The 4Cs of risky business

Keynote address by ASIC Deputy Chair Karen Chester at Risk Australia 2021, Wednesday 25 August 2021.

Check against delivery

Introduction

Thank you for inviting me to join you and speak today.

Let me start by acknowledging that it is a very character-building time to be a risk professional, especially in the financial services industry. For most of you, you've been hit by a perfect storm of risk events.

  1. The first to make landfall in this confluence was the Hayne Royal Commission, specifically its findings on the mismanagement of non-financial risk.
  2. Second, the now widely acknowledged ongoing legacy risk from underinvestment in systems and data.
  3. The third wave consists of the October legislative step change in regulatory obligations. Six in total, three of which are front and centre today: the design and distribution obligations, the new requirements for how breaches are reported to ASIC, and how disputes are managed internally within firms.
    Now, some may see this wave as a tsunami. But as risk professionals, I hope you will view them collectively as a roadmap to risk management, empowering you with better risk mapping and fit-for-purpose KRIs.
  4. The fourth, and an enduring driver behind the October reforms, is expectations around ESG, particularly social conduct and behaviour, as well as the environmental imperatives around climate change.
  5. Fifth, and finally, the universal and most challenging risk event, the pandemic itself, turning the waters of this perfect storm completely opaque.

It's no wonder that demand for risk professionals today is more akin to one of my favourite 1960s hits: 'Ain't No Mountain High Enough'. You've certainly picked the right profession if you want to be in mountain-high demand.

A recent global survey of risk professionals found 69% expected their career opportunities to increase over the next 18 months, while nearly one-third said they anticipate a significant increase in opportunities.[1]

The RMIA echoes this sentiment, with the two hottest topics in our risk community being competition for you, and how best to retain you.[2]

So when you're having a character-building day, just remind yourself that you're a member of the 'Ain't No Mountain High Enough' profession.

ASIC's risk maturity journey

Now, I want to make it clear from the outset that I am not a risk professional. I am an Economist by training (the normative science of incentives). But an Economist with the good fortune of having worked across the private and public sectors, with both domestic and global entities, and across four distinct career streams (the latest being poacher-turned-gamekeeper as a regulator).

From that experience, I can empathise with firms that have had to play catch-up on risk maturity. Twenty years ago, when I was the CEO of what is now Deloitte Access Economics, we were the first corporate to report a cyber-crime incident under the Cybercrime Act 2001. We were successful, but the matter consumed 18 months of my time and focus, and caused much distraction to the Board.

So I've been there. And I know that standing on that 'thin black line' between risk and reputational damage is a daunting place to be.

Over the past two-and-a-half years ASIC has developed and advanced its own risk management framework, informed by the governance findings of the 2017 ASIC Capability Review.

But as risk professionals you know it's one thing to have recommendations to improve governance arrangements. It's a whole other world (and an arduous one at that) to implement governance changes. And that's the journey that ASIC has been on, with expert assistance from Oliver Wyman in 2019 and into 2020.

In my mind, the real game-changer for implementation was ASIC's decision in late 2019 to establish a CRO role reporting directly to the Chair. And in early 2020, my colleague (Commissioner Sean Hughes) and I had the good fortune to recruit Zack Gurdon, ASIC's inaugural CRO.

Zack, along with his team of risk professionals, made implementation a reality, with the support of the Commission and ultimately Zack's executive colleagues. It's been a risk culture and change-management journey, and one well championed by Zack and his team.

Through this journey we enhanced ASIC's governance and oversight by establishing an Executive Risk Committee and a Commission Risk Committee, which now form the backbone of our new governance structure. We strengthened our risk management accountabilities through the Management Accountability Regime, and established Three Lines of Accountability to introduce clear risk-management roles and responsibilities. We also adopted a new Risk Appetite Statement.

But as you all know, risk-management governance is a never-ending journey. More recently, we have further matured our Risk Management Framework following the lessons learned from the reports of the ANAO and the Thom Review late last year.

Using an Enterprise Risk Management taxonomy

Now, when risk professionals think of ASIC, we fall under the broad category of 'non-financial' risk. Like any other organisation, we must navigate strategic risks, operational risks, reputational risks, compliance risks and people risks. All of these have the potential to impact our effectiveness and capabilities as a regulator.

What makes our risk universe unique is ASIC's regulatory oversight and our focus on 'conduct risk'. We define 'conduct risk' as: 'the risk of inappropriate, unethical or unlawful behaviour on the part of an organisation's management or employees'.[3]

For us, the end-game on 'conduct risk' is consumer outcomes. 'Consumer' includes investors, be they retail or wholesale these days. And this brings me to what for me are today's 4Cs of conduct risk:

  1. consumer outcomes
  2. culture
  3. cyber
  4. climate.

Today, I'm going to unpack 1 and 2. But to afford time for some real risky business (live Q&A) I'll set some PD homework for 3 and 4.

The end-game: consumer outcomes

So turning to 'C' number 1, consumer outcomes. Top of the pops for a conduct regulator like ASIC. And it ought to be an end-game for all of you.

If Hayne taught us anything, it鈥檚 this one simple fact: good consumer outcomes make good business sense.

The last three years rammed home the fact that non-financial risks can crystallise into very real and very big financial risks. Such that measuring consumer outcomes (and doing so well) is perhaps the new Holy Grail for risk professionals. Let me explain why.

Poor conduct has serious financial implications for companies, their investors, and their customers. Not to mention the costly lag and drag of remediation and reputational damage. I need not remind you of the provisioning for remediation costs over the past two years.

Right now, ASIC is monitoring 71 remediations that are expected to return over $5.2 billion to consumers upon finalisation. Over $2 billion has already been returned across those active remediations.

That's why you, as risk professionals, have a pivotal role to play: by evaluating the impact of your firm's governance practices on consumers and investors (through fit-for-purpose KRIs). Especially now, in the world of our confluence of five risk events, with consumers and investors shimmying up the risk curve in the hunt for yield as low risk-free rates endure through the pandemic.

Most (if not all) of October鈥檚 step-change in regulatory obligations can provide you with the roadmap and data to help you in this evaluation. They can be your key risk indicators for consumer harm.

The three heavy-lifters here are the design and distribution obligations, internal dispute resolution and better breach reporting. These issues are top-of-mind for ob体育 and I鈥檓 sure they are for all of you.

Design and distribution obligations

Design and distribution obligations (or DDOs) are first and indeed foremost for industry. And it's no secret that they are an ASIC favourite. A long time in the making, with their genesis back in the 2014 Financial System Inquiry.

For quite some time, the primary root cause of the risk trifecta of reputational damage, consumer complaints and remediation programs has been the sale of products that are simply not fit for purpose.

And in the case of some insurance products, the evidence showed they were not fit for anyone. The sale of junk consumer credit insurance led to $160 million in remediation for close to half a million consumers in 2020 alone, in addition to the reputational damage suffered by entities when those practices came to light.[4]

DDOs require firms to design financial products to meet the needs of consumers and retail investors, and to distribute those products in a more targeted manner. They reflect similar obligations placed on financial product issuers in the UK, the Netherlands and the European Union.

In short, DDOs are your process-mitigant to prevent harm happening in the first place. DDOs let you chisel and tweak the design of products before they are put out to the market. They provide assurance to the Board and senior management that some rigour has been applied and the design has been informed by facts.

DDOs also give firms a way of placing less reliance on disclosure to mitigate consumer harms. For all of you as risk professionals, the long-play benefits will emerge in the form of a clear line of sight. DDOs will give you confidence that you're not going to hit a reputational or regulatory risk event. They clearly show what your firm will find acceptable in terms of product design. And they give your Board hard metrics for product assessment prior to launch, and for ongoing monitoring, a form of risk assurance. Are your products reaching your target markets through whatever distribution channels you choose, today and in the future? These are all valuable lead indicators, as opposed to sub-optimal lag indicators such as complaints.

Internal dispute resolution

The same goes for internal dispute resolution (or IDR). Updated standards and requirements for IDR will assist in improving the timeliness of complaints handling, clearer messaging to consumers, and consistent recording of complaints. The updates also clarify the enforceability of ASIC's IDR standards and ensure that firms are identifying systemic issues that arise from complaints.

From a CRO's perspective, these will be another valuable source of lead KRIs on consumer harm. Combine these new IDR requirements with the existing requirements for external dispute resolution, and you'll have a full 360-degree dispute resolution data dashboard.

Product labelling and advertising

Leaving the October regulatory changes to one side for a moment, the legislative divides between investor classes have become porous over time from a risk perspective. The financial and reputational risks attached to misleading and deceptive marketing are very real. The good news for CROs is that, for retail investors, they can be mitigated by a robust DDO framework.

The wholesale-versus-retail investor classification is an area where the data divide has become form-over-substance from a risk-management perspective. Here I'll highlight ASIC's Federal Court wins against Mayfair 101 and Mr Mawhinney, and our 2020 'true to label' project.

The Mayfair case illustrates the financial and reputational risks attached to product advertising. Marketing must be true-to-label, regardless of whether the customers are retail or wholesale, or a bit of both.

ASIC's win against Mayfair was a wake-up call for firms that it does not matter what medium is used to misleadingly promote products, including search-engine advertising and sponsored links.

Our 'true to label' project has grown in importance during the pandemic, with a growing pool of vulnerable investors to whom more lightly regulated wholesale products can be marketed.

Our concern is the impact a prolonged search for yield has on existing investors who may not understand the attendant higher risks, particularly where these investors classify themselves (or are classified by others) as wholesale rather than retail investors.

For example, think of a retired farmer in regional Victoria, whose house price and super balance deem them to be a wholesale investor. These thresholds are not and have not been indexed, and have not changed since at least 2001. A wholesale investor has net assets of at least $2.5 million; income of at least $250,000; and/or is investing at least $500,000.

If these thresholds had been indexed by (for example) housing prices and average weekly earnings respectively, today's equivalent thresholds would be about $7 million in net assets and annual income of at least $530,000.[5]

This illustration, along with ASIC's action against Mayfair, highlights that marketing and product suitability are not the exclusive concern of the retail market. The regulatory risk of not being 'true to label' clearly spans both retail and wholesale investors when seen through the lens of our action here.

Culture

Turning to 'C' number 2: culture. Here, there are newer regulatory obligations that relate to accountability, remuneration and incentives, and breach reporting. These obligations can act as your KRIs on culture and culture-driven risks.

Financial Accountability Regime

It's a truth universally acknowledged that a cornerstone driver of culture in an organisation is its accountability arrangements: how transparent, robust and meaningful they are in practice. So the new Financial Accountability Regime (or FAR) is no doubt on your risk-management radar.

The Government's FAR implements the Royal Commission's recommendation that the Banking Executive Accountability Regime (or BEAR) be extended to all APRA-regulated financial services institutions. By extending the existing accountability regime in BEAR, Australia will again be more closely aligned with other jurisdictions.

The FAR is an important way for firms to establish a culture of accountability for conduct that aligns with ASIC's regulatory mandate to change behaviours and drive good consumer and investor outcomes.

The FAR imposes four core sets of obligations:

  1. Accountability obligations (which require accountable entities and accountable persons to conduct their business in a certain manner).
  2. Key personnel obligations (which require accountable entities to attribute all areas of the operations to an accountable person).
  3. Deferred remuneration obligations (which require accountable entities to defer at least 40% of variable remuneration of their accountable persons, and for this remuneration to be reduced where accountability obligations are breached).
  4. Notification obligations (which require accountable entities to provide the regulator with certain information about them and their accountable persons and, for entities above a certain threshold, to submit accountability maps and statements).

The consultation period for the FAR Bill closed two weeks ago. So it's early days, but as risk professionals I know your preparatory work will be underway.

These FAR reforms can act as your KRIs on culture because the four core sets of obligations require data on accountability to be mapped. And as you know, what gets mapped gets managed. It's a great source of data to be presented to your Board through your impactful risk lens.

Remuneration and incentives

The other truth universally acknowledged is that other critical drivers of culture include remuneration and incentives.

It was great to see Steve Sedgwick's recent 2021 assessment that the recommendations he made in his 2017 review of retail banking remuneration have, for the most part, now been adopted by the industry.[6] The recommendations in the original review were designed to address the "unacceptable risk of promoting behaviour that is inconsistent with the interests of customers".

Steve found that some remuneration and incentive practices were driving poor behaviour towards customers, and recommended that the banks change or eliminate those practices. It's a reminder for risk professionals like yourselves that, even with the best controls, incentives and culture are powerful drivers of misconduct.

The banking industry has changed in response to this review. Those changes resulted in:

  • maximum variable pay being reduced
  • performance measurement being directed away from sales
  • an improved, customer-focused culture in the industry.

Of course, there is always a chance that these poor incentive and remuneration practices creep back in. Which is why it's terrific that the Australian Banking Association will be monitoring remuneration practices. That leaves us to benefit from that monitoring, and to stay attuned to the role of incentives in driving customer outcomes.

Notably, Steve's 2021 report called out one of your foundational roles, the challenge role, as essential in ensuring that performance measurement and management are appropriately calibrated and customer-oriented.

Breach reporting

Let's now turn to the breach reporting reforms, which start in October. Firms should already be using this data (which is being reported to ASIC) to identify any systemic issues and perform root-cause analysis.

The breach reporting reforms seek to address longstanding concerns about inconsistent, inadequate and delayed reporting of breaches by licensees.

Systems underinvestment has increased exposures. We know this from our supervisory work on consumer and small-business complaints under internal dispute resolution procedures[7], and from our statistics on breach reporting.

In a sample review of breach reports covering the six months from July to December 2020, ASIC found that 'under-investment in technology systems' was the main root cause of the reported breaches in a significant number of cases.

'System deficiency' was the second most common root cause across all breach reports submitted by ASIC's Close and Continuous Monitoring Institutions (or CCMIs) through ASIC's Regulatory Portal. Between April 2020 and February 2021, on average, a 'system deficiency' was identified as a root cause of 20% of all breaches reported by CCMIs through the Regulatory Portal. One CCMI identified 'system deficiencies' as the main root cause of half (50%) of all of its lodged breaches in this period.

Compliance breaches happen in all organisations and businesses. But ASIC is looking to firms to shift their culture, to act faster on breaches and to ensure they are given the attention they deserve. Under the new law, firms are obliged to identify and report breaches, and to remediate consumers, in a timelier manner. The regime is also extended to credit licensees for the first time.

For risk professionals, these reforms could actually make your job easier. They create consistency and clear lines of sight for better benchmarking of your firm鈥檚 performance.

And as I said earlier, what gets mapped gets managed.

Cyber and climate

For our third and fourth 'Cs', cyber and climate (hand-in-hand with ESG investing), I've decided to make some time to take questions. So as not to disappoint, let me leave you some homework reading.

On cyber, we have outlined some 'health-check prompts' in our Report 429 Cyber resilience health check, and published key questions for Boards to consider on our website at asic.gov.au/cybergovernance.

ASIC is also taking deterrence-based enforcement action, as evidenced by ASIC's August 2020 case against RI Advice Group under section 912A of the Corporations Act. This is an important one for you to watch, and it won't be our last.

My 'top-hit' hint: not only do entities need to be cyber resilient, but their operations must be resilient to other technical outages as well.

The November 2020 outage following the major upgrade to ASX's equity trading platform, ASX Trade, is a good example of the need to be operationally resilient also.

While the focus to date has been on what ASX needs to do, it's a timely reminder that participants' duties to their clients, including the obligation to take reasonable steps to obtain best execution, do not fall away where there has been a market outage or disruption.

On climate and ESG investing, your homework is to read my colleague Commissioner Cathie Armour's two cracker articles in the July issue of Company Director Magazine: What is greenwashing and what are its potential threats? and Managing climate risk for directors. And it'd be remiss of me not to also mention ASIC's Report 593, Climate risk disclosure by Australia's listed companies.

Conclusion

Finally, onto your program for today's conference. To me it looks like it captures three other 'Cs': it's 'contemporary', it's 'comprehensive' (it covers all the risk bases that matter) and it's about to be presented by a well 'curated' collection of speakers, bringing risk perspectives from a diverse set of firms.

I know that it's a challenging time to be a risk professional, especially in the financial services industry. But I hope that's what makes it all the more professionally rewarding for each of you.

For each of you has the twin challenge of championing meaningful risk-management systems.

And then challenging form-over-substance risk management. Jettisoning old-world, tick-the-box compliance and calling out the tough commercial truths.

So perhaps today's tough truth is the legacy underinvestment in data and systems. For we know from our work that this is proving to be the root cause of Boards missing risk landmines. And recent history tells us that many firms missed these landmines, with commercial reputations blown up in public inquiries and Royal Commissions, including ones more recent than Mr Hayne's.

So in wrapping up, I hope I've helped forge two enduring links. The first, between recent and soon-to-be-introduced regulatory obligations and your professional risk endeavour going forward, providing you with the roadmaps, the data-informed analysis and the KRIs to be the 'agents for challenge and change'.

Second, the single common thread running through conduct risk today is the end-game of good consumer outcomes: fertile ground for your contemporary, fit-for-purpose KRIs for consumer harm.

And doing so may require you to call out the need for investment in data and systems.

Because, with both thanks and apologies to Jane Austen, 'It is a truth universally acknowledged that a firm in possession of a good fortune must not be in want of good consumer outcomes.'

Thank you for your time today.


[1] Yahoo News, March 2021.

[2] RMIA, October 2020.

[3] ASIC REP 631 Director and officer oversight of non-financial risk, October 2019, page 9.

[4] 20-115MR ASIC secures over $160 million in remediation for junk consumer credit insurance.

[5] Australian Bureau of Statistics. Residential property price index; greater Melbourne (Sept 2003 to Mar 2021): $2.5M becomes $6.7M; Median price of attached dwelling transfers (unstratified); Rest of Victoria (Sept 2003 to Mar 2021): $2.5M becomes $7.4M; Earnings; Males; Full time; Adult; Ordinary time earnings; All industries (May 2001 to May 2021): $250,000 becomes $529,000. Index numbers; All groups CPI; Melbourne (Mar 2001 to June 2021): $250,000 becomes $399,000, $2.5M becomes $4M; Index numbers; All groups CPI; Australia (Mar 2001 to June 2021): $250,000 becomes $402,000; $2.5M becomes $4M.

[6] 2021.

[7] Under-investment evident from IDR reviews: under-recording of complaints was identified as a common problem in our IDR reviews. Systems under-investment has been identified as one of the key contributing factors, e.g. relying on multiple or legacy systems or, in some cases, limited access to complaint recording systems.