Skip to content

The banking royal commission final report: Culture and governance implications

  • The central objective in the final report is to examine what can be done to avoid the misconduct in the financial sectors being repeated.
  • The banking royal commission final report recommendations have application for all entities, not just within the financial sectors, especially on culture and governance.
  • Culture and governance practices must focus on non-financial risk, as well as financial risk.

The Final Report of the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry was released on Monday 4 February 2019.

As predicted, Commissioner Hayne delivered a lengthy report and a comprehensive set of recommendations across the banking, financial advice, superannuation and insurance sectors (FS sectors) as well as on culture, governance and remuneration (CG&R) and on the regulators. These have already been, and will remain, the subject of intense scrutiny by all stakeholders in the weeks and months ahead.

In light of the principles and issues that Commissioner Hayne has outlined in his report, his recommendations and supporting commentary should be viewed as relevant, not only, of course, to financial service entities but also to entities operating in the non-financial corporate space. The content of the report has universal application, especially on culture and governance.

Importantly, any interpretation of what Hayne is recommending or requiring, whether on CG&R or in relation to the FS sectors, must be informed by the clear approach that he has taken to key questions, underlying principles and general rules.

Hayne’s approach

The Commissioner’s central objective in the final report is to examine what can be done to avoid the misconduct in the FS sectors being repeated.

He starts with some key observations that have guided the Commission’s work. In the context of CG&R, he observes that:

  • The misconduct was driven by the relevant entity’s pursuit of profit and also by the individual’s pursuit of gain, whether in the form of remuneration for the individual or profit for the individual’s business

He identifies a number of key questions that will be the basis of any policy response to the misconduct and shortcomings that prevailed in the FS sectors and which the Commission has publicly exposed. On the subject of CG&R, he asks what more can be done to achieve effective leadership, good governance and appropriate culture within financial services firms so that firms comply with six basic norms of conduct:

  1. Obey the law
  2. Do not mislead or deceive
  3. Be fair
  4. Provide services that are fit for purpose
  5. Deliver services with reasonable care and skill
  6. When acting for another, act in the best interests of that other

Hayne sees these six ‘very simple ideas’ as being the building blocks for the proper conduct of financial service entities. They also support a number of general rules including, in the CG&R space, that ‘culture and governance practices (including remuneration arrangements), both in the industry generally and in individual entities, must focus on non-financial risk1, as well as financial risk’.

The report’s recommendations all relate to, and respond to, one or more of his key questions and reflect one or more of the six norms. This is especially so in his commentary and recommendations on CG&R.

The Commissioner makes it very clear with whom primary responsibility for misconduct should lie — this is with the entities concerned and those who managed and controlled those entities: their boards and senior management.

Primary responsibility

Hayne’s final preliminary observation is stark. The Commissioner makes it very clear with whom primary responsibility for misconduct should lie — this is with the entities concerned and those who managed and controlled those entities: their boards and senior management.

He therefore sees the serious misconduct uncovered before and during the Commission hearings as resulting from a significant failure in corporate culture and governance. 

Culture, governance and remuneration

Hayne explains his recommendations on CG&R in Chapter 6 of the report.

He starts by stating that every entity must ask itself the questions provoked by APRA’s Prudential Inquiry into CBA (the final report of which is very much aligned with the recommendations that Hayne makes):

  • Is there adequate oversight and challenge by the board of emerging non-financial risks?
  • Is it clear who is accountable for risks and how they are to be held accountable?
  • Are issues and risks identified quickly, referred up the management chain and then managed and resolved urgently? Or does bureaucracy get in the way?
  • Is enough attention being given to compliance? Or is it just ‘box ticking’?
  • Do remuneration practices recognise and penalise poor conduct? How does remuneration apply when there are poor risk or customer outcomes? Does senior management feel the sting?

These are questions that any corporate entity could, and should, honestly ask itself on a continuous basis.

‘Culture, governance and remuneration march together. Improvements in one area will reinforce improvements in others; inaction in one area will undermine progress in others.’

Hayne analyses with great clarity the interlinked nature of culture (‘what people do when no-one is watching’), governance (‘the structure and processes by which an entity is run’) and remuneration (something, he says, that ‘tell[s] staff what the entity rewards’). He concludes with a thought that may resonate for some time:

‘Culture, governance and remuneration march together. Improvements in one area will reinforce improvements in others; inaction in one area will undermine progress in others.’

In short, if what has happened in the past is to be avoided in the future, then entities have no choice but to continuously grapple with CG&R. All three are inextricably linked. Each works with the others as a driver of behaviour (good or bad).

We will now look at some specific matters of culture and governance to assess the meaning and significance of Commissioner Hayne’s recommendations and commentary on these critical topics.


In Hayne’s view, there is no single ‘best practice’ for creating a good culture, but one necessary aspect of a good culture is adherence to his fundamental six norms (a very good example of Hayne making an important comment and tying it back to a straightforward point of principle).

Culture may not be prescribed or legislated but it can — and must — be assessed both by the financial service entities themselves and also by the appropriate regulators, in this case ASIC and APRA. This is a clear message to those who have claimed that matters of culture are not the preserve of regulators.

Recommendation 5.6 states that all financial service entities should, as often as reasonably possible, take proper steps to assess the entity’s culture, identify any problems with that culture, deal with those problems and determine whether the changes it has made have been effective.

These steps must be taken by the board and senior management.

Hayne emphasises that these steps should be taken by every financial services entity, named or not named in the Commission proceedings. A key point here is that these are actions to be taken continuously (‘as often as reasonably possible’). Culture is never ‘fixed’ — entities must keep on examining their culture.

Recommendation 5.7 deals with the external supervision of culture and governance on financial service entities. This states that APRA should set up a supervisory program around how APRA-regulated institutions build culture that mitigates misconduct risk and that APRA should assess the cultural drivers of misconduct in entities.

This is a clear requirement for this financial regulator to include consideration of organisational culture in its supervision activities.


Recommendation 5.6 makes the same point about governance — boards and senior management must constantly assess the quality of their organisation’s governance.

And, as with matters of culture, Hayne is concerned that some external supervision is exercised over governance. So, Recommendation 5.7 requires APRA to encourage entities to give proper attention to the sound management of conduct risk and improving entity governance. His choice of words here is instructive — he uses the term ‘improving’ because there is always room for improvement. Again, he is implying that the task of working on governance is never complete.

This suggests that entities should reserve a continuous board agenda item on the assessment of culture and governance. Alternatively, boards may need to widen the customary remuneration committee to include matters of culture and governance, to ensure continuous monitoring over these interlinked issues. It would also focus the minds of committee members on the particular information they will need to monitor an organisation’s performance in these areas. It should also ensure that questions of remuneration are firmly tied into relevant questions of culture and governance.

A crucial element in the assessment that Hayne recommends is whether a company has been effective in managing the organisation’s risks — both financial and non-financial. It is, of course, the responsibility of the board and senior management to identify, assess and manage risks to the organisation.

Hayne hones in on two very practical features of governance that are critical to managing risk and that were particularly lacking in a number of financial services entities:

  1. The need for boards to get the right information about emerging non-financial risks. This requires the board to:
    (a) seek further or better information if what they have is deficient; and
    (b) use that information properly in order to robustly challenge management’s approach to managing these risks.

    If the board does not have the right information, it simply cannot effectively challenge management and properly discharge its functions.

    He notes that the evidence before the Commission showed that boards frequently did not get the right information about emerging non-financial risks. He also emphasises the need for the right information and not more information — quality not quantity.

    Hayne firmly lays the responsibility for getting the right information on boards and senior management.

  2. The need for boards and senior management to be clear who within the financial services entity was accountable for what. 

The evidence before the Commission showed frequent uncertainty or ignorance within financial service entities as to who was responsible for what actions or tasks. Such uncertainty destroys any form of effective accountability.

Clear accountability is intrinsic to good governance. It ensures that problems are resolved effectively. It fosters a culture where risks are managed soundly.  It is accountability that determines what consequences must follow when things go wrong (and where credit is due where things go right).

These are matters of importance for any corporate entity. The consequences of not properly addressing these two needs can be, and were in the case of certain financial services entities, particularly adverse.

The Commissioner ends the chapter on CG&R by commenting on the willingness (or not) of certain boards to recognise and accept responsibility for the misconduct that occurred. He comments that there is a reluctance in some entities to form and then give practical effect to their understanding of what is ethical, of what is honest and fair, and of what is the ‘right thing to do’.

The point he is making here is that boards and senior management:

  • have to make judgments, or arrive at views, on what is ethical, honest and fair, and indeed on all aspects of non-financial risk — they cannot subcontract this responsibility to advisers and by so doing seek to avoid it; and
  • must authentically accept responsibility for misconduct that has occurred in an entity which they have a duty to supervise — and then take effective steps to address that misconduct. 

Closing points

In the same way that the APRA CBA report could be usefully read by all corporate entities for clear guidance on culture and governance matters, Hayne’s Final report and particularly his recommendations and comments on CG&R provide firm guidance for all of corporate Australia.

Hayne is not advocating a novel or revolutionary approach, whether through changes in the law or changes in the conventional view of what amounts to good practice. Rather, he has re-emphasised the areas of good governance that were either ignored or de-prioritised by experienced boards who were responsible for overseeing financial services businesses.

He is clearly saying in his recommendations and his explanations that the board’s and senior management’s task of developing good culture and governance is never complete and is constantly evolving. Continual assessment of the fundamental pillars of good governance must happen. In short, complacency in the ranks of the board and senior management must be identified and addressed.

We should finish with some words from the Commissioner. He recognises that the necessary generality of the words of a recommendation (for example, Recommendations 5.6 and 5.7 referred to above) might allow some to too easily say that it ‘does not apply to us’.

‘But it does’, he says, and ‘to ignore the recommendations…would be ignorant because those who will not learn from history will repeat it.’

  1. By non-financial risk, we mean operational risk (the risk of loss arising from inadequate processes, people and systems or from external events), compliance risk (the risk of legal or regulatory sanctions, material financial loss or reputational loss arising from breaches of laws, regulations, rules, codes of conduct and other standards) and conduct risk (the risk of inappropriate, unlawful or unethical behaviour by employees of an organisation).

Scott Atkins can be contacted on (02) 9330 8015 or by email at
Phil Charlton can be contacted on (02) 9330 8367

Material published in Governance Directions is copyright and may not be reproduced without permission. The views expressed therein are those of the author and not of Governance Institute of Australia. All views and opinions are provided as general commentary only and should not be relied upon in place of specific accounting, legal or other professional advice.

How can Australian boards mitigate workforce risk?

Next article