Cause and effect – what you need to know about consequence management frameworks

Consequence management frameworks (CMFs) are documents which set out how an entity ought to respond to instances of misconduct and risk management failures. The need for entities to implement CMFs has become particularly pressing since the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry, where identified instances of misconduct were permitted to continue without adequate consequence.

As Commissioner Hayne said on the opening day of the Commission:

A part of what I've got to do eventually, I think, may be to assess what ADIs and other financial service entities have made of complaints and revelations. The industry is a large industry, large participants, lots of people. Things go wrong. It's a human system, therefore things go wrong. Sometimes things go wrong through dishonesty. Sometimes things go wrong because of neglect, carelessness, or just sheer coincidence. 

A CMF assists firms to manage incidents that ‘go wrong’, to apply proportionate consequences to conduct that falls below the standards expected, and to respond to instances of neglectful or careless risk management.

A CMF enables entities to respond to incidents systematically through a robust fact-finding process that identifies what actually happened and who was responsible for the conduct or risk management failure, and provides guidance to help determine a proportionate financial and non-financial consequence. CMFs should enable Boards and other decision-makers to make informed decisions about proportionate consequences based on clear guidance and procedure.

Why CMFs?

CMFs are a practical method of complying with a firm’s regulatory obligations to ensure that risks are managed effectively and that remuneration reflects conduct and risk outcomes. In the financial services sector this has been codified in the Banking Executive Accountability Regime (BEAR) (and the forthcoming Financial Accountability Regime (FAR)). Specifically:

  • The BEAR and FAR require firms to take reasonable steps to ensure that they comply with their ‘accountability obligations’, which include ensuring that each of their accountable persons meets their own accountability obligations. Where there has been an accountability failure by an accountable person, firms must reduce the accountable person’s variable remuneration by an amount proportionate to the failure; and
  • APRA’s CPS 511 Remuneration requires firms to describe in their remuneration policies the systems and processes that support the firm’s approach to conduct and consequence management, and which specifically require financial consequences (downward adjustment of variable remuneration) to be applied in the event of identified instances of misconduct and failures in risk management. Downward adjustment of variable remuneration must be proportionate to the severity of the risk or conduct outcome.

More generally, a substantial number of APRA prudential standards place obligations on firms to manage risks effectively.  For example, APRA’s CPS 230 Operational Risk Management requires firms, as a ‘key principle’, to:

… identify, assess and manage operational risks that may result from inadequate or failed internal processes or systems, the actions or inactions of people or external drivers and events.  

All entities, particularly listed companies, should be interested in ensuring that conduct and risk management failures are addressed in a systematic fashion. Modern principles of corporate stakeholder management place a premium on delivering results through accountability. A CMF is an effective tool to assist in that process.

Not just misconduct

A common misconception about CMFs is that they are just a fancy name for an HR disciplinary policy and are concerned only with employee misconduct.

A CMF should deal with both employee misconduct and the broader behaviours and actions (or inactions) that lead to risk management failures. A risk management failure occurs when an entity fails to comply with an underlying legal or prudential obligation, fails to control an identified risk, fails to identify a previously unidentified risk, or engages in business activities beyond the firm’s tolerated risk appetite.

Risk management failures tend to occur when one or more of the following factors are present:

  • there is insufficient monitoring and oversight of business activities that create operational risk;
  • there is insufficient supervision of first line business operations to determine whether specified risk management procedures are being complied with in practice, or whether there are gaps in the existing approaches to risk management;
  • the existing controls are ineffectively designed to detect and report non-compliance with the underlying legal obligation, or fail to control the underlying risk. A common controls failure arises where there are ‘gaps’ in the control environment: where the existing controls are insufficiently robust to cover all obligations and risks, or there is a mismatch between what a control actually verifies and what it is described as verifying;
  • there is unclear accountability for controls and risk management obligations, particularly across end-to-end value chains;
  • there is insufficient escalation of concerns;
  • an immature risk culture is present;
  • individuals fail to comply with governance requirements, risk standards and controls; and
  • individuals fail to take reasonable steps to assess risks (including identifying unknown risks), fail to escalate known risk issues for remediation, and fail to act on information known about analogous risks.

A CMF enables a firm to holistically assess the root cause of a conduct or risk management failure (including whether one or more of the factors above were present) and to determine individual responsibility, so that an appropriate consequence can be applied. When operating effectively, a CMF should enable a firm to determine individual responsibility not just at the first (business/operational) line but also at the second and third (oversight and audit) lines.

What a good CMF looks like

In our experience, a good CMF will:
Identification and escalation
  • Identify the sources of reports of conduct or risk management issues which may be considered as part of a CMF process. These can include: audit reports, culture surveys, internal complaints, whistleblower reports, external complaints, and regulator reports/notifications.
  • Provide guidance to enable a preliminary assessment of reported incidents to determine the appropriate course. Ordinarily this assessment will be carried out by a specialist team who can triage incidents and who have the skill and experience to determine whether the conduct or risk incident should be escalated.
  • Determine whether an incident should be escalated for senior stakeholder oversight (including to the Board). A determination should also be made about whether the incident is sufficiently serious to warrant external investigation. External investigation might be considered prudent where the incident might amount to a breach under FAR or BEAR, involve serious misconduct or a significant risk management failure, involve a breach of law or regulatory/prudential requirements, involve multiple employees acting in concert, or impact a business licence or qualification.
Investigation and assessment
  • Require the assessment of consequence to consider the root cause of the incident. This is core to any CMF process and will require an investigation involving interviews with key individuals and review of key documents (including the firm’s policies and procedures, individuals’ email inboxes, etc.).
  • Consider the objective severity of the incident. This will ordinarily be assessed with reference to the impact of the incident on the firm, its customers, its stakeholders (including shareholders), and its employees.
  • Consider each relevant individual’s responsibility in relation to the incident. This involves a complex web of considerations depending on the nature of the incident, including: the person’s intention and knowledge, whether they were personally non-compliant, whether they took reasonable steps to monitor and remediate known and unknown risks, whether they asked relevant questions and made relevant enquiries, and whether they acted on information and escalated issues appropriately.
Consequence management outcomes – financial and non-financial
  • Provide guidance on the application of financial and non-financial consequences for the incident. Guidance can take the form of an overall rating for the individual so that a proportionate response can be determined. Heat maps and examples can provide helpful guidance.
    • Financial consequences include downward adjustment of variable remuneration through in-period, malus and clawback adjustments. CPS 511 obligations should be considered as part of this step.
    • Non-financial consequences include termination of employment, other disciplinary consequences, performance management, and compulsory training requirements.
  • APRA recently commented in its pre-implementation review of CPS 511 that insufficient rigour is applied to consequence decisions to ensure that financial (i.e. remuneration) consequences result from poor risk management outcomes. This is clearly an area of regulatory focus.
Documentation and recording of decisions taken
  • Require documentation of the key decisions taken at each step and of the core documents created (e.g. the investigation and accountability report).
  • Provide scope for a summary of the matter to be created and added to a consequence library for future reference. This step will assist future Boards and decision-makers to make decisions on a consistent basis.

CMFs involve the complex intersection of risk management, remuneration governance, and stakeholder management. They are sensitive documents that have attracted substantial regulatory scrutiny in recent times, including in APRA’s recent commentary in its pre-implementation review of CPS 511.

We have substantial expertise in advising APRA-regulated entities in the design of CMFs and their execution in practice.
