The prudential inquiry into Commonwealth Bank of Australia which delivered its final report in April 2018 identified three types of problems, they are as follows.
The first type of problem mentioned in the report is governance. Governance can be defined as the way in which decisions are made. This means how the financial objectives, values and strategic priorities undertaken by a firm impacts on the decision-making and risk-management and how such decisions which are made are implemented. Since governance involves decision-making, the Panel described the decision-making in CBA as overly complexed and bureaucratic. This had favoured collaboration over timely as well as the effective outcomes which slowed the process of detection of risk failings. Problems also arise when a firm is reactive rather proactive. The proactive approach focuses on taking actions before they appear and thus making a firm well prepared in order to deal with the problem when they arise. CBA however was reactive while dealing with their risks. It is always beneficial to have to plan before the risk appears rather than tackling and coming up with measures after they appear. Operational risk in CBA received attention only after they had emerged clearly. This also had an impact on their reputation. The solution to this risk may not always be timely and effective.
According to the Panel report on CBA, at all their levels, the degree of attention and priority given to the governance and management of non-financial risks was not up to the standard, considering the Commonwealth Bank of Australia being a domestic systemically bank. In terms of risk-management, the board along with their other committees, suffered from shortcomings in the governance of non-financial risks. The Board did not have the right balance of summarised and detailed reporting in the risk areas nor did they strive to make any improvements. While at the executive committee level, there was a lack of accountability for the non-financial risk management and lax remuneration practices. This ultimately led to inevitable weakness in relation to their emerging risks and customer related issues. The serious non-financial risk issues were also not identified and addressed in its early stage. The Panel observed an imbalance between the ‘voice of finance’ when it was compared to the ‘voice of risk’ and ‘customer voice’ collectively. The trade-off decisions were given a priority over the customers’ voice decisions even though treatment of their customers is very important for their reputation and public standing.
In order to deal complexity and to organise their risk governance, it has become a norm for the banks to implement the ‘Three Lines of Defence Model’. The first line of defence is the business, the second line is the independent risk management and compliance function and the third line is the independent audit function of both external and internal audits. However, CBA had failed to implement this model efficiently despite their number of attempts over the years.
Accountability is one of the five of CBA’s core values and is the second type of problem mentioned in the Panel. It can be defined as a process in which the staff of CBA collectively and individually fulfil their responsibilities. It provides a better clarity on personal accountability for risk management through detailed mapping of accountability to roles. Training on softer skill development and mindsets helps to build a culture of active identification and mitigation of risks.
The staff also has to suffer the consequences of failing to do so. Remuneration outcomes is defined as one of the best methods to hold the staffs accountable for their mistakes. CBA’s application of remuneration policies to support the accountability and effective risk management hardly helped. The Board did not hold the senior authorities to account for the risk and outcomes which happened on their watch.
There are a number of reasons behind CBA’s struggle with accountability, like the trust, over consulting and the federated organisational structure. CBA suffered the consequences of having a federated organisational structure. The executives were empowered about their respective business units but still was confused about the accountability for risks and issues in such business units. There was also a lack of consent and vision at the executive committee level. Accountability also failed in AML-CFT compliance. There was a lack of awareness of the roles and responsibilities of Line 1 and Line 2. An example of such confusion is mentioned in the Panel. The project to achieve compliance was run by Line 2: group operational risk and therefore the accountability for achieving compliance was with that team. However, they failed to achieve the compliance where Line 1 was mentioned as the owner of such risk.
Limited appetite to apply consequence management is also another struggle. The first example under this topic, talks on how complexity is used as an excuse for spreading accountability. The second example mentions how the senior authorities at the higher levels were not held responsible for resolving unclear roles and responsibilities at the lower levels and the third talks on how the accountability of Line 1 was not applied consistently.
There was also a lack of accountability for risk systems such as the collateral management system which records collateral. The credit risk limit system monitors and manages the credit exposures relating to derivatives while the country risk management systems which is required Line 2 to sponsor the project to improve CBA’s ability to manage its overseas exposures effectively in the absence of Line 1.
The third type of problem is culture and leadership. Culture is the norms of behaviour for both individuals and groups within CBA, which determines their collective ability to identify, understand, discuss, escalate and action taken on the current and future challenges and risks which are faced by them.
Under culture too, the Panel mentioned the staff being reactive. The senior level has a reactive approach to the operational risks. The staff have been good at reacting, flagging and tackling the issues once the rise, however they are lacking in the follow through issue resolution. There has also been a slow and reactive approach to regulatory interaction.
The risk function had an uneven, inconsistent and weak influence across the CBA. The risk function is said to have faced more obstacles than the business units while carrying out its mandate. Credibility, authority and respect of the risk function has been inconsistent and weak across CBA.
The CBA staffs also failed to learn and reflect from their past mistakes. The meetings held tend to focus on speed and intellectual debate rather than on reflecting their mistakes.
The working environment in the CBA is said to have a high level of trust among the various staffs at different levels. According to the Panel, this strength was exaggerated and has somewhat led to over-confidence and over-collaboration in abilities.
CBA also strived to balance empowerment with challenge which was in the end not executed well. The objective to empower Group Executives and encourage challenge was well intended but it was not put into practice.
The CBA sees itself to have a strong customer orientation, however it is still incomplete. They did not pay enough attention on identification of systemic issues their customer complaints. The small percentage of the customers complaints was not addressed efficiently and CBA failed to devote a sufficient attention in identifying the systematic issues or applying a long-term mindset.
Impact of These Problems on Financial Intermediaries and Their Customers
These problems have a negative impact on the financial intermediaries itself and therefore leads to a negative impact on their customers too. Lack of accountability for non-financial risk management and lax remuneration practices at the executive committee level led to an inevitable attitudinal weakness in relation to emerging risks and customer issues. There has been too much focus on the short-term aggregate customer satisfaction and a lack of focus on resolving poor experiences from customers. The identification of customers complaints has been weak. The board did not receive any analysis on the customer complaints nor was there evidence on the review of any systematic risks that such customer complaints might highlight. The board materials did not include any discussion related to their customer complaints or any risk arising from individual complaints.
The customer complaints of CBA have found their way into the public domain and this has therefore casted CBA into a poor light. This can therefore lead to unsatisfied customers and can damage the firm’s reputation in the market in the long run. Financial intermediaries who want to have a good reputation among their customers and in the market need to train their staff to on how to identify, handle and solve such problems.
Role of Regulation in Addressing Governance, Culture and Accountability Issues in Financial Intermediaries
On the 28th of August 2017, the Australian Prudential Regulation Authority announced that it would establish a prudential inquiry within the CBA group. The main reason for this is to identify the shortcomings in the frameworks and practices in the area of the problems and to find a solution on how to address such shortcomings.
Regulation under governance can be done with the APRA’s Standards. The board needs to undertake the annual assessment of its performance and that of its directors in response to the requirements under the Prudential Standard CPS 510 Governance. This handles the over-confidence in operations of the Board Audit Committee (BAC) and Board Risk Committee (BRC) and lack of benchmarking in the financial intermediaries. The board is also required to form a view on risk culture under the Prudential Standard CPS Risk Management.
The regulation of culture and leadership is also done under the APRA’s standard. In order to ensure that CBA has a healthy risk culture, CBA will have to take a complete approach which includes the targeted steps to solve their cultural and leadership weakness. These steps which are undertaken must be aligned with the requirements of the Board and management to form a view on risk culture under the Prudential Standard CPS 220 Risk Management.
Regulation of accountability is done under the Banking Executive Accountability Regime (BEAR) which strengthens APRA’s power in assessing the transparency and accountability of decision-making processes withing the authorised deposit taking institutions (ADIs). In the year 2009, the Financial Stability Board (FSB) released its Principle for Sound Compensation Practices and accompanying Implementation Standards, which was designed to achieve a clearer alignment between the remuneration practices and prudent risk-taking. In the year 2009/2010 APRA then gave effect to these FSB’s principles through amendments to its prudential standards on governance and introduced the Prudential Practice Guide PPG 511 Remuneration. This established the minimum requirements and better practice expectations in relation to the design, the governance and to the implementation of remuneration policies.
The ‘Three Lines of Defence’ model too was also applied by various financial intermediaries in order to solve these three problems. We can therefore say that regulation plays an important role in financial intermediaries in helping them to address these problems.
Actions of Financial Firms to Identify and Rectify These Problems
The financial firms have to not only be prepared physically but also be prepared mentally in order to identify and rectify the problems faced. The Panel mentions how one should change their mentality from ‘can we do it’ to ‘should we do it’. To solve the problem of governance, CBA has applied the risk management framework, which helps in identifying, measuring, evaluating, monitoring, reporting and in controlling the internal and external sources of risk. CBA’s risk management framework for identifying and managing risk related to operational and compliance involved certain processes. The ‘Risk in Change’ is one of the process and was strengthened by CBA. This process is used in order to identify and manage risks. The BRC oversees the implementation and operation of this framework while the BAC provides an objective review of the effectiveness of the reporting and the risk management framework. The Board Remuneration Committee too plays a role in overseeing the bank’s remuneration framework and assists the Board to ensure that the remuneration objectives and the structure of its remuneration arrangements are appropriate.
Under accountability, the effective accountability mechanisms undertaken by firms can help in identifying and in escalating the new and emerging risk issues. CBA makes it clear to the staff regarding their responsibilities. In order to rectify the problem of accountability, CBA makes it clear to their staff that everyone understands and deliver what is expected of them. It also expects its staff to acknowledge their mistakes, to escalate and learn from them. The team leaders too have the responsibility of setting clear expectations of each person and the team. CBA identified that further investment is required in order to improve the understanding of accountability across groups. This involved training of staff and remediating the work on the ‘Three Lines of Defence’ model. Risk management program was also used to rectify and to address the problem of accountability. Accountability principles are used by CBA to make sure that their executives who demonstrate accountability ensures an effective supervision in delegated activities. They enable appropriate funding, resourcing and proactively responded to the material risk issues to ensure that they do not persist without effective resolution. CBA has committed to adopt all the recommendations from the ‘Sedgwick Report’ on sales commissions and product-based payments in the retail focused businesses.