The Hayne Royal Commission into Misconduct in the Banking, Superannuation and Financial Industry is riveting stuff. Admissions of misconduct have led to resignations, sackings and shakeups of both boards and management of banks and other financial institutions. The brief periods that the one-man royal commission is in session are extensively covered by news outlets including live blogs.
Adding fuel to the fire, the Australian Prudential Regulation Authority (APRA), has just landed a report into governance at CBA, after 6 months of inquiry.
The 3-page executive summary alone bears reading. It’s sobering stuff:
CBA’s continued financial success dulled the senses of the institution. This dulling has been particularly apparent, at least until recently, in CBA’s management of its non-financial risks (that is, its operational, compliance and conduct risks). These risks were neither clearly understood nor owned, the frameworks for managing them were cumbersome and incomplete, and senior leadership was slow to recognise, and address, emerging threats to CBA’s reputation. The consequences of this slowness were not grasped. The Panel has identified a number of tell-tale markers:
- inadequate oversight and challenge by the Board and its gatekeeper committees of emerging non-financial risks;
- unclear accountabilities, starting with a lack of ownership of key risks at the Executive Committee level;
- weaknesses in how issues, incidents and risks were identified and escalated through the institution and a lack of urgency in their subsequent management and resolution;
- overly complex and bureaucratic decision making processes that favoured collaboration over timely and effective outcomes and slowed the detection of risk failings;
- an operational risk management framework that worked better on paper than in practice, supported by an immature and under-resourced compliance function; and
- a remuneration framework that …. had little sting for senior managers and above when poor risk or customer outcomes materialised (and, until recently, provided incentives to staff that did not necessarily produce good customer outcomes).
In the APRA diagnosis this occurred because:
In the environment of continued financial success, two critical voices became harder to hear, leaving CBA vulnerable to missteps.
One was the ‘voice of risk’, particularly for non-financial risks. The fact that there had been no large loss-making events in this area (though reputational damage clearly), the heavy emphasis of the risk function on financial risks, and the ineffective operational risk and compliance frameworks, muted that voice.
The other was the ‘customer voice’. Notwithstanding the customer focus enshrined in CBA’s Vision and Values, and its industry-leading customer satisfaction scores, the customer voice (in particular, customer complaints) did not always ring loudly in decision-making forums and product design.
Complacency as a Root Cause
In perhaps the most telling finding, the APRA report finds that CBA fell into a form of complacency born of financial success. The culture inside CBA suppressed intellectual curiosity and critical thinking.
This is one of the most interesting aspects of the report: that the seeds of failure lie in financial success. If complacency is the root cause of the CBA’s woes, then its also complacent to see CBA’s predicament as having nothing to offer in relation to conduct in other sectors.
Here’s a test: substitute “CBA” in the above passages with the name of another organisation. Does any of it ring true? If so, and if you have anything to do with risk, management or governance there, then you’ve got work to do.
Trust is said to be the currency of banking, but surely it’s the currency of all relationships.
These findings have been widely reported in the media, undermining trust in banks. A wider risk is that it breeds a general mistrust in the governing institutions of civil society.
APRA also recommends that CBA injects a ‘should we?’ question into its corporate “DNA” for all dealings with customers. That’s an integrity question that any of us can, and should, ask in any situation.
CBA has embarked on an ambitious culture change programme.
To paraphrase the APRA report, every organisation needs a culture “that moves the dial from reactive and complacent to empowered, challenging and striving for best practice in risk identification and remediation”. APRA recommends a substantial upgrade of the authority and capability of the CBA operational risk management and compliance functions.
CBA is systemically important to banking in both Australia and New Zealand. So we all have an interest in the speedy return of CBA and our other financial institutions to good corporate health. We also all have an opportunity to learn from their predicament, to remember our customers, to ask the searching risk questions, to act with integrity and to guard against complacency in our success.
Disclosure: CBA provides banking services to Navigatus Consulting in Australia. ASB, a CBA subsidiary, also provides banking services directly to Kevin Oldham.