Internal auditors play a crucial role in any bank – in fact, it's fundamentally important to assess whether the risk and control infrastructure functions properly. In an industry which has been through so much change and is evolving faster than ever through technological developments, it's also a position that requires increasing flexibility and adaptability.

Most recently, because of enhanced scrutiny from the Financial Conduct Authority (FCA), retail banks' internal auditors have seen another area come into their purview: conduct risk.

First, a quick definition: conduct risk, in its most basic sense, focusses on the steps a bank, or any organisation regulated by the FCA, takes to ensure the right products are sold to the right people and that these provide value for money, i.e. customers are only sold products from which they'll actually derive some benefit. A high-profile example of this going wrong would be PPI mis-selling.

As with any type of risk, the risk should be owned by the business, with risk and compliance functions providing oversight. However, since the financial crisis the FCA has increased its focus on the internal audit function, looking at how it exercises its responsibilities in ensuring a firm delivers fair customer outcomes.

This may represent a point of departure for many internal auditors, requiring them to think beyond a traditional linear approach. They will need to demonstrate clearly that they have considered conduct risk issues and to assess events in a multifaceted way.

Take a computer systems failure, for example. It's tempting to think of this as solely being a challenge for IT, but it has implications for customers too. It might prevent them from accessing their accounts at a critical time – giving it clear relevance to conduct risk.

Bringing conduct risk under the internal audit umbrella can add colour to the areas under review by its practitioners. To make sure they are capturing that on their already complex tableau, there are three questions internal audit teams should reflect upon:

1. Do you understand what conduct risk means for your business?

Many organisations will know what conduct risk means, but won't have thought specifically about what it entails for their business. It won't be the same for every company; sometimes it can be incredibly subjective. You need to know who is responsible within your organisation for managing conduct risk and ensure the internal audit team understands how it manifests itself within the firm. Consider what the firm's appetite is for conduct risk, and what impact that has on your overall audit plan and strategy. You'll also need to think strategically about how you can provide appropriate and proportionate assurance around conduct risks.

2. How do you want to tackle it?

There are several ways you can tackle conduct risk. Each organisation will need to think about the best way they can do this – it might mean including specific conduct risk assessments in audits or conducting more focussed reviews to identify specific customer-centric issues. Think about how you're going to make sure the appropriate risks are covered off and how you can demonstrate to the Audit Committee, and possibly the FCA, that you've thought about conduct risk within reviews. A good way of making sure you've got all bases covered is to create a "conduct" step at planning stages.

3. Do you have the right skills in the business?

I mentioned above that traditionally conduct risk hasn't been something the audit function would have examined. In some instances, that could mean there's a lack of necessary expertise or skills. To tackle this, we're seeing a lot of organisations bring in dedicated conduct risk specialists to help with audits. But there are other options too, such as providing appropriate training to staff.

Ultimately, you need to consider whether you have the right tools at hand to undertake a conduct risk review and make the correct decisions. There's no one-size-fits-all approach, so think about your organisation and how conduct risk fits into how it operates.
