The interim report of the Royal Commission into Financial Services (released on September 28) was certainly damning. It paints the picture of a financial services industry focussed on the pursuit of short-term profit at the expense of basic standards of honesty.
Of course, not all of Australia’s financial services institutions have been guilty of such poor conduct, and in fact many institutions whose conduct has come into question were doing the right thing by many clients – just not all of them.
However, any business operating in the sector should take this opportunity to think deeply about its culture and how it treats clients. Are the right governance, risk management, and compliance processes in place to ensure the business always does the right thing? And once they are in place they cannot be taken for granted – ensuring the right risk and compliance culture exists is an ongoing process.
Culture
1) Are employees doing the right thing by their customers?
It’s up to the business itself to create a culture where the self-interest of the business or the individual employee does not overwhelm the fundamental obligation to do the right thing. The Royal Commission uncovered many instances – some of them systemic – where this did not occur.
2) What behaviours are you incentivising?
The crucial question here is: how important is making money in your culture? You can break this down by asking further questions. For example, are you incentivising your sales staff to do right by their customers or simply to sell more products? Are your employees paid commission for selling certain products, despite having the title of advisers?
It’s also helpful to review remuneration and promotion practices; are revenue and profit generated the sole criteria for success, or are people rewarded and promoted on the basis of other things such as sound management of risk?
3) Are people encouraged to challenge others?
When APRA reviewed misconduct at the Commonwealth Bank of Australia (CBA), one of its key findings was that CBA had too collaborative a culture. This meant that there was insufficient challenge – as the Commission put it, there was a “pervasive sense of chronic ease.”
Effective risk management cultures are driven by unease – it is never assumed that everything is okay. There always need to be challenges, in order to pre-empt issues rather than react to them after they have arisen, when it may be too late.
Governance
Culture is of course driven from the top down, so you should also be questioning your governance practices:
1) Is the board getting the right information?
Boards must proactively seek information and ensure no-one is sanitising it before it reaches the top. Linked to this is ensuring that issues are brought to the attention of the right people.
2) Is risk management driven from the top?
Is your board setting the right example? Are they sensitive to conflicts of interest and duties, and to reward and remuneration issues, both amongst themselves and amongst employees? Are they the ones that are really driving risk management and culture in your organisation?
Risk Management
1) How far does your risk management go?
The Commission threw a lot of light onto the seemingly shallow nature of some financial institutions’ risk management processes. Is risk management seen as simply a compliance or box ticking exercise? Or is it really part of how you do business and make decisions? Is it focussed on people and culture, not just following process?
2) How user-friendly is your risk management process?
Was your risk management framework created with the end users in mind? Is it easy to view, understand and interact with – at all levels of the organisation?
3) What are the systems in place for punishing poor conduct?
Another key concern the Commission raised was the lack of disincentives for doing the wrong thing. What processes do you have in place for punishing misconduct, and do they actually get used when someone does do something wrong? Are these processes enough to genuinely put someone off wrongdoing?
4) How frequently – and deeply – do you review your risk management processes?
Are they fit for purpose and tailored to your business? Have they been reviewed following or preceding significant strategic or operational changes?
5) Are your risk management processes reactive or proactive?
Is your organisation in a position where all levels can proactively manage risk? Is everyone encouraged to come forward and raise issues?
Preparing for the Royal Commission
The Royal Commission will throw up more questions as it continues its work, but it’s important financial services companies make a start now in order to be fully prepared for the Commission’s final report and the policies that will follow.
PFS Consulting has years of experience helping financial services institutions with their governance, risk management and culture. Contact us today to find out more.