Royal Commission

What are the repercussions of the Banking Royal Commission you are observing within the financial services industry? What kinds of advice are companies requesting?

It’s too early to say what the full repercussions of the Royal Commission will be and many organisations are waiting for the final report to be issued, before they react and respond to the issues raised.

Given the revelations to date, we’ve fielded a number of questions from clients wanting to get on the front foot and review their current arrangements.

The issues raised apply across the industry.

Directors and Boards should be asking some hard questions of senior managers as to the reliability and application of:

  • Existing policies
  • Controls
  • Complaints handling and related root cause analysis
  • Remuneration and consequence management.

What are the key lessons for board directors in the banking, superannuation, financial services and insurance sectors?

Boards need to take note that now, more than ever, there is a clear difference between the legal view of what “can be done”, and what the regulator and public view as what “should be done”.

The shock stemming from the [Royal] Commission’s findings has resulted in brand damage and an erosion of trust. It’s also been a case of personal brand damage for certain individuals who have been called before the [Royal] Commission, and there may be more to come.

Directors should be acutely aware of their personal accountability and with further implementations of the Banking Executive Accountability Regime (BEAR) next year the focus on boards and senior management will only increase.

An environment that demands more transparency will result in better consumer protection and continued probing and questioning from the regulators, the media and the wider community.

Boards should move forward with a clear operational mantra to:

  • Feel confident to challenge management and drive a “show me not tell me” approach to reviewing board reporting
  • Drive management to remediate issues or potential breaches with a sense of urgency and accountability
  • Not let reporting limitations, data quality issues or organisational or product complexity be an excuse to understanding the risk in the business and measuring against board set risk appetite.

Across the financial services industry, improvements can be made in the following areas:

  • Organisational culture - its understanding and measurement and early warning signs
  • Governance - policies, controls and reporting
  • Accountability and ownership of compliance and remediation activity
  • Review of executive and management remuneration structures, including to identify any that incentivise short term, non-customer centric behaviour.

Australian Governance Summit 2019

In the wake of the Royal Commission’s revelations, how should organisations update or reform their investigation or remediation activities?

Operational risk and compliance is back on the agenda.

No longer are compliance and risk seen as the domain of a small ‘light-touch’ team who do little but tick-the-boxes.

The task of identifying, monitoring and managing risk should be a priority.

This won’t necessarily eliminate the risks, but will increase awareness of risks the company is exposed to, and the choices available to manage and avoid them.

Key steps to undertake are:

  • Review the ‘three lines of defence model’ within the business
  • Assess the capability and capacity of the risk remediation and investigations teams
  • Review current policies and practices related to remediation and investigation
  • Challenge the level of reporting that boards receive on incidents and complaints
  • Consider how directors obtain information that would enable views to be formed on emerging risks.

Why is organisational culture an important topic for directors to consider in light of the Banking Royal Commission? What is its relationship to risk management?

Organisational culture remains the foundation of trust from which the whole system of a business operates. If the culture and value of an organisation are not clear or the policies, procedures, mechanisms and rewards don’t drive the right behaviours, then it’s only a matter of ‘when’ rather than ‘if’ there will be an issue.

Directors may feel that they understand the vision and desired culture of an organisation, and are setting the right tone from the top. This belief is held as there is consensus at the board table and the vision is communicated to the business through various channels. There is nothing wrong with this, but the challenge lies with the feedback loop and methodology for measuring and monitoring the success of these actions through the business. Understanding the perceptions of those people on the front line and considering whether they understand and believe in the organisational culture and values is key.

The fundamental concept to grasp is the link between management and the concept of ‘risk culture.’ This has been a theme raised by APRA and ASIC for some time. The level of the appetite for risk within the culture is key to the prevention and detection of actions and behaviours. Essentially risk culture is an organisation’s norms, attitudes and behaviours related to risk awareness, risk taking and risk management.

Risk culture is not like typical policies or processes that you can design and execute, but a result of a series of trade-offs across a number of attributes.

Increasingly, boards are wanting to understand their organisation’s risk culture and have a basis for which it is assessed and monitored, including understanding the:

  • Balance between risk-taking and control
  • level of ownership and understanding of risk on the front line
  • Levers which drive behavioural change.

Prior to the Royal Commission, APRA and ASIC had indicated that institutions are facing three main challenges regarding risk culture:

  1. Articulating a desired risk culture state
  2. Identifying current weaknesses in risk culture
  3. Having tangible actions to address any weaknesses.

Currently we find ourselves working with Boards to help them with all of the above, but particularly we’re asked to create a methodology and approach to monitoring risk culture over time to facilitate actions being taken where required.

What kind of regulation should directors be prepared for government to pursue in order to reduce the misconduct identified? How do directors prepare?

While there will be changes stemming from the Royal Commission, at this time I don’t expect there to be wholesale changes or sweeping new laws applicable to the financial services industry.

As Commissioner Hayne states in the interim report, “the law already requires entities to ‘do all things necessary to ensure’ that the services they are licensed to provide are provided ‘efficiently, honestly and fairly’.”

The core outcome is much more likely to be tightening up of the administration and supervision of the existing law, with more budget allocation and resources for the regulators, increased fines and court proceedings.

Directors need to be aware of this, be ready, and change the way that compliance requirements are identified, monitored and managed from end to end. In addition, boards should challenge existing regulatory engagement models, to see if they are fit-for-purpose in the brave new world beyond the Royal Commission.

Considerations should include:

  • Centralised vs decentralised models
  • Level of business lead contact vs compliance and legal lead engagement with regulators
  • Nature and frequency of interactions i.e. When and how do we want to communicate with the regulators? Who are the right people to be involved?