In the FCA’s Notice to Provide Information letter of 6th February, it launched a sector-wide information gathering exercise to assess the volume of incidents being reported by individual firms related to acts of non-financial misconduct (“NFM”).
It referenced its portfolio letter of September 2023, which stated that:
“the wholesale insurance market in particular has a long way to go in having an inclusive culture…. Areas for improvement include… preventing and handling non-financial misconduct, including discrimination, harassment, victimisation, and bullying.”
And it clarified its belief that non-financial misconduct is misconduct and not an additional principle, and as such is equal in importance for companies to manage alongside financial conduct responsibilities.
Having addressed similar cultural issues in the banking industry ten years ago, the FCA will have a clear understanding of what is required to drive change in this regard in the insurance industry and have an expectation that firms have effective systems in place to identify and mitigate risks relating to NFM. Should allegations or evidence of NFM become known, it is expected that a regulated firm takes them seriously, has the appropriate internal procedures to investigate them promptly and fairly, and to take appropriate action when allegations are upheld. There are also very clear reporting obligations where the NFM relates to a Senior Management Function Holder or a Certified Individual.
Publishing their letter in such a manner, i.e. very publicly rather than privately to firms, also suggests that the FCA wishes to make it clear that NFM will not be tolerated in any industry under its watch and despite the industry’s own attempts to address its cultural norms around discrimination, harassment and bullying, not enough progress has been achieved. A view clearly held by the regulator and driving its investigation.
What Action Should Firms Have Taken?
Firms were required to identify the number and nature of NFM incidents for the last three years, identifying those that involved both SMF and non-SMF role holders. Depending on the maturity of the framework in place to record such incidents, it may have required some firms to manually search through files to identify reportable cases – so not a quick or easy task, but an opportunity to create, or more fully embed, processes which will provide important information to the Boards of companies on this subject. There is a strong possibility, for example, that issues which should have been dealt with by disciplinary proceedings might have been resolved by an agreed exit. Such instances will still involve NFM and firms will be expected to be able to identify them and report them.
A Policy Statement on Diversity & Inclusivity is promised in H2 2024 and the FCA will use this initial exercise to determine the type of MI they will want firms to report periodically, related to NFM specifically and on company culture more generally. This will give the regulator a broad view of the industry profile and identify outlier firms, to whom it will focus its initial attention to understand how the risk is best addressed.
As a word of caution, firms would be foolish to assume the reporting of minimal incidents will ensure they avoid outlier status. A large firm declaring very low or no instances of grievances or disciplinary proceedings is likely to get as much attention as a large firm which has too many of them because both could be evidence of an inappropriate culture.
The HR function is going to be key to addressing this information requirement and should take this opportunity to push any cultural concerns up the agenda, using it to initiate as much positive change as is possible in understanding, mitigating and reporting on NFM in companies.
Our experience suggests that culture reviews and the development of metrics to monitor culture are regularly focussed on quantifiable measures such as turnover by tenure, appraisal and training completion rates (by all employees), operational incident reporting and the number of grievance/disciplinary proceedings and issues and the resolutions, as well as D & I metrics. Understandable, as these are more easily reportable than some of the more qualitative metrics which seek to appreciate leadership behaviour and employee engagement and they do provide a view of the corporate culture which is an important foundation.
The qualitative metrics need to be carefully thought through and developed such that they add greater transparency to the foundational picture. They should be able to be used to assess positive developments in the culture of companies. This is likely to come in the form of objective and appraisal setting involving behavioural standards, which will also be built into the firm’s remuneration framework. Metrics which pick up proposed awards of remuneration based on behavioural standards will become increasingly important as a driver of appropriate behaviour and thereby the right culture. It will be this level of maturity which will be expected by the FCA in due course, by the industry as a whole, to support their ongoing review of NFM.
While HR functions are central to implementing policies and procedures to develop and mature an appropriate corporate culture, which must be driven by the Board and emulated by the C-Suite, the second line functions also have a key role to play in this, something the PRA have expressly proposed in CP18/23 – Diversity and inclusion in PRA-regulated firms.
The active development and monitoring of culture metrics is inconsistent across the insurance industry with many firms yet to comprehensively embed reporting on this subject into their periodic governance schedule. As the ownership of Data Governance is often a hot potato for firms given its all-encompassing remit, ownership for monitoring culture is also often disjointed and segmented across departments, creating the potential for cohesive oversight to be compromised.
One pertinent example of this is the adoption and development of frameworks to address the requirements of the SMCR regulation.
The Compliance department plays a crucial role in understanding the SMCR regulations, interpreting them for the firm and collaboratively with the HR function developing policies and procedures that ensure compliance. HR is commonly responsible for implementing many of SMCR’s requirements within a firm’s recruitment, onboarding, performance management and disciplinary processes. HR’s responsibilities may include identifying those individuals who require certification, conducting fit and proper assessments, maintaining comprehensive staff records and managing the certification renewal process.
As SMCR frameworks are embedded in company processes, the delineation of responsibilities between HR and Compliance should become clearer and appropriate written procedures will assist with this. However, anecdotal evidence suggests there is still somewhat of a challenge between the two functions to agree where certain ownership lies and this will hinder full and proper adoption of the requirements.
From a second line of defence point of view, the Risk function should be actively identifying and monitoring the risks associated with cultural practices for the purposes of recognising and reporting on risks and the effectiveness of mitigating controls around NFM. This requires Culture Risks to be included within the Risk Framework via a Risk Policy and appropriate risk appetites set with KRIs to be determined as an element of the monitoring. It follows that the Risk Function need to include risk assessment of Culture Risks within its planning and annual activities.
While Risk may be looking at the matter from the point of view of risks to the company, Compliance not only has its advisory role but must also be considering the matter from the point of view of second line monitoring. How does Compliance ensure that the first line is complying with the Policies which apply to all employees? Experience indicates that historically Compliance have not considered, as a part of their monitoring plans, whether the first line is complying with company policies relating to culture or employee practices designed to ensure compliance with company policies. Compliance Functions likewise therefore need to ensure that monitoring of compliance with suitable policies including but not limited to SMCR and appropriate HR policies and procedures is appropriately planned, undertaken and reported upon. For example, the Compliance Function would need to consider and ensure that grievances and whistleblowing are treated as such and that the outcome is not for the matter to be buried with any responsible individual or individuals being let go on full pay or in similar circumstances.
That rounds neatly back to HR and senior management ensuring that the Remuneration arrangements are appropriate and permit malus and clawback for poor conduct and that the objective and appraisal process includes culture objectives which are linked to reward. Many firms treat arrangements linking culture with reward as an element of the risk mitigation for Culture Risk and therefore include them as an element of the Risk Framework and assessment process.
There is a lot to be thinking about and getting on with.
ICSR Support And Guidance
ICSR has significant experience in helping firms assess their existing risk and corporate cultures, assisting in issues relatively minor in nature to the more systemic concerns of a culture that requires material improvement.
This is complemented by the work we do supporting SMCR framework builds and SMF applications through their full life cycle for organisations.
The reality of NFM in the insurance industry is not disputed, but we believe there is also a genuine motivation to address it. With the efforts to address diversity and inclusion inequalities already making some progress, the hope can only be that the FCA’s information request will galvanise the direction of travel to considerably improve cultural norms where it is needed.
If you have any questions about the issues raised in this article, please speak with the author or your usual ICSR contact.
Webinar recording: IUA event – Non Financial Misconduct and D&I
On 26th June, Kenneth Underhill delivered a webinar for IUA members on Non-Financial Misconduct and the FCA & PRA action on Diversity & Inclusivity. A recording of that webinar is available to watch on our YouTube channel via the link below.