FSC 2023 Detailed Thematic Review: Conduct Risk Framework

The FSC recently shared the good and bad practices identified from their February 2023 Conduct Risk thematic review of insurance firms.

The desk-based and on-site review aimed to determine the quality of Conduct Risk Frameworks in place in the insurance sector, with five insurance companies and three insurance intermediaries selected and sampled as part of the review.

Defining and capturing conduct risk

A regulated entity is expected to define the conduct risks relevant to its business activities and to ensure they are appropriately captured in a risk register or separate conduct risk register. This register needs to be reviewed regularly and included in the data presented to senior management.

Good practice:
  • Firms had identified and defined conduct risks relating to business activities, had recorded these conduct risks in their risk registers and assigned risk owners.
  • Firms' internal controls, policies and procedures included conduct risk issues.

Bad practice:
  • A firm failed to define conduct risk anywhere in either its Risk Register or its policies or procedures. The firm told the FSC that conduct risk was captured in its operational risks. A subsequent review of the operational risks did not include consideration of conduct-related subcategories.
  • A firm could not confirm which Committee was responsible for its conduct risk oversight, and the firm could not articulate how conduct-related issues, if identified, would be addressed/remediated.

Conduct risk appetite

FSC expects firms to develop a clear risk appetite and risk metrics (including tolerances) that are used in monitoring risk, risk mitigation and other decisions.

Good practice:
  • Some firms had created a Conduct Risk Appetite Statement with both qualitative and quantitative tolerances which were communicated throughout the firm to ensure it was understood and consistently adopted.

Bad practice:
  • Some firms had defined their tolerances for conduct risk exposure in their Risk Appetite Statement but were unable to evidence the ongoing review and follow-up of out-of-appetite conduct tolerances.

Own risk & solvency assessment (ORSA)

FSC expects firms to discuss and address their key risks within the ORSA and with Consumer Duty rules, setting a new standard for treating customers fairly.

Good practice:
  • Firms produced ORSAs which demonstrated a competent understanding of conduct risks and challenges and described their evolution and improvement actions.

Bad practice:
  • Some firms did not factor conduct risk as a relevant risk in their ORSAs.
  • Some firms just listed conduct risk as a high risk without providing any assessment as to why this was a key risk in their ORSA.

Management information/key performance indicators

FSC expects senior managers to make data-driven decisions based upon KPIs and MI and each firm to have a robust system of monitoring conduct risks.

Good practice:
  • Firms with conduct risks embedded into their overall governance framework are producing detailed conduct risk MI and KPIs which are being used by decision-making committees.
  • Firms understand how to use conduct risk data to measure their performance in relation to their conduct risk appetite and thresholds.

Bad practice:
  • When reporting to different committees, some companies' complaints MI had disparities.
  • Certain firms lacked a procedure for examining MI obtained for conduct risk and as a result they were not documenting any corrective measures.
  • Some firms only had MI that was produced on an ad-hoc or infrequent basis.


The FSC expects to see senior committee packs include granular MI relating to conduct risks and for conduct risk issues to be escalated to the Board for discussion when required. The FSC also expects these to be recorded in board minutes, including any challenges from Executive Directors and Non-Executive Directors.

Good practice:
  • Firms had recorded discussion of conduct risk issues and actions in their Board meetings and senior committee meetings.
  • The best firm had revised the relevant committee meetings' Terms of Reference to include conduct risk issues and had established clear lines of responsibility and accountability.

Bad practice:
  • Customer interests and conduct risk issues were not a priority for senior management compared to the commercial interests of the firm.
  • Firms had a tick-box approach to conduct risk and it was not included in any reporting or escalation to the Board or senior management.
  • Firms had conduct risk in the overall Risk Management Framework but there was no ownership of remediation actions or evidence that those actions had been completed.

What does this mean for your firm?

The Regulator has emphasized the need for a stronger focus on conduct: firms must be able to effectively demonstrate the capture and management of conduct risk within their organisational frameworks, and conduct risk and consumer outcomes must not be treated as a tick-box exercise.

Improving conduct risk management is vital for regulatory compliance and overall risk mitigation. Conduct risk encompasses various firm activities beyond customer interactions and requires proactive management. 

How can we help?

Grant Thornton can assist you in navigating the conduct risk maze. Often, determining the starting point for designing and implementing a conduct risk framework is the hardest part of the journey. But whether it is advising on a starting point, undertaking a conduct risk assessment for your business, or seeking advice on how to gain insights from all the customer data you have to hand, Grant Thornton has the skills and expertise to support your firm to achieve its conduct objectives.

By collaborating with Grant Thornton, firms can effectively address the challenges highlighted by the review, enhance their conduct risk management practices, and position themselves for long-term success in the insurance sector.