The 4Cs of risky business


Keynote address by ASIC Deputy Chair Karen Chester at Risk Australia 2021, Wednesday 25 August 2021.

Check against delivery


Thank you for inviting me to join you and speak today.

Let me start by acknowledging that it is a very character-building time to be a risk professional, especially in the financial services industry. For most, you’ve been hit by a perfect storm of risk events.

  1. The first to make landfall in this confluence was the Hayne Royal Commission – specifically, the mismanagement of non-financial risk.
  2. Second, the now widely acknowledged ongoing legacy risk from underinvestment in systems and data.
  3. The third wave consists of the October legislative step change in regulatory obligations. Six in total. Three being front and centre for today. Namely the design and distribution obligations, the new requirements around how breaches are reported to ASIC, and how disputes are managed internally in firms.
    Now, some may see this wave as a tsunami. But as risk professionals, I hope you will view them collectively as a roadmap to risk management. Empowering you with better risk mapping and fit-for-purpose KRIs.
  4. The fourth, and an enduring driver behind the October reforms, is expectations around ESG – particularly social conduct and behaviour. As well as the environmental imperatives around climate change.
  5. Fifth, and finally, the universal and most challenging risk event, the pandemic itself, turning the waters of this perfect storm completely opaque.

It’s no wonder that demand for risk professionals is today more akin to one of my favourite 1960s hits: ‘Ain’t No Mountain High Enough’. You’ve certainly picked the right profession if you want to be in mountain-high demand.

A recent global survey of risk professionals found 69% expected their career opportunities to increase over the next 18 months, while nearly one-third said they anticipate a significant increase in opportunities.[1]

The RMIA echoes this sentiment, with the two hottest topics in our risk community being competition for you, and how best to retain you.[2]

So when you’re having a character-building day – just remind yourself you’re a member of the ‘Ain’t No Mountain High Enough’ profession.

ASIC’s risk maturity journey

Now, I want to make it clear from the outset that I am not a risk professional. I am an Economist by training – the normative science of incentives. But an Economist with the good fortune of having worked across the private and public sectors, with both domestic and global entities, and across four distinct career streams (the latest being poacher-turned-gamekeeper as a regulator).

From that experience, I can empathise with firms that have had to play catch‑up on risk maturity. Twenty years ago when I was the CEO of what is now Deloitte Access Economics, we were the first corporate to report a cyber-crime incident under the Cybercrime Act 2001. We were successful, but the matter consumed 18 months of my time and focus, and caused much distraction to the Board.

So I’ve been there. And I know that standing on that ‘thin black line’ between risk and reputational damage is a daunting place to be.

Over the past two-and-a-half years ASIC has developed and advanced its own risk management framework, informed by the governance findings of the 2017 ASIC Capability Review.

But as risk professionals you know it’s one thing to have recommendations to improve governance arrangements. It’s a whole other world (and an arduous one at that) to implement governance changes. And that’s the journey that ASIC has been on with expert assistance from Oliver Wyman in 2019 and into 2020.

In my mind, the real game-changer for implementation was ASIC’s decision to establish a CRO role in late 2019 to directly report to the Chair. And in early 2020, my colleague (Commissioner Sean Hughes) and I had the good fortune to recruit Zack Gurdon, ASIC’s inaugural CRO.

Zack, along with his team of risk professionals, made implementation a reality, with the support of Commission and ultimately Zack’s executive colleagues. It’s been a risk culture and change-management journey. And one well championed by Zack and his team.

Through this journey we enhanced ASIC’s governance and oversight by establishing an Executive Risk Committee and Commission Risk Committee, which now form the backbone of our new governance structure. We strengthened our risk management accountabilities through the Management Accountability Regime, and established Three Lines of Accountability to introduce clear risk-management roles and responsibilities. We also adopted a new Risk Appetite Statement.

But as you all know, risk-management governance is a never-ending journey. More recently, we have further matured our Risk Management Framework following the lessons learned from the reports of the ANAO and the Thom Review late last year.

Using an Enterprise Risk Management taxonomy

Now, when risk professionals think of ASIC, we fall under the broad category of ’non-financial’ risk. Like any other organisation, we must navigate strategic risks, operational risks, reputational risks, compliance risks and people risks. All of which have the potential to impact on our effectiveness and capabilities as a regulator.

What makes our risk universe unique is ASIC’s regulatory oversight and our focus on ‘conduct risk’. We define ‘conduct risk’ as: ‘the risk of inappropriate, unethical or unlawful behaviour on the part of an organisation’s management or employees’.[3]

For us, the end-game on ‘conduct risk’ is consumer outcomes. ‘Consumer’ includes investors, be they retail or wholesale these days. And this brings me to what for me are today’s 4Cs of conduct risk:

  1. consumer outcomes
  2. culture
  3. cyber
  4. climate.

Today, I’m going to unpack 1 and 2. But to afford time for some real risky business – live Q&A – I’ll set some PD homework for 3 and 4.

The end-game: consumer outcomes

So turning to ‘C’ number 1, consumer outcomes. Top of the pops for a conduct regulator like ASIC. And it ought to be an end-game for all of you.

If Hayne taught us anything, it’s this one simple fact: good consumer outcomes make good business sense.

The last three years rammed home the fact that non-financial risks can crystallise into very real and very big financial risks. Such that measuring consumer outcomes (and doing so well) is perhaps the new Holy Grail for risk professionals. Let me explain why.

Poor conduct has serious financial implications for companies, their investors, and their customers. Not to mention the costly lag and drag of remediation and reputational damage. I need not remind you of the provisioning for remediation costs over the past two years.

Right now, ASIC is monitoring 71 remediations that will see the return of over $5.2 billion to consumers upon finalisation. That’s the total estimated amount upon finalisation. Over $2 billion has been returned so far for those active remediations.

That’s why you, as risk professionals, have a pivotal role to play: by evaluating the impact of your firm’s governance practices on consumers and investors (through fit-for-purpose KRIs). Especially now in the world of our confluence of five risk events, alongside consumers and investors shimmying up the risk curve in the hunt for yield as low risk-free rates endure through the pandemic.

Most (if not all) of October’s step-change in regulatory obligations can provide you with the roadmap and data to help you in this evaluation. They can be your key risk indicators for consumer harm.

The three heavy-lifters here are the design and distribution obligations, internal dispute resolution and better breach reporting. These issues are top-of-mind for ASIC and I’m sure they are for all of you.

Design and distribution obligations

Design and distribution obligations (or DDOs) is first and indeed foremost for industry. And it’s no secret that it’s an ASIC favourite. A long time in the making, with its genesis back in the 2014 Financial System Inquiry.

For quite some time, the primary root-cause of the risk trifecta of reputational damage, consumer complaints and remediation programs has been the sale of products that are simply not fit for purpose.

And in the case of some insurance products – evidence showed not fit for anyone. The sale of junk consumer credit insurance led to $160 million in remediation for close to half a million consumers in 2020 alone, in addition to the reputational damage suffered by entities when those practices came to light.[4]

DDOs require firms to design financial products to meet the needs of consumers and retail investors, and to distribute those products in a more targeted manner. They reflect similar obligations placed on financial product issuers in the UK, the Netherlands and the European Union.

In short, DDOs are your process-mitigant to prevent harm happening in the first place. DDOs let you chisel and tweak the design of the products before they are put out to the market. They provide assurance to the Board and senior management that some rigour has been applied and the design has been informed by facts.

DDOs also provide firms with a way of placing less reliance on disclosure to mitigate consumer harms. For all of you as risk professionals, the long-play benefits will emerge in the form of a clear line of sight. DDOs will give you confidence that you’re not going to hit a reputational or regulatory risk event. They clearly show what your firm will find acceptable in terms of product design. And they give your Board hard metrics for product assessment prior to launch. And ongoing monitoring – a form of risk assurance. Are your products reaching your target markets through whatever distribution channels you choose, today and in the future? These are all valuable lead indicators, as opposed to sub-optimal lag indicators such as complaints.

Internal dispute resolution

The same goes for internal dispute resolution (or IDR). Updated standards and requirements for IDR will assist in improving timeliness of complaints handling, clearer messaging to consumers, and consistent recording of complaints. The updates also clarify the enforceability of ASIC's IDR standards and ensure that firms are identifying systemic issues that arise from complaints.

From a CRO’s perspective, these will be another valuable source of lead KRIs on consumer harm. You can combine these new IDR requirements with existing requirements for external dispute resolution, and you’ll have a full 360-degree dispute resolution data dashboard.

Product labelling and advertising

Leaving the October regulatory changes to one side for a moment, legislative divides for investors have become porous over time from a risk perspective. The financial and reputational risks attached to misleading and deceptive marketing are very real. The good news for CROs is that they can be mitigated for retail investors by a robust DDO framework.

The wholesale-versus-retail investor classification is an area where the data divide has become form-over-substance from a risk-management perspective. Here I’ll highlight ASIC’s Federal Court wins against Mayfair 101 and Mr Mawhinney, and our 2020 ‘true to label’ project.

The Mayfair case illustrates the financial and reputational risks attached to product advertising. Marketing must be true-to-label, regardless of whether the customers are retail or wholesale, or a bit of both.

ASIC’s win against Mayfair was a wake-up call for firms that it does not matter what medium is used to misleadingly promote products – including use of search-engine advertising and sponsored links.

Our ‘true to label’ project elevated in importance during the pandemic with the growing pool of vulnerable investors to whom more lightly regulated, wholesale products can be marketed.

Our concern is the impact prolonged search for yield has on existing investors who may not understand the attendant higher risks, and where these investors classify themselves (or are classified by others) as wholesale rather than retail investors.

For example, think of a retired farmer in regional Victoria, whose house price and super balance deem them to be a wholesale investor. These thresholds are not and have not been indexed, and have not changed since at least 2001. A wholesale investor has net assets of at least $2.5 million; income of at least $250,000; and/or is investing at least $500,000.

If these thresholds had been indexed by (for example) housing prices and average weekly earnings respectively, today’s equivalent thresholds would be about $7 million in net assets and annual income of at least $530,000.[5]

This illustration – along with ASIC’s action against Mayfair – highlights that marketing and product suitability are not the exclusive concern of the retail market. The regulatory risk of not being ‘true to label’ clearly spans both retail and wholesale investors when seen through the lens of our action here.


Culture

Turning to ‘C’ number 2 – culture. Here, there are newer regulatory obligations that relate to accountability, remuneration and incentives, and breach reporting. These obligations can act as your KRIs on culture and culture-driven risks.

Financial Accountability Regime

It’s a truth universally acknowledged that a cornerstone driver of culture in an organisation is its accountability arrangements – how transparent, robust and meaningful they are in practice. So the new Financial Accountability Regime (or FAR) is no doubt on your risk-management radar.

The Government’s FAR implements the Royal Commission’s recommendation that the Banking Executive Accountability Regime (or BEAR) be extended to all APRA-regulated financial services institutions. By extending the existing accountability regime in BEAR, Australia will again be more closely aligned with other jurisdictions.

The FAR is an important way for firms to establish a culture of accountability for conduct that aligns with ASIC’s regulatory mandate to change behaviours and drive good consumer and investor outcomes.

The FAR imposes four core sets of obligations:

  1. Accountability obligations (which require accountable entities and accountable persons to conduct their business in a certain manner).
  2. Key personnel obligations (which require accountable entities to attribute all areas of the operations to an accountable person).
  3. Deferred remuneration obligations (which require accountable entities to defer at least 40% of variable remuneration of their accountable persons, and for this remuneration to be reduced where accountability obligations are breached).
  4. Notification obligations (which require accountable entities to provide the regulator with certain information about them and their accountable persons and, for entities above a certain threshold, to submit accountability maps and statements).

The consultation period for the FAR Bill closed two weeks ago. So it’s early days, but as risk professionals I know your preparatory work will be underway.

These FAR reforms can act as your KRIs on culture because the four core sets of obligations require data on accountability to be mapped. And as you know, what gets mapped gets managed. It’s a great source of data to be presented to your Board through your impactful risk lens.

Remuneration and incentives

The other truth universally acknowledged is that other critical drivers of culture include remuneration and incentives.

It was great to see Steve Sedgwick’s recent 2021 assessment that the recommendations he made in his 2017 review around retail banking remuneration have, for the most part, now been adopted by the industry.[6] The recommendations in the original review were designed to address the “unacceptable risk of promoting behaviour that is inconsistent with the interests of customers”.

Steve found that some remuneration and incentive practices were driving poor behaviour towards customers, and recommended the banks change or eliminate those practices. It’s a reminder for risk professionals like yourselves that even with the best controls, incentives and culture are powerful drivers of misconduct.

The banking industry has changed in response to this review. Those changes resulted in:

  • maximum variable pay being reduced
  • performance measurement being directed away from sales
  • an improved, customer-focused culture in the industry.

Of course, there is always a chance these poor incentive remuneration practices creep back in. Which is why it’s terrific the Australian Banking Association will be monitoring remuneration practices. That will let us benefit from that monitoring, and stay attuned to the role of incentives in driving customer outcomes.

Notably, Steve’s 2021 report called out one of your foundational roles – the challenge role – as essential in ensuring that performance measurement and management are appropriately calibrated and customer-oriented.

Breach reporting

Let’s now turn to breach reporting reforms, which are starting in October. Firms should already be using this data (which is being reported to ASIC) to identify any systemic issues and perform root-cause analysis.

Breach reporting reforms seek to address longstanding concerns about inconsistent, inadequate and delayed reporting of breaches by licensees.

Systems underinvestment has increased exposures. We know this from our supervisory work on consumer and small-business complaints under internal dispute resolution procedures[7], and from our statistics on breach reporting.

In the six months between July and December 2020, a breach-report sample review by ASIC revealed that ‘under-investment in technology systems’ was the main root cause of the reported breaches in a significant number of cases.

‘System deficiency’ was the second most common root cause of all breach reports submitted by ASIC’s Close and Continuous Monitoring Institutions (or CCMIs) through ASIC’s Regulatory Portal. Between April 2020 and February 2021, on average, a ‘system deficiency’ was identified as a root cause of 20% of all breaches reported by CCMIs through the Regulatory Portal. One CCMI identified ‘system deficiencies’ as the main root cause of half (50%) of all of their lodged breaches in this period.

Compliance breaches happen in all organisations and businesses. But ASIC is looking to firms to shift their culture, to act faster on breaches and ensure they are given the attention they deserve. Under the new law, firms are obliged to identify and report breaches and remediate consumers in a timelier manner. The regime is also extended to credit licensees for the first time.

For risk professionals, these reforms could actually make your job easier. They create consistency and clear lines of sight for better benchmarking of your firm’s performance.

And as I said earlier, what gets mapped gets managed.

Cyber and climate

For our third and fourth ‘Cs’: cyber and climate (hand-in-hand with ESG investing), I’ve decided to make some time to take questions. So as not to disappoint, let me leave you some homework reading.

On cyber, we have outlined some ‘health-check prompts’ in our Report 429 Cyber resilience health check, and published key questions for Boards to consider on our website at asic.gov.au/cybergovernance.

ASIC is also taking deterrence-based enforcement action, as evidenced by ASIC’s August 2020 case against RI Advice Group under section 912A of the Corporations Act. This is an important one for you to watch, and it won’t be our last.

My ‘top-hit’ hint: not only do entities need to be cyber resilient, but their operations must be resilient to other technical outages.

The November 2020 outage after the major upgrade to ASX’s equity trading platform, ASX Trade, is a good example of the need to be operationally resilient also.

While the focus to date has been on what ASX needs to do, it’s a timely reminder that participants’ duties to their clients – including the obligation to take reasonable steps to obtain best execution – do not fall away where there has been a market outage or disruption.

On climate and ESG investing, your homework is to read my colleague Commissioner Cathie Armour’s two cracker articles in the July issue of Company Director Magazine: What is greenwashing and what are its potential threats? and Managing climate risk for directors. And it’d be remiss of me not to also mention ASIC’s Report 593, Climate risk disclosure by Australia’s listed companies.


Finally, onto your program for today’s conference. To me it looks like it captures three other ‘Cs’: it’s ‘contemporary’, it’s ‘comprehensive’ (covers all the risk bases that matter) and it’s about to be presented by a well ‘curated’ collection of speakers, bringing risk perspectives from a diverse set of firms.

I know that it’s a challenging time to be a risk professional, especially in the financial services industry. But I hope that’s what makes it all the more professionally rewarding for each of you.

For each of you has the twin challenge of championing meaningful risk-management systems.

And then challenging form-over-substance risk management. Jettisoning old-world, tick-the-box compliance and calling out the tough commercial truths.

So perhaps today’s tough-truth is the legacy underinvestment in data and systems. For we know from our work that this is proving to be the root-cause of Boards missing risk landmines. And recent history tells us many firms missed these landmines, with commercial reputations blown up in public inquiries and Royal Commissions. And ones that are more recent than Mr Hayne’s.

So in wrapping up, I hope I’ve helped forge two enduring links. The first, between recent and soon-to-be introduced regulatory obligations, and your professional risk endeavour going forward. To provide you with the roadmaps, the data-informed analysis and KRIs to be the ‘agents for challenge and change’.

Second, the single common thread running through conduct risk today is the end-game of good consumer outcomes – fertile ground for your contemporary, fit-for-purpose KRIs for consumer harm.

And to do so may require you calling out the need for investment in data and systems.

Because, with both thanks and apologies to Jane Austen, ‘It is a truth universally acknowledged that a firm in possession of a good fortune must not be in want of good consumer outcomes.’

Thank you for your time today.

[1] Yahoo News, Majority of Risk Managers Optimistic About Profession’s 2021 Outlook, March 2021.

[2] RMIA, Outlook on the job market for risk professionals, October 2020.

[3] ASIC REP 631, Director and officer oversight of non-financial risk, October 2019, page 9.

[4] 20-115MR ASIC secures over $160 million in remediation for junk consumer credit insurance.

[5] Australian Bureau of Statistics:
  • Residential property price index; greater Melbourne (Sept 2003–Mar 2021): $2.5M becomes $6.7M; Residential Property Price Indexes: Eight Capital Cities, March 2021.
  • Median price of attached dwelling transfers (unstratified); Rest of Victoria (Sept 2003–Mar 2021): $2.5M becomes $7.4M; Average Weekly Earnings, Australia, May 2021.
  • Earnings; Males; Full time; Adult; Ordinary time earnings; All industries (May 2001–May 2021): $250,000 becomes $529,000; Average Weekly Earnings, Australia, May 2021.
  • Index numbers; All groups CPI; Melbourne (Mar 2001–June 2021): $250,000 becomes $399,000, $2.5M becomes $4M; Consumer Price Index, Australia, June 2021.
  • Index numbers; All groups CPI; Australia (Mar 2001–June 2021): $250,000 becomes $402,000; $2.5M becomes $4M; Consumer Price Index, Australia, June 2021.

[6] Remuneration Review, Australian Banking Association 2021.

[7] Under-investment evident from IDR reviews: Under-recording of complaints was identified as a common problem in our IDR reviews. Systems under-investment has been identified as one of the key contributing factors – e.g. relying on multiple or legacy systems or in some cases, limited access to complaint recording systems.