
Internal audit's role in D&I for Financial Services

Author: ICAEW Insights

Published: 24 Feb 2022

Following a 2021 Discussion Paper on diversity and inclusion in financial services, Ololade Adesanya, Director, EMEIA Financial Services at EY, looks at the role of internal audit in driving the regulatory agenda.

Diversity and Inclusion (D&I) is an integral part of the ‘S’ in ESG (environmental, social and governance), and both a conduct and prudential regulatory issue. So it is not surprising that regulators are exploring how they use their central roles to drive wider change across the UK Financial Services markets.

The Financial Conduct Authority (FCA), the Prudential Regulation Authority (PRA) and the Bank of England published a joint Discussion Paper on D&I last year (DP21/2: Diversity and inclusion in the financial sector – working together to drive change). The aim was to begin a discussion with the industry on how the regulators can clarify their expectations and set higher standards on D&I. This includes how D&I data might be recorded and reported and the importance of diversity metrics and their disclosure by firms.

The goal is to increase D&I in the financial services sector, which translates into safer and sounder firms with better internal governance, risk management, innovation, and products and services that better meet the needs of diverse customers. 

DP21/2 also sets out some compelling reasons for change. The correlation between D&I and positive outcomes in governance and risk management is one such reason. Also, conversations around D&I are still very much in their infancy and most efforts to date have been on gender, which skips critical areas such as race, sexuality and socioeconomic status.

There’s acknowledgement that the focus to date has been on diversity and not on inclusion because diversity is easier to achieve and measure. In addition, COVID-19 has heightened the need for change. The pandemic has had a disproportionate impact on ethnic minorities, for example, placing them at risk of vulnerability and financial harm.

The regulators’ overall aim is to reduce the risk of what DP21/2 calls ‘groupthink’ or ‘homogenous thinking’ by promoting diversity of thought at all levels within firms.

What does this mean for internal auditors? Potentially a lot, particularly as the regulators sought views, in DP21/2, on how internal audit can best assist firms to measure and monitor diversity and inclusion. 

It is clear that internal auditors could play a major role in helping boards judge whether programmes and measures put in place by firms to support D&I and change cultures are meeting their intended objectives and actually working, as well as providing management with an evidence base for enhancing D&I in their firms. 

DP21/2 also discusses the importance of standalone diversity audits being considered, in the same way that firms undertake audits of any strategic piece of work. The regulators describe a lack of diversity as an organisational risk, which is as relevant as any other risk to which the business is exposed. Firms therefore need to ensure that the risk is embedded in their risk management strategies and recognised by internal audit as part of an IA risk assessment. 

The intention of the regulators is not to apply a one-size-fits-all approach and they are looking at how to apply proportionate requirements to smaller firms. However, they intend to monitor firms’ progress on D&I more closely as part of their supervisory approach and engagement. Firms that make good progress will, therefore, be recognised, while supervisory actions could be taken where there are shortcomings, particularly those that impact on customers and market outcomes. Internal auditors have a role to play in challenging their firm’s approach to D&I and ensuring that the pace of change is adequate and reasonable. 

Internal audit can assess D&I as part of IA planning and risk assessments, scheduling appropriate audits on an annual basis to address the risk. As D&I is a pervasive risk, it can be embedded into all audits. The outcome may be presented through a standalone paragraph in the overall audit report, individual findings or even as a root cause.

From a governance standpoint, DP21/2 makes it clear that D&I is a board-level responsibility, and boards should be monitoring and challenging progress on D&I across all levels within their firms. The regulators want to see diversity of thought at board level, supported by demographic characteristics, and an inclusive culture that encourages employees to speak up and challenge the status quo (this is described in the paper as creating ‘psychological safety’). 

Internal audit can help the board to achieve this by providing independent assurance on both their firm’s progress and the appropriateness and robustness of the firm’s D&I metrics. Internal auditors can provide assurance over D&I programmes (current and impending), just as with other regulatory areas, to assess whether these programmes are meeting intended objectives. Continuous monitoring of D&I measures can be used to help inform areas that require further attention by management, or audit prioritisation. 

Internal auditors are best placed to provide assurance over their firm’s framework and assess how well it is embedded across other organisational areas, including policies and procedures.

Regulators are considering the feasibility of introducing regulatory reporting of diversity and inclusion data on firms’ senior management and wider workforce and are exploring the extent to which firms collect and retain data across all protected characteristics and socioeconomic backgrounds. 

Data on inclusion can provide information on whether a firm’s culture is conducive to diverse views driving decision making. This will likely be one of the most challenging aspects for firms, as the data currently does not exist in a lot of firms. There is also an added complexity: if your employees do not feel safe enough to disclose their protected characteristics, how will you have robust data to report or even take meaningful action? If regulatory reporting is introduced, internal auditors will have a role to play in ensuring the accuracy and completeness of the data reported. 

The FCA and the PRA are due to consult on their final proposals in Q2 2022. However, there is much that firms and their internal audit functions can be doing right now. As set out in the recent ‘Dear CEO letters’ to UK deposit takers, insurers and international firms operating in the UK, D&I is one of the PRA’s supervisory priorities for 2022.

Although the PRA recognises that change takes time, it “expects firms to consider the themes set out in the Discussion Paper and challenge themselves to understand their gaps and consider where they can make progress”. This is likely to be a relevant message for all firms.

Given the criticality of the internal audit function to this agenda, it is important that internal audit leaders ensure that they are measuring, monitoring and promoting D&I within their functions. It is important to lead by example and now is the time to start.
