Proposals from the UK financial regulators aimed at improving diversity and inclusion (D&I) in the UK financial services sector include an explicit expectation for all
in-scope firms to consider a lack of D&I as a non-financial risk. The regulators consider a lack of D&I can expose firms to various operational, strategic, reputational and regulatory risks, and impair their ability to attract and retain talent, customers and investors. Therefore, the regulators expect the second and third lines of defence to assist firms in monitoring progress on D&I, and ensuring the associated risks of poor D&I are effectively managed. This is a change from the position set out in the regulators’
2021 consultation, which only looked at the role of internal audit.
The role of control functions in addressing D&I as a non-financial risk
While many firms already have initiatives in place to enhance D&I, the proposals from the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) bring a clear expectation that D&I should be integrated into the risk management frameworks and processes of firms, and that control functions should play a key role in overseeing and challenging the D&I performance and culture. This may require some adjustments and enhancements in the way that the second and third lines of defence approach D&I as a non-financial risk.
Risk and Compliance functions
Risk and Compliance functions will be expected to support the Board and senior management in managing D&I risk, both by assessing the operational effectiveness of the D&I strategy and compliance with the new regulatory requirements, and also by ensuring that D&I risk is managed alongside other non-financial risks in the risk framework. A key responsibility for the second line will be reporting on the outcomes of any risk assessments and monitoring activity, which will be crucial in supporting the Board and senior management’s risk oversight of D&I.
Some of the challenges and considerations for the second line of defence include:
- Embedding consideration of D&I risk into the risk management framework. As owners of the risk management framework, second line will need to ensure that D&I is explicitly built into the risk taxonomy for non-financial risk, establishing a consistent approach to defining, identifying and measuring risks related to poor D&I. As part of the firm’s risk activities, risk teams should ensure that relevant quantitative and qualitative D&I factors are assessed, such as the composition of the workforce across key diversity attributes, and culture and behaviours within the organisation. The effectiveness of relevant policies, procedures and controls will need to be considered as part of risk oversight activity. This may be challenging given the complexity and cross-cutting nature of D&I and the need for alignment with other non-financial risks (avoiding overlap or double counting), as well as potential limitations in the available data and information.
- Monitoring and reporting. Having defined the risk and embedded it into the risk framework, second line will need to consider appropriate risk metrics to monitor the position. Reporting to senior management and the Board on the firm’s progress with respect to D&I might incorporate information on leading and lagging indicators, such as diversity data, employee surveys, exit interviews and incident reports. For sustainable change, it is important that reporting goes beyond the organisation’s employee composition, and assesses factors such as career advancement and promotion levels across diverse talent, as well as whether the culture is perceived as inclusive by employees. The reporting should support assessment of whether the D&I strategy is achieving its intended outcomes, and identification of any adjustments or change in priorities needed.
- Providing challenge to senior management. Given the potential for resistance or inertia towards prioritising D&I as a non-financial risk, the second line should play a key role in supporting senior management in assessing the adequacy and effectiveness of the D&I strategy, governance, risk management and controls, such as providing challenge where appropriate and identifying any required remediation areas.
Internal Audit
Internal Audit functions will need to provide objective and independent assurance to the Board and senior management on the effectiveness of the management of D&I as a non-financial risk, and the alignment of the D&I strategy and culture with the firm's values, objectives and expectations. The third line should also identify and report on any gaps, weaknesses or issues in the firm’s approach to D&I, and follow up on any remediation items.
Some of the challenges and considerations for the third line of defence include:
- Independent assurance on D&I. Internal Audit has a key role to play in assessing the operational effectiveness of efforts to improve D&I and compliance with the new regulatory requirements. Internal Audit functions will need to consider how to ensure coverage of D&I in the audit plan which might include assessment of the D&I strategy, controls, and any specific D&I initiatives, such as efforts to strengthen diverse pipelines for progression.
- Quality of D&I data. Internal Audit might also have a role to play in providing assurance on the quality of D&I data being gathered and reported in line with the new requirements, including any barriers to achieving a complete and accurate set of data, which may include how willing employees are to speak up.
- Applying a D&I lens to wider business audits. The audit of business areas and processes should be approached with a D&I lens, including strategy, governance, customer service, product design, performance management, and culture and conduct. This will give insights into the embeddedness of D&I across the organisation and help identify any areas of the business which require improvement or focus. Many audit functions already look at culture and conduct as themes across their audit activities; D&I considerations could now be approached in a similar way.
- Stakeholder engagement. Given its position as the third line of defence, Internal Audit can provide objective feedback and insights to leadership, the wider business, and control functions, to ensure the momentum and progress on D&I is sustained and any areas of improvement required are addressed in line with expectations.
The regulators have emphasised that D&I is not a tick-box exercise, but a strategic and operational priority that requires ongoing commitment, engagement, and accountability from all levels and functions of the firm, including the board. Whilst D&I is not a straight-forward risk to assess or manage, there is also an opportunity for control functions to consider the adoption of new tools and approaches, which can add significant value to the firm’s D&I agenda and help achieve sustainable change.