Coming now to the third of the principal themes of this chapter, as I said earlier, governance refers to all of the structures and processes by which an entity is run. It embraces not only by whom, and how, decisions are made, but also the values or norms to which the processes of governance are intended to give effect. Notions of accountability lie at the heart of governance. Who is to be held accountable for what is done or not done? How are those who are accountable held to account?
In 2006, in response to major corporate collapses, both in Australia (HIH Insurance) and overseas (Enron, Worldcom), APRA published prudential standards about governance.[1] The increased regulation of corporate governance in response to those collapses:[2]
sought to ensure that companies [would] operate in a way that is transparent and open and that minimises the risk of loss to stakeholders from mismanagement, fraud and conflicts of interest, as well as other factors that may motivate directors and managers of companies to operate in a manner that is detrimental to the interests of stakeholders.
Failings of corporate governance received less direct attention in the wake of the GFC than did failings in compensation practices and organisational culture (in particular, attitudes to risk). The GFC was seen as having been precipitated by compensation practices and problems of culture that contributed to the poor management of financial risks.
More recently, however, issues of governance have again received explicit attention.
In particular, the Prudential Inquiry into CBA highlighted the ways in which governance failings at CBA contributed to the reputational damage it had suffered. The panel concluded that:[3]
- there was inadequate oversight and challenge by the CBA Board and its gatekeeper committees of emerging non‑financial risks;
- it was unclear who in CBA was accountable for risks, and how they were to be held accountable;
- issues, incidents and risks were not identified quickly, and were not managed and resolved with sufficient urgency; and
- not enough attention was being given to compliance.
The introduction of the BEAR for large ADIs in July 2018 has intensified the attention given to accountability.
Connections between failings in governance and the occurrence of misconduct can be examined under three headings: the role of the board, the entity’s priorities and accountability.
The evidence before the Commission showed that too often, boards did not get the right information about emerging non-financial risks; did not do enough to seek further or better information where what they had was clearly deficient; and did not do enough with the information they had to oversee and challenge management’s approach to these risks.
The evidence also showed that too often, financial services entities put the pursuit of profit above all else and, in particular, above the interests of their customers, and above compliance with the law. When financial services entities did have regard to risks, they gave priority to financial risks, leaving their frameworks for the management of non-financial risks underdeveloped.
The evidence further showed that too often, it was unclear who within a financial services entity was accountable for what. Without clear lines of accountability, consequences were not applied, and outstanding issues were left unresolved.
[1] Prudential Standards APS 510, GPS 510 and LPS 510 were all introduced in May 2006 and took effect from 1 October 2006. Prudential Standard CPS 510 was introduced in 2011, consolidating the three earlier Prudential Standards.
[2] Explanatory Statement, Banking (Prudential Standard) Determination No 2 of 2006 (Cth); Explanatory Statement, Insurance (Prudential Standard) Determination No 5 of 2006 (Cth).
[3] CBA Prudential Inquiry, Final Report, 3.