Conduct risk touches every part of an enterprise’s framework. Financial services organizations, in particular, hold themselves to very high standards of market integrity and behavior. In recent years, Financial Service Industry (FSI) regulators have increased their attention on reducing misconduct by emphasizing the need to manage conduct risk effectively throughout the entire organization.
While there is no universally defined way to manage conduct risk, there are two key risks that are critical to consider:
- The risk that FSI institutions and their employees will harm customers or negatively impact financial market integrity
- The risk of a public relations incident that will negatively impact an institution’s reputation
Central to understanding ‘conduct’ is the employee who is entrusted with responsibilities to drive positive outcomes for both the institution and the customers that rely on an institution’s products and services. Most employees fulfill these responsibilities in good faith, and yet history has demonstrated numerous examples to the contrary. In those cases, the employee diverted from value creation to risk contribution – i.e. their conduct presented a risk to the organization by damaging the customer, the market, and the institution’s reputation.
In response, many security leaders would propose developing or strengthening their Insider Threat programs. In this situation, a risk management colleague might also propose taking steps to strengthen their Conduct Risk program. Both roles are charged with protecting the organization, and both are focused on the employee to reduce risk exposure. Precedent would suggest that these distinct and sometimes siloed efforts would proceed along an uneven but parallel path. In reality, these are complementary efforts that, when combined, can be more effective and explicitly drive towards their shared goal – protecting the institution and its customers.
How do we do this?
Bottom line – security leaders must take the initiative by reframing the Insider Threat problem through the Conduct Risk lens.
- Redefine the unit of measurement – Employees (i.e. users or insiders) cannot be viewed as an inherent threat to the institution. By shifting the focus to understanding conduct, instead of counting policy violations and events, leaders acknowledge the dynamic nature of employee activities, which move between value creation and risk contribution.
- Evolve collection coverage – Leverage existing User Activity Monitoring (UAM) capabilities to continuously understand employees’ actions and their potential impact on the business. Collaborate closely with risk managers to identify new sources of data, typically outside of security, that can help build a more comprehensive understanding of the employee. This can include data derived from business applications, other monitoring sources such as trade surveillance, and HR performance data.
- Better understand risk through context – Leverage thoughtfully designed analytics to correlate otherwise disparate data points and draw meaningful relationships between them. This enables institutions to surface risk indicators at their earliest point of detection. Invest in analytics solutions built on extensive research into human behavior and fraud/misconduct data, so that the “bread crumb” and early-warning indicators usually found only through post-incident investigation surface before the incident.
- Move from a reactive to a proactive posture – Instrument controls based on an understanding of risk at the individual employee level. Security leaders should automate graduated enforcement (and relaxation) of security policies across the environment, while also enabling risk managers in the first line of defense to make more informed decisions.
- Security – Nest the Insider Threat program into the Conduct Risk framework. Champion executive buy-in and ensure security investments and business processes are aligned accordingly.
- Compliance – Owns the Conduct Risk framework. Security leaders should proactively and collaboratively work with compliance and business units to determine value-added roles within the operational lines of defense:
  - 1st line: risk measurement, correlation/aggregation, prioritization, and controls
  - 2nd line: enterprise risk reporting, governance, and policy development
  - 3rd line: internal audit
- Chief Risk Officer – Responsible for the overall risk posture and its mitigation.
As security leaders continue to evolve their strategies, they are increasingly required to develop clear paths to justify how related investments provide demonstrable business value across the organization. By mapping security initiatives to the broader Conduct Risk strategy, we can prove value not only to the institution, but also to the regulatory bodies that provide oversight.