Article Two – How did we get here?
The Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry has thrown the spotlight on corporate governance and culture at some of Australia’s largest and oldest companies. The almost daily acknowledgement of errors (or worse) by senior executives and CEOs for a litany of issues has exposed serious concerns, not only about how these companies are governed, but also about the people working for them. Against this backdrop, we have to ask ourselves how corporate Australia got into this position.
As with the crash of an airplane, there are typically multiple factors contributing to the issues being brought up at the Royal Commission. Most concerning are the claims that boards and even CEOs did not know about the issues, the most obvious inference being that internal controls have, to some extent, broken down within those companies. In almost every instance, you can be sure that there was a policy, procedure or code of conduct covering the issues raised by the Royal Commission, but these were not followed and the breaches were not reported within the organisation to the requisite extent. Such behaviour indicates two things: first, that people were taking action in opposition to stated company policy (‘people risk’); and second, that accountability is lacking within those organisations.
‘People risk’ arises when an individual has an incentive to act in a certain way with a perceived low level of risk, often collectively referred to as the ‘shadow culture’ of an organisation. The most obvious example of people risk uncovered by the Royal Commission has been the remuneration of financial planners, which has created an incentive to sell products which pay them the greatest commission, rather than what is best for the client. Examples of $30,000 individual commissions lay bare the powerful personal incentives, but also the relatively low level of perceived risk of detection and prosecution in giving bad advice.1
The failure of detection is itself a complex issue. It is (in part) the result of years of cost cutting post-GFC, which has seen middle management roles whittled away, as well as a reduction in the level of internal oversight. Most importantly, it has reduced the number of people needed to participate in a course of behaviour, thereby making it more probable. If you add to this the drive for revenue at an organisational level, its impact on career prospects at a personal level via the individualisation of revenue targets, and the general failure of whistleblowing, it becomes easy to see why some of these practices were able to occur.
But these organisations are not operating in a vacuum; indeed, they are regulated by both the Australian Securities and Investments Commission (ASIC) and the Australian Prudential Regulation Authority (APRA) and are subject to annual audits by the latter, so why have they failed here? Part of the answer is that, like the boards of the companies involved, the regulators rely on the information provided, as they did in 20 instances with AMP.2 Shadow culture will do that; it relies on breakdowns in processes in specific areas and particularly a lack of direct oversight.
The other part of the answer is that neither the regulators nor the financial institutions have a sufficient incentive to address problems being raised by the public.3 Regulators are not sufficiently funded, with the government actually cutting ASIC’s funding by $28 million over three years in this year’s budget,4 to either adequately review complaints or prioritise these cases of seemingly ad hoc individual harm versus issues of broader malfeasance. Financial institutions appear to have viewed these issues as isolated examples, tending to settle with complainants rather than recognise them as an indicator of potential systemic issues. As a result, they have often been unaware of the risks they have been running within their businesses and the potential for reputational and financial damage.
So where does that leave us now?
The most likely answer is with greater regulation. With the introduction of the Banking Executive Accountability Regime (BEAR), which comes into effect this year,5 we have already seen the Australian Government announce greater penalties—both personal and corporate—with more to come after the Royal Commission has delivered its recommendations, but detection remains the key. Huge penalties are ineffective if the perceived risk of detection is low. Boards and regulators need to find proactive ways to measure people risk and manage it accordingly. Until they do, the events of the Royal Commission will continue to play out across the whole community, not just the banks and the finance sector.
This is the tip of the iceberg.