Setting the Scene
Headed by Commissioner Kenneth Hayne AC QC, the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry was established in 2017 to inquire into and report on misconduct in the banking, superannuation and financial services industries. The Commission was given the power to recommend to the Australian Government the changes that are necessary to improve:
- the legislative framework of the banking, superannuation and financial services industries;
- the practices within those industries; and
- the powers of the industry regulators, i.e. Australian Prudential Regulation Authority (APRA) and Australian Securities and Investments Commission (ASIC).
The Commission can also refer instances of misconduct by the banks and their officers or employees to relevant Commonwealth, State or Territory agencies, which may pursue criminal or other legal proceedings.
Given the failings uncovered by the Commission since it began its hearings in February 2018, these industries should be prepared for a shakeup, from both a legal and governance standpoint, like never before. For example, Treasurer Scott Morrison warned wealth management company AMP Limited (AMP) that its executives could face ‘penalties which include jail time’ after misconduct involving overcharging customers and lying to ASIC was revealed. The CEO of AMP subsequently resigned and there are now calls for the AMP board to be held accountable for misconduct it had known about since at least May 2017.
One theme that continues to arise at the Royal Commission is ‘culture’. For example, a senior executive admitted that the culture in ANZ’s financial planning business had put growth ahead of clients’ interests. Both ASIC and APRA have previously recognised that an inappropriate culture is at the root of many cases of corporate malfeasance, as this 2015 speech by then chair of ASIC, Greg Medcraft, reveals:
Culture matters to ASIC because poor culture can be a driver of poor conduct. Culture has been at the root of some of the worst misconduct we’ve seen in the financial sector. Looking at cultural problems can give us an early warning of where things might be going wrong to help us disrupt bad behaviour before it happens and catch misconduct early. Importantly, it helps with identifying not just individual instances of misconduct but broader, more pervasive, problems.
Medcraft went on to say to directors that, if they did not fix the culture within their organisations, they left themselves open to law changes that would enforce it.
The Schedule to the Criminal Code Act 1995 (Cth) (Criminal Code) sets out the general principles of criminal responsibility as they apply to corporations. Under the Criminal Code, a company can be convicted of criminal offences which have an ‘intent’ element. Importantly for boards, a conviction can result if it is established that the company had a ‘corporate culture’ that directed or encouraged, tolerated or led to non-compliance, or that the body failed to maintain a culture that required compliance with relevant legislation. However, it is likely that the Royal Commission will recommend establishing further legislation and regulation around culture, so company directors will actually be held to account for any future failures, and not just let off with a reprimand. For example, for serious criminal misconduct, directors could be liable for a breach of the duty of care and diligence, if the organisation’s culture contributed to that conduct.
We predict the focus on cultural accountability by directors will receive even more scrutiny than the harmonisation of work health and safety (WHS) legislation across the Commonwealth, states and territories, which began in January 2012. This legislation placed increased liability on directors, who must exercise a greater range of due diligence in relation to WHS, such as ensuring the organisation has appropriate resources and processes available to eliminate or minimise WHS risks arising from any work being done, and ensuring WHS and legal compliance.
The challenge for boards is to demonstrate proactive oversight of their organisation’s culture and the risks associated with that culture. As the Royal Commission is highlighting, rather than merely thinking about ‘corporate culture’, which can mean different things to different people, what boards should be focusing on is ‘people risk’, which specifically refers to the hidden attitudes and behaviours of employees and managers that can be found at the heart of all corporate scandals. A high people risk exposure can result in significant financial and reputational damage to an organisation. Indeed, we contend that effectively managing people risk, not undertaking staff engagement surveys, is the key for directors to demonstrate that they have oversight of their organisation’s culture.
Identifying an organisation’s ‘people risk’ requires advanced analytic techniques to unearth risky behavioural patterns that are hidden from the eyes of management and the board. Understanding your ‘people risk’ can expose the ‘shadow culture’ of informal social rules and system-gaming by digging into the day-to-day attitudes of employees to identify clusters of high risk factors that could exist in any part of the organisation. Oversight of your ‘people risk’ requires specialised risk reports for boards and management, along with targeted remedial strategies to address areas of concern. The result is a more robust governance system that not only provides oversight for financial, regulatory and strategic risks, but also monitors the less visible risks within an organisation’s people and social systems that cannot be found in regular culture or employee engagement surveys.
This is the first of a corporate culture series, produced by the experienced lawyers and governance professionals of HopgoodGanim and Effective Governance, which will provide directors and executives with practical legal and governance solutions to address the upcoming fiduciary duty of ‘cultural care’.
How did we get here?
The Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry has thrown the spotlight on corporate governance and culture at some of Australia’s largest and oldest companies. The almost daily acknowledgement of errors (or worse) by senior executives and CEOs for a litany of issues has exposed serious concerns, not only about how these companies are governed, but also about the people working for them. Against this backdrop, we have to ask ourselves how corporate Australia got into this position.
As with the crash of an airplane, there are typically multiple factors contributing to the issues being brought up at the Royal Commission. Most concerning are the claims that boards and even CEOs did not know about the issues, the most obvious inference being that internal controls have, to some extent, broken down within those companies.
In almost every instance, you can be sure that there was a policy, procedure or code of conduct covering the issues raised by the Royal Commission, but these were not followed and the breaches were not reported within the organisation to the requisite extent. Such behaviour indicates two things: first, that people were taking action in opposition to stated company policy (‘people risk’); and second, that accountability is lacking within those organisations.
‘People risk’ arises when an individual has an incentive to act in a certain way with a perceived low level of risk, often collectively referred to as the ‘shadow culture’ of an organisation. The most obvious example of people risk uncovered by the Royal Commission has been the remuneration of financial planners, which has created an incentive to sell products which pay them the greatest commission, rather than what is best for the client. Examples of $30,000 individual commissions lay bare the powerful personal incentives, but also the relatively low level of perceived risk of detection and prosecution in giving bad advice.
The failure of detection is itself a complex issue. It is (in part) the result of years of cost cutting post-GFC, which has seen middle management roles whittled away, as well as a reduction in the level of internal oversight. Most importantly, it has reduced the number of people needed to participate in a course of behaviour, thereby making it more probable. If you add the drive for revenue at an organisational level to this, its impact on career prospects at a personal level via the individualisation of revenue targets and the general failure of whistleblowing, it becomes easy to see why some of these practices were able to occur.
But these organisations are not operating in a vacuum. Indeed, they are regulated by both the Australian Securities and Investments Commission (ASIC) and Australian Prudential Regulation Authority (APRA) and are subject to annual audits by the latter, so why have they failed here? Part of the answer is that, like the boards of the companies involved, the regulators rely on the information provided, as they did in 20 instances with AMP. Shadow culture will do that; it relies on breakdowns in processes in specific areas and particularly a lack of direct oversight.
The other part of the answer is that neither the regulators nor the financial institutions have a sufficient incentive to address problems being raised by the public. Regulators are not sufficiently funded, with the government actually cutting ASIC’s funding by $28 million over three years in this year’s budget, to either adequately review complaints or prioritise these cases of seemingly ad hoc individual harm versus issues of broader malfeasance. Financial institutions appear to have viewed these issues as isolated examples, tending to settle with complainants rather than recognise them as an indicator of potential systemic issues. As a result, they have often been unaware of the risks they have been running within their businesses and the potential for reputational and financial damage.
So where does that leave us now?
The most likely answer is with greater regulation. With the introduction of the Banking Executive Accountability Regime (BEAR), which comes into effect this year, we have already seen the Australian Government announce greater penalties—both personal and corporate—with more to come after the Royal Commission has delivered its recommendations, but detection remains the key. Huge penalties are ineffective if the perceived risk of detection is low. Boards and regulators need to find proactive ways to measure people risk and manage it accordingly. Until they do, the events of the Royal Commission will continue to play out across the whole community, not just the banks and the finance sector.
This is the tip of the iceberg.
For more information or discussion, please contact James Beck, Managing Director of our Effective Governance team.
 Frost, J., 2018, ‘Scott Morrison, ASIC warn AMP conduct could attract “jail time”’, Australian Financial Review, 18 April, accessed 20 April 2018, http://www.afr.com/business/banking-and-finance/financial-services/scomo-and-asic-we-will-throw-book-at-amp-20180418-h0yx86.
 Chanticleer, 2018, ‘Banking royal commission: Time for AMP to show board accountability’, Australian Financial Review, 20 April, accessed 23 April 2018, http://www.afr.com/brand/chanticleer/banking-royal-commission-time-for-amp-to-show-board-accountability-20180419-h0z0m1.
 Neil, M., 2018, ‘ANZ put growth ahead of clients’ interests’, news.com.au, 23 April, accessed 23 April 2018, http://www.news.com.au/national/breaking-news/anz-put-growth-ahead-of-clients-interests/news-story/f9f3f7ed740a200505779922df2adddd.
 Medcraft, G., 2015, ‘Corporate culture and corporate regulation’, A speech by Greg Medcraft, Chairman, Australian Securities and Investments Commission, Law Council of Australia BLS AGM seminar (Melbourne, Victoria) 20 November 2015, accessed 23 April 2018, http://asic.gov.au/about-asic/media-centre/speeches/corporate-culture-and-corporate-regulation/.
 Criminal Code, Part 2.5.
 Corporate culture is defined in s 12.3(6) of the Criminal Code as ‘an attitude, policy, rule, course of conduct or practice existing within the body corporate generally or in the part of the body corporate in which the relevant activities takes place’.
 Blacker, K. & McConnell, P., 2015, People Risk Management: A Practical Approach to Managing the Human Factors That Could Harm Your Business, London: Kogan Page.
 Egan, G., 1994, Working the Shadow Side: A Guide to Positive Behind-the-Scenes Management, San Francisco: Jossey-Bass.
 See, for example, Danckert, S., 2018, ‘Absolutely and utterly disgusting’: Westpac’s advice led to couple’s ruin’, Sydney Morning Herald, 19 April, accessed 8 May 2018, https://www.smh.com.au/business/banking-and-finance/absolutely-and-utterly-disgusting-westpac-s-advice-led-to-couple-s-ruin-20180419-p4zail.html.
 Han, M., 2018, ‘Banking royal commission: AMP’s misleading of ASIC explained’, Australian Financial Review, 30 April, accessed 8 May 2018, http://www.afr.com/business/banking-and-finance/banking-royal-commission-amps-misleading-of-asic-explained-20180430-h0zfy9.
 As an example, see Australian Prudential Regulation Authority (APRA), 2018, Prudential Inquiry into the Commonwealth Bank of Australia (April 2018), accessed 1 May 2018, http://www.apra.gov.au/AboutAPRA/Documents/CBA-Prudential-Inquiry_Final-Report_30042018.pdf.
 Lowrey, T. & Janda, M., ‘Budget 2018: Funding reduced at corporate regulator ASIC amid banking royal commission revelations’, ABC News, 10 May, accessed 17 May 2018, http://www.abc.net.au/news/2018-05-10/budget-2018-cuts-to-asic/9746374.
 Under BEAR, Australian deposit-taking institutions (ADIs) and their subsidiaries have additional obligations to conduct their businesses with integrity and report on any compliance failures, face restrictions in relation to variable remuneration of directors and senior executives, and are subject to a greater range of penalties under the increased powers of APRA, i.e. the regulator will be able to impose substantial fines on ADIs, more easily disqualify accountable persons, and ensure that ADIs’ remuneration policies result in financial consequences for individuals.