconduct within the firm.
• Training stats: can give a detailed picture of the number of staff failing mandatory training exercises.
• Categories: of misconduct, for instance whether the misconduct is due to staff fraud, bullying, harassment
and discrimination, or regulatory compliance breaches.
• Nature of the KxIs: provides for each KxI whether it is a leading or lagging indicator.
• Consequences – for individual: identifies whether or not the individual(s) involved in misconduct cases
have been disciplined and gives more detail about the actual consequence, i.e. verbal warning, written
warning, summary dismissal, bonus claw back etc.
• Consequences – for the firm: provides detail as to how the firm has responded, for instance improving a
badly worded policy or some additional supervisory staff has been added.
c. Monitoring/ Reporting
• Dashboard/ Heat maps: will form part of the regulatory assessment and as such some current examples
will be required for further analysis.
• Reports: same for conduct risk-specific reports
• Recipients (incl. Board/ ExCo): the regulator will closely look at the recipients of each of these reports to
ensure this is aligned with other information given.
• Effectiveness of the MIS: by understanding the number of and detail used for KxIs as well as reporting
frequency and the horizon of the reporting.
Qualitative components
a. Standards & Communications
• Tone from the Top (Delegation): is important for embedding a solid and robust culture breathed and lived
by the board and cascaded downwards.
• Tone from the Tail (Escalation): is equally, if not more, important to inform senior management of issues
giving rise to early escalation with a view to containing the issue at hand.
• Comms campaigns/ Message cascading: looks at how messages are conveyed throughout the firm, in
particular at how conduct risk is explained and how these messages permeate the cultural fabric.
• Comms effectiveness: looks at measuring the comms feedback, participation levels in town halls and
team meetings.
• Fostering a “speaking up” culture.
b. Training
• Mandatory training: needs to include a strong focus on conduct risk and the regulator may look at
eLearning and face-to-face course materials.
• Ongoing mentoring: is difficult to audit on an individual basis, but some random samples of annual
performance review records may give an indication as to how much (or how little) mentoring on conduct
happens.
• Training effectiveness.
c. Staff related
• Senior Managers & Certification Regime (SMCR): informs the regulator of how integrated SMCR is into
the firm’s governance.
• Attestation process: details thereof need to be provided to the regulator.
• HR policies/ procedures: that refer to conduct risk and consequence management need to be provided
to the regulator.
• Career progression/ reward: details of which need to be provided to the regulator in order to understand
the firm’s general approach to staff incentives.
• Consequence management: similarly to the previous point, needs to be provided to the regulator in order
to understand how misbehaviour is managed.
d. External expertise
• External consultants: for instance the percentage of contractors and consultants that are deployed to
provide services primarily aimed at conduct risk management.
• Reliance on external expertise: similar to previous point, this would be a percentage that indicates overall
contractor/ consultant levels at the firm.
• SLAs/ controls: give an indication of how well external consultants are managed, and the regulator may
request some sample contracts.
• Vendor conduct/ third party risk management: is equally important as a third party’s negligence or
misconduct may equally threaten the firm and contribute to additional reputational risk.
Regulatory Interaction/ Dependencies
• Day-to-day relationship with the regulator: looks at whether the firm is confrontational or collaborative in the
way it works with the regulator, as this may be an indicator of the firm’s underlying culture.
• Co-ordination/ Global alignment of requirements: is particularly important as some firms are operating in a
global environment across many jurisdictions where regulatory initiatives may not always be aligned,
potentially increasing systemic risk.
• Industry-wide working groups and lessons learnt: This is a tricky one as firms may not be willing to share
lessons learnt with competitors, although there is benefit in sharing intelligence and mistakes made across
firms.
• Peer reviews/ thematic reviews/ data & intelligence: this is really a task for the regulator to ensure all
information available to them is used in the most efficient fashion.
• Regulatory KPIs: similarly, this is one for the regulator to understand and tricky as the best KPIs for
regulators are “absence-based”, i.e. no fines and/or reduced fines, a lower frequency of events and lower
severity may all mean that the regulator has performed better.
3. Practical considerations
¶ 4 - We wondered whether the “value” definitions in paragraph 4 may confuse people as value at risk is a
market risk term used often in risk management. It might be worth putting a short sentence to differentiate
between the two.
Section 7 – there may be scope to refer to KRIs here.
¶ 266 & 275 (Example 8.2 and Figure 8.7) – typically once the target residual rating is reached, an entity is
unlikely to expend further resource decreasing the risk. The word ‘target’ suggests that they are comfortable
with the extent the risk is mitigated. For Example 8.2, please consider re-wording the sentence to “while the
existing manual process has mitigated some of the risk exposure, the actual residual risk is still more than the
target residual risk. The automated workflow system could offer an additional risk response to lower the risk
within the target residual range, and would do so in a cost effective manner”.
For Figure 8.7, the same argument applies, for management, if they are at their target residual rating, they are
unlikely to use resources to further reduce the risk. Doing so may imply that they may be over cautious and
foregoing other opportunities. As such, for this diagram we suggest changing the positions of residual risk rating
and target residual risk rating (example shown below).
¶ 73-75 & Principle 8: Defines Risk Appetite – in the definition and discussion of risk appetite, the use of the
word ‘accept’ suggests a one-dimensional view of risk, i.e. negative. Given that risk can also be an opportunity, it would be
better to describe it as the risk that an organisation is willing to seek/ take. The use of “acceptable” in the context of
variation does not carry the same connotation and is therefore appropriate.
¶ 78 – consider expanding on the risk appetite discussion to bring out the link to informed decision making,
which is relevant in the running of the business more broadly than just setting performance targets. Although
there is coverage later in the paper on this, it is worth noting here. The additional detail should portray the
importance of finding the right balance and continuously adjusting this, both with short-term (liquidity) and long-
term (capital) lenses, as well as generating a long-term sustainable benefit and, ultimately, on-going survival of
the organisation.
¶ 179 - although the paragraph brings out the point around the maturity of an organisation’s enterprise risk
management, our view is that the use of ‘low’ or ‘high’ appetite should not be recommended for any organisation
– regardless of their maturity. As you noted, such terms are vague and could potentially encourage inappropriate
decision making due to individual interpretations based on individual predispositions to risk. If you choose to
retain the suggestion that it may be sufficient, we recommend that you qualify it by stating that the organisation
should define what low and high mean in its own context.
¶ 181 – our view is that the critical point around risk capacity and prospect of failure should be made more
prominent and not hidden as part of a series of bulleted points. Success and failure are the underlying premise
for getting your risk appetite correct. This concept should be moved earlier in this section and added to
Section 4 in line with the feedback on ¶ 78 above.
¶ 183 (Example 7.5) – the example given for high appetite in the diagram on the risk appetite continuum should
be changed. It would be irresponsible for any management team to convey a ‘high’ appetite, implying acceptance
of a high degree of uncertainty, if they are seeking operational efficiency. An alternative example that suggests a
more appropriate balance between potential gain and loss might be:
“A high appetite for collaborating with other universities recognising that our intellectual property might be
compromised”.
4. Minor changes
¶ 244 Figure 8.2 – typo in potential root causes section – moral instead of morale.
¶ 245 – the standard sentence structure provided can be more simply defined as: event, cause, and impact.
This keeps definitions in line with other risk management guidance.
Thank you
Our group is available and would be interested in being actively involved in further consultations. Should you
wish to contact us please do not hesitate to do so on either of the details below.
Raza Sadiq – raza.sadiq@coveainsurance.co.uk
Darius Mayhew – Darius.sjm@live.com
ERM in Banking & Financial Services Special Interest Group.
i. Why ‘paradigm’ - not ‘model’?
A conceptual model is a representation of a system, made of the composition of concepts which are used to
help people know, understand, or simulate a subject the model represents. Conceptual models are often
abstractions of things in the real world whether physical or social.
In contrast, a paradigm is a distinct set of concepts or thought patterns, including theories, research methods,
postulates, and standards for what constitutes legitimate contributions to a field.
Although, on paper, the new global conduct risk paradigm resembles a method, an approach or a model, given
its genesis and the fact that it is based on an interpretation of discussions rather than hard evidential
documentation, the author felt it most appropriate to describe the result of his work as a “paradigm” rather than
model, and hopes that going forward it will be seen as contributory to the risk management area, in particular the
management and mitigation of conduct risk.