Hi There
Well team, ASIC is on the warpath (just in case you hadn't noticed). Mercer has to pay $11.3m for greenwashing and Amex got an $8.8m penalty for DDO.
These mega penalties got me thinking back to ASIC's FY23 report into breach reporting, which showed that in two thirds of cases, the root cause was determined to be staff negligence/error - i.e. 'someone stuffed up'. Two thirds!
I suspect that when each breach was investigated, it was clear that someone did indeed stuff up. However, I do wonder what happened afterwards. Were staff members required to do more/repeat training? (A pet hate of mine as it's a waste of time in 95% of cases). Or were the systems/tech reviewed to see if there is a way to make it impossible for someone to stuff up?
And now I'm listening to Banking Bad about the rise and rise (and some absolutely appalling behaviour) of the Australian banking system. Nearly every time something has gone horribly wrong in banking over the last 50 years, the response has been 'a few bad apples, nothing to see here'. I fear it's all related.
I mean, we've gotten past the bad behaviour in Banking Bad (I hope!) but the reluctance to spend money on regtech and/or allow the time to really dig into these issues in order to solve them continues apace, which leaves everyone in the position of having to say that a breach was caused by 'staff failure' because there's simply no time to do anything else. Not helped AT ALL by the non-stop changes in regulation, I know.
What's the solution? Dunno! But it will definitely require some different thinking to what got us to this point.
One solution could be the old checklist! I've just finished listening to a book called The Checklist Manifesto, which considers if the checklist system used by pilots could be used in medicine... or financial services. The book recommends a list of 6-8 of the things that are either easiest to miss and/or highest risk if they are missed. It makes some good points, which I'll happily tell you all about if you ask :).
Another way to check that you've got all your ducks in a row is to attend ASFA NSW Regs&Legs on Monday. Victoria Hugh will be discussing product governance - you don't have to be a NSW ASFA member to attend - details below.
And lastly, if/when you do have to give feedback in the case of a breach caused by a staff member, I found this great read in HBR on how to give feedback (see link at end of newsletter).
Cheers
Sarah
Mayflower CEO