Consequence management frameworks (CMFs) are documents which set out how an entity ought to respond to instances of misconduct and risk management failures. The need for entities to implement CMFs has become particularly apparent since the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry, where instances of identified misconduct were allowed to persist without adequate consequence.
As Commissioner Hayne said on the opening day of the Commission:
A part of what I've got to do eventually, I think, may be to assess what ADIs and other financial service entities have made of complaints and revelations. The industry is a large industry, large participants, lots of people. Things go wrong. It's a human system, therefore things go wrong. Sometimes things go wrong through dishonesty. Sometimes things go wrong because of neglect, carelessness, or just sheer coincidence.
A CMF assists firms to manage incidents that ‘go wrong’, to apply proportionate consequences to conduct that falls below the standards expected, and to respond to instances of neglectful or careless risk management.
A CMF enables entities to respond systematically to incidents through a robust fact-finding process that identifies what factually happened and who was responsible for the conduct or risk management failure, and that provides guidance to help determine a proportionate financial and non-financial consequence. CMFs should enable Boards and other decision-makers to make informed decisions about proportionate consequences based on clear guidance and procedure.
CMFs are a practical method of complying with a firm’s regulatory obligations to ensure that risks are managed effectively, and that remuneration reflects conduct and risk outcomes. In the financial service sector this has been codified in the Banking Executive Accountability Regime (BEAR) (and the forthcoming Financial Accountability Regime). Specifically:
- The BEAR and FAR require firms to take reasonable steps to ensure that they comply with their ‘accountability obligations’, which include ensuring that each of their accountable persons meets their own accountability obligations. Where there has been an accountability failure by an accountable person, firms must reduce the accountable person’s variable remuneration by an amount proportionate to the failure; and
- APRA’s CPS 511 Remuneration requires firms to describe in their remuneration policies the systems and processes that support the firm’s approach to conduct and consequence management, and which specifically require financial consequences (downward adjustment of variable remuneration) to be applied in the event of identified instances of misconduct and failures in risk management. Downward adjustment of variable remuneration must be proportionate to the severity of the risk or conduct outcome.
More generally, a substantial number of APRA prudential standards place obligations on firms to manage risks effectively. For example, APRA’s CPS 230 Operational Risk Management requires firms, as a ‘key principle’, to:
… identify, assess and manage operational risks that may result from inadequate or failed internal processes or systems, the actions or inactions of people or external drivers and events.
All entities, particularly listed companies, should be interested in ensuring that conduct and risk management failures are addressed in a systemic fashion. Modern principles of corporate stakeholder management place a premium on delivering results through accountability. A CMF is an effective tool to assist in that process.
Not just misconduct
A common misperception about CMFs is that they are just a fancy name for an HR disciplinary policy and are concerned only with employee misconduct.
A CMF should deal with both employee misconduct and broader behaviours and actions (or inactions) that lead to risk management failures. A risk management failure occurs when an entity fails to comply with an underlying legal or prudential obligation, fails to control an identified risk, fails to identify a previously unidentified risk, or engages in business activities beyond the tolerated risk appetite of the firm.
Risk management failures tend to occur when one or more of the following factors are present:
- there is insufficient monitoring and oversight of business activities that create operational risk;
- there is insufficient supervision of first line business operations to determine whether specified risk management procedures are being complied with in practice, or whether there are gaps in the existing approaches to risk management;
- the existing controls are designed ineffectively to detect and report non-compliance with the underlying legal obligation, or fail to control the underlying risk. A common controls failure arises where there are ‘gaps’ in the control environment – where the existing controls are insufficiently robust to control for all obligations and risks, or there is a mismatch between what the control actually verifies and what it is described as verifying;
- there is unclear accountability for controls and risk management obligations, particularly across end-to-end value chains;
- insufficient escalation of concerns;
- an immature risk culture is present;
- individuals fail to comply with governance requirements, risk standards and controls; and
- individuals fail to take reasonable steps to assess risks (including identifying unknown risks), fail to escalate known risk issues for remediation, and fail to act on information about analogous risks.
A CMF enables a firm to holistically assess the root cause of a conduct or risk management failure (including whether one or more of the matters above occurred) and to determine individual responsibility, so that an appropriate consequence can be applied. When operating effectively, a CMF should enable a firm to determine individual responsibility not just at the first (business/operational) line but also at the second and third (oversight and audit) lines.
What a good CMF looks like
In our experience, a good CMF has the following elements:
CMFs involve the complex intersection of risk management, remuneration governance, and stakeholder management. They are sensitive documents that have attracted substantial regulatory scrutiny in recent times, including in APRA’s recent commentary in their pre-implementation review of CPS 511.