The Columbia Enterprise Risk Management (ERM) program hosted a panel discussion on the evolving landscape of conduct risk, particularly in regard to digitalization and a shifting regulatory climate.
Moderated by ERM Part-Time Lecturer Penny Cagan, the panel featured seasoned professionals in operational and conduct risk: consultant and former regulator Tom Balogh; Aarona Chou, managing director at Citi; and Karina Volvovsky, senior vice president at City National Bank.
Defining Conduct Risk
The discussion opened with a foundational question: What is conduct risk?
Balogh offered the classic regulatory definition: “behavior by a firm or its employees that is unethical, illegal, or contrary to stakeholder interests.” He emphasized that conduct risk encompasses both deliberate and unintentional actions and stems from both firm-level senior management decisions and individual behaviors.
Chou expanded on this by focusing on adverse client outcomes and threats to market integrity. She highlighted the importance of intentional misconduct and systemic issues, such as poor training or unclear responsibilities. Volvovsky added that conduct risk also includes omissions; failing to act or implement the necessary frameworks can be just as damaging as active wrongdoing.
Causes and Drivers of Conduct Risk
A central theme was how conduct risk often arises from conflicts of interest and flawed incentive structures. Balogh emphasized that people are inclined to do what benefits them, so governance must minimize those conflicts. Chou noted that firms must align incentives with ethical behavior, such as “levelizing” compensation structures to discourage biased product recommendations.
The panel also emphasized the need for “tone from the top.” Leaders must model the correct values and align compensation and strategy accordingly. However, Balogh introduced a nuanced concept: “tone from the middle” and “tone from within.” Middle managers must reinforce ethical norms and empower their reports to do the right thing even when it’s hard. Their compensation structures must be designed to incentivize them to do the right thing.
Monitoring and Managing Conduct Risk
The panel discussed how organizations can monitor conduct through policy breaches, client complaints, litigation, whistleblower reports, and employee surveys. Chou explained that patterns such as repeat violations in one team can signal cultural problems and may require investigation to see whether similar issues reside elsewhere.
The challenge lies in measuring what is often a behavioral and cultural risk. Volvovsky warned against relying only on financial incentives and highlighted the subtle but powerful influence of gifts and entertainment, areas that are often poorly enforced.
All panelists stressed the importance of root cause analysis when incidents occur. Chou advocated using tools like the “5 Whys” to investigate whether the issue stems from culture, structure, training, or controls. She cautioned against the “bad apple” narrative, pointing instead to structural failures that may enable repeated misconduct.
The Risks of New Technology and Regulatory Environments
Technology emerged as both a risk and a tool. Balogh noted that digitalization can amplify conduct risk through complexity, AI bias, and weak oversight but also offers solutions through improved surveillance, whistleblower protections, and traceability. Volvovsky championed behavioral monitoring and AI-driven compliance tools as key to detecting and preventing misconduct.
The panel acknowledged a shift in the U.S. and UK regulatory environments, with regulators pulling back from some oversight responsibilities, such as the OCC’s move away from reputational risk exams. While this could reduce compliance burdens, it also raises concerns. Balogh and Volvovsky emphasized that companies must maintain strong conduct frameworks without regulatory pressure because clients, reputations, and long-term value are at stake.
Looking to the Future
In the final section of the day, the panelists discussed the future of conduct risk management. Volvovsky hoped that conduct would become embedded in all roles, not just risk functions. Balogh noted that fewer regulatory rules can mean more freedom for risk managers to promote ethical behavior rather than just compliance. Chou closed by reminding the audience that culture and values must outlast regulatory trends or the industry could risk repeating past crises.
The panel underscored that conduct risk is more than policy violations. It’s about culture, incentives, oversight, and individual responsibility. As firms face rapid technological change and uncertain regulatory shifts, building ethical cultures and proactive controls is more critical than ever.
About the Program
The Master of Science in Enterprise Risk Management (ERM) program at Columbia University prepares graduates to inform better risk-reward decisions by providing a complete, robust, and integrated picture of both upside and downside volatility across an entire enterprise. For both the full-time and part-time options, students may take all their courses on Columbia’s New York City campus or choose the synchronous online class experience.