An increasingly common scenario

It’s an ordinary Tuesday afternoon, when, picking up emails between meetings, the bad news comes in – there has been a serious issue in your business line. Details are not fully known yet, but it’s probably a breach and goes back quite some time. The corporate crisis management processes are already kicking in, but your mind turns to your own individual accountability. This isn’t the first time something has gone wrong, but now not only is your bonus and your job at risk, so is your future in the industry. Could you be disqualified for this major failure? 

You start mentally walking backwards through the cascade of events and decisions that led to this outcome – something obviously went wrong somewhere – but had the organisation, had you, taken reasonable steps to prevent it, and, importantly, can you prove it? 

What is reasonable?

Although regulators will likely provide more guidance as the Financial Accountability Regime (‘FAR’) gets closer to implementation, there will be no bright lines that enable executives to tick a box that ‘reasonable steps have been taken’. Reasonableness is a subjective test and whether steps were reasonable will be judged, in hindsight, by regulators, and ultimately by the courts. In the context of FAR, this is as yet untested, but reasonableness generally is not unfamiliar within the financial services laws, including in responsible lending and advisor representative compliance. Regulators are likely to look to the United Kingdom’s Senior Managers and Certification Regime accountability regime where the reasonable steps test is more established, to give an indication of what might amount to reasonable steps. 

Processes, frameworks, standards and guidelines are necessary but not sufficient

An overarching framework and guidance for reasonable steps is a baseline requirement, and should at the very least provide for:

  • standardisation of record-keeping; 
  • the expectation of repeatability in decision-making; and 
  • some level of objectivity around what reasonable steps look like in the particular organisational context.

Ensuring this framework is implementable, and in fact implemented, is essential. Too often we see beautiful frameworks sitting in proverbial drawers, never being used by the executives for whom they are crafted. 

Our experience suggests that in the context of accountability regimes, an implementable framework is one that is built around and into the existing governance and decision-making structures of the organisation – layering something on top is not effective. This means having a deep understanding of how things are done already, and why they are done that way – and identifying where in this process reasonable steps gaps might exist. It means asking executives to identify their vulnerabilities, which not only gives designers and developers of frameworks insights into where there are gaps but also brings those vulnerabilities to the front of mind for the executives themselves. 

Ensuring a framework is successfully implemented relies heavily on removing friction and ensuring buy-in. This means identifying and smoothing in places where doing the right thing is more difficult than not. In some cases, this will involve appropriately applied resourcing – if something isn’t being done, maybe it just needs an additional person – in other cases it might be poorly designed processes that take more time than they should, or clunky systems that no one wants to use (or fix). Obtaining broad based buy-in for a reasonable steps framework will require targeted approaches, including setting senior management expectations and providing strong incentives and clear justifications. 

What else?

Finding and fixing problems

It is telling that two of the four legislatively identified aspects of reasonable steps relate to identifying and fixing problems:

  • having appropriate procedures for identifying and remediating problems that arise or may arise in relation to that matter; and
  • taking appropriate action in response to non-compliance, or suspected non-compliance, in relation to that matter.

This can be seen as a direct response to the post-Royal Commission regulatory action which was characterised by financial organisations repeatedly failing to address problems. Regulators will look poorly on executives who have not responded quickly and thoroughly to an identified problem – including addressing root causes with sufficient depth, breadth and capability to ensure that similar issues are identified and addressed, and adequately resourcing sustainable solutions.  

Finding problems requires maintenance – it’s not glamorous, there’s no press release, no one is calling it out in their performance review – but it is as essential to compliance as it is to infrastructure. Controls testing; system maintenance and review; ensuring repeatable compliance tasks are done properly and checked and challenged. Although this seems obvious, our experience suggests that it is easy for these kinds of things to be overlooked, under-estimated or under-resourced. 

It also requires reflection on the quality of management information. A key factor in the Financial Services Authority’s (FSA) decision to disqualify and fine Peter Cummings, former Head of Corporate Banking at the now-defunct HBOS was his failure to address known “quality, reliability and utility of the available management information”. It is essential to ensure that management information is sufficient to enable reasonable steps to be taken and proven. Now is a good time to assess the quality and utility of management information: are the systems that support it sufficiently automated, are reports used to obscure bad news? Is there too little information, or, more likely, too much? For executives, the dangers of unknown unknowns are always lurking, but in reality these are usually known by someone in the business, or at the very least, they are knowable by gathering the right data or joining the right dots. Is curiosity and challenge encouraged, are bearers of bad news rewarded, are diverse views encouraged or are there ‘social silences’ and accepted practices around what people talk about – and don’t? 

Testing and challenging decisions

Executives are typically already good decision-makers – that’s why they occupy the roles that they do. But this regime asks for more than just good business outcomes – it requires justifying that these decisions are right for the business, for the customer or member, and that they are directed towards ensuring compliance. Much of executive decision-making is made under uncertainty, and bad outcomes don’t always mean bad decisions. Although we may see some examples of very clear failures to take reasonable steps, much more likely will be situations characterised by ambiguity, which will see regulators probing deeply into organisational decision-making. 

Indications from the UK, and the legislative guidance thus far, suggest this will not simply be around the actual decisions that led to a specific poor outcome, but in addition, broader decisions around: 

  • what is prioritised – where funding and executive attention is allocated;
  • how capability and capacity are managed; and
  • organisational culture settings.

Context also matters – in the Cummings decision, the FSA particularly noted that pursuing a high risk strategy alone was not unreasonable, but in the context of known weaknesses in controls and risk management, it was. Capability, experience and training should therefore focus on case studies to develop muscle memory for executives and their teams in storytelling and narrative development around what is done and what isn’t, and importantly, why. 

FAR also introduces a new complexity between boards and executives, in that boards will now be looking to understand and challenge the ‘reasonable steps’ being taken by executives in order to gain confidence that the board members themselves have taken reasonable steps. Providing this assurance to board members will likely mean justifying and relitigating decisions with people who do not have a thorough understanding of the operational realities of the business.   In the best case, this provides an opportunity to stress test decisions, but may also result in delays and (subjectively) suboptimal outcomes. Getting the most from this interface for boards will mean having a good understanding of when and where to intervene – and to have a thorough understanding of the reasonable steps framework. For executives it brings renewed importance to both what is brought to the board’s attention, and how that is done. 

Accountable executives should lean in to resources such as the board, but also risk and compliance and internal audit functions which are there to provide challenge. An unwillingness to respond to issues raised by these functions would almost certainly contribute to a failure to take reasonable steps. 

Team members matter. Delegation of responsibility, but not accountability, is envisaged under the FAR, but these delegations must be made “having safeguards against inappropriate delegation”. Increasingly, business decisions are not being made by team members, but with use (or solely by) advanced technology – but if an AI is making decisions, a human executive will still be the accountable person. This means that accountable executives must understand what both their human and machine delegates are doing, and why, in order to ensure the delegation is appropriate. 

Culture

Culture will be a critical through line in FAR implementation – in many cases poor outcomes won’t come from single decisions – they will be the result of a series of decisions about what strategy to pursue, what is funded, what is deprioritised, what is not done. How decisions are made and how well frameworks are implemented will be impacted by the culture that exists or is formed with respect to accountability and risk. 

This was made very clear in the Cummings decision, in which the FSA found he helped cultivate a culture of excessive optimism that regarded risk management as a constraint upon the business. This cannot be pinpointed to a single decision or a single set of decisions, and, in the case of culture, we would expect regulators to be looking to the steps executives have taken to both identify and mitigate against a poor risk culture, as well as to cultivate a positive culture. In the Cummings action, the regulator offers some pointers on this, including: clearly articulating risk management requirements to staff, and the importance of oversight to management, adequately resourcing the team and ensuring risk management criteria were clear, appropriate, and understood. As such, organisational cultural factors will be critical – not just in implementing a framework, but in ensuring that the organisation operates in a way that facilitates the goals of the FAR.

What next?

Ensuring that reasonable steps are taken does not require a wholesale shift in governance and management. But it should encourage reflection on what should already be the fundamental building blocks of a well-managed, compliant and prudent organisation: 

  • high-quality, defensible and holistic decision-making – in normal times and in times of crisis;
  • a culture that promotes diversity, encourages challenge and values risk management;
  • implementable processes and guidelines, and
  • excellent record-keeping

Beyond building baseline frameworks, guidelines and standards, organisational preparation should centre around decision-making capability – particularly in groups – and promoting the culture that facilitates effective decision-making dynamics. This includes psychological safety – encouraging people to speak up and challenge; welcoming discomfort; and identifying biases. 

Rhizome works with firms across the financial sector in the design, implementation and ongoing management of accountability frameworks. We support firms in demonstrating reasonable steps by designing and refining methodologies, conducting reviews and assessing how accountability works in practice at different levels within the firm, turning accountability into a meaningful competitive advantage.

Please reach out to us for more information.

This communication provides general information which is current at the time of production. The information contained in this communication does not constitute advice and should not be relied on as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Rhizome Advisory Group Pty Ltd shall not be liable for any errors, omissions, defects or misrepresentations in the information or for any loss of damage suffered by persons who use or rely on such information (including for reasons of negligence, negligent misstatement or otherwise).