Take Control To Restore Public Trust In Financial Services


The risks financial institutions face in managing other people's money have been laid bare over the course of the ongoing Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry. No one will dispute that public trust needs to be restored.

The hearings have shone a light on issues that are likely to damage the reputation of both the organisations involved and the financial services industry more broadly. The first step for a financial institution is a prudent and timely review of its internal control environment. This will mitigate future reputational, financial, regulatory and legal risk and, importantly, will help restore customer confidence.

However, the last thing an organisation needs is an over-engineered and costly set of controls that grinds operations to a halt. The aim is not to eliminate all risk: necessary risks can be taken with greater confidence when risk events are visible, monitored and understood.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines internal control as “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance of the achievement of objectives in the following categories:

  1. effectiveness and efficiency of operations,

  2. reliability of financial reporting, and

  3. compliance with applicable laws and regulations.”

In most organisations, employees are committed to following the organisation's policies and its ethical and behavioural standards. However, the royal commission hearings demonstrate that there is plenty of room for the financial services industry to do better.

Where then to begin? Below is a simplified outline, a starting point for reviewing organisational internal controls across three areas: management and culture, risk management, and data and systems.


  1. Does your organisation establish and effectively communicate written policies and procedures, a code of ethics and standards of conduct?

  2. Are your employees working within the law and behaving consistently with organisational expectations, and how are you monitoring this?

  3. Is management fostering an environment that encourages the highest levels of integrity and personal and professional standards?

  4. Does your senior leadership team exhibit and promote a culture of care and internal control within the organisation?


It is imperative that controls are well understood as part of the risk management framework. Categorising controls allows your organisation to capture the results of risk assessments made at both the strategic and operational levels. Controls are typically classified into five types:


This involves establishing the process governing the approach and behaviours against which all risks will be assessed and managed.


This involves identifying risk events (or near misses) and describing them in qualitative terms, including what the consequences would be if the event were to occur.


This involves implementing technical and procedural controls designed to stop future events occurring.

Restorative mitigation

This involves developing a range of procedures to contain a risk event after it has occurred and to prevent further risk events. A sensible approach will also include evaluating control objectives and prioritising risks by assigning each a weighting. The other consideration is ensuring that the control environment enables (or even encourages) risks to be taken in accordance with the organisation's risk appetite.

Monitor and review

This involves ongoing review of known risks and identification of any new risks that may arise as the organisation evolves. The results of this review are also an input to the continuous improvement of the organisation's risk management framework.


  1. Do systems have accurate, complete and current data about your customers?

  2. Do technology systems exist that support a robust internal control environment?

  3. Is product and service configuration in systems regularly reviewed, for example to confirm that the correct fees are applied?

  4. Are regular data quality checks part of the control environment? Are they performed by a team, or are they an automated and systematic process?

It is never too late to make important improvements. If your organisation would benefit from an internal control environment review, please feel welcome to contact QMV.



Kin Fok - Lead Consultant

