Enhancing conduct risks and controls

We identified and assessed conduct risks and controls for an insurance business to enable consistent delivery of fair outcomes to customers

The challenge

Our client - a company offering general insurance, travel and personal finance & healthcare products - asked PEN to identify and assess conduct risk and controls across their insurance business.

Over the 18 months prior to project kick-off, a number of incidents had taken place which led to customer detriment, necessitating customer remediation activity and increasing regulatory risk profile. These also resulted in material unplanned costs for the business e.g. multiple breaches of FCA requirements.

The Path to Green programme was stood up to “deliver the necessary improvements to consistently deliver fair outcomes to our customers”. One of the identified driving factors of customer detriment was an issue with the business’ understanding and management of key internal control effectiveness. 

Our approach

Our team worked in partnership with our client on this engagement with the commercial, control and operational teams to map out the processes that could drive customer detriment; highlight the key conduct risks and controls; and identify the design effectiveness of said controls.

We held workshops to understand not only design effectiveness, but also the coverage and scale of opportunity around controls. This informed a list of remedial actions for “getting to green”, as well as opportunities to enhance controls/processes even further. Finance and Technology teams were also engaged, to ensure the control dependencies on these teams were clearly understood and joined up with the wider business processes.

We also identified over-arching themes for further exploration e.g. an over-dependency on manual controls; data integrity issues invalidating controls; lack of consistent customer journeys. 

The outcome

We created a set of Risk and Control Self-Assessments (RCSAs) that were easy to maintain in BAU and upload into the newly implemented risk management system. We also provided clear next steps to improving control effectiveness.

Our client has since uploaded all RCSAs as the risk and control baseline. They have also progressed with control remediation activities such as more specific testing criteria, clear control ownership. The business have also moved onto testing the operational effectiveness controls, using the data captured in RCSAs.

Having seen the value of these workshops and outputs, the client requested our support to conduct a similar exercise with 2nd line business teams, covering all types of risks. These were successfully carried out, and insights have been used to improve the risk management position since our departure.