Governance gaps exposed businesses and their customers to serious risk and harm.

Kenneth Hayne

Managing conduct risk with accountability, coaching and the right culture


What is conduct risk?

Conduct risk is ‘the risk of inappropriate, unethical or unlawful behaviour on the part of an organisation’s management or employees. That conduct can be caused by deliberate actions or may be inadvertent, because of inadequacies in an organisation’s practices, frameworks, or education programs.’

This was Greg Medcraft’s definition of conduct risk in his speech to the Institute of Internal Auditors Australia, as chairman of ASIC, titled ‘The human factor: is conduct risk on your radar?’

Conduct risk exists in almost every part of a business. For this reason, it is essential for firms in highly regulated industries (financial, insurance, energy, superannuation and managed funds) to be able to identify, assess, control, manage, monitor, and test conduct risk across three main lines of defence: governance, risk management and compliance (GRC).



The rise of conduct risk

Over the last few years, there has been increasing pressure for transparent governance, culminating in an unprecedented swathe of royal commissions, reviews, recommendations, and new regulations. As a result, multiple sectors in Australia (and internationally) are in crisis, driven in large part by the challenge of setting up appropriate risk management systems and responding in line with community expectations.

Commissioner Hayne in his Final Report relating to the financial services industry asks business groups to improve management of compliance risk, conduct risk, regulatory risk, and operational risk.

“There exists a culture of complacency and a lack of capability in addressing material matters of (non-financial) risk, including early indicators of emerging risk. These governance gaps exposed businesses and their customers to serious risk and harm.”

Kenneth Hayne, Royal Commission into Financial Services Industry

The Banking Executive Accountability Regime (BEAR) was established in February 2018 to set clear and heightened expectations of accountability for authorised deposit-taking institutions (ADIs), their directors and senior executives, and to ensure there are clear consequences in the event of a material failure to meet those expectations. This is yet another example of the scrutiny that these financial firms and the conduct of their people receive.


The balance of people, performance and culture helps mitigate conduct risk.

What are the impacts of getting management of compliance wrong?

Regulatory requirements around managing conduct risk are not going away and the impact of firms getting it wrong is severe.

Greg Medcraft from ASIC also asserts that misconduct can result in significant financial costs, including the cost of customer remediation, compensation, and fines. Boston Consulting Group has estimated that banks have paid over US$321 billion in fines since the global financial crisis.

Don’t let conduct risk damage your firm’s brand, reputation or bottom line. The reputational damage misconduct can cause is perhaps even greater than the fines, given some reports suggest intangible assets such as IP and brand now account for over 80% of a firm’s value versus 20% forty years ago.

Put that statistic next to AON’s most recent Global Risk Management Survey that shows that the number one risk for an organisation in APAC is damage to reputation or brand, and it is clear there is a compelling argument to make sure your company gets the management and minimisation of conduct risk right. Mismanagement of conduct risks can have a serious impact on Australian firms.


Culture is key for employees and company performance.

Culture always wins

According to ASIC, culture is a key driver influencing why people conduct themselves in a certain way, along with incentives (what people are paid to do) and also deterrence (the likelihood of being caught doing something wrong and the consequences if you are caught). Your firm’s culture can help mitigate conduct risk.

So, what impact could the added scrutiny around conduct risk have on an organisation’s culture, performance and the people on the frontline who need to implement the changes?

Culture should be the centre of an organisation’s GRC system. Without a culture of integrity, organisations are likely to view their compliance programs as a set of tick-the-box activities. Even worse, some firms see it as ‘just another thing I have to do’ or a roadblock to achieving business objectives and performance, as we have sometimes seen.

In their article, ‘Corporate culture: The second ingredient in a world-class ethics and compliance program’, Deloitte outlines nine key characteristics in building a culture to support managing compliance and conduct risk:


  1. Organisational values: A set of clear values emphasises a commitment to legal and regulatory compliance, integrity, and business ethics.
  2. Tone at the top: Executive leadership and senior managers encourage employees to conduct themselves legally and ethically, and in accordance with compliance and policy requirements.
  3. Consistency of messaging: Operational directives and business imperatives align with the messages from leadership related to ethics and compliance.
  4. Middle managers who carry the banner: Frontline and mid-level management turn principles into practice. Their conduct sets a standard. They often use the power of stories and symbols to promote ethical behaviours.
  5. Comfort speaking up: Employees across the organisation are comfortable coming forward with legal, compliance, and ethics questions and concerns without fear of retaliation.
  6. Accountability: Senior leaders hold the conduct of themselves and those reporting to them accountable for complying with the law and organisational policy as well as adhering to shared values.
  7. The hire-to-retire life cycle: The organisation recruits and screens employees based on character as well as competence. The on-boarding process steeps new employees in organisational values and monitoring also reflects those values. Employees are well treated when they leave or retire, creating supporters for life.
  8. Incentives and rewards: The organisation rewards and promotes people based, in part, on their conduct and adherence to ethical values. It is not only clear that good behaviour is rewarded, but that bad behaviour can have negative consequences.
  9. Procedural justice: Internal matters are adjudicated equitably at all levels of the organisation. Employees may not always agree with decisions, but they will accept them if they believe a process has been fairly administered.


The conduct challenge for business

As is well documented, conduct risk breaches (in other words, misconduct on the part of employees in financial organisations) were the main causes of the global financial crisis. Many financial firms were subsequently fined for misconduct. Adding to the challenge is the skill shortage of qualified compliance professionals. This exposes a company and the financial system to greater risk, including increased conduct risk.

Due to COVID-19, there has been an acceleration in change towards long-term trends such as working from home. Organisations that had been considering remote working for a decade were up and running within two weeks and firms now must adapt to the biggest dislocation in the business environment seen in decades.

The resulting challenge for leaders of customer-focused firms operating in highly regulated industries is to change rapidly. At the same time, firms must make sure they comply with escalating regulation and oversight and continue to manage conduct risk. They have to do all of this without effective learning and development on the job, where 90% of learning occurs.

Finding the right software services and systems to support this challenge is…a challenge in itself.


YakTrak provides real-time insights into employee performance and conduct risk.

Challenge accepted

Australian enterprise and government organisations have an immediate appetite for the transparency, audit trails and coaching for appropriate behaviours that YakTrak provides to mitigate conduct risk in several industry verticals, including Aged Care, Financial Services, Insurance, Energy, Superannuation and managed funds.

Regulators in Australia are particularly interested in the key origins of conduct failures, such as the sales and service frameworks and conversations had with customers, product disclosures, how complaints and remediation are handled, and the ability to report on the entire risk ecosystem.

YakTrak products and services provide the board, leaders, and teams with real-time insights into the conduct of people, how this compares to what should be done and the tools to close the gaps. YakTrak can help shed light on your firm’s conduct risk.


YakTrak will get you going quickly with low effort, while minimising your financial and organisational risk

YakTrak’s unique products and services provide companies with end-to-end risk management software services. From flagging the risk to employee coaching and customer remediation workflows, YakTrak can support your firm when managing conduct risk.

Medium-to-large businesses in Australia are currently using YakTrak to assist them in managing conduct risk of their customer-facing employees and management teams.

Legal and regulatory requirements are changing constantly. Software that evolves and changes as quickly as organisations and firms do is imperative. YakTrak workflows require minimum time and effort to set up and maintain, unlike other software that is expensive to build and time-consuming to maintain.


We co-create the best outcome for managing conduct risk:

  • Our rapid ideation means we’ll get you a solution quick smart
  • YakTrak is easy to implement for both ‘out of the box’ and tailored solutions for your business
  • Cost-effective to customise and simple to maintain
  • YakTrak conduct risk tools effortlessly integrate with your company
  • Customisable workflows track the information that is most important to your company
  • We’ll build an agile solution that can grow and shape to your needs
  • It’s safe and secure – with all data kept in Australia-based data centres or any international location as required
  • We provide additional data leakage protection (DLP) to ensure that more sensitive information and data are adequately protected
  • On top of our risk management features, YakTrak also looks after the management of the daily interactions that your leaders are having with your people and customers


Use YakTrak’s conduct risk solution to leverage industry best practices

YakTrak is a SaaS solution developed on a single line of code. That means quick, easy, and cost-effective customisation. YakTrak’s services cover three crucial functions of GRC and continually evolve as we grow our user base and gather client feedback.

So, what does that mean for you? Simply, your organisation benefits from every other organisation’s suggestions and requests for improvement. This means YakTrak constantly stays up to date with cross-industry best practice around the management of conduct risk. It’s efficient for us and makes good financial sense for you and the other firms we work with by keeping costs down.


How are other organisations using YakTrak to manage GRC?

YakTrak’s conduct risk and GRC solution incorporates a ‘many-to-many’ workflow, which means one form can be passed off to multiple areas within your organisation, or to a third party outside your organisation, for action. This provides broad oversight of key details across the business.


YakTrak allows you to create a customised workflow to track and remediate a conduct risk breach.

How does a customised workflow work for your business?

Let’s say you look after the compliance and conduct risk requirements for four thousand sales and service contact centre or retail customer-facing employees either in Australia or in international teams:

  • Start by defining all the key compliance and risk framework elements you want employees to demonstrate and build them into an observation workflow in YakTrak.
  • A compliance team member observes or listens to a staff member interaction with a customer and enters the details of outcomes into YakTrak. YakTrak springs to life behind the scenes and gets to work.
  • In this example, the interaction reveals a risk: a customer has been given incorrect information. The data the compliance team member has entered indicates the employee has breached conduct risk guidelines.
  • The form is then sent to multiple users within YakTrak for further action:
    1. Firstly, the employee’s leader to advise of the conduct risk identified and coaching requirements. The team leader will then coach the employee and track the outcome in the YakTrak workflow.
    2. Secondly, the customer remediation team who then contacts the customer with the correct information, and documents the outcome in YakTrak.
    3. Thirdly, the governance team who will then document the contact to the regulator if required.
  • The originating compliance team keeps track of all interactions using their very own status dashboard, which provides an overview and real-time status update of all ‘open’ risks identified.


Contact YakTrak to find out how we can help you manage conduct risk in your organisation.

What can YakTrak do to help you manage the conduct of your people?

Our advisory team works closely with enterprise business management teams to ensure we are providing the right services and customising YakTrak to their needs. We also check that we are providing the type of data required to report on conduct and performance daily, in real time, all the way to senior management and the board of directors.

We have recently customised a series of new dashboards to align with specific client reporting requirements relating to conduct. Gain insight into:

  • Risk volume details and key conduct categories
  • Risk breakdown reporting and trends over time
  • Trend information and advice on key risks that require coaching and development
  • Regulatory information for reporting
  • Key activities undertaken to close an identified risk such as remediation and coaching