Measuring conduct risk in South African banks

Antje Hargarter (Department of Risk Management, North-West University, Potchefstroom, South Africa and School of Investment and Banking, Milpark Education, Johannesburg, South Africa)
Gary Van Vuuren (Department of Risk Management, Faculty of Economics and Management Sciences, North West University, Potchefstroom, South Africa)

Qualitative Research in Financial Markets

ISSN: 1755-4179

Article publication date: 3 June 2019

Issue publication date: 13 August 2019



This paper aims to examine the problem of conduct-risk measurement for banks, using South Africa as an example of a developing market. Conduct risk is a new and complex phenomenon in global financial services and could negatively impact various stakeholders. There are concerns about new regulations and potential misconduct fines affecting profitability and sustainability for banks. While presenting a serious problem, especially in developing markets, with the added challenge of financial inclusion, conduct risk and its measurement have not been researched sufficiently. If the measurement problem could be solved, the management could be facilitated.


Based on a literature review, existing surveys and new interviews, a best-practice proposal for measuring conduct risk was developed. The approach was exploratory and inductive and added primary insights.


Measuring concepts like conduct is a global challenge. This aside, South African banking customers are concerned about fraud and safety and administrative service hassles, rather than conduct in the regulatory sense. Best-practice measurement must account for these findings by working with a scoring for behavioural, organisational/procedural and perception indicators and with suggestions for specific surveys.

Research limitations/implications

Analysing the data measured and deciding what action should be taken if conduct risk is detected could be considered for additional research.

Practical implications

South African banks are guided in measuring a difficult and unique concept at a time of regulatory change, stakeholder pressures and limited existing knowledge.


The authors believe this is the first study on a critical and new challenge in banking risk measurement in a developing market.



Hargarter, A. and Van Vuuren, G. (2019), "Measuring conduct risk in South African banks", Qualitative Research in Financial Markets, Vol. 11 No. 3, pp. 282-304.



Emerald Publishing Limited

Copyright © 2019, Emerald Publishing Limited

1. Introduction

Conduct risk is a new and complex risk in the financial services sector, which emerged after the last global financial crisis. Conduct risk arises when financial services companies sell products that are unsuitable for customers, with the goal of meeting specific sales targets (Financial Conduct Authority [FCA], 2013). This can lead to negative outcomes for customers and have an undesirable economic impact. It may also have indirect, detrimental financial consequences for banks, even though the effect may be delayed. As a result, there have been efforts to regulate and manage conduct risk in different countries (The Organisation for Economic Co-operation and Development [OECD], 2011, 2013). Figure 1 indicates that many developed-economy regulators have imposed heavy penalties on global banks for conduct failure (CCP Research Foundation, 2017; FCA, 2015; European Systemic Risk Board [ESRB], 2015), leading to a substantial rise in conduct costs; although, not in the provisions for conduct costs in the banking sector over the past 10 years. Although this may suggest that banks underestimate costs and deliberately accept a portion of conduct risk, it may also indicate that banks believe their conduct is being effectively managed, and they will not take action until proven incorrect.

Fines for misconduct are not restricted to developed economies. Developing countries, such as South Africa, have also received penalties (SARB, 2014, 2015, 2016a, 2016b, 2017), as has Asia (Oliver Wyman, 2014).

The discussion concerning appropriate conduct is intensified by calls for sustainability of banks as businesses (Schaltegger and Wagner, 2006; AON, 2007; Galamadien, 2011; McKinsey, 2013 and The United Nations Environment Programme [UNEP], 2015) and the theme of financial inclusion and education, particularly in developing banking markets (Alliance for Financial Inclusion, 2015).

2. Background

As conduct risk was the defining cause of the financial crisis (The Financial Standards Board, 2013), it is almost certain that a suitable approach to measuring conduct risk will become mandatory for all banks. The following is assumed: if the measurement of conduct risk is approached correctly, then conduct risk can be more successfully managed; relevant pieces of information would be measured, and those could then be used to better manage and mitigate conduct risk. Ultimately, banks need to be aware of and be able to demonstrate to various stakeholders the progress made in the measurement and management of conduct risk to convince them that the new phenomenon is under control.

The issue, however, is that global banks are currently (2018) struggling to measure and mitigate conduct risk (Thomson Reuters, 2017). Various stakeholders could be negatively affected by this problem: banks’ profits could be reduced by regulatory penalties or by losing customers (thereby affecting shareholders), customers could lose money by purchasing unsuitable financial services products and the relevant government could fail in its role to protect its citizens, as consumers and the country could suffer economically because banks failed to fulfil their financial intermediation role.

Banks in developing markets are more adversely affected, and the problem might therefore be more pronounced. If bank customers are less financially educated (Klapper et al., 2015), and hence more vulnerable to misselling, the measurement of conduct risk could be more cumbersome and may need to be amended.

South Africa, as one example of an emerging market, is ranked 37th (out of 138) for soundness of banks in the Global Competitiveness Report (World Economic Forum, 2017), while 16 per cent (5.7 million) of South African adults are financially excluded from the banking system (Banking Association of South Africa [BASA], 2014). This dichotomy makes for an interesting case study. Apart from this, financial market regulation is changing in South Africa and clarity around conduct risk is essential to overcome uncertainty.

A new Financial Sector Regulation (FSR) Bill was signed into law in South Africa (FSR Act No. 9 of 2017) on 21 August 2017 (Parliamentary Monitoring Group, 2017). The Prudential Authority (PA) and the Financial Services Conduct Authority (FSCA) were, as a result, configured as new, distinct units in an attempt to establish a twin peaks model. The new Conduct of Financial Institutions Act (CoFI Act) will be signed into law in 2018 or 2019 (Parliamentary Monitoring Group, 2017). Until then, the FSCA will work according to existing laws. Currently (2018), National Treasury is engaging with different financial services sectors around licensing based on activities, and is also working on high-level principles for conduct. The regulator plans to look for best-practice approaches within the industry, and to request industry members to learn from them (National Treasury, 2018). It seems the regulation will be outcomes-based, and will build on the existing ‘Treating Customers Fairly’ [TCF] approach to financial consumer protection (FSB, 2015). This could mean that the regulator has to influence the outcome for the customer indirectly so – which might be difficult (Hargarter and van Vuuren, 2017). One of the future challenges for the regulation could be whether bigger and smaller banks will be treated in the same way.

3. Research problem

Unfortunately, measuring concepts like culture and conduct remains difficult for banks, for various reasons. First, it has qualitative aspects and is not easily measured using quantitative tools (Thomson Reuters, 2017). Second, distinct perceptions of different stakeholders play an important role. Thirdly, not all events that may have actually taken place end up being reported. Last, it may be that conduct risk is hidden in the bigger “system” of banks, but has not yet “reared its head”, and so there is no evidence of it. The pressure of finding a suitable approach to the measurement of conduct risk is exacerbated by the fact that limited formal knowledge is available and the situation is dire for developing countries. The few existing studies (as discussed in the literature review) do not focus on developing markets, and they also lack depth about the measurement problem. Other obtainable information consists of popular press articles and reports from consulting companies. These facts contributed to the reason that this research was conducted.

In summary, the problem is that there is little knowledge available on how to overcome these serious measuring challenges to ensure banks are managing conduct risk appropriately, with positive consequences for all stakeholders. There is, therefore, a need to explore possible solutions regarding the measurement of conduct risk for South African banks, as an example of a developing market. The authors believe this study is the first to do so.

Based on this research problem, the research question was: how should South African banks approach the measurement of conduct risk? For the purposes of this work, conduct risk comes about when South African banks sell products that are unsuitable for their customers, with the goal of meeting specific sales targets (Financial Conduct Authority [FCA], 2013). For this study, means are measured to ascertain the specific degree of conduct risk within an organisation by using a measurement system marked in standard units, using scores. An outcome-based approach, as recommended by the South African regulator and defined as assessing the extent to which an approach has achieved its intended result, has to be applied to this study. It is assumed that conduct risk cannot be solely assessed with mathematical models (such as PfIug and Römisch, 2007; Barsalou, 2015; Hassani, 2016b) or with behavioural approaches (such as Ewen, 2014; Miles, 2017).

The research objective was to develop a first best-practice proposal of how to approach the measurement of conduct risk in South African banks. Given the limited knowledge that exists regarding the concept, but also the approach of the regulator looking for best-practice approaches from the various banks, this study proposes a best-practice approach, defined as a standard, which could lead to optimal results. The preliminary best-practice proposal consists of a scoring model as a measurement system. It also includes suggestions around specific surveys to enable a specific allocation of scores.

Information from South African bank customers and staff members about their understanding of what conduct risk is and how it can be measured, and similar information from other countries and/or on similar concepts (such as ethics and business conduct), was required to answer the research question. The information was obtained from worldwide secondary data and selected primary data in South Africa in 2017/2018. As the research question asks about the “how”, sourced information was mainly qualitative.

There are numerous role-players that have an interest in the conduct-risk measurement problem and its solution. However, South African banks are the main beneficiaries of this research. Banks have the resources to influence the progress of the research and its solution. The government, the new FSCA and bank customers and shareholders could also profit from the study.

4. Research methodology

4.1 Research approach and strategy

This research prescribes to the following research approach and strategy (Saunders et al., 2015), based on the research question: inductive – understand the nature of the problem better and develop a first best-practice proposal, collect qualitative data; cross-sectional – measure conduct risk at a particular time; and exploratory – interrogate literature and subject-matter experts’ opinions, conduct interviews and/or initial surveys.

4.2 Data collection

The researchers are not aware of any publications about conduct risk in the South African banking sector, other than their own published work. Besides this, data from bank customers and bank staff are confidential and difficult to access.

Selected secondary data in the form of existing surveys of staff from the banking sector and from other industries were collected electronically from consulting companies and interest groups. Even though they only considered the global situation, the surveys were considered and analysed by interpreting the results.

Primary data were collected through interviews with selected banking customers in 2017. Interviews were conducted in person or via video conference or telephone, depending on where the interviewees were located and their availability. Interviewees were based in Cape Town and Johannesburg, with an equal split. The interviews were voice-recorded and transcripts were produced in spreadsheets (with augmented notes and comments).

An interview guide was used, mainly with open-ended questions (Appendix), given the nature of the study. The goal was to attain a deep understanding of the experiences and stories of the individuals to get guidance on how a positive outcome for a customer could look like and how it could be measured. To allow this, the interviewees were left to guide the conversation as far as possible. Questions for the interviews with existing bank customers were put together based on findings from the literature analysis and the research question.

4.3 Data sampling

It was assumed that all 241 employees at Milpark Education, a South African private higher-education provider and the researcher’s current employer, consisted of a representative sample of existing banking customers in South Africa. The staff complement of Milpark was sufficiently diverse. It was assumed that they all have a banking relationship and no adverse effects were expected in terms of them working in the educational sector. Twelve interviewees were randomly selected by identifying the 20th person on an alphabetical list of names (Goddard and Melville, 2001). Where individuals were not available or were not comfortable being interviewed, the 21st person was selected. This was the case for two individuals. The number of individuals interviewed was suitable for this qualitative, exploratory study (Saunders et al., 2015).

4.4 Data analysis

Primary data were coded and analysed through thematic data coding (Attride-Stirling, 2001). All answers were categorised into various themes per question, and it was recorded how many interviewees’ answers fitted into those themes. Themes were developed by the researchers while listening to the recordings, making notes and transcribing interviews, and the themes were allowed to evolve during the course of this process. An example of this is found in Appendix B3. The number of answers recorded for the different themes was interpreted and trends were summarised. Primary data were reported on by citing selected statements, summarising trends and through graphical representation.

4.5 Ethical considerations

The role of the interviewer, the scope of the project and an introduction to the research topic were explained to all interviewees before each interview. Ethical clearance was applied for and approval was obtained from the research committee at Milpark Education (thereby ensuring compliance with the institution’s research policy). A plain language statement was issued and consent forms were signed prior to each interview. Interviews were recorded and summarised in individual documents.

5. Literature review

5.1 Definitions

According to Green (2015, p. 15), “risk management is the coordinated set of principles, processes, activities, roles and responsibilities, and infrastructure, combined into a system and used to control the actions of an organization in light of the risks it faces”. The author also specifies that the term ‘risk mitigation’ is used if risks that have negative consequences are treated, which involves improving or modifying risk controls. Last, Green (2015, p. 6) gives an example of how different organisations might measure or quantify risks: “For example, one organization may choose to classify risks as ‘high’, ‘medium’, and ‘low’; another to rank them from highest to lowest; and a third to assign a number, based on likelihood and consequences, to each.”

5.2 General risk management literature

Conduct risk is new and challenging to quantify. It must be incorporated into the general enterprise risk management (ERM) strategy of the organisation and it also requires different ways of thinking compared to traditional risk management (Raj and Sindhu, 2013). However, there is not much evidence in the existing literature about the ‘how’.

McCormack et al. (2014) point out that systematic risk management only evolved in the past 15 years or so (since 1999), as pressure from stakeholders and from the regulator – in the case of banks – increased. In this realm, ‘the three-lines-of-defense’ approach to risk management was born: the first line of defense consists of the respective business units; the second is represented by a centralised risk function, which guides the first; and the third line entails the internal audit function. In the case of conduct risk, this defense model is important, as good conduct should run through the business from strategy to product design, and on to selling and after-sales. The model would affect the measurement of conduct risk in that all different lines of defense have to be included.

Taylor (2014) presents a summary of supporting documents needed for embedding ERM into the organisation. Measuring conduct risk would hence necessitate proper documentation, especially at risk-appetite, risk-register and dashboard level.

As a specialist in fraud, Koletar (2010) invites risk practitioners to re-think risk management. Below is a summary of some of his suggestions regarding where traditional risk management goes wrong and what this could mean for conduct-risk measurement:

  • “The highway to hell is traveled in small steps” (Koletar, 2010, p. 96). Measurement needs to incorporate the idea of repeatedly scoring at a low level of concern, but not at zero, when it comes to conduct risk.

  • “If you guys found something bad, it could be a deal killer” (Koletar, 2010, p. 98). Measurement needs to understand that not all departments are interested in finding fault.

  • It is important for firms to use the ABC principle, especially for behavioural risk, and find out whether the firm has one bad apple, a bad bushel or a bad crop. Measurement needs to be able to detect As, Bs and Cs, and not only focus on Cs.

  • While documentation is crucial in risk management, there are many cases where documentation is forged or altered. Measurement needs to detect those cases.

  • Many firms prescribe to zero-tolerance programmes. These are often problematic, as it is extremely difficult to ensure uniform enforcement, plus there is a great need for additional (and expensive) reporting resources. Measurement needs to differentiate between small warning signals that are serious and others that are not as worrisome.

  • With IT technology getting more complex daily, making actionable intelligence out of a multitude of data is challenging; this will be especially true for conduct-risk measurement.

  • Firms should pay attention to words: is someone going to be more discreet without changing their behaviour? Measurement should leave room for individual and freely formulated responses, rather than focussing only on ticking boxes in surveys.

  • Sometimes, in risk management practice, possible causes are diagnosed quickly and solutions to risk sought early. For conduct risk cases, which often have specific tipping points, this might make the situation more difficult.

5.3 Literature on concepts similar to conduct risk

It can be argued that conduct risk is equal to people risk. However, as Blacker and McConnell (2015, p. 136) point out: “While one could argue that [conduct risk] […] is indeed a wholly People Risk issue (‘poor governance’), there is obviously a process dimension that must be taken into account”. Ewen (2014) states that personalities can show a wide range of stable human behaviours. However, some aspects of personalities are observable and some unobservable, some conscious and some unconscious. This makes conduct risk difficult to measure.

Fitzsimmons and Atkins (2017) examine new developments in reputational risk. First, they state that it is important to set risk appetite and tolerance and think about acceptable levels of reputational risk. Interestingly, they quote the US insurer Berkshire Hathaway as having decided that their tolerance is going to be zero. Second, they recommend that behavioural and organisational risks which underlie reputational risk are identified. They bring in the work of Nobel-prize winner and psychologist Daniel Kahnemann (Kahnemann, 2003, 2011) and suggest that reputation is driven by the perceptions of stakeholders. Behavioural and organisational risks have to be taken into account when measuring conduct risk and perceptions need to be considered carefully; the focus cannot only be on real events.

Deutsche Bank (2014, p. 1), a bank that operates globally, is convinced that being sustainable and profitable is not a contradiction: “Short-term strategies that are aimed exclusively at quick profits are not consistent with the expectations of society, which wants to see responsible financial institutions anchoring the economy”. Chibba (2009) states that the global financial crisis has made financial-inclusion programmes more imperative.

5.4 Specific conduct-risk literature

Hassani (2016a) is one of several authors who believe that data science, proper segmentation, product design and control alone will assist firms to greatly minimise conduct risk. He does not see measurement as a separate challenge. Miles (2017) and Thomson Reuters (2017), who have been running an annual conduct-risk survey for a number of years, are of the opinion that measurement is problematic. It would seem that more emphasis should be placed on the opinions of Miles (2017), as he is one of the few conduct-risk specialists, and on Thomson Reuters (2017), because their conclusions have been achieved by actively engaging with the industry for a number of years.

Miles (2017, p. 150) recommends a simple strategy for financial institutions to measure conduct risk: “Ask, and keep asking, simple questions about the behavior that customers look for”. He proposes the following measurement tools for conduct risk: questionnaires, mystery shopping, online complaint forums, and customers’ advocacy groups. He feels that customers’ views need to be incorporated throughout the value chain and recommends that the risk team should have full sight of the value chain, from “A to Z”.

Two other arguments he makes are the importance of noting the tipping point in an organisation and striking a balance between the company’s “big picture” and individual employee experiences. Soares (2003, p. 147) agrees “that the notion of a corporation cannot be reduced to the mere behavior of individuals (who are also abstract in character)”.

Miles’ (2017) model is based on behavioural science, decision theory and political science of regulatory design. However, there is no detailed explanation of how exactly those theories were built into this model, which is problematic. Similarly to Fitzsimmons and Atkins (2017), Miles refers to Daniel Kahnemann’s work in his research. Miles’ model consists of two parts. The first part entails a five-factor model. The model works with questions that companies should ask to gain clarity around conduct risk. The second part of the model entails three viewpoints, with which Miles (2017) recommends individuals should look at the questions in model one.

While Miles’s model is valuable as an overall approach to managing and mitigating conduct risk, it delivers no answers on how exactly to measure conduct risk. Miles (2017) expresses his concerns about so-called grey areas. These could exist where, for example, regulators change their approach and penalise a bank in retrospect. He provides limited guidance on how companies could prepare for such an occurrence.

6. Results/findings

6.1 Existing surveys

The Ethics and Compliance Initiative (2016), in a multi-country inquiry into worker conduct and workplace integrity, found that the narrow definition of doing the right thing in the form of avoiding corruption and complying with the law is no longer relevant. The survey published four different metrics of ethical issues, with a percentage of how many workers experienced those: pressure (22 per cent), observed misconduct (33 per cent), reported misconduct (59 per cent) and experienced retaliation (36 per cent).

More employees in three of the BRICS countries (Brazil, India and Russia) experienced pressure to compromise standards, and have observed misconduct, than in the other ten countries surveyed (South Africa was not part of the survey). Furthermore, employees of multinational companies are more likely to be affected than employees of companies that operate in only one country.

Thomson Reuters (2017, p. 42) believe that with regard to conduct risk “one size rarely fits all, and there is unlikely to be a single measure that can provide the information required. Firms need to develop and refine a range of measures to capture the context and the quantum of culture and conduct-risk issues in their business.” They recommend extensive evidence and documentation on parameters, assumptions and data. They offer the example of complaints analysis: while the number of complaints might be an appropriate quantitative measure for the purpose of measuring conduct risk, the data would have to cover various indicators, such as timeliness of response, customer satisfaction, product governance issues, review of sales process, training needs and compensation implications.

While various tools could be used to assess conduct risk, Pitts and Grourk (2014) stress the importance of an employee survey that is forensic in nature and which allows employees to fully express themselves in a confidential way. They recommend responses to statements using scorings such as, for example, Likert scales, and also free expression (similar to Koletar, 2010). They advocate that employees need to understand why the survey is being conducted and what the benefits are for them.

6.2 Interviews with existing banking customers

The age of the interviewees was evenly distributed, with the biggest group aged between 30 and 40. Respondents were employed in entry-level, middle management and senior management roles, with junior management roles slightly underrepresented. Interviewees banked with ABSA, Capitec, First National Bank (FNB), Nedbank and Standard Bank (SBSA), and some make use of two or more banks’ services.

In the older and more senior group of respondents, longstanding relationships were important. Statements like, “the banker helped me through difficult times and sees the bigger picture” and “if the banker doesn’t see grey and just sticks to rules, this is a problem for me”, support this. Respondents also stated that “it’s all about relationships” and “the bank should be a partner”.

In the younger and less senior group of respondents, rewards were important. Statements like, “if fees rise dramatically, I will change” and “if it was easier to switch, people would switch”, play into a similar theme. Interestingly, one young respondent said that “banks need us, they need to keep customers happy at all times”, Younger respondents also said that customers would switch for rates or more reward points, as “[financial] struggles are real”. Innovative products, like pocket savings and eBucks that show the customer he is valued, create loyalty.

Throughout the sample, respondents raised the question: “What’s my alternative?”, and felt that “all banks can give you hassles”. In total, 25 per cent of respondents said they would not leave their bank, even if they were dissatisfied with the bank’s conduct. Another trend across the sample was that most respondents were either very happy or very unhappy with a specific bank, but the majority were very satisfied. Respondents stated, however, that new disruptors are coming to the market, which will make people switch more frequently. Moreover, not every customer immediately leaves their bank if they are unhappy, and it seems that often customers only threaten to switch banks.

Most individuals thought it possible for a bank to have a good reputation, but bad conduct. Most respondents felt strongly that it should be possible for banks to conduct themselves ethically and be profitable.

Many individuals understood the gist of what conduct is, and how it is defined, and added safety and customer-centricity to the mix when defining conduct. Interestingly, when asked to provide examples of good or bad conduct, very few respondents spoke about advice as such. Many respondents put emphasis on the “hoops you need to jump through” to get anything done in a bank; a very transactional approach. Few respondents felt that banks push products onto the customer or that they oversell, and there was confusion around various banking products and services for some respondents.

Respondents stressed that providing their consent to the bank’s activities was important. Their perceptions around safety were also discussed. Most respondents noted that the tipping point (to leave the bank) would be if there was a safety issue. There is also a need for clarification with regard to fraud, which was raised as a major concern.

Graphical representations of some of the main outcomes of the interviews are provided in the Appendix.

7. Discussion and analysis

7.1 Discussion of themes

7.1.1 General risk management.

According to general risk management literature, conduct risk should be incorporated into the ERM framework. Some facts such as conduct risk needing to be measured at different levels of the organisation with concrete documentation are also true for other risks. Also, certain traps that risk practitioners can fall into (i.e. Koletar, 2010) are true for conduct risk to the same extent. However, the measurement for conduct risk remains more difficult than for other risks based on conduct falling into a human behavior category.

7.1.2 Concepts close to conduct risk.

People and reputational risk seem to be very similar to conduct risk. At the same time, there are behavioural and organisational risks which could be part of conduct risk (Fitzsimmons and Atkins, 2017).

Interviews with bank customers in South Africa, an example of a developing country, showed that individuals struggle to differentiate between conduct risk as a regulatory issue and conduct in the professional business-conduct sense. The main concerns among bank customers seem to be around fraud and safety, and administrative hassles. This aside, customers seem uneducated in the vagaries of bank jargon, and hence more vulnerable to misselling.

7.1.3 Conduct risk.

The results from the questionnaire have shown that perception about conduct (as opposed to only hard facts) is one of the factors to be considered when measuring conduct risk.

It appears that good service and good conduct are understood as being the same concept. This may link back to the Global Ethics Survey by the Ethics and Compliance Initiative (2016) that has witnessed a move away from a regulatory approach to a more professional business-conduct approach.

Seemingly, consumers need to be educated in terms of what conduct is and what customers should expect in terms of advice. This point, specifically, could be related to the fact that interviews were held in South Africa, a developing country. As the average customer is less wealthy than a developed market customer, further investigation would be necessary to ascertain whether the type of product sold in the retail market was a loan product or an investment product.

7.2 Best-practice approach for measurement

7.2.1 General considerations for the approach.

One would assume that all banks attempt to minimise conduct risk to avoid paying penalties and losing customers. Some banks entertain certain levels of conduct-risk appetite (Thomson Reuters, 2017). Koletar (2010) argues that zero-tolerance programmes are difficult to enforce in a uniform way. These facts were considered when the suggested best-practice proposal was developed, by working with a potential scenario where some degree of conduct risk might be acceptable.

Although the interviews with bank customers revealed that only half the customers who want to switch banks end up doing so, the conversations showed that certain factors would make customers leave immediately, such as fraud and loss of money. Generally, 50 per cent of the respondents were not sure or would not leave the bank, even if they were dissatisfied with their bank’s conduct, and the other 50 per cent said they would leave. There appears to be a shift of power from the bank to the customer, as more disruptors come to the market and compete with traditional banking services. A survey may indicate that a client is dissatisfied, but the client may not necessarily leave the bank. This will not have an immediate effect on the bank’s bottom line. However, the client might speak negatively about the bank and thereby influence perceptions. Perception indicators therefore need to be considered in the proposal.

Koletar (2010) is convinced that making actionable intelligence out of a multitude of data is challenging, and it may therefore make sense to first think about how conduct-risk measurement could be understood and viewed. Based on the earlier, outcome-based definition of conduct risk, the ideal outcome for the regulator (and all other stakeholders) would be the sale of suitable products to all clients, while simultaneously meeting sales targets. In this situation, the probability of fines or losing major customers as a result of inappropriate conduct would be zero. If, on the contrary, conduct risk was higher than zero, there would be some probability that the bank is paying fines or losing major customers, and this would have a negative impact on the profit and sustainability – ceteris paribus. For example, if conduct risk is at 20 per cent within a bank, the probability that this specific bank is either going to pay a penalty, with major negative press, or lose major customers would be 20 per cent. Multiple indicators (Thomson Reuters, 2017) that should not be changed or adapted too frequently (Koletar, 2010) will influence this probability, and these need to be measured – as suggested by Koletar (2010) and Taylor (2014) – using careful documentation that cannot be forged, and taking recommended tools into consideration (for example, Miles, 2017 and Thomson Reuters, 2017). Of utmost importance is the forensic nature and free-expression style of the survey for employees, as the choice of words is often very telling (Koletar, 2010 and Pitts and Grourk, 2014). The proposal should therefore work with some open-ended questions, where interviewees must give examples, instead of solely working with quantitative scores.

7.2.2 Description of approach overall.

For this research, conduct-risk indicators are grouped into the following three areas: behavioural indicators, organisational/procedural indicators and perception indicators. This is based on the findings of the data collection, the literature review (Fitzsimmons and Atkins, 2017) and the fact that conduct risk is rooted in both behaviour and procedures, while perception can play a major role in conduct risk.

The three areas will have to be weighted to produce a combined conduct-risk measurement score (CORIME) on a scale of 1 to 5, with 1 representing a situation where no conduct risk is evident according to the indicators, and 5 representing a situation where it is at its peak according to the indicators. Weightings could be adjusted, depending on the individual bank or the situation. The score will increase with probability. While, at the overall level, a repeated low score might not be worrying, continuous low scores need to be carefully monitored at the group-indicators’ level, according to Koletar (2010). Koletar warns of tipping points that are difficult to manage successfully as an organisation. This argument could influence the shape of the relationship between conduct-risk scores and probability.

The best-practice proposal is illustrated in Figure 2. Assume, for example, that the following scores were allocated based on the data gathered and the following weightings applied: perception (10 per cent) = 4, organisational/procedural (60 per cent) = 2, behavioural (30 per cent) = 3. The overall rating would be 2.5, so the conduct risk would be measured at just under 20 per cent, lying between “manageable” and “concerning”. This should be a sign for the bank to take action and tackle the different areas of concern. The tipping point could appear at a CORIME score of 3.

A scale of five points was chosen to allow for various degrees of conduct risk, starting with a situation that is perfect, moving to a situation that might still be manageable, and then going to the tipping point, followed by a high alert and then a situation that is disastrous. A score of 3 does not represent an average score, but indicates to the bank that there is a concern. The goal was to create a measurement tool. The action that should be taken for the different levels of conduct risk, once measured, was therefore not explored.

Below is a more detailed description of the group indicators, with Appendix 3 providing a detailed example of how surveys, as one of the tools of measurement, could look. The setup of the surveys incorporates the various findings of the literature review, existing surveys and new interviews. The same scale of 5 was chosen for the surveys to link the results for the different categories to the overall score. The naming of the scale was adjusted slightly: 1 – good, 2 – acceptable, 3 – concerning, 4 – high alert, 5 – disastrous. It will be important to interpret different scores within one category, as they cover different themes (as well as staff/employees/other stakeholders), and to compare the overall scores for the three categories. Tools other than surveys were not considered in this research; while other tools may indicate conduct risk, their focus is not on measuring it. Surveys could be conducted on the phone for clients and other stakeholders, and online with staff members. Surveys should not take longer than 20 minutes. Unfortunately, to gain the insights required, the surveys cannot be shorter. However, banks can work with samples of customers rather than interviewing all customers. Even though individual customers have their own stories to tell, this study found the results of the interviews based on a relatively small sample fairly representative, in that general trends were easy to detect.

7.2.3 Description of three different indicators as part of the approach.

Behavioural indicators: Behavioural indicators need to be categorised according to the behaviour of the organisation and at individual level (Koletar, 2010; Soares, 2013; Miles, 2017). There must be a distinction between real events and attitudes that can be witnessed. These indicators should be surveyed at staff and customer level, differentiated between different levels and departments of staff (not all staff from all departments have the same interest in scoring low on conduct risk, as voiced by Koletar, 2010) and also retail versus private banking customers – based on the interviews conducted. Behaviour would not only encompass ethical conduct in the legal sense but also in a professional, business-conduct sense. Interviews verified that behaviour is understood in this way.

Organisational/procedural indicators: As conduct risk is not a pure people risk, organisational/procedural indicators play a role in gauging the level of conduct risk in a bank’s system. Existing conduct-risk policies and adherence and attitudes towards them should be surveyed at staff level. Customers should be surveyed about whether they are aware of procedures and have witnessed any process breakdowns. Three lines of defense, as recommended by McCormack et al. (2014), must be incorporated at this stage. The survey needs to reveal whether business units, centralised risk function and the internal audit function can manage and mitigate conduct risk from an organisational point of view. Based on the interviews, procedures that ensure safety and deflect fraud are essential to customers. Furthermore, customers believe good administration and good service means good conduct, and vice versa. This suggests that conduct must be tackled from a misselling point of view, as well as a service and administration point of view.

Perception indicators: While the first two indicators might show positive results (and hence low CORIME scores), the perception about conduct might be different, or the other way round. Various stakeholders should be surveyed for their pure perception of the bank’s and its employees’ conduct. Most individuals interviewed believe that a situation is possible where perceptions of a bank are good, but the conduct is unacceptable. The survey would reveal a situation like this if results for the different groups of indicators were compared. Rewards could positively influence customers’ perceptions, according to the interviews conducted with bank customers, and thus, rewards should form part of the survey. Last, interviewees seem to believe that it is possible for a bank to be both ethical and profitable. Whether this was wishful thinking (one of the respondents said: “I have to believe it is possible”) or genuine belief was not investigated. A bank may not agree with this perception, but it is a difficult perception to fight. Banks must display ethical behaviour and be profitable, so as not to lose clients.

8. Conclusion

In attempting to answer the research question and fulfil the research objective, this study proposed a best-practice proposal that takes into consideration where South African banks are at, especially given the uncertainty around the new regulation and the difficulty of measuring a concept like conduct.

The proposal partly overcomes the measurement complexity of the concept by breaking it into three categories (behavioural, organisational/procedural and perception indicators) and then further into specific topics of interest, with a survey for different stakeholders suggested for each category. An overall score is achieved per group of indicators, and this score is weighted and added up to a total conduct-risk measurement score. A higher score represents a higher probability of conduct risk existing in the organisation. The so-called tipping point requires careful consideration, as conduct risk will accelerate from this point onwards. Scores within the three categories must be compared on a continual basis if banks want to address the slightly different concerns that developing market customers may have.

9. Significance and practical implications

This study adds significant knowledge about how to tackle a serious problem that South African banks as an example of developing market banks must confront, given the continuous threat of drastic fines, the call for sustainable business practices and the challenge of financial exclusion. At the same time, the study fills a research gap based on the fact that there is limited information available and that measuring conduct risk as a new phenomenon in bank risk management is challenging but of great importance to many stakeholders. The proposal accomplishes this by developing a best-practice proposal for South African banks to measure conduct risk.

The proposal could have the following practical implications: assist banks to assess their measurement problems in a time of uncertainty around conduct-risk regulation and to prove to the regulator that they are being proactive and leading by example; assist in situations where many customers seem oblivious to conduct risk in the regulatory sense, and are less financially educated than in a developing environment; and provide insight to the newly formed regulator in South Africa (FSCA), and other stakeholders.

10. Recommendations, limitations and further research

This research paves the way for South African banks to measure and mitigate conduct risk, and potentially solve a real-world problem that negatively affects all stakeholders.

It is recommended that South African banks consider the best-practice proposal to conduct-risk measurement as a first point of reference, given the difficulty of measuring this complex concept. It should allow them to formulate an initial idea of what information needs to be collected to gauge the level of conduct risk and will enable them to monitor scores over a certain period, draw necessary conclusions and take action.

The limitations of this study could potentially lie in the researchers having used existing, global surveys for employee data instead of collecting additional, primary data from bank staff in South Africa. This could be solved by using the staff surveys suggested as part of the best-practice proposal to gain a better understanding of local staff issues.

More research is necessary with regard to which steps to take once a conduct-risk measurement score (CORIME) has been calculated, especially in the case of a medium to high score. Furthermore, additional measurement tools could be considered and assessed, apart from stakeholder surveys. This additional research would need to offer suggestions on how to incorporate different assessment tools, and how to deal with a situation where conflicting messages are found from the various instruments.

Further research could also be conducted on how to interpret the data collected in surveys and on what measures to take within the banking organisation once the data are analysed. More specifically, further studies could be undertaken around how to educate customers and staff in such a way that conduct is understood, lived and appreciated daily, while at the same time meeting customers’ concerns around safety and administrative hassles and staying sustainable as a business. Additional measurement tools, like complaint forums and performance management surveys, as suggested by Thomson Reuters (2017), could be examined further.


Grand total of conduct costs for a given period (i.e. costs crystallised during the period, plus provisions as at 31 December of the previous year) and the provision sums for that period

Figure 1.

Grand total of conduct costs for a given period (i.e. costs crystallised during the period, plus provisions as at 31 December of the previous year) and the provision sums for that period

Conduct-risk measurement model

Figure 2.

Conduct-risk measurement model

Interview guide for primary data

Question Comment Type of question
0 What is your age? Age might influence client attitude and expectations Closed
Which financial institution do you bank with? There might be differences across different banks Closed, option to name specific bank under “other”
What is the level of seniority in your job? Seniority might influence client experience and expectations Closed
1 What do you understand by conduct in a banking context? Do clients have any understanding of the new concept? If so, what is it? Open
Can you provide feedback on your banking experience in the past three years, with regard to the conduct of your bank and its employees? Do you feel that the outcome of your interactions was positive? Get as much information as possible about the experience and the personal stories to understand examples of good and bad conduct and how to measure it Open
If your interaction was positive, how would this influence your bank’s (financial) success? Is there a relationship between conduct and financial success? Open
2 If your feedback was negative with regard to conduct, would you switch banks? What happens to the client relationship if conduct is negative? Hence, does conduct really have an influence on switching behaviour with a negative consequence on banks? Closed
If not, why not? Ditto Closed, but option to explain other
How quickly would you leave? Ditto Closed
If there was a tipping point for you in switching banks, what would it be? Ditto Open
How many banking customers frequently plan to switch banks because they do not feel they receive a positive outcome, but in actual fact never do? What do you think? Can you give a number out of 10? Ditto Closed
3 Give two concrete examples of an employee behaviour and/or mishaps of a procedural event that would make you leave your bank as a customer Ditto Open
4 Give two concrete examples of employee behaviour and/or policies you would like to see in your bank for you to feel that you are in good hands How could good conduct be measured? Open
5 Which role do you think perceptions/reputations play in client feedback surveys of banks? For example, is it possible that the perception about a bank is very good, but the actual experience of customers is bad; however because the reputation is good, customers do not complain? Or the other way round? How is measurement of conduct influenced? Do perceptions play a role? If so, this might confirm that measurement of conduct is difficult and hence individuals rely on intuition or perception Open
6 Do you think it is possible for a bank to display acceptable conduct at all times and at the same time be profitable? Is there a relationship between conduct and profit? Closed
Can you motivate your answer? Understand the relationship Open

Appendix 1

Table AI

Appendix 2. Illustrations from primary data

B1: Basic information on respondents

Figure A1

B2: Answers to selected closed questions

Figure A2

B3: What do you understand by conduct in the banking context? Answers grouped into themes

Figure A3

B4: Can you provide feedback on your banking experience in the past three years, with regard to the conduct of your bank and its employees?

Figure A4

B5: Summary of what interviewees understood by good/bad examples of conduct

Figure A5

B6: If there was a tipping point for you in switching banks, what would it be?

Figure A6

Appendix 3: Possible survey for conduct-risk measurement

Figure A7

Figure A8

Figure A9


Alliance for Financial Inclusion (2015), “Consumer empowerment and market conduct (CEMC) working group”, available at: (accessed 28 February 2015).

AON (2007), “Industry update: sustainability – beyond enterprise risk management”, available at: (accessed 2 December 2015).

Attride-Stirling, J. (2001), “Thematic networks: an analytic tool for qualitative research”, Qualitative Research, Vol. 1 No. 3, pp. 385-405.

Barsalou, M.A. (2015), Root Cause Analysis, CRC Press: Taylor and Francis Group, Boca Raton.

BASA (2014), “South African banking sector overview”, available at: (acceessed 9 May 2017).

Blacker, K. and McConnell, P. (2015), People Risk Management – a Practical Approach to Managing the Human Factors That Could Harm Your Business, Kogan Page, London.

CCP Research Foundation (2017), “Conduct costs project report 2017”, available at: (accessed 24 October 2017).

Chibba, M. (2009), “Financial inclusion, poverty reduction and the millennium development goals”, The European Journal of Development Research, Vol. 2009 No. 21, pp. 213-230.

Deutsche Bank (2014), “Sustainable and profitable – not a contradiction”, available at: (accessed 28 February 2018).

Ethics and Compliance Initiative (2016), “Global business ethics survey”, available at: (accessed 28 January 2018).

European Systemic Risk Board [ESRB] (2015), “Report on misconduct risk in the banking sector”, available at: (accessed 4 August 2015).

Ewen, B.R. (2014), An Introduction to Theories of Personality, 7th ed., Taylor and Francis, New York, NY.

Financial Conduct Authority [FCA] (2013), “Final guidance: risks to customers from financial incentives”, available at: (accessed 27 July 2015).

Financial Conduct Authority [FCA] (2015), “2015 Fines”, available at: (accessed 29 March 2015).

Financial Standards Board (2013), “Thematic review on risk governance”, available at (accessed 28 February 2018).

Fitzsimmons, A. and Atkins, D. (2017), Rethinking Reputational Risk: How to Manage the Risks That Can Ruin Your Business, Your Reputation and You, Kogan Page, London.

Galamadien, P.A. (2011), “Sustainability and triple bottom line reporting in the banking industry”, Unpublished MBA Dissertation, North-West University, available at: (accessed 23 March 2016).

Goddard, W. and Melville, S. (2001), Research Methodology, Lansdowne, Juta.

Green, P.E.J. (2015), Enterprise Risk Management, Butterworth-Heinemann, Oxford.

Hargarter, A. and van Vuuren, G. (2017), “Assembly of a conduct-risk regulatory model for developing market banks”, South African Journal of Economic and Management Sciences, Vol. 20 No. 1, pp. 1-11.

Hassani, B. (2016a), “Bringing the customer back to the foreground: the end of conduct risk?”, Documents de travail du Centre d’Economie de la Sorbonne 2016.67 - ISSN: 1955-611X. 2016, available at: (accessed 20 June 2017).

Hassani, B. (2016b), Scenario Analysis in Risk Management: Theory and Practice in Finance, Springer, Berlin.

Kahnemann, D. (2003), “Maps of bounded rationality: psychology for behavioral economics”, The American Economic Review, Vol. 93 No. 5, pp. 1449-1475.

Kahnemann, D. (2011), Thinking Fast and Slow, Farrar, Straus and Giroux, New York, NY.

Klapper, L., Lusardi, A. and Van Oudheusden, P. (2015), “Financial literacy around the world. standard and poor’s ratings services global financial literacy survey”, available at: (accessed 15 January 2018).

Koletar, J.W. (2010), Rethinking Risk: How Companies Sabotage Themselves and What They Must Do, AMACOM, New York, NY.

McCormack, P., Sheen, A. and Umande, P. (2014), “Managing operational risk: moving towards the advanced measurement approach”, Journal of Risk Management in Financial Institutions, Vol. 7 No. 3, pp. 239-256.

McKinsey (2013), “The search for a sustainable banking model”, available at: (accessed 11 July 2014).

Miles, R. (2017), Conduct Risk Management, Kogan Page, London.

National Treasury (2018), Private Communication, South Africa.

Oliver Wyman (2014), “Conduct risk management in the asia pacific region”, available at: (accessed 9 February 2018).

Parliamentary Monitoring Group (2017), “Financial sector regulation bill”, available at: (accessed 30 August 2017).

PfIug, G.C. and Römisch, W. (2007), Modelling, Measuring and Managing Risk, World Scientific Publishing Company, Singapore.

Pitts, G. and Grourk, T. (2014), “Chasing shadows? The FCA and the measurement of ‘culture’”, Journal of Securities Operations and Custody, Vol. 7 No. 2, pp. 128-138.

Raj, B. and Sindhu, (2013), “Managing non-financial risks: business and growth”, SCMS Journal of Indian Management, Vol. 10 No. 4, pp. 63-74.

Saunders, M.N.K., Lewis, P. and Thornhill, A. (2015), Research Methods for Business Students, 7th ed., Pearson, Harlow.

Schaltegger, S. and Wagner, M. (eds.). (2006), Managing the Business Case of Sustainability, Greenleaf, Sheffield.

Soares, C. (2003), “Corporate versus individual moral responsibility”, Journal of Business Ethics, Vol. 46 No. 2, pp. 143-150.

South African Reserve Bank [SARB] (2014), “The South African reserve bank imposes administrative sanctions on banks”, available at: (accessed 18 December 2017).

South African Reserve Bank [SARB] (2015), “Administrative sanctions imposed on deutsche bank AG johannesburg branch and capitec bank limited”, available at: (accessed 18 December 2017).

South African Reserve Bank [SARB] (2016a), “South African reserve bank imposes administrative sanctions on two banks”, available at: (accessed 18 December 2017).

South African Reserve Bank [SARB] (2016b), “South African reserve bank imposes administrative sanctions on banks”, available at: (accessed 18 December 2017).

South African Reserve Bank [SARB] (2017), “South African reserve bank imposes administrative sanctions on VBS mutual bank”, available at: (accessed 18 December 2017).

Taylor, L. (2014), Practical Enterprise Risk Management: how to Optimize Business Strategies through Managed Risk Taking, Kogan Page, London.

The Organisation for Economic Co-operation and Development [OECD] (2011), “G20 high-level principles on financial consumer protection”, available at: (accessed 25 February 2015).

The Organisation for Economic Co-operation and Development [OECD] (2013), “Update report on the work to support the implementation of the G20 high-level principles on financial consumer protection”, available at: (accessed 25 February 2015).

The Organisation for Economic Co-operation and Development [UNEP] (2015), “UNEP environmental, social and economic sustainability framework”, available at: (accessed 4 December 2015).

Thomson Reuters (2017), “Culture and conduct risk 2017”, available at: (accessed 20 June 2017).

World Economic Forum (2017), “Global competitiveness report 2017/18”, available at: (accessed 15 January 2018).

Corresponding author

Antje Hargarter can be contacted at:

About the authors

Antje Hargarter is the Dean of the School of Investment and Banking at Milpark Education, one of the private higher education providers in South Africa. She holds a Master of Science in Management from the University of Mainz (Germany), as well as a Master of Business Administration from the Graduate School of Business at the University of Cape Town (South Africa). Antje will a graduate with a PhD in Risk Management from North West University (South Africa) in October this year (2018). She gained over 10 years’ practical experience in banking, asset management and financial training in Europe and South Africa before she joined Milpark Education in 2009.

Gary van Vuuren is an Extraordinary Professor at the Faculty of Economics and Management Sciences at North-West University (South Africa). He holds a PhD in Risk Management and a PhD in Nuclear Physics, as well as Masters degree in Astrophysics and Market Risk Management. Gary has held various senior positions in the financial services industry in Europe and South Africa and specialises in model validation and quantitative analysis. He is also a valued Guest Lecturer and postgraduate supervisor at various universities in Europe and South Africa.