Corporate governance: general
Introduction
- This chapter outlines corporate governance best practice. First, it will discuss the underlying principles of good corporate governance. Then it will deal with two important aspects of corporate governance: risk management and culture.
What is corporate governance?
- At its simplest, corporate governance is the system by which corporations are directed and controlled. The system:
specifies the distribution of rights and responsibilities among different participants in the corporation, such as, the board, managers, shareholders and other stakeholders, and spells out the rules and procedures for making decisions on corporate affairs.1
- Corporate governance is different from managing a corporation. Managing a corporation is concerned with running the corporation’s business affairs. Governance is concerned with running the enterprise: making sure that it is ‘running in the right direction and being run well’.2
- Although corporate governance is about the power exercised over the activities of a corporation, corporate governance principles do not explain how, or in whose interests, that power should be exercised. That will depend upon the view taken about the role of a corporation.
- There is an ongoing debate about whether a corporation should be run solely in the interests of shareholders or whether it should take into account other interests. Those interests might be those of different stakeholders (those affected by the activities of the corporation) or an even broader class.
The traditional view
- The classic or traditional view is that the management of a corporation (directors and senior executives) is the agent of the shareholders. Under this approach, the shareholders’ interests are paramount.
- Professor Milton Friedman is the principal proponent of this view. In a famous article published in the New York Times Magazine on 13 September 1970, Professor Friedman criticised those in the business community who proposed that a corporation should promote desirable sociable ends. He wrote:
[T]he manager [of a corporation] is the agent of the individuals who own the corporation or establish the eleemosynary institution, and his primary responsibility is to them.3
- According to this view, the job of a corporation’s management is to maximise shareholder value.
The financier’s view
- Another approach, developed by economists Mr Andrei Shleifer and Mr Robert Vishny, regards corporate governance as ‘the ways in which suppliers of finance to corporations assure themselves of getting a return on their investment’.4 This approach is concerned with the economic efficiency of the corporation.
- The traditional and financier’s views both hold that good corporate governance is concerned with securing the economic wellbeing of those who have a direct stake in the corporation. Good governance does not require other considerations to be taken into account.
The stakeholder view
- Since the 1980s, the objective of corporate governance has moved away from the narrow interests of shareholders and financiers to those of the stakeholder. From this perspective, corporate governance is concerned not only with the relationship between the corporation and its shareholders and financiers, but also its relationship with other stakeholders. The stakeholders are those groups without whose support the corporation would cease to exist. They include employees, customers, suppliers, banks and, where appropriate, government and governmental agencies.
The socially responsible corporation
- Many organisations contend that a corporation (and, therefore, corporate governance) should also have regard to the role the corporation plays in society at large.
- Sir Adrian Cadbury, writing in the foreword to the World Bank Group report on corporate governance in 2000, said:
Corporate governance is concerned with holding the balance between economic and social goals and between individual and communal goals. The governance framework is there to encourage the efficient use of resources and equally to require accountability for the stewardship of those resources. The aim is to align as nearly as possible the interests of individuals, corporations, and society.5
- In 2019, the Business Roundtable, a trade association of chief executives of leading United States of America corporations, issued its ‘Statement on the Purpose of a Corporation’. The Business Roundtable has issued statements since 1997 that have endorsed principles of shareholder primacy. The 2019 statement, however, superseded the previous statements and instead outlined a broader, modern standard for corporate responsibility. The standard requires commitment to:
- delivering value to customers
- investing in employees through training, education, diversity and inclusion, dignity and respect
- dealing fairly and ethically with suppliers
- supporting the community in which the corporation works
- generating long-term value for shareholders.6
- To summarise, corporate governance requires a commitment to all stakeholders (including local communities and country).
- Many nations have adopted this broad approach to corporate governance. For example, the Organisation for Economic Co-Operation and Development has published principles, directed to policymakers, that aim to provide a benchmark for good corporate governance.7
- These principles state that a corporate governance framework should:
- recognise the rights of stakeholders established by law or through mutual agreements and encourage active cooperation between corporations and stakeholders in creating wealth, jobs and sustainable, financially sound enterprises
- ensure that timely and accurate disclosure is made on all material matters regarding the corporation, including the financial situation, performance, ownership and governance of the company
- ensure the strategic guidance of the company, the effective monitoring of management by the board, and the board’s accountability to the company and the shareholders.8
- This broad approach has been adopted by many institutional investors when setting the benchmarks against which investment decisions should be made. For example, the Australian Council of Superannuation Investors (ACSI) is a group of 36 Australian and international asset owners and institutional investors who collectively manage around $1 trillion in assets. ACSI has published guidelines concerning the governance practices of the corporations in which ACSI members may invest their funds. These guidelines place emphasis on the engagement of the corporation with its stakeholders.
- The ACSI guidelines are underpinned by the following core principles:
- Good governance requires boards to consider and manage all material risks facing their company, including environmental, social and governance (ESG) risks.
- Board governance should contribute to shareholder value and create the conditions in which sustainable long-term investment can prosper.
- Company owners should influence the governance, policies, practices and management of the investee entity in order to improve investment outcomes. Material ESG factors should be analysed by company owners when deciding how to exercise their ownership rights, and also when deciding whether to invest.
- Companies should properly disclose their performance in relation to material ESG factors that could affect the value of shareholders’ investment in the company.
- Companies rely on a range of stakeholders to operate and succeed, including governments, employees, communities, investors, consumers and suppliers. Effectively engaging with stakeholders is key to maintaining this social licence to operate.9
- The broad perspective of corporate governance is now widely accepted. For example, the Companies Act 2006 (UK) now provides that a company director must act in a way that promotes the success of the company, taking into account various matters including: (a) the interests of the company’s employees; (b) the company’s business relationships; and (c) the company’s impact on the community and environment.10
- Under this broad approach, a corporation must take into account the consequences of its actions not only on its shareholders and stakeholders, but on all people outside the corporation whose interests could be affected. According to Professor Ian Ramsay, Director of the Melbourne Law School’s Centre for Corporate Law, this requires corporations to be ‘“socially responsible” and often subordinat[e] profit maximisation to other goals’.11
The legal framework: general
- The framework for corporate governance is found in legislation, in self-regulating arrangements, in voluntary commitments and in business practices that have developed over time. These practices can be specific to industry sectors as well as to regions and countries.
Corporations Act
- The Corporations Act sets minimum standards for corporate governance and does not purport to recommend or enforce a model of best practice. It does, however, impose standards of transparency, accountability, fairness and responsibility.
- The responsibility for managing a corporation is given to its directors. The directors must act diligently and in good faith. They must not act for an improper purpose. They are under a duty to disclose any material personal interest in a matter that is before the board. Subject to certain exceptions, they must not vote on matters in which they may have a material personal interest. For benefits that fall outside the exceptions, there is a rigorous disclosure regime.12
- Shareholders are given protections. There are extensive provisions that regulate takeovers and grant remedies for oppressive conduct. Shareholders must approve related party transactions and may bring proceedings on behalf of a corporation or seek compensation from a corporation.13
Guidelines
- A number of government and private organisations have developed corporate governance guidelines. These do not lay down binding rules; rather, their purpose is to assist the management of the corporation by identifying the key issues to which attention should be given. It is convenient, briefly, to refer to the most significant examples of these.
- A listed corporation must comply with the ASX Listing Rules (Listing Rules). The Listing Rules recommend use of the good governance standards found in the ASX Principles and Recommendations. The ASX Principles and Recommendations were first introduced in 2003. There were eight key principles (from 10), and separate recommendations for each principle. The original eight key principles were:
- The corporation should clearly delineate the respective roles and responsibilities of the board and management.
- The board should be of an appropriate size and have the skills, commitment and knowledge to enable it to discharge its duties effectively.
- The corporation should instil and continually reinforce a culture across the organisation of acting lawfully, ethically and responsibly.
- The corporation should have appropriate processes to verify the integrity of its corporate reports.
- The corporation should make timely and balanced disclosure of all matters having a material effect on the price or value of its securities.
- The corporation should provide its security holders with appropriate information to allow them to exercise their rights.
- The corporation should establish a sound risk management framework and periodically review that framework.
- The corporation should pay directors and executives remuneration sufficient to attract and retain high-quality directors and executives.14
- In 2003, the third principle (which at the time was to act ‘ethically and responsibly’) had only one key recommendation (from two), which was that the corporation should have and disclose a code of conduct for its directors, senior executives and employees.15
- In 2019, the third principle was changed to state that the corporation should ‘instil … a culture … of acting lawfully, ethically and responsibly’. This change brought with it new recommendations, which were that the corporation should:
- articulate and disclose its values
- ensure that the board or a committee thereof is informed of any material breaches of the code of conduct for directors, senior executives or employees
- have and disclose whistleblower and anti-bribery and corruption policies, and ensure that the board or a committee of the board is informed of any material breaches of these policies.16
- In addition, the Listing Rules require the corporation to prepare a corporate governance statement that discloses the extent to which the corporation has followed the corporate governance guidelines. This statement must be included in the corporation’s annual report. If the corporation has not followed a recommendation, the statement must identify that recommendation and provide reasons why it was not followed.17
- The Australian Securities and Investments Commission (ASIC) has published a number of regulatory guides and reports on corporate governance. They deal with:
- managing conflicts
- shareholder engagement
- director oversight of financials and audit
- emerging risk management
- handling corporate information
- executive remuneration
- corporate actions involving share capital
- directors as gatekeepers.18
- The Australian Prudential Regulatory Authority (APRA) has developed a number of prudential standards with which regulated firms (authorised deposit-taking institutions, general insurers, life insurers and private health insurers) must comply.
- The APRA standards are not significantly different from the ASX and ASIC guidelines. They do, however, impose mandatory obligations on the regulated firms.
- Examination of guidelines discussed above reveals that the dominant focus is on boards and board-related issues. They deal with topics such as board membership criteria, board size, the proportion of inside and outside (independent) directors and the structure of board committees.
- The guidelines have resulted in a mass of guidance statements from corporations, and the creation of many new jobs (such as ‘Head of Corporate Governance’). Their effectiveness is another matter.
The legal framework: gaming sector
- In addition to the requirements set out above, corporations operating in the gaming sector have additional obligations, including those set out in the Gambling Regulation Act and their Gambling Code.
- The Gambling Regulation Act imposes standards of responsible gambling on gaming venue operators, including to minimise harm caused by problem gambling; to accommodate those who gamble without harming themselves or others; to ensure that minors are not allowed to gamble; and to ensure that gaming is conducted honestly and free of criminal influence and that the management of gaming machines is free of criminal influence.19
- It is a condition of a casino licence that the casino operator implements a Gambling Code.20
- A Gambling Code must include, among other matters:
- a responsible gambling message identifying the commitment of the casino operator to responsible gambling
- responsible gambling information including information on how to gamble responsibly and on self-exclusion programs
- the process for interacting with customers who have requested information regarding problem gambling and who are displaying indicators of distress that may be related to problem gambling
- what the casino operator will do to discourage extended and intensive gambling.21
- Since February 2020, a Gambling Code for gaming venues other than a casino must:
- provide that the venue operator has a duty to take reasonable steps to prevent and minimise harm arising from the operation of gaming machines
- identify how the venue operator will monitor behaviour consistent with gambling harm and take steps to discourage intensive and prolonged gambling
- include certain provisions that discourage playing multiple machines or reserving a gaming machine in order to play another gaming machine in the gaming machine area.22
Risk management
- Risk management is the process of identifying, assessing and controlling risks to a corporation in order to minimise the harm the corporation may suffer or to maximise its opportunities.23 It is a key component of corporate governance and a crucial responsibility of the board and management.24 Risk is properly managed when the corporation is clear about its strategic objectives, understands the ways in which there may be positive or negative deviations from those objectives, and takes action to control those deviations.
Risk appetite
- Risk is inherent in commercial activity. The risk appetite of an organisation sets the boundaries for risk it is willing to accept in pursuit of strategic objectives.25
- The board of the corporation is responsible for setting the risk appetite.26 This establishes the parameters within which management is to operate.27 The factors to be taken into account when setting risk appetite include:
- the mission and vision of the corporation
- the strategic direction of the corporation and what risks are required to achieve the desired level of performance
- the principal risks faced by the corporation and its capacity to deal with them
- the views and expectations of stakeholders.28
- An effective risk appetite must be:
- clear and appropriately balanced between risk taking and risk aversion
- supported and understood by management
- well communicated throughout all levels of the corporation
- consistently applied in key decisions
- monitored to detect when the corporation is acting outside the risk appetite.29
- Ensuring that the risks taken by management are consistent with the corporation’s risk appetite is critical to effective risk management. When management operates outside the risk appetite, action should be taken to stop the activity.30
Risk management process
- In broad terms, the process of risk management involves the following steps:
- First, identify all the categories or types of risk that the corporation might face.
- Second, analyse and evaluate the risks to understand their causes and potential consequences. The risks can then be prioritised and subject to risk treatment (that is, putting in place actions and controls to mitigate a risk).
- Third, take the required action to address the risk. The action should be consistent with the risk appetite of the corporation. The object of the action might be to avoid the risk, to remove the source of the risk, or to accept the risk after making an informed decision.31
Risk governance
- Risk governance, in its broadest sense, is the manner in which risk management is undertaken in a corporation, including how it manages risk, makes decisions taking into account the risks, and allocates the necessary resources so that appropriate action may be taken.
- The ASX Corporate Governance Council has recommended that a listed entity should have a board subcommittee dedicated to overseeing risk. A risk subcommittee can:
- monitor management’s performance against the corporation’s risk management framework, including its risk appetite
- review breakdowns of material risks and ascertain what needs to be changed or improved in the risk management framework
- review management reports about new and emerging sources of risk and the measures management are taking to deal with those risks.32
- The Hon. Kenneth M Hayne, AC, QC observed that a board cannot properly oversee risk without having the right information and without challenging management.33 In 2019, the ASIC Corporate Governance Taskforce published its review into the governance of Australia’s largest financial institutions. It found that material information about the risk faced by those institutions was often contained in dense board packs or reports to the board where the key risks were difficult to identify.34 It recommended that a large corporation should ensure that:
- the risk committee has sufficient resources to discharge its mandate
- the risk committee provides informed oversight and ensures that information received from management is adequate
- the board engages in active oversight of management by probing and analysing information provided by management
- clear and effective processes exist to escalate and deal with urgent material risks.35
- A recognised (though not universally accepted) framework for risk governance is the ‘three lines model’.36 The board must oversee this model.37
- A brief explanation of the model follows.
- The first line is the part of the organisation that provides the products or services to clients: the frontline team.38 They are responsible for identifying, analysing, evaluating and treating risks to achieve the corporation’s objectives, and for escalating information about risk.
- The second line comprises those responsible for overseeing the risk management compliance function. Their function is to ensure all appropriate risk factors are being implemented in accordance with policies. They should also analyse and report on the adequacy and effectiveness of risk management procedures.39
- The third line is an internal audit team that is independent of management. They provide independent and objective advice to management and the board on the adequacy and effectiveness of the corporation’s governance and risk management.40
Root cause analysis
- Root cause analysis is any systematic process that identifies the cause of an undesired event.41 The objective of the analysis is to determine whether the likelihood of the undesired event occurring, or the impact of the event if it does occur, can be tolerated.
- The ASIC Corporate Governance Taskforce considers that root cause analysis is important for effective risk management. It recommends that management should undertake root cause analysis to identify underlying causes of recurring breaches of risk appetite.42
- The steps required to undertake root cause analysis are:
- First, determine the need, purpose and scope of the analysis.
- Second, collect information to establish the facts that led to the undesired event.
- Third, analyse the potential causes.
- Fourth, once the analysis is complete, validate the findings.
Risk culture
- Risk culture is a term describing the norms and traditions of individual and group behaviour within an organisation that determine the way the organisation identifies, understands, discusses and acts on the risks the organisation confronts, and the risks it takes.43
- Risk culture influences the actions and decisions taken by individuals within an organisation and shapes the attitude of the organisation towards its stakeholders.
- A sound risk culture supports appropriate risk awareness, behaviours and judgements about risk-taking in an organisation. It bolsters effective risk management, promotes sound risk-taking decisions and ensures emerging risks or risk-taking activities beyond a corporation’s risk appetite are recognised, assessed, escalated and addressed in a timely manner.44 It is part of the broader culture of a corporation.
Culture
- Culture is comprised of the shared values and norms that shape behaviours and mindsets within a corporation.45 It influences how people operate within the corporation.
- Culture is often considered at three intersecting levels:
- the visible organisational structures and processes of the corporation
- the espoused values: the strategies, goals and philosophies of the corporation
- the tacit underlying assumptions (sometimes called ‘unwritten ground rules’) of the corporation.46
- These three levels are the essence of culture. They are comprised of the jointly learned values and beliefs that are taken for granted within a corporation.
- Mr Hayne, QC, in his Final Report of the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Banking Royal Commission Final Report), made the following general points about culture:
- The culture of each corporation is unique and varies widely within different parts of the organisation.
- There is no single ‘best practice’ for creating or maintaining a desirable culture.
- Culture cannot be prescribed or legislated.47
What is the right culture?
- A good culture aims to create an environment that:
- ensures adherence to basic norms of behaviour, including a requirement to obey the law, not to mislead or deceive, and to act fairly
- reinforces judicious decision making that takes into account the interests of multiple stakeholders.48
- Second, a good culture will tend to be characterised by a shared sense of purpose across the organisation. There should be a strong alignment between this purpose and the values, incentives, structures and other policies and procedures of the organisation. This purpose must take into account changing societal expectations. Corporations are now expected to make a broader positive contribution to society and must do more than deliver a financial outcome.49
- Satisfying this expectation will require the corporation to minimise the harm caused by its activities. On the other hand, a toxic culture leading to corporate misconduct can affect consumer confidence in an industry. This can impede the overall performance of participants in that industry and the broader economy.50
- Third, a good culture is one where the directors and senior management clearly set out the expectations of the organisation and lead by example.
- Fourth, a good culture stems from the capacity of management to appropriately manage, reward, incentivise, equip and communicate with those who work in the organisation.
Good culture in a casino
- Unacceptable or unethical behaviour that violates social norms may well benefit a casino in the short term. Research indicates, however, that an ethical climate and a good organisational culture that reduces instances of inappropriate behaviour will produce long-term benefits.51
- Evidence also indicates that cultural norms supporting an ethical climate contribute positively to the implementation of responsible gambling practices by employees. This also has positive flow-on effects for a casino. In an ethical climate, employees are more likely to be motivated and engaged in their work, and customers are more likely to gamble there.52
- If a casino takes seriously the pursuit of responsible gambling, first it develops a safety-oriented culture that has a forward-looking focus on the potential harms or risks resulting from its decision making. Second, it integrates responsible gambling into its business decisions so that those decisions are made having regard to the potential harm arising from gambling.53
What makes a culture toxic?
- A corporation has a toxic culture where it engages in long-term and systemic rule-breaking and damaging behaviour. Toxic behaviour is not limited to illegal conduct. It includes conduct that is plainly damaging or that promotes misbehaviour.54
- There are various reasons why a toxic culture might come about. First, a corporation may develop practices that normalise deviance from accepted standards. For instance, a corporation may be aware of the potential deviation from acceptable norms of conduct, but regard the action as ‘an acceptable risk’.55 Deviations are particularly prevalent where the observable practices of the corporation diverge from what is formally expected of people within the organisation, whether under relevant laws or under the organisation’s formal policies or procedures.56
- Second, a corporation may enable toxic behaviour by neutralising unacceptable conduct. This occurs when the corporation denies that harm is caused by its actions or denies responsibility for that harm. It will also occur if the corporation asserts that the victim deserves the harm.57
- Third, a corporation may make it easier to engage in toxic behaviour. This occurs when the impugned conduct is concealed within the structure of the corporation or where there is inadequate internal oversight. It may also occur where employees are left with substantial discretionary power and rule-breaking is condoned or rewarded.58
- Fourth, a corporation may obstruct rule-following when the culture is toxic and the corporation:
- is unwilling to act when misconduct or harm-causing action occurs (allowing rule-breaking to occur without critique); or
- fails to assess the causes of misconduct or harm-causing actions and fails to implement the changes necessary to prevent the misconduct or action occurring in the future.59
- Fifth, a corporation may impose undue stress on its employees, which can lead to employees engaging in toxic behaviour. Stress may arise from pressure to meet the objectives of the corporation or an inability for employees to meet those objectives without resorting to toxic behaviour.60
How can culture be changed?
- Cultural norms provide predictability about how a corporation operates. The innate human desire for stability suggests that culture can be difficult to change.61
- To bring about change, a corporation must form a view of its culture, identify problems, develop and implement a plan to deal with them, and determine whether the planned changes can be effective.62 These are the steps that should be followed:
- Undertake a deep analysis of the structures, values and practices that contributed to the toxic behaviour, in order to understand their causes.
- Develop an ethical and compliant tone at the top of the organisational hierarchy (the board) with a clear and specific cultural direction that the corporation must pursue. This may require the recruitment and promotion of managers who will pursue this direction, and clear communication throughout the corporation that reinforces the new norms.
- Change the tangible structures (for example, artefacts) in the corporation to reinforce the new norms.
- Change the values and practices of existing employees.63
- This last step is one of the most critical. A toxic culture cannot be repaired merely by punishing or replacing the executives and the actual wrongdoers. There must be a true change in the values and practices of the corporation. This will require the corporation to demonstrate to employees that it is ready to learn new values and practices. It may be appropriate for employees to participate in decision making regarding issues that concern corporate culture.64
- Cultural change is unlikely to occur if employees doubt whether their leaders are capable of effecting change.65 Initiatives to change culture need to take place at all levels within the organisation and may, accordingly, take years to bring into effect.
- This highlights how important it is for the leadership to speak honestly and responsibly about the need for cultural change. This will be a difficult task if the leadership (including senior management) was responsible for creating the toxic culture.66 Nonetheless, if those leaders cannot be open and honest about their conduct, it may only be possible to bring about cultural change by changing the leadership.
What culture should a casino operator adopt?
- This is not a difficult question. It simply requires a statement of the appropriate norms of conduct to which a casino operator should conform. It will include norms of conduct or standards imposed by the law and norms of conduct that are expected by the community. They are to:
- obey the law
- act honestly
- deter illegal and immoral behaviour that might take place in a casino
- not exploit people who come to the casino to gamble
- take active measures to minimise the harm caused by gambling
- cooperate fully and candidly with the regulator and with government.
Endnotes
1 Exhibit RC1599 Andrew Lumsden and Kylie McPherson, Australian Corporation Practice: Chapter 31 Corporate Governance, September 2017, [31.005].
2 Bob Tricker, Corporate Governance: Principles, Policies and Practices (Oxford University Press, 3rd ed, 2015) 4.
3 Exhibit RC1602 Article: A Friedman Doctrine—The Social Responsibility of Business is to Increase its Profits, 13 September 1970, 2.
4 Andrei Shleifer and Robert Vishny, ‘A Survey of Corporate Governance’ (Working Paper No 5554, National Bureau of Economic Research, 1996) 2.
5 Adrian Cadbury, ‘Foreword’ in Magdi Iskander and Nadereh Chamlou, Corporate Governance: A Framework for Implementation (The World Bank Group, 2000) vi.
6 ‘Statement on the Purpose of a Corporation’, Business Roundtable (Web Page, 2021) < >.
7 Organisation for Economic Co-Operation and Development, G20/OECD Principles of Corporate Governance (Report, 2015) 7.
8 Organisation for Economic Co-Operation and Development, G20/OECD Principles of Corporate Governance (Report, 2015) 34, 37, 45.
9 ‘ACSI Governance Guidelines’, ACSI (Web Page, 2020) < >.
10 Companies Act 2006 (UK) s 172(1).
11 Ian M Ramsay (ed), ‘Corporate Governance and the Duties of Company Directors’ (Centre for Corporate Law and Securities Regulation, 1997) 3.
12 Corporations Act 2001 (Cth) ss 198A, 180–1, 191–2, 195.
13 Corporations Act 2001 (Cth) ch 6, ss 232–7, ch 2E.
14 ASX Corporate Governance Council, Principles of Good Corporate Governance and Best Practice Recommendations (1st ed, March 2003) 11.
15 ASX Corporate Governance Council, Principles of Good Corporate Governance and Best Practice Recommendations (1st ed, March 2003) 25.
16 ASX Corporate Governance Council, Corporate Governance Principles and Recommendations (4th ed, February 2019) 16–17.
17 ASX, Listing Rules (at 1 December 2019) r 4.10.
18 ‘Corporate governance’, ASIC (Web Page, 2014) < >.
19 Gambling Regulation Act 2003 (Vic) s 1.1(2).
20 Casino Control Act 1991 (Vic) s 69.
21 Exhibit RC0508 Ministerial Direction No S 430, 17 September 2018, 4–6.
22 Exhibit RC0163 Ministerial Direction No S 85, 21 February 2020, 2–4.
23 The Commission acknowledges the assistance provided by ERM International in the preparation of this section.
24 ASX Corporate Governance Council, Corporate Governance Principles and Recommendations (4th ed, February 2019) 26.
25 ASIC, Corporate Governance Taskforce: Director and Officer Oversight of Non-Financial Risk (Report, October 2019) 11.
26 ASX Corporate Governance Council, Corporate Governance Principles and Recommendations (4th ed, February 2019) 26.
27 ASIC, Corporate Governance Taskforce: Director and Officer Oversight of Non-Financial Risk (Report, October 2019) 11.
28 Committee of Sponsoring Organizations of the Treadway Commission, Risk Appetite—Critical to Success (Report, May 2020) 9–13.
29 Committee of Sponsoring Organizations of the Treadway Commission, Risk Appetite—Critical to Success (Report, May 2020) 19–23.
30 ASIC Corporate Governance Taskforce, Director and Officer Oversight of Non-Financial Risk (Report, October 2019) 16.
31 Exhibit RC1606 Australian Standard: Risk Management—Guidelines, 2018, 8–15 [6].
32 ASX Corporate Governance Council, Corporate Governance Principles and Recommendations (4th ed, February 2019) 26.
33 Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Final Report, February 2019) vol 1, 396.
34 ASIC, Corporate Governance Taskforce: Director and Officer Oversight of Non-Financial Risk (Report, October 2019) 3.
35 ASIC, Corporate Governance Taskforce: Director and Officer Oversight of Non-Financial Risk (Report, October 2019) 43–50.
36 The Institute of Internal Auditors, The IIA’s Three Lines Model (Report, July 2020).
37 The Institute of Internal Auditors, The IIA’s Three Lines Model (Report, July 2020) 5.
38 The Institute of Internal Auditors, The IIA’s Three Lines Model (Report, July 2020) 4–5.
39 The Institute of Internal Auditors, The IIA’s Three Lines Model (Report, July 2020) 6.
40 The Institute of Internal Auditors, The IIA’s Three Lines Model (Report, July 2020) 6.
41 International Electrotechnical Commission Electropedia (online at 7 September 2021) ‘root cause analysis’ (def 192-12-05).
42 ASIC, Corporate Governance Taskforce: Director and Officer Oversight of Non-Financial Risk (Report, October 2019) 16.
43 APRA, Risk Culture (Information Paper, October 2016) 8.
44 Financial Stability Board, Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture (Report, 7 April 2014) 1.
45 Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Final Report, February 2019) vol 1, 375.
46 Edgar Schein and Peter Schein, The Corporate Culture Survival Guide (Wiley, 3rd ed, 2019) 21–7; Exhibit RC1613 Article: Toxic Corporate Culture: Assessing Organizational Processes of Deviancy, 22 June 2018, 5.
47 Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Final Report, February 2019) vol 1, 375–6.
48 Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Final Report, February 2019) vol 1, 376.
49 Financial Conduct Authority, ‘Transforming Culture in Financial Services’ (Discussion Paper No 18/2, March 2018) 22, 31.
50 Kevin Stiroh, ‘The Economics of Why Companies Don’t Fix Their Toxic Cultures’, Harvard Business Review (online, 22 March 2018) < >.
51 Exhibit RC1605 Article: The Role of Risk Climate and Ethical Self-Interest Climate in Predicting Unethical Pro-Organisational Behaviour, 2020, 16–17.
52 Kahlil S Philander, ‘Future-Proofing the Industry: Organizational Culture and Responsible Gambling’ (Conference Paper, New Horizons in Responsible Gambling Conference, 10–12 March 2020) 9–10.
53 Kahlil S Philander, ‘Future-Proofing the Industry: Organizational Culture and Responsible Gambling’ (Conference Paper, New Horizons in Responsible Gambling Conference, 10–12 March 2020) 6.
54 Exhibit RC1613 Article: Toxic Corporate Culture: Assessing Organizational Processes of Deviancy, 22 June 2018, 4.
55 Exhibit RC1613 Article: Toxic Corporate Culture: Assessing Organizational Processes of Deviancy, 22 June 2018, 6.
56 Exhibit RC1613 Article: Toxic Corporate Culture: Assessing Organizational Processes of Deviancy, 22 June 2018, 7, 25–6; Kevin Stiroh, ‘The Economics of Why Companies Don’t Fix Their Toxic Cultures’, Harvard Business Review (online, 22 March 2018) < ;.
57 Exhibit RC1613 Article: Toxic Corporate Culture: Assessing Organizational Processes of Deviancy, 22 June 2018, 8, 22–3.
58 Exhibit RC1613 Article: Toxic Corporate Culture: Assessing Organizational Processes of Deviancy, 22 June 2018, 8–9, 17–18.
59 Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Final Report, February 2019) vol 1, 377; Exhibit RC1613 Article: Toxic Corporate Culture: Assessing Organizational Processes of Deviancy, 22 June 2018, 15, 17.
60 Exhibit RC1613 Article: Toxic Corporate Culture: Assessing Organizational Processes of Deviancy, 22 June 2018, 8, 13, 15, 26.
61 Edgar Schein and Peter Schein, The Corporate Culture Survival Guide (Wiley, 3rd ed, 2019) 34–5.
62 Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Final Report, February 2019) vol 1, 388.
63 Exhibit RC1613 Article: Toxic Corporate Culture: Assessing Organizational Processes of Deviancy, 22 June 2018, 28–31; Kahlil S Philander, ‘Future-Proofing the Industry: Organizational Culture and Responsible Gambling’ (Conference Paper, New Horizons in Responsible Gambling Conference, 10–12 March 2020) 10–11.
64 Exhibit RC1613 Article: Toxic Corporate Culture: Assessing Organizational Processes of Deviancy, 22 June 2018, 30–1.
65 Exhibit RC1613 Article: Toxic Corporate Culture: Assessing Organizational Processes of Deviancy, 22 June 2018, 25, 31 (in what the authors termed ‘corporate cognitive dissonance’).
66 Exhibit RC1613 Article: Toxic Corporate Culture: Assessing Organizational Processes of Deviancy, 22 June 2018, 25, 31.
Reviewed 25 October 2021