Culture eats compliance for breakfast: Why banks keep failing the same test
Organisational culture failures at major banks can be detected via unstructured data and analytics to drive more effective risk oversight, writes Colin Priest
As a former whistleblower, I've seen how broken cultures destroy organisations from within. ANZ's $240 million penalty proves we're still not measuring what actually matters.
When I raised concerns years ago about serious misconduct at an insurance company, the procedures existed. The policies were documented. The risk frameworks were approved. But the culture punished truth-tellers, rewarded silence, and protected the powerful from consequences. That's where our risk models failed: they couldn't capture what really mattered.
Now, watching ANZ receive Australia's largest-ever corporate penalty of $240 million while APRA demands "real culture change", and not just procedural fixes, I'm reminded why I shifted my career toward understanding the human factors that traditional risk management misses.
APRA Chair Joe Longo described ANZ's previous attempts to address cultural issues as "astonishing" in their inadequacy. But here's the uncomfortable truth: ANZ isn't an outlier. It's a symptom of a systemic problem in how financial institutions approach risk management.

The black box risk managers can't see
Here's the problem that keeps me up at night: Risk managers have traditionally been trained in statistics, finance, and regulatory frameworks, rather than in psychology and sociology. We've built sophisticated models to measure credit risk, market risk, and operational risk. But culture? That's been the black box.
ANZ's failures illustrate this gap perfectly. The Oliver Wyman review analysed over 1,400 documents, surveyed 3,495 employees, and conducted more than 110 interviews. What did they find? About 30% of staff interviewed were aware of "allegations of bullying, alcohol and substance abuse" by certain individuals over several months or years. Staff raised concerns repeatedly, but ANZ Markets' leadership "did not take decisive action".
Only 43% of Australian Markets staff believed senior leaders' actions aligned with their words. Only 52% in Sydney believed that consequences for misconduct were appropriate. Half of the sampled risk events lacked evidence of complete root cause analysis.
These warning signals existed in emails, meeting transcripts, and internal communications long before regulators arrived. But how do you detect these patterns in a bank with tens of thousands of employees? How do boards and senior management monitor culture when toxic or hierarchical dynamics suppress disclosure of problems?
The answer is: they couldn't until now.
Cracking open the black box through AI
The latest generation of AI and machine learning can finally measure what was previously unmeasurable. We can now analyse unstructured data: emails, meeting transcripts, exit interviews, and collaboration tool messages. We can build psychological profiles that identify toxic patterns before they metastasise into compliance breaches. We can detect early warning signs of cultural breakdown and transition from reactive compliance to proactive culture management.
LLMs can learn to simulate an individual’s behaviour. For example, in Chat Bankman-Fried: an Exploration of LLM Alignment in Finance, researchers prompted twelve LLMs to impersonate the CEO of a financial institution and test their willingness to misuse customer assets to repay outstanding corporate debt. My current research combines psychological frameworks and profiles with few-shot examples of an individual’s behavioural history to improve the accuracy of AI simulations, predicting operational risk and fraudulent behaviours. This exciting and emerging field isn’t limited to risk management. Other UNSW academics are applying AI simulations of human behaviour to other use cases, such as mobility, urban policymaking, and health.
Consider what AI-powered culture analytics might have revealed at ANZ months or years prior to the scandals erupting. An AI system would detect escalating complaints coupled with inadequate management responses. It would flag the disconnect between ANZ's stated emphasis on non-financial risk and the reality that remuneration was "primarily based on financial performance." It would identify that staff trust was collapsing long before it manifested in the manipulation of $14 billion in government bond trades or ignoring 488 hardship requests from vulnerable customers.
The psychological foundation exists. Dave Ingram's work on plural risk cultures demonstrates that toxic organisational monocultures (where a single personality type dominates decision-making) consistently lead to failures. Healthy organisations require cognitive diversity, robust challenge mechanisms, and genuine psychological safety. AI can measure these factors by analysing how decisions are made, who speaks up in meetings, whose concerns are heard, and who is dismissed.
Unlike annual surveys that employees learn to game, continuous analysis of actual workplace interactions provides an unvarnished picture of organisational health. It detects what Royal Commissioner Kenneth Hayne identified: when "pursuit of corporate gain" and "individual gain spurred on by remuneration or other financial incentives" create systematic, not isolated, misconduct.
The privacy question is a red herring
Someone inevitably objects whenever I raise these ideas: "What about privacy? What about employee morale?"
Let's be clear: In Australia, it's already legal for employers to use AI to scan employees’ internal emails and communications. They must follow privacy laws and provide written notice to employees in some states, such as NSW and ACT. The Madzikanda v Australian Information Commissioner case established clear parameters: monitoring is lawful when the conduct relates to employment and employers have transparent workplace policies.
More importantly, we can make this opt-in. If you want a decision-making role in a highly regulated industry with potential for serious customer harm, you agree to a psychological profile to screen for suitability. APRA already requires assessment of fitness and propriety for directors, senior managers, auditors, and actuaries. Why shouldn't that assessment include evidence that you don't exhibit the psychological patterns associated with toxic leadership?

Key decisions must already be documented and reviewed by audit, regulators, and chief risk officers. Instead of jumping at shadows and giving in to algorithmic aversion, we should be more concerned about the legal and operational risks of not screening key decision-makers when we have the tools to do so.
Workers are already protected if monitoring is abused. The Federal Circuit and Family Court have ruled that companies and directors can be held personally liable for adverse action against employees who raise concerns. The barriers to taking action are low: Fair Work Commission applications for unfair dismissal or workplace bullying cost less than $90, making legal recourse accessible to employees. The question isn't whether we can measure culture ethically. It's whether we're ready to fix a known and serious problem.
Banks have no excuse for incompetence
APRA already requires management of culture. APRA uses and consults with organisational psychologists to analyse risk in regulated institutions. It has highlighted the benefits of psychological expertise in organisational diagnostics.
But here's the chicken-and-egg problem: when culture is toxic or hierarchical (or both, as I personally experienced), the Board and Chief Risk Officer have no visibility of problems. Issues are suppressed before they reach the top.
This raises an important question: how can major Australian banks in the 21st century lack the maturity, scale, and processes to manage organisational culture effectively? With the resources and expertise available, there's a real opportunity to close this gap.
Consider the evidence. ANZ has racked up $550 million in penalties since 2016. Commonwealth Bank paid $700 million in 2018 for enabling money laundering, plus a $1 billion capital reserve from APRA. Westpac paid $1.3 billion in 2020 for over 23 million contraventions, including failures around child exploitation risks. ANZ's bond manipulation cost taxpayers $26 million directly.
These aren't isolated incidents. They're predictable outcomes of systemic cultural dysfunction. The business case for prevention is overwhelming. Deloitte research shows organisations with data-driven cultures are 2.5 times more likely to exceed business goals. McKinsey found that predictive analytics improves employee retention by 40% and efficiency metrics by 30%. Preventing a single major compliance event (typically costing $5 million to $50 million or more) provides a 10 to 100 times return on investment.
What needs to change
The financial sector needs more than better rules. It needs better leaders, supported by better tools to understand and shape organisational culture.
For UNSW graduates entering banking, financial services, and corporate risk roles, this is your opportunity. Champion the integration of behavioural science and AI into organisational risk management. Develop literacy in both organisational psychology and AI capabilities. Build cross-functional coalitions across risk, compliance, HR, and technology. Design pilot programs that demonstrate value while addressing privacy concerns in a transparent manner.
Risk management functions must develop a deeper understanding of people, moving beyond financial and operational process metrics. This means hiring psychologists and sociologists alongside actuaries, operational risk managers, and finance specialists. It means using AI to analyse the 80-90% of organisational data that was previously inaccessible: the unstructured human interactions where culture actually lives.

APRA is absolutely right to insist that ANZ demonstrate "real culture change" before lifting enforceable undertakings. You can't risk-manage your way out of a culture problem with more procedures. You must change hearts and minds at every level, starting at the top.
But boards can't change what they can't see. That's why measurement matters. Culture can be measured. We have the tools. The opportunity is here to move forward with solutions that work.
The cost of continuing to fail
When ANZ's remuneration report faced its first strike in December 2024, with 38.28% of votes cast against, it signalled something deeper than shareholder dissatisfaction with executive pay. It reflected a loss of trust in governance itself. Former CEO Shayne Elliott forfeited $3.4 million, but shareholders absorbed far greater losses. Companies facing remuneration strikes experience average share price declines of 30%.
The human cost is harder to quantify but no less real. ANZ ignored 488 hardship requests from customers experiencing family violence, unemployment, serious medical issues, and bereavement (some for over two years). They took debt recovery action without even responding. They charged fees to 18,900 deceased customers for years after death.
These failures don't happen because of inadequate compliance manuals. They occur because of cultures that devalue empathy, discourage speaking up, and reward financial performance above all else.
The choice facing banks and their future leaders is straightforward: continue managing culture through annual surveys and reactive investigations while hoping to avoid becoming the next scandal, or embrace technology that can detect warning signals before they destroy customer lives and institutional reputations.
The path forward is clear for an industry that prides itself on quantitative risk management. The technology exists. The psychological frameworks exist. The business case is proven. The legal framework supports ethical implementation.
What's needed now is leadership willing to step up and implement these solutions. We must acknowledge that traditional risk management has a blind spot and embrace approaches that provide genuine accountability at all levels.
As someone who paid a personal price for speaking truth to power, I can tell you: the status quo isn't sustainable. But I'm optimistic about what's possible. The next generation of risk managers has the tools and expertise to make a real difference. The question is whether we're ready to seize this opportunity to transform how we manage culture in financial institutions. All we have to do is step up.
Colin Priest is a former insurance C-Suite executive and now Senior Lecturer at UNSW Business School. His current research uses AI and machine learning to measure and manage the human factors that traditional risk models miss, particularly in highly regulated industries. He combines actuarial science, AI, and risk management expertise with behavioural science to develop predictive approaches to culture management.