Why do corporate scandals keep happening? The answer may be culture and conduct risk...
The risk role of boards and management has been subject to much discussion and scrutiny over the past few years as a result of a variety of corporate scandals. Examples have included underpayment of employees, inappropriate sales force behaviour, blatant disregard for the law and inappropriate treatment of customers, in addition to behaviours identified in the Hayne Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry¹ and in the Australian Prudential Regulation Authority Prudential Inquiry into the Commonwealth Bank of Australia.²
Between the corporate and prudential regulators, Australian Securities Exchange, proxy advisors, investor representative bodies, the media and the community, there have never been more eyes critically examining the risk operations of boards and their management teams. The question arises: “How do organisations with robust risk management frameworks and boards and management teams strongly focused on oversight get blindsided by corporate scandals?”
Conduct risk is not just a problem for the finance industry...
While recent focus may have been mainly on the financial services and insurance industries, culture and conduct risk is not confined to only these sectors.
The aged care industry is likely to assume the spotlight when the final report of the Royal Commission into Aged Care Quality and Safety is handed down in February 2021. In addition, the education sector, motor-vehicle industry, sporting bodies and all levels of government have experienced their own problems and cultural challenges. While cultural problems may have always existed within organisations, they may not have received the level of public attention and scrutiny that more recent cases have. The combination of strong mainstream and social media attention and ever-increasing stakeholder expectations means that transgressions are likely to have significant negative impacts for the affected organisations.
Forward-thinking boards and risk professionals, irrespective of their industry, are reflecting upon the insights gained from the negative experiences of other organisations and the Australian Securities and Investments Commission’s Corporate Governance Taskforce’s report on operational risk management,³ and are adapting their risk frameworks to incorporate a focus on culture and conduct risk.
What is culture and conduct risk?
Culture and conduct risk is the uncertainty and potential for loss or failure which is caused by human behaviour or the decisions of employees – and it is a risk which appears to slip through the majority of existing risk management systems. As a result, many boards and management teams do not focus on mitigating it.
Although governance frameworks for overseeing financial, strategic and some aspects of operational risk are well established, many risk frameworks do not specifically address conduct risk, as boards and management often believe that culture is the responsibility of the human resources team. Until it is recognised that oversight of conduct risk is a key component of a risk management framework – and a shared responsibility between risk and human resources teams – organisations cannot start to proactively mitigate potential corporate scandals.
Culture change is not the answer
Many people focus on poor corporate culture as the cause of scandals, and in large part, this may well be true. The most commonly identified solution to these problems is a culture change program. However, while it can be a major lever, a culture change program does not provide meaningful insight into the potential risks facing the organisation at any given point during the cultural change program.
Why is this so? Corporate culture is ethereal, difficult to measure and even more difficult to change. It is not suggested that a corporate culture change program is not a viable solution, but it is a medium- to long-term project and comes with its own set of risks and challenges. Despite the protests of change consultants, real cultural change is a 3- to 5-year program (at a minimum) which requires absolute and unwavering consistency and focus over the total journey – and many such programs still fail.
So, what can boards and risk professionals do to get insight into the current culture in order to mitigate risk for the organisation while it is waiting for the cultural change to occur? The answer lies in understanding that the organisation’s culture drives the behaviour of people and that this behaviour, in turn, can create conduct risk.
So, what can be done?
Firstly, boards and management need to understand what conduct risks the organisation is facing. This is a new area of governance risk and requires specialist, independent advice to accurately diagnose each organisation’s individual risks. Due to its complexity, conduct risk assessment and analysis does not fall within the remit of in-house risk or human resources teams.
Once identified, to effectively manage conduct risks, a number of elements must operate in unison to provide a comprehensive solution. These include:
- clear guidance from the board to management on its conduct risk tolerance;
- meaningful and multi-factor data reporting by management to the board, in accordance with board-set guidance;
- genuinely transparent discussions between the board and executive team; and
- an independent, periodic/pulse evaluation process to assess progress.
Without these four elements operating concurrently, management is at risk of operating in a vacuum and the board is at risk of operating in the dark.
The bottom line
As with any risk, without proactive governance and mitigation, it is only luck that dictates if, or when, a board is blindsided.
1 K Hayne Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry Final Report (2019) www.royalcommission.gov.au/royal-commission-misconduct-banking-superannuation-and-financial-services-industry.
2 J Laker, J Broadbent and G Samuel Prudential Inquiry into the Commonwealth Bank of Australia Final Report (2018) www.apra.gov.au/sites/default/files/CBA-Prudential-Inquiry_Final-
3 Australian Securities and Investments Commission Corporate Governance Taskforce Director and Officer Oversight of Non-financial Risk Report (2019) https://download.asic.gov.au/media/5290879/rep631-published-2-10-2019.pdf.