In this episode, guest host Andrew Strange is joined by Stephen Pegge, Managing Director at UK Finance, and Katy Bennett, a Director leading PwC’s Diversity, Equity and Inclusion consulting business, to explore how the financial services sector is embracing diversity and inclusion (D&I).
Our expert guests reflect on the enhanced regulatory focus on D&I in the sector, and discuss the challenges facing firms in meeting the proposed new regulations. Our guests also share insights on the steps firms are taking to drive positive change within the industry, including through data gathering and enhanced governance and accountability, and consider what a supervisory regime could look like.
Andrew Strange: Hello everyone, welcome to the latest episode of Risk & Regulation Rundown, the podcast where we share our views and insights on hot topics in financial services risk and regulation. I'm Andrew Strange and I'm standing in as your host for the second month running, lucky people. This episode I'm delighted, though, that we're going to be talking about diversity and inclusion. I'm really pleased to welcome our two expert guests, we have Stephen Pegge, Managing Director of UK Finance, the representative body for the banking and finance industry and Katy Bennett, a Director in PwC's diversity, equity and inclusion consulting business, welcome to the podcast. Now, we know that D&I's been rising up the firms' and regulators' agendas for a number of years and that journey is now entering a new phase with both the PRA and FCA consulting on their proposals for a new regulatory framework for financial services firms back in September. These are wide ranging proposals which will mean a significant change for firms. Before we get into the detail of the changes and what they mean, Katy, can you start by giving some context in terms of where the industry is currently on D&I, and what progress have you seen over the last few years and where are some of the gaps which perhaps have prompted regulators to believe further action is needed?
Katy Bennett: Yes, of course. I think it's fair to say that the industry has been on a journey around D&I for some time. There have absolutely been improvements and there are some examples of firms really doing a huge amount of work to try and improve diversity and inclusion in the industry, recognising there are a lot of external challenges and contexts within that. I think where there are still challenges and really where the regulation tries to get to the heart of, is to say, 'Actually, first of all, we don't have the data to know how well we're doing.' There's no data out there beyond on sex or gender that contextualises diversity right now, and without that data it's really hard to know what progress has been made but also where more progress can be made.
Andrew: Stephen, does that fit with your members' experience and what's your take on why the regulators feel these changes are needed?
Stephen Pegge: Well, a first thing to recognise is that this isn't entirely new ground for regulation, we already have some requirements around board gender representation and culture of firms is clearly of interest to regulators. But the proposals do formalise certain existing standard and expectations, and I think having the data that Katy talked about gives us an opportunity to benchmark, see what good looks like and will hopefully build and support further progress for the industry. I think the rationale that the regulators have emphasised is that it helps to have diverse representation and leadership for good governance and cultures, it can reduce group think, you can get better decisions and ultimately, of course, you're fishing in a wider pool for skills and talent.
Andrew: Yes, absolutely agree and I think I can reflect on that even in my own team here at PwC actually, that diversity of thought is really important. And what's been the initial reaction to the proposals from the industry? Stephen, what are your members saying to you about this?
Stephen: Well, I think in broad terms they support the principles and they welcome the involvement, you know, there could be some real benefits that come out of it. At the moment, reporting where it does exist, not necessarily in a format which is comparable, so it's quite difficult to see where you sit compared with others and indeed the progress that's being made is probably not as consistent across the industry as it might be. But members have certainly asked a lot of questions, so they're thinking about the practicalities. I mean the great thing is there's huge engagement, so most of our members have put their hands up and had representatives come along to a whole series of workshops which PwC have done a fantastic job in working with us to facilitate. But those impacts are going to be different for different cohorts of firms. So for international firms there are question marks over how this fits with their group structures and business models, boards etc., for smaller firms there is a degree of proportionality that's been built into it but many questions to work through.
Andrew: That's great. And even from my own trade body background I know sometimes getting engagement on things can be challenging, and with the current regulatory agenda and so much going on it's heartening to hear that so many of your members are so over-enamoured with PwC's support on this, so great. So Katy, I mean, in terms of the biggest challenges and where firms should start, Stephen referenced data is going to be a big area of focus and getting the right data as a prerequisite for many of the other proposals, such as targets, how should firms go about approaching that?
Katy: Yes, I think you're right that data is really at the heart of this regulation and without that data it is going to be very challenging to even begin preparing for compliance. So, a message is absolutely around, 'Well, start with something.' Collecting diversity data is complicated, you do need to think about data privacy law, employment law, law of systems if you have them, how are you actually going to collect and protect this data? So those practical questions do need to be thought about, but once you've got over those hurdles it's really around thinking about how you engage with employees, this is also a trust exercise, how do you get people to share what may be very personal data, may be very private data they've never shared before. That communications piece is really critical because the regulator's been clear that they expect response rates to be good, that if they are not that, actually they'll be asking, 'Well, could this be an indicator of a culture issue?' What is being done to improve response rates, to improve data quality so that you can really drive insight, drive change and action through your D&I strategy?'
Andrew: I have to say, reflecting again on my experience at PwC where I had a D&I role some years previously, getting some of that data on issues is really challenging. So I think about sexuality, for example, I was quite happy to tick the box on that but, at the same time, there were a lot of people out there for a variety of reasons who weren't so comfortable with it.
Katy: Yes, absolutely. And Stephen mentioned international firms and I think that can be even more challenging. There are many territories in the world where it's not legal to ask these questions, where asking them could be incredibly culturally sensitive, how do you manage as a global organisation? How do you make sure your UK employees feel safe that that data will not be shared in other territories?
Andrew: Agreed. So, Stephen, it's really easy, any other reflections from you?
Stephen: Well, many firms do collect some of this data already, and if you've been at it for a while and that trust has been built and the understanding of what's being done with it makes people comfortable, then it's easier. But there's no question there are many more fields of data that are going to be required now, just in demographic characteristics between the mandatory and the voluntary there are eleven different ones and I'm not sure there are any firms that are currently collecting quite that many. We've all heard stories about cyberattacks where data has been lost, some of this data is going to be attached to employment records, and whilst it wont' be reported in a way where people can be identified, nevertheless, people are going to have to be confident as to how it's going to be held and then understand and support the way in which it's going to be used. As well as demographic data, the other thing, and I think this is a positive thing that's been proposed, the regulators are keen to see that inclusion, and attitudes and experience are captured too. Because raw statistics are one thing, but actually how people feel in their workplace is another one. And again, there is information that's being collected at the moment, but it may not be quite in the right format. So, one of things that members have been juggling with is how does that fit? How can be make sure that this doesn't interfere too much with the engagement processes they've already got?
Andrew: Yes, I can imagine that, that's great. So, Katy, I mean, clearly this is around sequencing and the fact that data is key to so many of the other requirements, such as the strategies and targets, so what's the next logical step after data gathering? Where should firms focus to meet those requirements around strategies and targets?
Katy: So, the regulations as drafted, are very clear that that data should drive, should inform your strategy and your targets. So what firms should be doing once they have that data, once they're comfortable with the quality and the accuracy of it, is to really interrogate, 'Well, where do we need to improve? Where do we need to focus our activity? Some of that's about analysing that data more, so asking questions to gain insight, data on its own won't tell you much. But actually when you begin to look at things like rates of promotion, hiring rates, retention rates, who gets access to training, who is getting access to those key roles that maybe mean you get to speak to the board? When you start to look at questions like that through a diversity lens, and indeed where you can through an inclusion lens, you begin to identify perhaps where there are gaps that need to be addressed. And, actually if I take a step back and look at what this regulation's saying, it's very aligned with a lot of the work we do within PwC and with our clients which is to say, 'Let's use a bottom-up approach where data drives the conversation. Where are we behind, perhaps, the UK, from a contextual perspective? Where could we do more, where are our gaps? And where, if we do more, will we be able to achieve a target?' So taking that data as your starting point to set a strategy, to set targets and then to use that throughout your governance process.
Andrew: Okay, that's great. And, you were touching there on global businesses and things, just out of interest, Katy, are there any other jurisdictions in the world where you're seeing something similar or even a step ahead of us?
Katy: So, thinking about the specifics of the FCA and PRA proposals, I'm not aware of a territory that has gone quite that far. You do see other bodies who have introduced similar, so I'm thinking of the Law Society and some of the regulation for the legal sector, but certainly not at a government level. Now what will be interesting to see is we know that sustainability reporting is bringing in a lot more disclosure requirements around diversity. Not all of those are yet drafted, but how that all comes together and how global firms begin to juggle all of these different reporting requirements is definitely a challenge for the future.
Andrew: That's really interesting, thank you. Okay, so let's delve into the proposals relating to embedding the D&I considerations within regulatory frameworks, so things such as non-financial misconduct, governance, accountability, and risk management. Of those, I think non-financial misconduct seems to be attracting an awful lot of attention at the moment, what are some of the messages you're hearing from firms on that, Stephen?
Stephen: Well, this is the element that will apply to every firm, so it has a really far-reaching impact. And to a certain extent there are responsibilities around that at the moment, but they're not called out separately in the way that is proposed here now. First of all, firms are going to need to think about how and to what degree they will be able to demonstrate that they've taken reasonable steps to identify issues. Then they need to think about the thresholds that apply for action, and then how in dealing with these situations they ensure consistency and fairness. So, there are question marks over, I think, at the moment, the way that the consultation talks about the borderline between business and personal behaviour and what constitutes serious levels of non-financial misconduct. But firms are probably going to ask for more clarity on, with greater examples so they're able to calibrate that. And I think in doing that we should be able to ensure we balance this in proportionate terms. The other question will be how do supervisors review this? How will they manage it? You have risk teams, I guess, who are used to having not just data to go on but clear examples of what's compliant and what's not compliant. This is inevitably a little bit more subjective, so having an approach which does keep people's confidence and doesn't actually detract from people, perhaps revealing issues which need to be investigated is going to be important.
Andrew: Yes, and I think that calibration point's really interesting. I think about the review we've currently got of the senior managers and certification regime, where actually I think one of the criticisms people have found is there isn't the calibration around things like conduct rule breaches being reported. Actually getting this right from the start I think will be really important. Okay, so on governance and accountability then, so boards and senior leadership will have to take an active role in defining D&I strategy and objectives, goals and targets and reviewing some of this great data. And for the PRA regulated firms there will be an individual actual accountable for D&I with an SMF title. So what do firms need to do to ensure they're meeting those expectations, Katy?
Katy: There's probably a few different things and, of course, all of this will depend on an individual firm's governance structure, the complexity of their operations and actually where they are comfortable and, indeed, those individual SMFs are comfortable. There is probably a piece around upskilling, so actually if we are moving responsibilities and asking for a more in-depth oversight role for certain individuals, do they have the skills and knowledge that they need in order to be able to do that? Do they have the tools? We've talked about this amazing data, it is data that's quite different to financial data, it comes from a different system, it might have a different level of accuracy and it might be more complex or different to interpret, so how do you get that support? How do you get the monitoring and the governance around that to really give them the tools they need? I think there's then a broader point around what is the expectation from the regulator, going back to this supervisor point, of how involved the board and executives need to be? At the moment, quite often we'll see a D&I policy or a strategy be rubber stamped at the board level, I suspect that's not going to be enough, but actually how often do they need to be reviewing this? To what level of detail should interrogation happen? And if targets aren't being met how much should they be getting into the detail, sorting that out?
Stephen: And Andrew, I think the other question that many members have raised is a question of scope. So, this is regulation which is currently proposed to work on an employing entity basis, which might involve several companies within a group. And as a result of that, is the expectation that there should be separate strategies, data collection exercises, reviews done at all sorts of levels within an organisation? And for those international firms that Katy talked about, how does that fit with, perhaps a European or even a global strategy that a firm naturally would wish to align to? So those sorts of questions are important considerations but I completely agree with Katy that boards are going to need to be much more engaged really in the development of strategies in driving this as an opportunity and a business risk in a way which is much more than just being presented with something and signing it off.
Andrew: Yes, and governance is such an important aspect of the regulatory agenda in different parts of it at the moment. I mean, are there any parallels that it's helpful to draw with other recent things, maybe consumer duty?
Stephen: Well, consumer duty has involved a lot more work, I think, for many firms than they were initially expecting when we discussed them. I mean, we're going to take a similar approach, I suppose, to doing that to try and help to shape and support the right outcomes from these changes to regulations. But at some stage it needs to be pinned down so that firms have time to implement it and do that right. I think there was a very interesting point that Katy made around sequencing, how do you set a strategy, define the targets and start to take action on the basis of monitoring data until you've got that data in the first place? And it will involve systems change, it will involve quite a lot of communication. We've already talked about warming staff up for the kind of information that they're going to be asked for, and I think consumer duty is not a bad example. It will be a journey over a period of time, and I suspect that points of particular focus, and they might be topical issues that rise out of important cases will inevitably drive supervisor and regulator action in the first place.
Andrew: Yes, I think that kind of evolving approach to what is arguably a static set of regulations we're seeing lots of across the world. I think about assessment of value in the asset management space, set of rules, but the expectations of the regulator develop over time and so it is a journey, very much so. So, as well governance another aspect of the proposals which is crucial to so many other regulatory issues is risk management. Both regulators are emphasising that D&I should be treated as a non-financial risk in risk management processes and reference the role of risk and control functions, but I don't think the regulators are prescriptive on how firms should approach this are they Katy? What are you hearing in terms of the implications for the proposals for risk functions?
Katy: So, you're right, Andrew, that they aren't specific and, they keep the requirement on this at quite a high level. I think the result is that a lot of firms are still thinking through what this might mean and there are questions around, 'Well, does this mean that some of our risk reporting needs to change? Do we need to re-look at the monitoring processes, the risk governance we already go through. Should this be going up to risk committee? How do we do that?' I think there's a lot of questions that organisations really need to think through to make a decision on, within their existing framework, where does this fit? How do they demonstrate that they are taking it seriously? That they're bringing in all this amazing data that they now have and thinking about it, without disrupting an already existing governance process?
Stephen: And I think, from a risk point of view, there's a right approach and a wrong approach to doing this. The wrong approach, I suppose, would be to see this as an exercise of hitting targets come what may. And some firms have expressed concern that, actually, there may be two steps forward and one step backwards, the uncertainties, and in the end you're talking about managing human behaviour, means sometimes things won't always go exactly in the same direction. If you do force targets you could be in a situation where you step beyond positive action into positive discrimination. But equally the right way, I think, can really support the strategic importance of D&I in running the business and a focus, really on culture and ways of working, which ultimately are important. I think some people have said, 'Well, how are risk teams going to manage this if they don't have everything defined in exact terms?' But that's not entirely unprecedented in risk management, we talk about resilience, don't we? Which is very much a strategic risk in the way that this is.
Andrew: Yes, absolutely. And, of course this is a consultation at the moment so we're a little bit away from implementation, but I'm sure our listeners will be beginning to think about what to expect from regulators once this is in force. And we've already talked a little bit about some of that supervisory agenda. What are your thoughts on that and how do you think it might differ by firm size and type? Also Katy, I wondered, reflecting on Stephen's comments around the challenges of this being at an entity level, what do we think of the 250-employee threshold point in terms of the future trajectory of these rules?
Katy: On that supervisory point and, as you say, we've touched on it already, it's so hard to say, at this moment exactly how it will be supervised. And I suspect there is a bit of a journey for the regulators to go on on that too. You know, to the point Stephen just made around targets and those not being just a goal to him but something a little bit more complex to understand, and we'll be thinking through what that might mean. Certainly, when we think about the regulatory reporting the regulators are clear that they're thinking about the ability to benchmark, the ability to see what's going on across the sector, but what they'll do with that is not at this point clear. On the entity point, this is a really complex area, it is one where I wonder if we may get greater clarity in any policy statement particularly because I know there are some organisations who may choose to or may hire most of their employees through a service company that's not regulated. It's not quite clear how this regulation would apply appropriately to them. So, I think there's a lot to still think through there and I wonder if we will see some clarity or changes.
Andrew: That's the delight of a consultation. So Stephen?
Stephen: Yes, I mean, from this perspective I think it's quite important that firms aren't put in a position where all they're able to show are raw numbers, I think the narrative, and the context and the explanation is tremendously important. And will mean that in the end you take a much more balanced approach to it, both in terms of reporting but also publication. And there's probably more to be thought about as to how this is best presented and what it takes to support the right approach. I agree with Katy that we'll see, initially, supervisors testing the waters to a certain extent. I'm hoping that if there's a phased approach to this, you initially start with a sort of thematic review as an annual report rather than league tables, which has been something that doesn't always give fair comparisons.
Andrew: Okay, well thank you both very much, this has been a really interesting conversation actually and it spans so much, from strategy through to execution but also thinking about data, the impact on people and so on. It's really interesting and I'm sure we're going to return to it over the coming months and years as these proposals develop. To our listeners, I hope you've also enjoyed this conversation and thank you for joining us. As always, please subscribe to future episodes and rate and review the series as it helps other listeners to find us. If you'd like to hear more from us on risk and regulation please look out for our regular publications on our website, which we'll link to in the show notes, and we'll be back next month with our next episode.