Financial Services Alert 08 Apr 2019 Joining the culture club

What you need to do

• The Final Report sets out a series of lessons on how financial services entities can and should improve culture and governance frameworks.
• The Final Report did not prescribe a single 'best practice' for creating and maintaining a desirable culture but did emphasise that one necessary aspect of a desirable culture is adherence to "six basic norms of behaviour".
• Culture and governance can either drive or discourage misconduct. If issues are identified early, steps can be taken before misconduct eventuates.

What you need to know

• Take steps to properly understand and regularly review your workplace culture. Consider whether the standards you aspire to are actually being achieved.

• Ensure your board is being provided with the right information to challenge management effectively on key issues.

• Establish clear expectations and accountabilities.

• Focus not just on the prudent management of financial risks, but the prudent management of non-financial risks.

Over the course of seven rounds of public hearings, the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry shone a spotlight on the internal workings of financial services entities.

A persistent theme throughout the hearings — and the chief focus of the final round, where senior executives and board members from major financial services entities and regulators were called to give evidence — was the importance of culture and governance.

The Final Report, released on 4 February 2019, concluded that failings of remuneration practices, culture and governance were the root cause of much of the misconduct examined by the Commission.

After making this finding, the Commissioner set out a series of lessons (including some express recommendations) as to how entities can and must do better. While necessarily focussed on the financial services industry, these lessons have broader application to other industries and corporate entities.

We have separately considered the recommendations made in relation to frontline and executive remuneration in a previous article in the insight series. In this article, we turn our attention to culture and governance.

Defining culture and governance

What is culture and governance? As acknowledged in the Final Report, the topics of culture and governance "can provoke a torrent of clichés" and "serious debate about definition".

Some suggested definitions of culture include: "Shared values and norms that shape behaviours and mindsets"; "Essentially 'internalised' or 'instinctive' application of shared values and norms"; and, a favourite of these authors: "What people do when no-one is watching".

In turn, governance arrangements are defined as "the structures and processes by which an entity is run", including "the values and norms to which the processes of governance are intended to give effect".

There is no single, agreed meaning. However, any of these characterisations can be used by organisations as working definitions to review and reflect on their own culture and governance frameworks.

Culture and misconduct

The Final Report drew a clear link between organisational culture and governance arrangements and the misconduct examined by the Commission. For example, it was found that the 'fee for no service' issue arose as a result of unacceptable culture and lack of professional conduct on the part of both financial advisers and their managers.

More generally, in the Final Report, as well as the Interim Report released on 28 September 2018, it was found that many of the case studies examined by the Commission demonstrated an emphasis on the pursuit of profit above all else, including the interests of customers and compliance with the law.

The Final Report makes it clear that culture and governance can either drive or discourage misconduct. If issues are identified early, steps can be taken before misconduct eventuates. Conversely, an unwillingness or failure by an organisation to deal with these types of issues may permit or drive misconduct.

Creating and maintaining a desirable culture

It is common for larger corporations to have a list of agreed values and norms, usually set out in policies or codes of conduct, which are intended to both shape and reflect their culture and governance arrangements.

The culture of an organisation is unique. It can vary widely between organisations, and even within organisations. For this reason, the Final Report did not seek to prescribe a single 'best practice" for creating and maintaining a desirable culture.

However, the Final Report did emphasise that one necessary aspect of a desirable culture is adherence to "six basic norms of behaviour". These norms are:

1. obey the law;
2. do not mislead or deceive;
3. act fairly;
4. provide services that are fit for purpose;
5. deliver services with reasonable care and skill; and
6. when acting for another, act in the best interests of that other.

The Final Report also recommended that entities and regulators broaden their focus on risk culture and the management of risk.

In doing so, the Final Report cautioned entities against a shareholder versus customer mindset. It was observed that the interests of shareholders and customers are not necessarily opposed. In the longer term, the interests of all stakeholders associated with an organisation will converge.

What should entities be doing?

The Final Report makes it clear that primary responsibility for misconduct in the financial services industry lies with the entities concerned and with those who manage and control them: their boards and senior management.

One express recommendation in the Final Report was that all financial services entities should, as often as reasonably possible, take proper steps to:

• assess the entity's culture and its governance;
• identify any problems with that culture and governance;
• deal with those problems; and
• determine whether the changes it has made have been effective.

What can organisations, and their senior leadership, do to further these objectives?

• Whilst policies and codes of conduct can reflect the standards an organisation strives to achieve, management should consider if those standards are actually being achieved. Reflect on what has happened, why it happened, and what can be done to prevent it from happening again.
• Focus not just on the prudent management of financial risks, but the prudent management of non-financial risks.
• Consider the connection between remuneration practices and regulatory, compliance and conduct risks.
• Ensure that boards are provided with sufficient information to challenge management effectively on key issues.
• Establish clear expectations and accountabilities. Who will be held responsible for issues when they arise, and why?

Ultimately, organisations should seek to understand their workplace cultures, have processes to identify problems, and have the resolve to take steps to deal with any problems that are identified.

Doing this takes time and effort. As acknowledged in the Final Report, it will not always be easy. But the next steps forward will be critical in shaping culture and managing risk.

Authors: George Cooper, Partner; Daniel Fawcett, Lawyer; and Lucy Cameron, Lawyer.