In 2020, Wells Fargo faced a class-action lawsuit alleging racial discrimination in its mortgage lending practices. Filed in the Northern District of California, the lawsuit claimed the bank approved more white applicants for mortgage loans compared to Black applicants, even when applicants had comparable qualifications and credit scores. Additionally, Black customers were reportedly given higher average interest rates than white customers, despite similar credit profiles. This led to significant public backlash, regulatory inquiries, and reputational damage for the bank.
The consequences went beyond monetary loss and became a prime example of "people risk"—the risk that arises when a business fails to consider the impact of human behaviour, decision-making, and corporate culture on its overall stability and reputation. In the financial services sector, where trust and credibility are paramount, this risk has profound implications.
The FCA's CP23/20 emphasises the importance of integrating diversity and inclusion (D&I) into governance structures, reinforcing that organisational culture risk is no longer a secondary consideration but a core component of risk management. This article explores how financial firms can manage people risk, the associated challenges, and the regulatory expectations under CP23/20.
What is People Risk?
People risk, recognised by risk professionals as a critical business consideration, refers to the potential for human behaviour, attitudes, and organisational culture to undermine an organisation's objectives, reputation, or financial stability. This risk encompasses everything from unconscious bias and discriminatory practices to broader issues within workplace culture, such as the potential for groupthink or non-inclusive environments.
This risk category encompasses:
Behavioural Risks: Actions that may contravene company values or codes of conduct.
Cultural Risks: Norms and practices that tolerate or perpetuate non-inclusive behaviours, discrimination, or other forms of misconduct.
Decision-Making Risks: Flawed decision-making, often stemming from "groupthink" or lack of diverse perspectives, leading to poor strategic outcomes.
In financial services, this risk is particularly critical as firms rely heavily on their employees to uphold regulatory standards, ethical practices, and sound decision-making.
Why is it particularly relevant for financial institutions?
Financial services rely heavily on public trust and credibility. Customers, investors, and regulators expect these institutions to operate ethically and inclusively. A misstep in handling diversity and inclusion—or worse, instances of discrimination or non-financial misconduct—can lead to reputational damage, loss of customer confidence, and even regulatory scrutiny.
In this environment, the way people behave and interact directly impacts the institution's ability to maintain trust. This risk, therefore, is not merely an HR or compliance issue but a core business risk that affects the organisation’s reputation, customer loyalty, and ultimately, its financial performance.
The Wells Fargo incident underscores the concept of people risk, specifically cultural and behavioural risk: the risk arising from the behaviours, practices, and cultural attitudes within an organisation. For financial institutions, these risks can directly affect customer trust, lead to potential financial losses, and invite regulatory scrutiny, as seen with Wells Fargo. The incident illustrates that D&I failings and discriminatory practices aren’t just ethical issues but core business risks that demand proactive management.
The Impact of People Risk in Financial Services
Financial institutions depend on public confidence, and failure to address D&I within the workplace can severely impact customer trust, investor relations, and regulatory standing. Neglecting D&I and cultural inclusivity can also lead to negative impacts on employee health, increased turnover, and decreased morale, all of which exacerbate people-related risks and hinder an organisation’s long-term stability.
For instance, if a bank faces accusations of discrimination or cultural exclusion, it could experience:
Reputational Damage: Public outrage, negative media coverage, and potential loss of business.
Financial Consequences: Drop in share price, increased costs for compliance and training, or potential fines.
Regulatory Scrutiny: Intensified oversight, especially considering the FCA’s growing focus on D&I.
The Wells Fargo incident serves as a reminder that people risk is not just theoretical but can lead to tangible financial and reputational damage.
How People Risk Manifests in Financial Institutions
People risk can arise in numerous ways within financial firms:
Lack of Diversity and Inclusion: Homogeneous teams are more susceptible to "groupthink," where perspectives remain narrow and potentially discriminatory behaviours or biases go unchecked.
Non-Financial Misconduct: Issues like discrimination, harassment, or exclusionary practices that not only harm individuals but may also violate regulatory standards. The FCA considers non-financial misconduct an indicator of deeper cultural problems.
Insufficient Training: When employees lack adequate training on unconscious bias and D&I, they may make decisions that risk alienating customers, partners, or colleagues.
Cultural Silos: A lack of integration across different departments or teams may lead to a limited understanding of diversity’s value and its role in risk management.
Key people in the organisation, especially those in leadership positions, play a vital role in fostering an inclusive culture that mitigates people risk by demonstrating respect, transparency, and accountability.
These factors can create a toxic culture where employees do not feel valued or included, directly impacting business performance and increasing the likelihood of regulatory intervention.
How People Risk Differs from Operational Risk
While people and operational risks are closely related, they address different facets of an organisation’s vulnerability. Operational risk generally refers to risks arising from failed internal processes, systems, or external events that disrupt an organisation’s functioning. Examples include process errors, system failures, or external disruptions such as natural disasters.
People risk, on the other hand, focuses specifically on the human elements within the organisation—such as behaviours, cultural alignment, decision-making, and ethical conduct. These factors are often shaped by an organisation’s culture and leadership, making them distinct from the more technical or procedural failures covered under operational risk.
For example, a data breach may be categorised as an operational risk if it results from a system vulnerability. However, if the breach occurs due to an employee’s deliberate misconduct or negligence, it also becomes a people issue, reflecting on the organisation’s culture, ethics, and oversight.
This distinction is essential for financial institutions, where people risk can amplify operational challenges, especially under regulatory frameworks like the FCA’s CP23/20, which emphasises governance and cultural alignment in risk management. Effective management of people risk not only addresses behaviours that could impact operations but also fosters an inclusive and ethical culture, reducing the likelihood of non-financial misconduct and reputational harm.
FCA’s Focus on D&I and Governance Under CP23/20
The FCA’s CP23/20 consultation paper emphasises the integration of D&I into governance frameworks. It identifies non-financial misconduct, including issues of exclusion or bias, as serious governance failings that firms must address.
According to CP23/20, regulated firms are expected to:
Foster Inclusive Cultures: Demonstrate active efforts to promote D&I at all organisational levels.
Hold Senior Managers Accountable: Make senior leaders responsible for implementing inclusive policies and mitigating risks arising from their workforce.
Embed D&I in Risk Management: Integrate D&I objectives into governance and reporting structures, recognising D&I as a business risk that requires regular monitoring and assessment.
This regulatory emphasis positions people risk as a crucial element of a firm’s overall risk framework, making it necessary for financial firms to manage it as rigorously as any other operational or financial risk.
Strategies to Mitigate People Risk
The pillars of people risk include diversity and inclusion, leadership accountability, and ethical governance—each crucial for fostering a culture of openness, respect, and regulatory compliance.
Mitigating this risk requires a multi-pronged approach that prioritises embedding diversity and inclusion (D&I) into the organisational culture, governance, and risk management practices. D&I plays a critical role in managing this risk by fostering inclusivity, promoting fair practices, and aligning with FCA CP23/20’s regulatory requirements.
Leadership Accountability
Senior leaders must champion D&I initiatives and hold themselves accountable for their success. Leadership accountability includes setting measurable D&I goals, integrating these into performance evaluations, and actively modelling inclusive behaviours. Leaders should understand that their commitment to D&I is essential in mitigating people risk, as it reinforces an organisational culture of fairness and respect.
Inclusive Governance Structures
Establishing governance frameworks that support D&I is critical for managing risks arising from the workforce. Inclusive governance structures demonstrate that D&I is embedded in the organisation’s DNA and aligns with the FCA’s CP23/20 framework. This can be achieved by:
Creating a dedicated D&I committee.
Setting diversity targets for board and senior management positions.
Ensuring policies and practices are fair, equitable, and transparent, reducing the likelihood of regulatory issues or reputational harm.
To address HR risk effectively, organisations should ensure that human resources practices align with D&I policies, fair hiring practices, and anti-discrimination standards as part of their broader people strategy.
Continuous Training and Education
To create a culture that actively mitigates people risk, organisations should implement regular, comprehensive training programs. These should cover:
Unconscious bias and cultural competency.
D&I principles and their impact on decision-making, with a focus on preventing groupthink and promoting inclusivity.
Regulatory requirements under CP23/20 and other relevant guidelines, ensuring that staff are well-informed of D&I’s regulatory importance.
Risk Assessment and Monitoring
Embedding people risk into the broader risk assessment framework is crucial. This includes regular reporting on metrics such as turnover rates, diversity representation, and D&I training completion. Firms should develop KPIs to track D&I progress and disclose these metrics to stakeholders, enhancing transparency and aligning with FCA expectations. Regular monitoring helps identify people-related risk factors early, allowing organisations to take proactive steps to mitigate them.
Fostering a Culture of Openness and Respect
A strong D&I culture requires policies that promote openness, respect, and mutual understanding. Establishing safe, anonymous channels for reporting issues related to non-financial misconduct (e.g., discrimination, exclusionary practices) is essential. Implementing a robust whistleblowing policy can ensure that employees feel secure in reporting incidents without fear of reprisal. Transparent procedures for addressing these complaints reinforce a fair, inclusive culture and demonstrate a proactive approach to mitigating people risk.
Moreover, ensuring robust human resource health and benefit practices, along with strong health and safety standards, is fundamental to people risk management.
Implementing Accountability Mechanisms
To ensure a sustained commitment to D&I, firms should introduce accountability mechanisms, such as:
Regular audits of D&I practices to assess and address gaps.
Transparent reporting of diversity metrics and people risk factors.
Quarterly reviews with senior leaders to evaluate progress on D&I initiatives and ensure alignment with risk management objectives.
Leveraging Diversity for Strategic Advantage
D&I should be viewed as a strategic business asset that goes beyond risk mitigation. By cultivating diverse, inclusive teams, organisations not only reduce people-related risks but also enhance decision-making quality, foster innovation, and improve resilience. Embracing D&I as a core element of governance can be a differentiator in attracting talent and customers, reinforcing the organisation’s competitive position.
Conclusion
People risk, often overlooked in traditional risk frameworks, has become a critical business risk, especially under the FCA’s CP23/20. Financial institutions that fail to recognise the importance of D&I in mitigating risks arising from their workforce not only risk financial losses but also face potential reputational damage, regulatory scrutiny, and loss of public trust.
By proactively addressing people-related risks, financial firms can foster an inclusive culture, drive innovation, and enhance governance frameworks. In an increasingly competitive and socially conscious environment, a firm’s approach to people risk can serve as a competitive advantage, signalling to customers, investors, and regulators that the firm is committed to building a sustainable, ethical, and resilient business.
FAQs
What is people risk, and why is it important?
It refers to the potential for human behaviours, attitudes, and cultural factors within an organisation to undermine its objectives, reputation, or financial stability. In financial services, where trust and credibility are paramount, people risk is critical because it can directly impact customer confidence, regulatory compliance, and financial performance.
How does people risk differ from operational risk?
Operational risk generally focuses on risks from failed processes, systems, or external events, while people risk centres on human factors such as behaviour, culture, and decision-making. For example, non-financial misconduct or a lack of D&I in decision-making processes would fall under people risk, whereas a system failure due to a technical glitch is operational risk.
Why is this risk particularly relevant for financial institutions?
Financial institutions rely heavily on public trust and face high regulatory scrutiny. People risk, especially around D&I and non-financial misconduct, can lead to reputational damage, regulatory penalties, and loss of customer confidence. Addressing people risk is essential for maintaining strong governance and aligning with FCA requirements under CP23/20.
How can diversity and inclusion (D&I) mitigate this risk?
D&I reduces this risk by fostering a culture of inclusivity, minimising groupthink, and enhancing decision-making through diverse perspectives. An inclusive environment also helps attract talent, improves team cohesion, and aligns with FCA guidelines on non-financial misconduct, making it a key factor in effective people management.
What role does a whistleblowing policy play in managing this risk?
A whistleblowing policy allows employees to report unethical behaviours, discrimination, or non-financial misconduct anonymously, supporting a culture of transparency and accountability. By offering safe reporting channels, firms can address issues early, reducing the potential for reputational harm and regulatory scrutiny.
What are the consequences of failing to manage this risk?
Failing to manage people risk can lead to public backlash, loss of customer trust, regulatory penalties, increased employee turnover, and even financial losses. For example, incidents of discrimination or exclusion can damage a firm's reputation and lead to significant compliance costs and legal repercussions.
How does the FCA’s CP23/20 impact people risk management?
The FCA’s CP23/20 mandates that firms integrate D&I into governance structures and treat non-financial misconduct as a significant governance issue. By embedding D&I objectives and tracking relevant metrics, financial institutions can align with regulatory expectations and better manage their workforce.
What strategies can financial institutions use to mitigate people risk?
Key strategies include implementing robust D&I initiatives, setting up inclusive governance frameworks, conducting regular training on unconscious bias, maintaining a whistleblowing policy, and holding leaders accountable for D&I goals. Regular monitoring and transparent reporting of diversity metrics are also essential.
What metrics should be tracked to monitor this risk effectively?
Important metrics include employee turnover rates, diversity representation, D&I training completion, frequency of non-financial misconduct reports, and whistleblowing incidents. Tracking these metrics allows organisations to identify trends, address issues proactively, and demonstrate regulatory compliance.
How does people risk impact an organisation’s reputation?
It can significantly impact a firm’s reputation if issues such as discrimination or misconduct become public. Reputational damage can lead to customer attrition, negative media coverage, and investor concerns, making proactive management of this risk critical to business success.