* This edition was originally published in the Conference Edition of the GRC Professional.
As a business grows and becomes more complex and the products it sells and the channels used to sell products multiply, board governance and oversight of risk management and compliance frameworks becomes more important.
For the Commonwealth Bank of Australia (CBA), 2017 was a watershed year: with over 50,000 employees operating internationally providing retail, business and institutional banking, funds management, superannuation, insurance, investment and share-broking products and services, it was exposed to a number of incidents that damaged its reputation and public standing.
According to CBA’s Chief Risk Officer, David Cohen, in his evidence at the Financial Services Royal Commission on 30 May 2018:
“One of the issues at the executive management level … is that we have lacked an executive non-financial risk committee or forum for considering non-financial risks. Because I think the organisation as a whole is relatively, not perfectly, but relatively good at logging and tracking and measuring financial risk. But the same emphasis has not been placed on non-financial risks such as conduct and reputational issues.”
In August 2017, APRA commissioned a Panel to conduct a prudential inquiry into CBA to examine its governance, culture and accountability frameworks. This followed incidents involving CBA, including AUSTRAC’s legal action in connection with AML breaches, as well as other conduct-related matters.
These incidents included:
mis-selling of margin loans to retail customers to invest in financial products recommended by Storm Financial (2008);
misconduct by financial advisers in Commonwealth Financial Planning, part of CBA’s wealth business (2010/11);
fees for no service in financial advice (2012 to 2015);
use of an outdated definition of heart attack in insurance products sold by CommInsure (2016);
anti-money laundering (AML) breaches and AUSTRAC action (2017); and
mis-selling of credit card insurance (2013 to 2018).
On 30 April 2018, APRA published the Panel’s Report. The Panel observed that there was inadequate oversight and challenge by the Board (and its Committees) of non-financial risks (that is, its operational, compliance and conduct risks) and, in particular emerging risks. In addition, material or ‘red flag’ risks were kept open for too long, suggesting a failure to properly monitor risks when they had been identified.
All businesses face risks. The critical points raised by the Report are to ensure there is an appropriate balance and focus in identifying material risks and addressing them as quickly as possible after they have been identified.
Although compliance risks may have financial consequences, they must be monitored separately because of customer and reputation effects.
What are the governance issues for risk and compliance?
The ASX Corporate Governance Principles and Recommendations defines corporate governance as “the framework of rules, relationships, systems and processes within and by which authority is exercised and controlled within corporations. It encompasses the mechanisms by which companies, and those in control, are held to account.”
In other words, as discussed in the APRA Report, governance is the way in which decisions are made, including how financial objectives, values and strategic priorities impact on decision-making and risk-management, and how decisions, once made, are implemented and monitored.
In describing CBA’s management of its non-financial risks, the Inquiry concluded:
“These risks were neither clearly understood nor owned, the frameworks for managing them were cumbersome and incomplete, and senior leadership was slow to recognise, and address, emerging threats to CBA’s reputation. The consequences of this slowness were not grasped.”
The Inquiry identified a number of factors:
inadequate oversight and challenge by the Board and its gatekeeper committees of emerging non-financial risks;
unclear accountabilities, starting with a lack of ownership of key risks at the Executive Committee level;
weaknesses in how issues, incidents and risks were identified and escalated through the institution and a lack of urgency in their subsequent management and resolution;
overly complex and bureaucratic decision-making processes that favoured collaboration over timely and effective outcomes and slowed the detection of risk failings;
an operational risk management framework that worked better on paper than in practice, supported by an immature and under-resourced compliance function; and
a remuneration framework that did not penalise senior managers when poor risk or customer outcomes materialised and rewarded staff for behaviour that did not necessarily produce good customer outcomes.
Failure of the three lines of defence
The Inquiry did not criticise the Three Lines of Defence model.
However, it found that CBA had failed to effectively implement its Three Lines of Defence model (which it called the Three Lines of Accountability) across its operational units which operated as independent silos.
It said that CBA had inadequate mechanisms to manage the inherent challenge in its federated organisational structure: it failed to implement its Three Lines of Accountability model and Group operational and compliance risk management frameworks in a manner that reflected the specific business model and risk profile of each business unit, while also achieving a degree of consistency across units.
CBA had allowed business units to tailor the model for their purposes, rather than adopt a ‘one-size-fits-all’ approach. The challenges of having multiple models across the Group required strong oversight by the Group Risk function, including additional effort required by Group Risk to assess that its minimum standards have been applied, ensuring there were no gaps in roles and responsibilities, and managing risks arising from products and processes that cross business units.
CBA’s tailoring of the model across business units created additional complexity, which was compounded by a lack of documentation on how the model in each business unit worked in practice. CBA experienced challenges in managing this complexity--particularly in relation to operational and compliance risks.
The difficulty that CBA experienced was that various incidents of misconduct were recorded on different systems in different business units, without necessarily being encompassed in a single business unit.
Failure of governance
The Inquiry found that the Board, together with its Risk, Audit and Remuneration Committees, demonstrated significant shortcomings in the governance of non-financial risks. For much of the period under review, the Board did not demonstrate rigour of oversight and challenge to CBA management.
CBA’s focus on financial risks was not matched by a strong ‘risk champion’ for operational, compliance and conduct risks. Risk management in these areas was dominated by a ‘tick the box’, process-driven mentality. This meant that potentially serious non-financial risk issues were not identified early and addressed. CBA’s compliance function was under-developed, as was its framework to manage conduct risk.
The Report concluded that the various failings culminated in a dilution of the ‘voice of risk’ and the ‘customer voice’, which did not provide a sufficient counterweight to a strong and mature ‘voice of finance’ in ensuring sound risk and compliance outcomes.
For example, the Board did not receive alerts on individual incidents or themes that might indicate an underlying or emerging risk or issue that might have reputational consequences.
Inadequate communication between its Audit, Risk and Remuneration Committees was another contributing factor.
The Report recommended that CBA ensure its Three Lines of Accountability principles are effectively embedded and subject to strict governance. In doing so, it recommended that CBA must ensure that business units take primary ownership of risk management.
CBA’s approach to managing operational and compliance risks
CBA acknowledged to the Inquiry a focus on process rather than on mitigating risk. Interviewees noted that the risk function ‘couldn’t see the forest from the trees’ and was ‘consumed by process’.
The Report found that CBA’s operational risk and compliance functions had a heavy procedural bias. This was evidenced by rules-based policies containing very detailed, step-by-step processes that fostered a ‘form over substance’ approach to risk management. It was also evidenced in a significant focus on assessing compliance with policies and procedures.
CBA’s approach to operational and compliance risk was also focused on reacting to losses and incidents that had already occurred, rather than proactively identifying, measuring and managing risks.
Assuming that a business has adequate compliance resources, it needs to have an ability to identify and manage conduct risks and operational compliance risks, both existing and emerging.
The Board needs to have processes in place to receive information about those risks (including financial and reputational) and monitors accountability.
The APRA CBA Report is a case study of governance failure.
About the author
David Jacobson is the Principal of Bright Corporate Law, a law firm for Financial Service Providers, specialising in regulatory compliance, contracts, risk management, governance and training.