Conduct Risk and Risk Culture: APRA's Expectations, Royal Commission Lessons, and Building a Sound Risk Culture
Conduct risk — the risk that an institution's behaviour, practices, or culture leads to poor outcomes for customers, counterparties, or market integrity — has moved from a supervisory talking point to a central enforcement priority for Australian regulators. The Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry exposed systemic failures in risk culture across the sector. APRA responded with intensified supervisory expectations, the CBA Prudential Inquiry set a precedent for institution-level accountability, and CPS 511 (Remuneration) now hardwires conduct outcomes into executive pay. For compliance teams, the challenge is no longer whether conduct risk matters — it is how to embed it, measure it, and demonstrate it to regulators.
This guide covers APRA's risk culture framework, the Royal Commission's conduct findings, ASIC's enforcement approach, CPS 511 remuneration linkage, and practical guidance on measuring conduct risk with leading and lagging indicators.
APRA CPS 220: The Risk Management Framework Foundation
APRA's Prudential Standard CPS 220 (Risk Management) requires all APRA-regulated entities to maintain a risk management framework (RMF) that is approved by the board and reviewed at least annually. CPS 220 does not use the term "conduct risk" explicitly, but its requirements are the structural foundation for managing it.
Under CPS 220, the RMF must include:
- Risk appetite statement — a board-approved articulation of the types and levels of risk the entity is willing to accept. A credible risk appetite statement must address non-financial risks including conduct, compliance, and operational risk — not only credit, market, and liquidity risk
- Risk culture expectations — APRA expects the RMF to address how the board and senior management will foster a risk-aware culture. The risk appetite statement should articulate the entity's expectations for risk culture in terms that can be observed and measured
- Three lines of accountability — the RMF must establish clear accountability across business lines (first line), risk and compliance functions (second line), and internal audit (third line). Conduct risk failures frequently originate in unclear or contested accountability between the first and second lines
- Material risk identification — entities must identify all material risks, including conduct risk, and ensure each has an accountable owner, defined limits or tolerances, and monitoring arrangements
APRA's Risk Culture Framework: The Four Indicators
In March 2016, APRA published its landmark Information Paper on Risk Culture, which established the supervisory framework that continues to govern APRA's assessment of risk culture across the prudential sector. The paper identified four interlocking indicators that APRA uses to assess whether an entity's risk culture is sound.
1. Tone from the Top
The board and senior management set the risk culture through their decisions, communications, and — critically — their behaviour when risk events occur. APRA assesses tone from the top by examining: whether the board challenges management on risk matters or passively accepts risk reporting; whether senior leaders model the risk behaviours they espouse (including escalation of bad news); and whether there is a visible gap between stated risk appetite and actual business decisions. The CBA Prudential Inquiry found that CBA's board and senior management had allowed an "overconfidence in the Group's management of non-financial risks" that permeated the organisation.
2. Accountability
Individuals at all levels must understand and accept accountability for managing risks within their areas of responsibility. APRA looks for: clear assignment of risk ownership to named individuals (not committees); consequence management that is applied consistently — meaning that poor risk outcomes result in genuine consequences for accountable individuals; and escalation pathways that are used in practice, not merely documented. The Financial Accountability Regime (FAR), which commenced for ADIs on 15 March 2024, formalises accountability obligations for senior executives and directors.
3. Effective Challenge
A sound risk culture requires that decisions are challenged — by the second line, by internal audit, by the board, and by peers. APRA assesses whether: the risk function has genuine independence and sufficient authority to challenge business decisions; board risk committees receive information in a form and timeframe that allows meaningful challenge (not just approval of pre-determined outcomes); dissenting views are documented and considered; and lessons from risk events are embedded in decision-making processes.
4. Incentives
Remuneration and incentive structures must reinforce — not undermine — the risk culture. APRA expects: that variable remuneration is genuinely linked to risk outcomes, not merely financial performance; that incentive structures do not create perverse incentives to take excessive risk or to deprioritise customer outcomes; and that clawback and malus provisions are not merely documented but are exercised when warranted. CPS 511 (Remuneration) has since codified these expectations into binding prudential requirements.
Royal Commission Findings: Profit Over Compliance
The Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Hayne Royal Commission, 2017-2019) was the most significant examination of conduct risk in Australian financial services history. Commissioner Hayne's final report identified systemic conduct failures that traced directly back to risk culture deficiencies.
Key Conduct Failures Identified
- Fees for no service — AMP, ANZ, CBA, NAB, and Westpac all charged customers ongoing advice fees without providing the advice. The total cost to consumers exceeded $1 billion in remediation. The root cause was not a system error — it was a business model that prioritised revenue retention over customer outcomes, compounded by inadequate compliance monitoring and a culture that tolerated known deficiencies for years
- Inappropriate lending — the Commission heard evidence of home loans approved without adequate verification of borrower capacity to repay, in breach of responsible lending obligations under the NCCP Act. Incentive structures rewarded loan volume without adequate risk adjustment
- Insurance mis-selling — consumer credit insurance sold through high-pressure telephone sales channels to customers who were ineligible for claims, including unemployed and retired persons. Commission evidence showed that entities were aware of the problem but delayed remediation to protect revenue
- Superannuation trustee failures — trustees that failed to act in the best financial interests of members, including charging fees for services not provided and failing to transition members out of underperforming products
Commissioner Hayne's Six Norms
Commissioner Hayne distilled the conduct failures to six foundational norms that entities had breached:
- Obey the law
- Do not mislead or deceive
- Act fairly
- Provide services that are fit for purpose
- Deliver services with reasonable care and skill
- When acting for another, act in the best interests of that other
The simplicity of these norms was deliberate: the Royal Commission found that entities had overcomplicated their compliance frameworks while failing to adhere to basic principles of lawful and ethical conduct.
ASIC's Conduct Risk Framework
The Australian Securities and Investments Commission (ASIC) is the primary conduct regulator for financial services. Post-Royal Commission, ASIC has restructured its enforcement approach around several conduct risk pillars that directly affect compliance frameworks.
Design and Distribution Obligations (DDO)
Part 7.8A of the Corporations Act (effective October 2021) requires issuers to make target market determinations (TMDs) for financial products and distributors to take reasonable steps to ensure products are distributed consistently with TMDs. DDO is fundamentally a conduct risk obligation — it requires entities to design products with reference to customer outcomes, not solely commercial considerations. ASIC has issued multiple stop orders where TMDs were inadequate or where distribution practices were inconsistent with stated target markets.
Sales Practices and Product Intervention
ASIC's product intervention power (Part 7.9A) allows ASIC to impose conditions on or ban financial products where there is a risk of significant consumer detriment. ASIC has used this power against short-term credit products, binary options, and CFDs. Entities with robust conduct risk frameworks should be assessing their product range for consumer harm indicators before ASIC intervenes — reactive compliance is no longer acceptable.
Complaints Handling and IDR
Regulatory Guide 271 (Internal Dispute Resolution) sets binding standards for complaints handling. ASIC treats complaint volumes, complaint themes, and time-to-resolution as leading indicators of conduct risk. Entities that see rising complaint volumes in a particular product line or distribution channel and do not investigate and remediate the root cause are demonstrating the same risk culture failures that the Royal Commission identified.
CPS 511 Remuneration: Hardwiring Conduct into Pay
APRA's Prudential Standard CPS 511 (Remuneration), effective 1 January 2024 for larger entities, fundamentally changed how financial institutions must link remuneration to risk and conduct outcomes. CPS 511 implements several of Commissioner Hayne's recommendations and the FSB Principles on Sound Compensation Practices.
Key CPS 511 Requirements
- Variable remuneration caps — for senior managers and material risk-takers, variable remuneration must not exceed a proportion of fixed remuneration. This limits the financial incentive to take excessive risk for short-term gain
- Deferral — a minimum proportion of variable remuneration for senior executives must be deferred for at least four years (six years for CEOs). Deferral ensures that remuneration is exposed to risk outcomes that may take years to materialise — precisely the pattern seen in fees-for-no-service, where revenue was booked immediately but harm was discovered years later
- Clawback — entities must have the ability to recover variable remuneration already paid where a material risk event subsequently comes to light. CPS 511 requires clawback provisions to be enforceable, not merely aspirational
- Malus — entities must have the ability to reduce or cancel deferred variable remuneration that has not yet vested, where conduct, compliance, or risk outcomes warrant adjustment
- Board remuneration committee — the board must establish a remuneration committee with specific oversight responsibilities for ensuring that remuneration outcomes are consistent with risk management, compliance, and conduct expectations
Conduct Linkage in Practice
CPS 511 requires that conduct and compliance outcomes are a meaningful component of performance assessment for all employees whose remuneration includes a variable component. "Meaningful" means that a significant conduct failure must be capable of reducing variable remuneration to zero — not merely adjusting it marginally. Entities must demonstrate to APRA that the remuneration framework creates genuine downside risk for individuals who deliver financial results through poor conduct.
Measuring and Monitoring Conduct Risk
One of the most persistent challenges for compliance teams is making conduct risk measurable. Unlike credit risk or market risk, conduct risk does not lend itself to straightforward quantitative modelling. However, the CBA Prudential Inquiry and APRA's subsequent supervisory guidance have established a practical framework for measurement.
Leading Indicators
Leading indicators are forward-looking measures that signal emerging conduct risk before it crystallises into harm. Effective leading indicators include:
- Risk culture survey results — periodic surveys of staff perceptions about risk culture, escalation, psychological safety, and management responsiveness. Trends matter more than absolute scores
- Escalation volumes — the number and quality of risk events, near-misses, and compliance concerns escalated by staff. A declining trend may indicate a deteriorating speak-up culture, not improving risk outcomes
- Training completion and quality — not merely completion rates, but assessment pass rates and post-training behavioural changes
- Product review outcomes — results of product reviews under DDO, including whether TMDs were updated, distribution was restricted, or products were withdrawn
- Whistleblower reports — volume and nature of reports through internal and external whistleblower channels
- Audit findings — themes from internal audit reviews of conduct-related controls, including time-to-close for remediation actions
Lagging Indicators
Lagging indicators measure conduct risk that has already materialised:
- Customer complaint volumes and themes — analysed by product, channel, and geography to identify systemic patterns
- AFCA complaint outcomes — external dispute resolution outcomes where the entity's decision was overturned indicate potential systemic conduct issues
- Regulatory enforcement actions — infringement notices, enforceable undertakings, civil penalty proceedings, and licence conditions imposed by ASIC, APRA, or AUSTRAC
- Remediation programs — the frequency, size, and root cause of customer remediation programs. An entity that runs frequent large-scale remediations has a conduct risk problem, regardless of how robust its framework documents appear
- Breach reporting — reportable situations under s912D of the Corporations Act, including the volume, nature, and time-to-report
- Staff disciplinary actions — the number and nature of conduct-related disciplinary actions, including dismissals, formal warnings, and remuneration adjustments
The CBA Prudential Inquiry: A Case Study in Risk Culture Failure
APRA's 2018 Prudential Inquiry into the Commonwealth Bank of Australia remains the most detailed public examination of risk culture failure in an Australian regulated entity. The Inquiry Panel (chaired by John Laker AO) found that CBA had a "chronic underinvestment in the non-financial risk function" and that risk culture deficiencies pervaded the organisation despite strong financial performance.
Key findings relevant to conduct risk frameworks:
- Non-financial risk was treated as a compliance exercise rather than a genuine business discipline — risk reporting focused on completeness of documentation rather than quality of risk management
- The first line did not genuinely own non-financial risk — it was implicitly delegated to the second line, creating accountability gaps
- Board and executive committees received insufficient information to exercise effective challenge — risk reports were voluminous but lacked the insight needed for decision-making
- There was a "can do" culture that prioritised operational delivery over risk management, and where raising concerns was perceived as impeding progress
- Remediation of known issues was slow and incomplete — risk events were identified but consequence management was inconsistent
APRA imposed an additional $1 billion capital requirement on CBA as a supervisory response — a penalty without precedent that demonstrated APRA's willingness to use its prudential powers to address risk culture failures. The remediation program that followed (the Remedial Action Plan or RAP) took over three years to complete and involved fundamental restructuring of CBA's risk governance.
Common Conduct Risk Framework Gaps GoComply Detects
When financial institutions run their risk management frameworks, risk appetite statements, remuneration policies, and conduct risk policies through GoComply's compliance scanner, these are the gaps that surface most consistently:
- Risk appetite statement omits conduct risk — risk appetite statements that address credit, market, liquidity, and operational risk but do not explicitly articulate the entity's appetite for conduct risk, compliance risk, or customer outcome risk. CPS 220 requires the RMF to cover all material risks
- Risk culture not measurable — frameworks that describe desired risk culture attributes (e.g., "open and transparent") but do not define observable indicators, measurement methodologies, or reporting cadences. APRA's 2016 Information Paper expects risk culture to be assessed, not merely described
- CPS 511 clawback provisions not enforceable — remuneration policies that include clawback language but lack the contractual mechanisms, employment law advice, or board-approved trigger criteria needed to actually recover remuneration. Aspirational clawback does not meet APRA's requirements
- Leading indicators absent from board reporting — conduct risk reporting that relies exclusively on lagging indicators (complaints, breaches, enforcement actions) without forward-looking measures such as culture surveys, escalation trends, or product review outcomes
- Three lines model unclear on conduct risk ownership — frameworks where the first line (business) and second line (risk/compliance) have overlapping or ambiguous accountability for conduct risk, leading to the "implicit delegation" pattern identified in the CBA Prudential Inquiry
- No linkage between DDO product reviews and conduct risk reporting — entities that perform DDO product reviews in a separate compliance stream without feeding outcomes into their conduct risk reporting to the board
- Consequence management not evidenced — conduct risk frameworks that describe consequence management processes but cannot point to instances where consequences were actually applied, creating a gap between policy and practice
Building a Sound Conduct Risk Framework: Practical Steps
1. Define Conduct Risk in Your Risk Taxonomy
Ensure conduct risk is a named risk category in your risk taxonomy with a clear definition, a nominated senior executive owner (aligned with FAR accountabilities), and a distinct risk appetite threshold. Do not subsume conduct risk entirely within operational risk — while there is overlap, conduct risk has distinct drivers and measurement requirements.
2. Integrate the Four Risk Culture Indicators
Map your conduct risk framework to APRA's four indicators: tone from the top, accountability, effective challenge, and incentives. For each indicator, define what "good" looks like, how you will measure it, and what your escalation triggers are.
3. Build a Conduct Risk Dashboard
Create a conduct risk dashboard that combines leading and lagging indicators into a single view for the board risk committee. Include trend analysis (not just point-in-time snapshots), thresholds that trigger escalation, and narrative commentary that connects the data to business decisions.
4. Align Remuneration with CPS 511
Ensure your remuneration framework meets CPS 511's requirements for deferral, clawback, and malus — and that these mechanisms are contractually enforceable and have been tested with employment law advice. Document the criteria that would trigger clawback or malus, and ensure the board remuneration committee has reviewed and approved them.
5. Test Your Framework Under Stress
Conduct scenario exercises that test how your conduct risk framework would respond to a significant conduct event — a large-scale remediation, a regulator-initiated investigation, or a whistleblower disclosure. The CBA Prudential Inquiry demonstrated that frameworks that look adequate on paper can fail under pressure when accountability is unclear and escalation pathways are untested.
Related Regulations and Obligations
Conduct risk frameworks for Australian financial institutions intersect with a broad regulatory ecosystem:
- APRA CPS 220 (Risk Management) — the foundational prudential standard requiring a board-approved risk management framework covering all material risks
- APRA CPS 511 (Remuneration) — prudential standard linking remuneration to risk and conduct outcomes through deferral, clawback, and malus
- Financial Accountability Regime (FAR) — individual accountability for senior executives and directors, with APRA deregistration powers for conduct failures
- APRA CPS 230 (Operational Risk) — operational risk management obligations that overlap with conduct risk in areas such as process failures, system errors, and people risk
- ASIC DDO (Part 7.8A Corporations Act) — design and distribution obligations requiring products to be designed and distributed with reference to customer outcomes
- Corporations Act s912D (Breach Reporting) — mandatory reporting of reportable situations including significant breaches of financial services laws
- ASIC RG 271 (Internal Dispute Resolution) — complaints handling standards that generate key conduct risk data
- Whistleblower protections (Part 9.4AAA Corporations Act) — protections for individuals who report conduct concerns, intersecting with risk culture and speak-up obligations
This guide is for informational purposes and does not constitute legal advice. Consult qualified compliance professionals for specific obligations.