I said in the first chapter of this Report that there can be no doubt that the primary responsibility for misconduct in the financial services industry lies with the entities concerned and those who managed and controlled those entities: their boards and senior management. Nothing that is said in this Report can be understood as diminishing that responsibility. Everything that is said in this Report is to be understood in the light of that one undeniable fact: it is those who engaged in misconduct who are responsible for what they did and for the consequences that followed.
Because that is so, every financial services entity, named in the Commission’s reports or not, must look to its culture. Every financial services entity must look again at the way in which it governs itself and manages not only its employees but also the entities and individuals who act as its intermediaries or are seen by consumers as representing or associated in some other way with the entity. In looking at culture and governance, every entity must consider how it manages regulatory, compliance and conduct risks. And it must give close attention to the connections between compensation, incentive and remuneration practices and regulatory, compliance and conduct risks.
Every entity must ask the questions provoked by the Prudential Inquiry into CBA:
- Is there adequate oversight and challenge by the board and its gatekeeper committees of emerging non‑financial risks?
- Is it clear who is accountable for risks and how they are to be held accountable?
- Are issues, incidents and risks identified quickly, referred up the management chain, and then managed and resolved urgently? Or is bureaucracy getting in the way?
- Is enough attention being given to compliance? Is it working in practice? Or is it just ‘box‑ticking’?
- Do compensation, incentive or remuneration practices recognise and penalise poor conduct? How does the remuneration framework apply when there are poor risk outcomes or there are poor customer outcomes? Do senior managers and above feel the sting?
Those questions direct attention to three topics – culture, governance and remuneration. Each of those words can provoke a torrent of clichés. Each can provoke serious debate about definition. But there is no other vocabulary available to discuss issues that lie at the centre of what has happened in Australia’s financial services entities and with which this Report must deal.
The culture of an entity can be described as the ‘shared values and norms that shape behaviours and mindsets’ within the entity. It has been described as ‘what people do when no‑one is watching’ and that description captures what might be called the essentially ‘internalised’ or ‘instinctive’ application of shared values and norms. The shared values and norms can be seen as both reflecting and constituting the culture of an entity. It is evident that culture can drive or discourage misconduct.
Governance refers to the entirety of structures and processes by which an entity is run. By shaping how the business is run, governance shapes culture. The systems, controls and risk management processes of the business affect its culture. But governance is not limited to questions of risk. Nor is it defined only by reference to how the board operates or what matters the board deals with. It embraces not only how, and by whom, decisions are made, but also the values or norms that the processes of governance are intended to effect. Hence, it is rightly said that the ‘tone’ of the entity is, and must be, set at the top. But that tone must also be echoed from the bottom and reinforced at every level of the entity’s management and supervision; it must always ‘sound from above’. And a culture that fosters poor leadership, poor decision–making or poor behaviour will undermine the governance framework of the entity.
Remuneration and incentives, especially variable remuneration programs, tell staff what the entity rewards. Hence, remuneration and incentives tell staff what the entity values. Remuneration both affects and reflects culture. As the Commission’s work has shown, and is now not disputed, poor remuneration and incentive programs can lead, and have led, to poor customer outcomes.
If what has happened in the past is to be avoided in the future, entities have no choice but to grapple with culture, governance and remuneration. All three are related. Culture obviously affects governance but it also affects remuneration (because remuneration will be structured to reward what the entity values). Governance obviously affects culture but governance will not only affect, it will ultimately determine, how remuneration and incentive arrangements are given practical effect. And remuneration and governance inform and reinforce the culture of the entity.
The relationships between culture, governance, remuneration and misconduct have been the subject of increasing attention since the Global Financial Crisis (GFC). Particular attention has been directed to what role prudential supervision may have in the formation and maintenance of sound culture, governance and remuneration practices.
In this chapter, I will consider culture, governance and remuneration separately. I will examine the attention that each has been given since the GFC – both in Australia and overseas – as well as the failings identified in relation to culture, governance and remuneration and the ways in which those failings can be met.
While I will consider culture, governance and remuneration separately, that separate consideration should not be taken as denying the close connections between all three. Positive steps taken in one area will reinforce positive steps taken in the others. Failings in one area will undermine progress in the others.
 CBA Prudential Inquiry, Final Report, 3.
 Cf CBA Prudential Inquiry, Final Report, 81. I deliberately omit reference to a ‘system’ of shared values and norms if only to emphasise that culture is observed and described, not created apart from, or imposed on, the entity.
 G30, Banking Conduct and Culture: A Call for Sustained and Comprehensive Reform, July 2015, 17.
 See generally FSB, Toolkit.
 FSB, Toolkit, 9. See also APRA, Information Paper, Risk Culture, October 2016, 8.
 FSB, Toolkit, 8.