Reporting

While the Final Report of the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry focused on the financial services sector, many of the findings have much wider implications for boards and senior management.

Relevantly, Commissioner Hayne says:

“…failings of organisational culture, governance arrangements and remuneration systems, lie at the heart of much of the misconduct examined in the Commission”.

The Commissioner’s concerns are encapsulated in Recommendation 5.6, in which he says that all financial services entities should, as often as reasonably possible, take proper steps to:

  • assess the entity’s culture and governance;
  • identify any problems with that culture and governance;
  • deal with those problems; and
  • determine whether the changes made have been effective.

While articulated only as steps to be taken by entities in the financial services sector, they have much broader application. One of the challenges boards face in fulfilling these responsibilities is whether they have enough information to do so. The Commissioner noted:

“The evidence before the Commission showed that too often, boards did not get the right information about emerging non-financial risks; did not do enough to seek further or better information where what they had was clearly deficient; and did not do enough with the information they had to oversee and challenge management’s approach to these risks.”

In terms of challenging management, the Commissioner said that it is not enough just to ask management for assurance about the state of the company's affairs. Directors must confirm matters for themselves. In other words, they should say to management “don't just tell me it is so, show me that it is”. The Commissioner further noted:

“It is plainly not the role of the board to review every piece of correspondence that goes out the door. But it is the role of the board to be aware of significant matters arising within the business, and to set the strategic direction of the business in relation to those matters. When management is acting in a way that is delaying the remediation of customers, and damaging the bank’s relationship with regulators, it is appropriate for the board to intervene and say, ‘Enough is enough. Fix this and fix it now’.”

The Commissioner makes clear that when he refers to boards having the right information to challenge management he is not suggesting a greater quantity of information. It is the quality of the information rather than the quantity of information which should increase. He says that often, improving the quality of information given to boards will require giving directors less material but more useful information.

The question of the size and digestibility of a board pack was considered in the case of Australian Securities and Investments Commission v Healey¹ (Centro case). In that case, the directors were alleged to have breached their obligation to take all reasonable steps to comply with the financial reporting obligations in the Corporations Act as a result of two material errors in the accounts. Overall, the board pack containing the accounts ran to over 1,000 pages and, while it was not expected that directors had read and understood the accounts in their entirety, the court found that they had breached their statutory obligations. In commenting on the size of the board pack, Middleton J had this to say:²

“A board can control the information it receives. If there was an information overload, it could have been prevented. If there was a huge amount of information, then more time may need to be taken to read and understand it.”

Unfortunately, apart from telling us that it is the quality rather than the quantity of information that counts, Commissioner Hayne offers little guidance about what is the 'right information'. Indeed, he says that he does not pretend to offer an answer to that question, although he does encourage boards and management to keep considering how to present information about the right issues in the right way.

That said, there are some useful learnings we can draw out from the Hayne Report. In particular, the Commissioner noted that the duty of directors to act in the best interests of a corporation requires them to be conscious that, in the longer term, the interests of all stakeholders, including shareholders, customers, employees and others associated with the corporation, converge. He concluded that those organisations which conduct their business according to appropriate standards, treat their employees and customers well, and seek to provide strong financial returns to their shareholders will, in the long run, outperform other investments with a similar risk profile. This suggests that the 'right information' includes information not only about matters of interest to shareholders, such as financial performance, but also information about a range of non-financial matters of significance to other stakeholders including how customers, staff, suppliers and other stakeholders are dealt with; whether there is a culture which encourages a profit at all costs mentality; whether there are inadequacies in IT systems that allow the law to be breached (or, indeed, to 'extract fees for no service' from customers); and whether executive KPIs may be having unintended consequences.

So, just how do boards ensure that they are getting the right kind of information to enable them to challenge management in the way the Commissioner recommends?

Some guidance can be found in the Australian Prudential Regulation Authority (APRA) Prudential Inquiry into the Commonwealth Bank of Australia in April 2018. That report reached similar conclusions to those of Commissioner Hayne in finding that the board of CBA did not have adequate information to challenge management effectively. It contains some helpful observations, not only about the kind of information which a board needs, but about creating a boardroom environment that enables the board to challenge management in an informed way. APRA makes the following observations:

  • Following the appointment of a new Chair in 2017, there were increased levels of interaction between the CEO and Chair with the board agenda being recast to ensure a more robust and effective discussion of significant topics, including the most pressing risk matters. Standard business updates were abridged, and the time saved was used to undertake ‘deep dives’ into specific areas of concern.
  • The ability of the board to effectively challenge senior management is influenced by the style of the Chair, and the expertise of directors, and relies critically on boards being provided with comprehensive reporting that clearly highlights matters warranting specific attention.
  • The risk report provided to the CBA board supported a 'reactive mindset' in that it was dominated by responses to regulatory matters and the top issues being dealt with, providing very limited detail on the risk profile of the organisation, the trajectory of risks, or on new and emerging risks.
  • While the board received updates on aggregate losses from operational risk incidents, and considered specific individual cases receiving regulatory or media attention, it did not receive alerts on individual incidents or themes that might indicate an underlying or emerging risk or issue that might have reputational consequences.

APRA noted that in order to address some of these concerns, CBA was now seeking to improve board reporting with a focus on the quality of board papers and discussions, supported by an extension of time for meetings.

The APRA Report also mentioned the international focus on the provision of comprehensive and tailored content to boards to help navigate the large quantities of information routinely considered by directors.

Some of these international developments are relevant.

McKinsey³ has reported that in order to gain a thorough understanding of a company’s risks, the board needs to interact with the managers who know the risks best. It says that directors are increasingly interacting directly with senior executives (line management and risk officers) to get greater insights into risk, as opposed to relying merely on the reports of the CEO or CFO. Further, risk-minded directors tend to favour a risk dialogue centred on specific business issues rather than a discussion of high-level generalities about risk. Those directors also dislike rigid and bureaucratic risk processes and identify the handful of executives who have the best perspectives on the company’s key risks, and then ensure that the board interacts with them directly.

The Corporate Governance Principles for Banks published by the Basel Committee on Banking Supervision⁴ also contain some useful ideas. The Principles say that for a board to be able to carry out its responsibilities of supervising senior management and assessing the quality of senior management's performance, the board needs to receive reports on⁵:

  • changes in business strategy, risk strategy/risk appetite;
  • the bank's performance and financial condition;
  • breaches of risk limits or compliance rules;
  • internal control failures;
  • legal or regulatory concerns; and
  • issues raised through the whistleblowing process.

The Principles note that the information provided by management to the board should not be so voluminous as to make it difficult for the board to identify key issues. The Principles also encourage management to prioritise what is put before the board and to ensure that it is provided in a concise and fully contextualised manner. The board should assess the relevance, and the process for maintaining the accuracy, of the information it receives and determine if more or less information is required.⁶

The Principles note that sometimes, in the case of material risks which require an immediate decision or reaction, there is a need for ad hoc reporting to the board so that it can be involved at an early stage in addressing the risk.

Concern is also expressed about organisational silos in banks which can impede effective sharing of information and create challenges for senior management and boards to make proper decisions on an organisation-wide basis.

Boards in Australia have not been complacent in the face of the kinds of challenges identified by the Financial Services Royal Commission. Some examples of what Australian boards are doing include:

  • Gaining a better understanding of KPIs and incentive schemes. Many boards are starting to ask for more information to enable them to examine critically KPIs and incentive schemes which are too focused on financial returns and have unintended consequences by encouraging poor culture and behaviour.
  • Establishing tools and metrics for measuring culture. This could include initiatives such as:
    1. obtaining detailed staff turnover data cut in several different ways, for example, along lines of business, places of business, peer groups and gender. This can assist in gaining an understanding of where there may be emerging issues of poor culture or a breakdown of values;
    2. conducting staff surveys, including regular short, sharp pulse surveys and less regular but longer staff surveys;
    3. requiring the tabling of all material customer and stakeholder complaints, or, where multiple complaints have been lodged about similar issues, details of the theme of those complaints, together with details of how the complaints were handled; and
    4. ensuring that the organisation has a robust whistle-blower reporting regime, and/or staff complaints hot-line, and mandating the disclosure of all complaints made through these channels to the board or a board committee (on a confidential basis if necessary).
  • Taking steps to improve the quality of board papers. Directors generally think that they bring enquiring minds to the issues raised in their board papers. The problem may be more about what is not included in the board pack. Many directors are spending more time with CEOs and management to find out what they don’t know and educating management in the detail they need to know. There is often a significant disconnect between what boards think they need to know and what management thinks boards need to know.
  • In order to reform board papers, some boards have made it a KPI of the CEO to ensure that board packs are presented in a clear, concise and comprehensive format.
  • Obtaining reporting on dealings with regulators. The Financial Services Royal Commission highlighted the need for boards to be intimately aware of all material dealings with regulators, potential breaches of the law, and material breaches of codes of conduct. To enable boards to be better placed to do that, it is not unreasonable to think that they should at least have a high-level understanding of the relevant laws and regulator policies so they can ask the right questions.
  • Board paper templates. Many boards have established reporting templates designed to ensure that management provides the kind of information which the board believes it needs.
  • NEDs meetings held pre-board meeting. Some boards hold a meeting of non-executive directors in advance of the board meeting to discuss the adequacy of the board pack, so that feedback can be provided to the CEO and to allow time to seek clarification or further information.
  • Post meeting analysis. Some boards confer at the end of their meeting to discuss the way the meeting was conducted, and the adequacy of papers presented, to help them to continually improve the way their meetings are conducted and to encourage better board reporting.
  • Investing in and empowering internal auditors and risk managers. Some boards provide the internal auditors and the head of risk with direct access to the board, or a board committee, by-passing senior management where necessary if they need to raise issues of concern quickly.
  • Stronger focus on values. Many boards are encouraging re-engagement with values across their organisation. This might be done by making compliance with organisational values a threshold for staff receiving any part of their 'at risk' remuneration; through ethics training; and by encouraging an organisation-wide 'should we' approach to decision-making. The intention is that through becoming a much more values-driven organisation, staff will be encouraged to call out behaviour inconsistent with organisational values.
  • Stakeholder engagement. Some boards make a point of having the opportunity to engage with staff across the whole organisation and not just with the CEO or other senior managers. Other boards have put in place channels for them to engage with stakeholders (such as customers, suppliers, regulators and the broader community), in some instances even establishing stakeholder advisory groups which provide feedback from the stakeholders' perspectives.

1 Australian Securities and Investments Commission v Healey (2011) 196 FCR 291.
2 Australian Securities and Investments Commission v Healey (2011) 196 FCR 291 at [229].
3 A Board Perspective on Enterprise Risk Management, McKinsey & Company, February 2010: https://www.mckinsey.com/~/media/mckinsey/dotcom/client_service/risk/working%20papers/18_a_board_perspective_on_enterprise_risk_management.ashx
4 www.bis.org
5 Paragraph 94
6 Paragraphs 127 and 128