The report by the Panel headed by former APRA chairman, John Laker, is the most compelling analysis of corporate governance at a major public company ever to be published. Indeed, its scope and public release are unprecedented. It will undoubtedly be influential in the approach and policies of corporate regulators around the world.
As a major financial institution (a “financial icon”) the report notes a succession of conduct and compliance issues—Austrac’s legal action recent high-profile example (as yet un-litigated)—to state that “CBA has fallen from grace”.
The report focuses on CBA’s management of non-financial risks (i.e. operational, compliance and conduct risks). It states that these risks were neither clearly understood nor owned, the frameworks for managing them were cumbersome and incomplete, and CBA’s leadership was slow to recognise, and address, emerging threats to CBA’s reputation.
The Panel identified a number of what it described as “tell-tale markers” of poor governance including:
- Inadequate oversight and challenge by the board and its committees.
- Unclear accountabilities and lack of executive ownership of key risks.
- Weaknesses in how risk issues were identified and escalated.
- Lack of urgency in management and resolution of risk issues.
- Overly complex and bureaucratic decision-making which (puzzlingly) “favoured collaboration over timely and effective outcomes and slowed the detection of risk failings”.
- An operational risk management framework that worked better on paper than in practise.
- A remuneration framework that had little “sting for senior manager and … provided incentives to staff that did not necessarily produce good customer outcomes”.
All of this is against a backdrop on continued financial success by the organisation, no large loss-making events in relation to operational risks, and “industry leading customer satisfaction scores”.
This last feature is dismissed by the Panel with a statement that “the customer voice (in particular, customer complaints) did not always ring loudly in decision-making forums and product design”.
The Panel concluded that cultural factors lie at the heart of CBA’s shortcomings. It blames four broad and interlinked cultural traits as follows:
- A widespread sense of complacency that ran through CBA, from the top down. This led to a belief that the institution was well-run and inherently conservative on risk, and this belief bred over-confidence.
- A reactive rather than a proactive or pre-emptive approach to dealing with operational and compliance issues. CBA was characterised by a “slow, legalistic and reactive, at times dismissive, culture which also characterised many of the CBA’s dealings with regulators”. In sum, a sense of “chronic ease” rather than “chronic unease”.
- An insular culture that did not reflect on and learn from experiences and mistakes, including at Board and senior leadership levels. This evinced a lack of “intellectual curiosity and critical thinking” about the full depth of risk issues and a “tin ear” towards community expectations about fair treatment.
- A collegial and collaborative working environment which places high levels of trust in peers, teams and leaders. While these are positive elements of a sound culture, the Panel points to the downside: a lessening of constructive criticism, slower and complex decision-making processes, and impediments to accountability and individual ownership of risk issues.
The Panel’s recommendations to address these shortcomings are designed to strengthen governance, accountability and culture within CBA. They focus on several key “levers of change”:
- More rigorous board and executive governance of non-financial risks.
- Exacting accountability standards, reinforced by remuneration practices.
- A substantial upgrading of the authority and capability of the operational risk management and compliance functions.
- “Injection into CBA’s DNA of the “should we?” question in relation to dealings with customers”.
- Moving the cultural dial from reactive to challenging and striving for better practice in risk identification and remediation.
The report’s section on board governance makes particularly interesting reading. Here is a selection of its statements:
- “Ultimately it is the board … that is responsible for the Bank’s prudent risk management. The board provides direction to senior management by identifying the principal risks facing the Bank and by setting its risk appetite.”
- “The board delegates to the CEO and senior management primary ownership and responsibility for implementing sound risk management practices.”
- It is the board’s role to oversee the three lines of defence which is the framework for managing risk across the organisation. The Risk Committee and Audit Committee assist the board in this task, as does the Remuneration Committee.
- The Panel found that at all levels the attention and priority afforded to the governance and management of non-financial risks in CBA was not “to the standard it would have expected in a domestic systemically important bank”.
- For much of the period under review, the board did not demonstrate rigorous oversight and challenge to CBA management. The tone at the top was “unclear”.
- CBA’s focus on financial risks was not matched by a strong “risk champion” for operational, compliance and conduct risks.
- Focus on aggregate customer satisfaction survey results reinforced a good news story that the board and management were “predisposed to hear”. Alarm bells from the treatment of aggrieved customers “did not sound loudly”.
- The board did not have a “highly visible presence” on risk issue remediations, and the lack of apparent urgency by the board and its committees in dealing with non-financial risks imparted “a tone of inaction” to the rest of the organisation.
- There were gaps in communication between committees, despite overlapping membership and a lack of candour from management in messaging to the board and its committees.
- At board and committee level, there was a lack of “genuine benchmarking”.
In criticising the lack of rigour and urgency on the part of the board and its committees, the Panel acknowledges “one of the challenges facing all boards is ensuring strong oversight of senior management whilst still preserving an appropriate separation from managerial responsibilities. The Panel accepts that a board must have a high degree of trust in the executives that it has appointed. However, the degree of trust needs to be continually tested and validated through appropriate metrics and constructive challenge by directors who collectively must have appropriate levels of expertise and experience”.
The Board Audit Committee (BAC) came in for particular criticism for exhibiting “a lack of rigour and urgency in holding management to account in addressing and closing out audit issues”. For example, there were three Red audit reports on AML, the first in 2013, the second in 2015 noting that the issues raised two years before “have not progressed due to a lack of ownership” and a third in September 2016 which stated unequivocally that CBA “has been slow to address many of the previously identified issues and associated root causes”. This led the Panel to describe the operation of the BAC as “passive” and a “light hand on the tiller”.
The Panel criticised the BAC members for not being routinely provided with nor requesting full copies of Red audit reports but relying merely on summaries and for not calling the owners of issues raised in Red audit reports to appear directly before the BAC.
Similarly, the Board Risk Committee (BRC) was criticised for not policing closure of material control weaknesses reported to the Committee. The BRC received only aggregate measures of untested or unsatisfactory controls, and the BRC was heavily reliant on the CRO. Issue escalation protocols to the BRC were not clearly laid out in CBA policies. Also, the chair of the BRC had a reputation as an industry expert, as did the CRO, and while this expertise was a strength, the two provided a “scholarly gravitas” that stifled the level challenge at the committee meetings.
As with the BAC, the BRC was criticised for lack of clarity in terms of formal accountability, for a lack of candour in messaging from management for a lack of benchmarking, and for a high degree over-confidence in management reporting.
Some Implications for Financial Institution Directors
There is much food for thought in the APRA report. Coupled with the Royal Commission evidence relating to AMP, company directors generally (regardless of sector) will no doubt ponder the implications for their roles for many months to come. It is early days, but here are a few preliminary comments:
- Boards will need to spend more time reflecting on how they are setting and demonstrating “cultural tone from the top”.
- Boards will need to pay increased attention to devising and monitoring measures that illuminate culture and behaviour across their organisations.
- Directors will need to be more visibly engaged around operational risk, customer complaints and feedback, and regulatory compliance, and board and committee minutes will need to more fully articulate how directors are questioning and challenging management on these matters.
- Generally, more time will need to be devoted to BAC and BRC meetings which will need to engage in greater detail around items such as internal audit reports, regulatory correspondence and instances of non-compliance with policies and controls, in much the same depth that many companies now interrogate safety incidents in great detail.
- Boards will need to engage in more rigorous and detailed analysis to justify remuneration decisions, overlaying a conduct and risk lens across traditional financial objectives.
- Nominations committees will need to work harder to identify and recruit director candidates with deep industry experience (a key lesson from AMP).
- All directors, particularly chairmen, will need to carefully manage the risk of becoming quasi executive as they spend more time engaging more deeply with management in the operation of their companies.
Implications for the Financial Sector
There will also be a number of consequences for the financial sector generally. Here are a few:
- It is going to get harder to recruit well-qualified directors for FIG companies, due to both the greater time demands and reputational risk involved.
- Inevitably, government will be pressured into giving both ASIC and APRA even greater powers, prosecution penalties and resources to more deeply interrogate financial companies, all of which will lead to increased costs of compliance teams and top management distraction.
- It is likely that “community expectations” must now take prominence in addition to prudential risk management when it comes to approving loans and financial products. “Community expectations” will be difficult to define and subject to special interest group lobbying.
- Inevitably, lending decisions will be delayed and more costly as banks are required to gather more evidence in relation to serviceability, etc. The full burden of this will fall on the big banks, but smaller institutions will likely fall outside the spotlight, putting larger institutions at a competitive disadvantage.
- The importance of positive credit reporting will be highlighted. Not all banks have signed up to the voluntary code as yet, but all should seek to do so.