Commissioner Hayne pulled no punches when commenting on the responsibility that all boards have where misconduct occurs within an organisation:
“Primary responsibility for misconduct…lies with the entities concerned and those who managed and controlled those entities: their boards and senior management”
How should boards and senior management of both financial services entities and other corporate entities address that responsibility and respond to Hayne’s recommendations and observations regarding organisational governance?
Focus on the right risks
Boards and senior management must strike the right balance in their assessment of:
- financial risk – in effect, the key risks that contribute to a company’s financial performance; and
- non-financial risk – that is, operational, regulatory, compliance and conduct risks.
The proper balancing of the consideration of various risks also needs to permeate down and throughout organisations’ management structures. Importantly, the board and senior management must take the lead in ensuring that this balanced assessment is followed throughout the organisation.
Responsibility and accountability
Hayne comments that “too often, it was unclear who within a financial services entity was accountable for what.”
He further warns that “without clear lines of accountability, consequences were not applied, and outstanding issues were left unresolved.”
Organisations must delineate:
- clear responsibility for internal tasks or functions; and
- the accompanying accountability for whether those tasks or functions have been performed well (or less well).
This is critical to good corporate governance (“Notions of accountability lie at the heart of governance”). It is also apparent that some financial services entities struggled with this. Addressing accountability is essential to avoid similar examples of failure arising in the future.
So, a key action for boards and senior management is to honestly question whether their organisation is clear about who is responsible for what and how accountability should work in practice. There will be much to be said about this in the months to come, but the solutions to this should include:
- Understand very clearly the material risks (both financial and non-financial) your business is exposed to and ensure that those risks have an internal and senior “owner”.
- Constantly assess and re-assess that “risk map” to ensure nothing material is omitted – in other words, follow Hayne’s Recommendation 5.6.
- Be very clear about how you expect the management of those risks to be performed – including the technical identification of those risks and the communication of those risks and their consequences (if not mitigated) throughout the organisation.
- Be very careful about over-complicating risk management structures: Hayne sees complicated laws leading to a failure to grasp underlying principles and purposes. This leads to staff asking “Can I?” rather than “Should I?” The same applies to layering complex structures onto risk management organisation, with the result that underlying purposes are lost. That said, no-one should assume that a focus on simplification will be easy.
Boards and senior managers must ensure that the right levels of an organisation are aware of particular issues or challenges that the business faces, from the perspective of financial and non-financial risk.
Ultimately, the board needs to be aware of the principal issues that an organisation is facing, whether in terms of the business’ financial performance or in terms of non-financial risk, for example, in the areas of compliance or employee behaviour and conduct.
Hayne observed that “too often, boards did not get the right information about emerging non-financial risks.”
To establish effective escalation frameworks, the board and senior managers need to:
- set clear expectations about the nature of the information they need and how it should be shared; and
- be clear about the consequences for that information not being escalated. Performance in this area should form part of the key criteria for assessing an individual’s contribution to the organisation and to remuneration outcomes.
Intrinsic to this is the ability of managers throughout the organisation and the board to make the right judgment about the nature and quality of the information they need. In short, as Hayne states, “it is the quality, not the quantity, of information that must increase”. It follows that, often, improving the quality of the information “will require giving directors less material and more information”.
Hayne is not advocating a revolutionary approach, either through changes in the law on governance or directors’ duties or new thinking on what amounts to good governance.
Rather, he is reminding even experienced boards and senior management about those fundamental areas of governance where you need to get it right and the dangers that can occur if these are ignored.