Scholars of regulatory theory, whistleblowing and consumer protection might wonder what APRA has been doing up till now ... and whether it will in future engage more effectively with its regulatory responsibilities.
The Executive Summary in the report states
Community trust in banks has been badly eroded, globally and in Australia.
Globally, the financial crisis exposed a series of corporate scandals in banks. Governance weaknesses, serious professional misbehaviour, ethical lapses and compliance failures have resulted in substantial financial losses and record fines and penalties. ‘Conduct risk’ has entered the lexicon of bank Boards and regulators as a clear and present danger.
Banks in Australia were resilient through the crisis but their conduct is far from unblemished. Failings in the provision of financial advice, dubious lending practices, mis-selling of financial products, shortcomings in the setting of benchmark interest rates and compliance breaches have undermined community trust, drip by corrosive drip. Trust is the currency of banks, and improper conduct that undermines confidence or causes harm to customers devalues that currency.
The Commonwealth Bank of Australia (CBA) has acquired the status of a financial icon, built on its history, its continued financial success and its innovation in customer-facing technology. As Australia’s largest financial institution, CBA touches a wide range of Australians. Hence, the community holds high expectations for the institution, as does CBA itself. Nonetheless, it too has had a succession of conduct and compliance issues – AUSTRAC’s legal action a recent high-profile example – and these expectations have not been met. CBA has ‘fallen from grace’. How can this happen in a bank of CBA’s stature and sophistication? This, fundamentally, is the question that the Inquiry Panel has been asked to address.
There is no simple answer, no ‘silver bullet’ remedy. A complex interplay of organisational and cultural factors has been at work. However, a common refrain has emerged from the Panel’s intensive analysis and enquiries over the past six months: CBA’s continued financial success dulled the senses of the institution.
This dulling has been particularly apparent, at least until recently, in CBA’s management of its non-financial risks (that is, its operational, compliance and conduct risks). These risks were neither clearly understood nor owned, the frameworks for managing them were cumbersome and incomplete, and senior leadership was slow to recognise, and address, emerging threats to CBA’s reputation. The consequences of this slowness were not grasped.
The Panel has identified a number of tell-tale markers:
- inadequate oversight and challenge by the Board and its gatekeeper committees of emerging non-financial risks;
- unclear accountabilities, starting with a lack of ownership of key risks at the Executive Committee level;
- weaknesses in how issues, incidents and risks were identified and escalated through the institution and a lack of urgency in their subsequent management and resolution;
- overly complex and bureaucratic decision- making processes that favoured collaboration over timely and effective outcomes and slowed the detection of risk failings;
- an operational risk management framework that worked better on paper than in practice, supported by an immature and under-resourced compliance function; and
- a remuneration framework that, at least until the AUSTRAC action, had little sting for senior managers and above when poor risk or customer outcomes materialised (and, until recently, provided incentives to staff that did not necessarily produce good customer outcomes).
In the environment of continued financial success, two critical voices became harder to hear, leaving CBA vulnerable to missteps. One was the ‘voice of risk’, particularly for non-financial risks. The fact that there had been no large loss-making events in this area (though reputational damage clearly), the heavy emphasis of the risk function on financial risks, and the ineffective operational risk and compliance frameworks, muted that voice.
The other was the ‘customer voice’. Notwithstanding the customer focus enshrined in CBA’s Vision and Values, and its industry-leading customer satisfaction scores, the customer voice (in particular, customer complaints) did not always ring loudly in decision-making forums and product design.
In the Panel’s view, cultural factors lie at the heart of these shortcomings. Four broad and interlinked cultural traits stand out. First, and obviously, a widespread sense of complacency has run through CBA, from the top down. CBA’s first ranking on many financial measures created a collective belief within the institution that CBA was well run and inherently conservative on risk, and this bred over-confidence, a lack of appreciation for non-financial risks, and a focus on process rather than outcomes. CBA was desensitised to failings with customers. Delays in (or premature closing of) risk and audit issues and the late delivery of projects were readily tolerated, with limited remuneration or other consequences.
Secondly, CBA has been reactive – rather than proactive and pre-emptive – in dealing with risks. Operational risk and compliance issues tended to receive attention only once they had emerged clearly or reputational consequences began to rear, but that attention did not always guarantee timely and effective resolution. A slow, legalistic and reactive, at times dismissive, culture also characterised many of CBA’s dealings with regulators. Taken together, complacency and reactivity led to a sense of ‘chronic ease’ in CBA, rather than the ‘chronic unease’ that has proven effective in driving safety cultures in other industries.
Thirdly, CBA became insular. It did not reflect on and learn from experiences and mistakes (its own and others’), including at Board and senior leadership levels. Lessons from previous incidents have not been readily captured or shared across CBA. A lack of intellectual curiosity and critical thinking about the ‘bigger picture’ and the full depth of risk issues inevitably limited CBA’s ability to learn, anticipate and adapt. CBA turned a tin ear to external voices and community expectations about fair treatment.
The fourth cultural trait is the collegial and collaborative working environment at CBA, which places high levels of trust in peers, teams and leaders. Reinforcing this is the significant value placed on the ‘good intent’ of staff. These are positive elements of a sound culture. However, they have had a downside. Pursuit of consensus has lessened constructive criticism and has led to slower decision-making, lengthier and more complex processes, and a slippage of focus on outcomes. It has also impeded accountability and the individual ownership of risk issues. Trust has not been continually validated through strong metrics, healthy challenge and oversight. Good intent has been too readily used to excuse poor risk outcomes.
The Panel has made a series of specific recommendations designed to strengthen governance, accountability and culture within CBA. They focus on some key levers of change:
- more rigorous Board and Executive Committee governance of non-financial risks;
- exacting accountability standards reinforced by remuneration practices;
- a substantial upgrading of the authority and capability of the operational risk management and compliance functions;
- injection into CBA’s DNA of the ‘should we?’ question in relation to all dealings with and decisions on customers; and
- cultural change that moves the dial from reactive and complacent to empowered, challenging and striving for best practice in risk identification and remediation.
The Panel has also identified a number of ‘better practice’ benchmarks that CBA should aspire to meet.
CBA had acknowledged shortcomings ahead of the AUSTRAC action and this Inquiry. Remediation had begun, with a particular focus on upgrading risk management and compliance. These efforts will need to be substantially enhanced under CBA’s new leadership.
CBA’s new remediation program is ambitious and on a scale that exceeds previous risk management initiatives. In some areas, it has anticipated the Panel’s recommendations; in other areas, however, it remains a blank canvas. To succeed, it will be critical that the program breaks the mould – it cannot succumb to the weight of bureaucracy, unclear accountabilities and porous deadlines that have challenged earlier CBA projects. Milestones must be clear, realistic, and enforced. Senior leaders must take ownership and their remuneration should be linked to successful delivery.
Regaining community trust will require time, hard work and an undistracted risk and customer focus. Many of CBA’s working practices and cultural traits are deeply ingrained and must be squarely addressed if the ‘reset’ of the institution recommended by the Panel is to succeed. The CBA Board must be up to this challenge, and the signs are positive. Significantly, the ‘light hand on the tiller’ of earlier years has been replaced by a firmer and more visible hand and oversight and challenge has intensified. In the end, however, it will be results that count.
The Report that follows may read as a long catalogue of shortcomings. That would be too narrow a read. The Panel acknowledges the undoubted financial strength and acumen of the CBA, its global standing, and the avowed commitment of staff to servicing customers. CBA needs to translate this financial strength and good intent into better meeting the community’s needs and the standards expected of a systemically important bank in Australia. The Report is a road map for this journey.