3.2 Priorities

Proper governance requires setting priorities. Setting priorities requires choices. Sometimes the choice is between conflicting goals or conflicting courses of action; often the choice is about application of resources, timing or relative importance.

In the present context, two different, but closely related choices are considered:

  • first, the choice to pursue profit above all else – in particular, above the interests of customers, and above compliance with the law; and
  • second, when financial services entities have had regard to risks, the choice to give priority to financial risks, leaving their frameworks for management of non-financial risks underdeveloped.

3.2.1 The pursuit of profit

As I said in the Interim Report, many of the case studies considered in the Commission showed that the financial services entity involved had chosen to give priority to the pursuit of profit over the interests of customers and above compliance with the law.[1]

Some have sought to explain this emphasis on the pursuit of profit as reflecting the fact that a financial services entity is ultimately accountable to its shareholders. That proposition requires close examination.

All entities that are incorporated and have a share capital have responsibilities, and are accountable, to their shareholders. It is shareholders who will elect directors and, in the case of publicly listed companies, will vote to adopt, or not adopt, remuneration reports. It is shareholders who will give effect to the ‘two strikes rule’ that may see the entire board spilled.[2]

These forms of accountability are, of course, important. But they do not mark the boundaries of the matters that the boards of financial services entities must consider in the course of performing their duties and exercising their powers. That other considerations bear upon those decisions is most evident in the case of the largest financial services entities.

Each of the largest entities is systemically important. The long-term stability and performance of each is important to the proper performance of the national economy. It follows, therefore, that the boards of those entities must have regard to those enduring requirements. And the requirements are neither wholly captured by nor completely reflected in the day-to-day share price of the entity or some measurement of ‘total shareholder return’ over some period. The horizon of these larger entities must lie well beyond the next announcement of results.

This gives rise to a further point about the nature and extent of directors’ duties. Directors must exercise their powers and discharge their duties in good faith in the best interests of the corporation, and for a proper purpose.[3] That is, it is the corporation that is the focus of their duties. And that demands consideration of more than the financial returns that will be available to shareholders in any particular period. Financial returns to shareholders (or ‘value’ to shareholders) will always be an important consideration but it is not the only matter to be considered. The best interests of the corporation cannot be determined by reference only to the current or most recent accounting period. They cannot be determined by reference only to the economic advantage of those shareholders on the register at some record date. Nor can they be judged by reference to whatever period some of those shareholders think appropriate for determining their results.

It is not right to treat the interests of shareholders and customers as opposed. Some shareholders may have interests that are opposed to the interests of other shareholders or the interests of customers. But that opposition will almost always be founded in differences between a short term and a longer-term view of prospects and events. Some shareholders may think it right to look only to the short term.

The longer the period of reference, the more likely it is that the interests of shareholders, customers, employees and all associated with any corporation will be seen as converging on the corporation’s continued long-term financial advantage. And long-term financial advantage will more likely follow if the entity conducts its business according to proper standards, treats its employees well and seeks to provide financial results to shareholders that, in the long run, are better than other investments of broadly similar risk.

Financial services entities are no different. In the longer term, the interests of all stakeholders associated with the entity converge. And the burden of the evidence from the chief executives of all four large banks was that a bank’s best earnings opportunity comes from long-term relationships with its customers. That is why, as Mr Hartzer said: ‘banking is an annuity business’.[4]

Regardless of the period of reference, the best interests of a company cannot be reduced to a binary choice. And financial services entities are no different. Pursuit of the best interests of a financial services entity is a more complicated task than choosing between the interests of shareholders and the interests of customers.

3.2.2 The importance of non-financial risks

When financial services entities have considered risk and risk management, they have focused on financial risks, rather than non-financial risks.

Mr Comyn said that one of the key things that CBA had learned from the report of the Prudential Inquiry was that there was ‘[n]ot enough capability in the management of non-financial risk, particularly in operational risk and in … compliance’.[5] He acknowledged that CBA had ‘an enormous amount of work to do to improve our management of non-financial risk’.[6] Dr Henry also accepted that at NAB there was ‘insufficient attention given to the management’ of non-financial risks.[7]

Given the focus on financial soundness and stability in the wake of the GFC, it is not surprising that after 2009, financial services entities placed significant emphasis on the management of financial risk.

This emphasis was also apparent in APRA’s prudential standard about risk management, CPS 220, which was released in January 2015. As well as introducing the requirement for boards to ‘form a view’ of an institution’s risk culture, mentioned earlier, CPS 220 requires APRA-regulated institutions[8] to take various steps associated with the prudent management of risk, including maintaining a risk management framework and a risk appetite statement.[9] Although an entity’s risk management framework and risk appetite statement must deal with all material risks, including non-financial risks, the apparent focus of CPS 220 is on financial risks. Of the different types of risk enumerated in CPS 220, only one – operational risk – specifically directs attention to the non-financial risks referred to above.

As discussed earlier in this chapter, from about 2015, the focus internationally shifted to misconduct in financial institutions, and the ways in which the risk of misconduct could be reduced.

The types of risk associated with misconduct – compliance risk, conduct risk, regulatory risk, operational risk – are more difficult to measure than most types of financial risk. In the period following the introduction of CPS 220, many financial services entities struggled to develop frameworks for the effective management of these types of risks (and other non-financial risks).

So, for example, in November 2015, APRA conducted a review of CBA’s operational risk management framework.[10] APRA expressed concern that CBA’s existing framework was not effectively identifying, escalating and addressing significant operational risks, and required CBA to take steps to improve that framework.[11] And, by the time of the Prudential Inquiry in 2017 and 2018, APRA still had concerns about the effectiveness of CBA’s systems and processes for the management of operational and compliance risk.

The Prudential Inquiry into CBA recommended that CBA establish a ‘non-financial risk committee’ at the Group Executive level. One aim of the committee is to ‘increase the visibility of operational risk and compliance at senior management and Board level’.[12] CBA has established that committee[13] with Mr Comyn saying that:[14]

All of the participants would say that it’s invaluable and, obviously, there was a clear deficiency and gap in the way we operated previously.

Some financial services entities devoted inadequate resources to compliance, and did not give compliance staff a strong enough voice in the business. But this, too, is changing.

One example makes the point sufficiently. Allianz’s Chief Risk Officer, Ms Lori Callahan, accepted that in the past, Allianz had not devoted adequate resources to compliance.[15] She noted that Allianz had taken steps to increase the seniority of some risk and compliance roles and she emphasised the importance of risk and compliance staff having sufficient seniority to challenge management.[16]

Paragraph 43 of CPS 220 requires entities to have ‘a designated compliance function that assists senior management of the institution in effectively managing compliance risks’,[17] and provides that the compliance function ‘must be adequately staffed by appropriately trained and competent persons who have sufficient authority to perform their role effectively, and have a reporting line independent from business lines’.[18]

Mr Byres accepted that the references to compliance and internal audit in the prudential standards were ‘fairly cursory and short’, and that APRA would ‘need to think about how we give them more prominence in our assessment of risk management because it has traditionally been … [assessed from a] financial soundness perspective’.[19] He said that his reflection on the instances of misconduct reported to the Commission in response to the requests for information sent in January 2018 was that ‘compliance and audit functions are not strong enough in organisations’.[20]

Obviously, the prudent management of financial risks by financial services entities is and will always remain important. But financial services entities must now accept that financial risks are not the only risks that matter. The prudent management of non-financial risks is equally important. Financial services entities must give sufficient attention, and devote sufficient resources, to the effective management of non-financial risks. APRA should give consideration to how that requirement can be made more prominent in its prudential standards.


[1] To give only one example, see Transcript, Michael Winter, 17 September 2018, 5955.

[2] Corporations Act ss 250U–250Y.

[3] Corporations Act s 181(1). See also the ‘business judgment rule’ in s 180(2), which depends, among other things, on the director or other officer rationally believing that the judgment made ‘is in the best interests of the corporation’.

[4] Transcript, Brian Hartzer, 22 November 2018, 6863: ‘So the way we think about this business is that banking is ultimately an annuity business, the value comes from having long-term relationships with customers, and that, that is – it’s best thought of as a service business rather than a product business.’

[5] Transcript, Matthew Comyn, 19 November 2018, 6523. See CBA Prudential Inquiry, Final Report, 6.

[6] Transcript, Matthew Comyn, 19 November 2018, 6521.

[7] Transcript, Kenneth Henry, 26 November 2018, 7101.

[8] Defined for the purposes of CPS 220 as not including an RSE licensee. Prudential Standard SPS 220 applies to RSE licensees.

[9] APRA, Prudential Standard CPS 220, July 2017, 3–4 [13].

[10] Transcript, Catherine Livingstone, 20 November 2018, 6710.

[11] Transcript, Catherine Livingstone, 20 November 2018, 6710.

[12] CBA Prudential Inquiry, Final Report, 25–6.

[13] Transcript, Matthew Comyn, 20 November 2018, 6667.

[14] Transcript, Matthew Comyn, 20 November 2018, 6670.

[15] Transcript, Lori Callahan, 18 September 2018, 5991. See also Transcript, Lori Callahan, 18 September 2018, 6057.

[16] Transcript, Lori Callahan, 18 September 2018, 5989, 6021.

[17] APRA, Prudential Standard CPS 220, April 2018, 11 [43].

[18] APRA, Prudential Standard CPS 220, April 2018, 11 [43].

[19] Transcript, Wayne Byres, 30 November 2018, 7443.

[20] Transcript, Wayne Byres, 30 November 2018, 7443.