How to improve performance and avoid poor risk governance in your organisation
Many valuable lessons can be learned from the failures of risk governance in Australian banks.
The Commonwealth Bank of Australia (CBA) and Westpac Banking Corporation (Westpac), two of the largest banks in Australia, had to provide Court Enforceable Undertakings to the Australian Prudential Regulation Authority (APRA) in May 2018 and December 2021 respectively.
APRA is an independent statutory authority that supervises institutions across banking, insurance and superannuation and promotes financial system stability in Australia.
APRA announced the Prudential Inquiry on 28 August 2017 to examine CBA’s frameworks and practices concerning governance, culture and accountability, following several public incidents. APRA’s Final Report concluded that CBA’s continued financial success had dulled the institution’s senses to signals that might otherwise have alerted the Board and senior executives to a deterioration in CBA’s risk profile.
“These risks were neither clearly understood nor owned, the frameworks for managing them were cumbersome and incomplete, and senior leadership was slow to recognise, and address, emerging threats to CBA’s reputation. The consequences of this slowness were not grasped,” the Report stated.
The Report identified several prominent cultural themes: a widespread sense of complacency, a reactive stance in dealing with risks, an insular outlook that did not learn from experiences and mistakes, and an overly collegial and collaborative working environment that lessened the opportunity for constructive criticism, timely decision-making and a focus on outcomes.
Other findings include:
- Inadequate oversight and challenge of emerging non-financial risks by Executives, the Board, and its committees. CBA had not set aside the requisite space, time and permission for quality reflection, introspection, and learning.
- Limited reflection and learning, coupled with a focus on the day-to-day, led to the bigger picture or full depth of risk issues, both current and emerging, being missed.
- Unclear accountabilities. This started with a lack of ownership of key risks at the Executive Committee level, which made it hard to identify who was accountable when things went wrong. Ownership of outcomes gave way to following process: ‘people are a lot more focused on risk management processes than outcomes’, ‘there is a tick-box approach rather than one of understanding the true broader risks’ and ‘we don’t empower bankers to utilise their risk judgment to ultimately achieve the best risk outcomes.’
- Weaknesses in how issues, incidents and risks were identified and escalated through the institution, and a lack of urgency in their subsequent management and resolution. Major operational and compliance issues were not always escalated in sufficient detail for the Board to fully understand, discuss and make decisions on them.
- Overly complex and bureaucratic decision-making that favoured collaboration over timely and effective decisions. This slowed the detection of risk failings.
- An operational risk management framework that worked better on paper than in practice. Risk management activities were onerous, complex and time-consuming, and achieved very little beyond a form-filling exercise. The risk function was perceived as process-focused and administrative rather than strategic, and it was immature and under-resourced.
- The Board did not have the right balance of summarised and detailed reporting. The Regulatory and Operational Risk report had very limited detail on CBA’s risk profile, the trajectory of risks, or new and emerging risks.
- Operational and compliance risk metrics in the Group Risk Appetite Statement (RAS) were under-represented relative to metrics for financial risks. The metrics were backward-looking and focused on whether risk management processes had been properly executed rather than on CBA’s actual risk profile, and they were not detailed enough to give a meaningful view of the operational and compliance risk profile.
- CBA was highly reactive in dealing with operational and compliance risks. Reactivity is strongly related to complacency.
- Business units could not see the end-to-end view of risks across the value chain. This inhibited the ability to understand potential risk impacts on downstream and upstream activities.
- The Executive Committee did not have sufficient visibility of thematic control issues, so business units might accept higher levels of risk without appropriate controls.
- The CBA Board did not receive any metrics or analysis on customer complaints, and there was no evidence of Board or Committee-level review of any systemic risks that those complaints might highlight. Reporting did not emphasise serious complaints, which may be a small portion of all complaints but can nonetheless represent many customers with an extremely negative experience.
- A focus on the immediacy of day-to-day issues limited the ability to develop a strong feedback loop and learn from mistakes, at the risk of missing the bigger picture or the full breadth and depth of issues. Learnings were not translated across business units in a meaningful way.
For Westpac, APRA commenced an investigation in December 2019 into possible breaches of the Banking Act 1959 following allegations by the Australian Transaction Reports and Analysis Centre (AUSTRAC) that Westpac had failed to monitor and report millions of international funds transfer instructions. “Westpac contravened the Act on over 23 million occasions. These contraventions are the result of systemic failures in its control environment, indifference by senior management and inadequate oversight by the board,” AUSTRAC said in a statement of claim filed with the Federal Court.
AUSTRAC is responsible for preventing, detecting, and responding to criminal abuse of the financial system to protect the community from serious and organised crime.
APRA’s analysis of the material concluded that:
- Westpac’s Customer Outcomes and Risk Excellence (CORE) Program was not sufficiently far-reaching to address wide-ranging risk governance gaps effectively, and carried high execution risk.
- Westpac’s non-financial risk culture was immature and reactive.
- Long-standing weaknesses remained unaddressed.
- Weak execution was a key root cause of the bank’s risk governance issues.
APRA concluded that Westpac had failed to deliver the expected risk governance improvements despite almost two years of remediation. It said that “As one of the country’s largest and most important financial institutions, Westpac should be a leader in risk management.”
A brief history of risk management
Risk management began to be studied after World War II, with modern risk management emerging after 1955. It has long been associated with the use of market insurance to protect individuals and organisations from losses associated with accidents.
After World War II, large organisations with diversified portfolios of physical assets began to develop self-insurance against risks.
During the 1960s, contingent planning activities were developed. Various risk prevention or self-protection activities and self-insurance instruments against some losses were put in place.
The concept of risk management in the financial sector was revolutionised in the 1970s, when financial risk management became a priority for many organisations, including banks, insurers, and non-financial enterprises exposed to price fluctuations. The use of derivatives as instruments to manage insurable and uninsurable risk began in this period.
In the 1980s, organisations began to consider financial management of risk portfolios. Financial institutions, including banks and insurance companies, intensified their market and credit risk management activities, and high market volatility spurred the large US investment banks to set up risk management departments.
The Group of Ten (G10) most industrialised countries signed an accord in 1988 to regulate banks (Basel I), which took effect in 1992. Operational risk and liquidity risk management emerged in the 1990s.
Risk management became a corporate affair in the late 1990s. Financial institutions developed internal risk management models and capital calculation formulas to protect themselves from unanticipated risks and reduce regulatory capital.
At the same time, governance of risk management became essential, integrated risk management was introduced, and the first risk manager positions were created.
Adequate capital reserves became a major concern in the early 2000s following major defaults in the late 1990s and the Enron bankruptcy in 2001. In the wake of various scandals and bankruptcies resulting from poor risk management, the Sarbanes-Oxley regulation was introduced in the United States in 2002, stipulating governance rules for companies. Stock exchanges, including the NYSE in 2002, also added risk management governance rules for listed companies.
All these regulations, rules, and risk management methods did not suffice to prevent the financial crisis that began in 2007. Some banks declared bankruptcy, and government and central banks had to rescue many other financial institutions.
These bailouts protected financial markets over the short term but did not solve the fundamental problems behind the crisis. It was not necessarily the risk regulation and governance rules that were inefficient, but rather their application and enforcement.
For financial institutions, a major reform of operational and credit risk regulation was agreed in 2004 (Basel II) and came into force in 2006. Many countries had not advanced far in applying it when the financial crisis of 2007 intervened.
Basel III, agreed in 2010, added new capital adequacy rules to protect banks and improve the control of liquidity risk. The accord demands even more risk management from banks and increases bank supervision. This regulation is limited to banks: pension funds and hedge funds are not regulated in most countries.
Key lessons
This has been said and written many times, and it will be said again. Organisations must move beyond compliance to a culture of engagement and accountability that inspires, motivates, and supports employees to drive business outcomes and performance. This is even more important in highly regulated industries such as financial services, where employees must learn and adhere to complex rules and regulations to keep their employers compliant with regulators.
Culture is defined as the way daily work gets done. It is the collective attitude, assumptions, purpose, and behaviours of the entire workforce.
A positive culture enables:
- Mutual trust and respect. It drives open, transparent, and regular communication and discussion, in which people are open to constructive feedback, criticism, and challenge given without fear, favour, or retribution.
- Personal accountability, rather than delegated responsibility. There is ownership of actions (or non-performance), risks, and outcomes.
- Better understanding and appreciation of outcomes, performance, opportunities, and risks. Knowing the ‘why’ is important.
- Timely and proactive action. Opportunities and risk failings are quickly detected and acted upon. There is no complacency or passing the buck; everyone has a sense of urgency and priority.
- Empowerment of every individual. People make timely decisions, seize opportunities, and take risks within defined boundaries.
- Opportunity-seeking and risk-taking within acceptable boundaries or risk appetite. There is no holding back, but true empowerment and learning.
- Learning from experiences and mistakes. People are not complacent, insular, or reactive.
- Under-estimation of the likelihood and extent of uncertainty and risk is questioned rather than accepted.
- Inappropriate behaviours are identified and managed. Everyone knows what to do about them, quickly.
- People with knowledge and information speak out. Seek people’s intent rather than commanding them to do things. In today’s environment, where information is abundant and it is not possible to know everything, trust your staff for answers and direction, and have the humility to ask. Find out what people intend and confirm it; they think and decide better that way, so don’t take that away from them.
- Integrated and embedded risk management is well-established and fully supported by management.
- Staff focus on the big picture and on identifying emerging risks from different sources of information and across business units.
It should go without saying that the best way to get the behaviours you want is to provide rewards for doing them. But you must make sure you’re not inadvertently providing rewards for behaviours you’re trying to discourage.
The unintended consequence of performance targets linked to remuneration is a focus on the short term (i.e., getting big bonuses). People become blind to emerging issues and risks that have long-term reputational consequences. When these risks materialise and the CEO is axed, or resigns to avoid being fired, he or she often walks away with millions of dollars in severance pay.
So when corporate remuneration practices reward bad behaviours as well as good ones, you will always have an immature and reactive risk culture and governance. There is no urgency to fix broken things; instead, those broken things make people richer.
When designed properly and intentionally, incentive programs can increase performance and drive organisational success. They shape people’s behaviour, highlight what is important to the organisation, and positively reinforce those who display the desired behaviours.
But when designed poorly, incentives can put an organisation’s sustainability at risk. They pay out too much, incentivise the wrong behaviours, or drive people to game the system to meet their targets and personal interests.
Used correctly, rewards and consequences can play an important role in creating a high performance and mature positive risk culture. Used incorrectly, rewards and consequences can create undesirable behaviours and outcomes.
Supportive governance arrangements
A positive culture must, therefore, be supported by the appropriate governance arrangements. Effective systems, processes, and oversight controls enable:
- Strong action-taking, execution, or implementation that seeks to address:
  - Indifference, especially by senior management.
  - Performance and risk gaps.
  - Emerging trends or threats.
  - Big-picture, strategic issues.
  - Control issues.
- How issues, incidents and risks are identified, managed, and escalated.
- Personal ownership and accountability for key outcomes, risks, and issues, especially at the executive level.
- Focus on the things that matter most. Avoid being distracted by shiny new things or management fads; quick fixes are distractions.
- Requisite space, time and permission for quality reflection, introspection, and learning.
- Transformation of overly complex and bureaucratic decision-making.
- Reporting and escalation of poor behaviour without fear, favour, incrimination, or retribution.
- Defined boundaries for opportunity-seeking and risk-taking. The financial crisis of 2007-2009 clearly showed that executives’ risk appetite is often not defined.
- An end-to-end view of risks across the value chain, so that the potential risk impacts on downstream and upstream activities are understood.
- A Chief Risk Officer (CRO) with decision-making powers and veto rights over transactions considered too risky, rather than one who passively monitors risk measurement and analysis. The CRO must report to the CEO and periodically meet with the board of directors. All important transactions must be analysed, with greater transparency and appropriate risk disclosure.
- A common risk taxonomy that can be used to aggregate and better manage group-wide or enterprise-wide risks across business units.
- The right level and depth of performance and risk reporting, with the right balance of summarised and detailed reporting. Include metrics and analysis of customer complaints, in particular customers with an extremely negative experience.
These systems, processes and oversight controls must not be cumbersome, incomplete, or over-engineered. They should work in practice, not just on paper.
The larger the organisation, the simpler its systems, processes, and oversight controls ought to be. Unfortunately, humans are good at over-complicating and over-engineering things.
Risk management must move beyond compliance and box-ticking. It must add value and be strategic, without missing the bigger picture or the full breadth and depth of issues.