On 30th of April 2018, the Australian Prudential Regulator APRA released its report into Commonwealth Bank (CBA). Based on various incidents impacting on CBA’s reputation, APRA deemed it necessary to initiate the inquiry. Aim was to evaluate reasons which led to these incidents. The assessment resulted in 35 distinct recommendations for three themes:
Governance: The assessment found room for improvement for the role of the board, senior leadership oversight, management of risks & compliance, alignment of financial objectives & other priorities as well as issue identification & escalation.
Accountability: The report lists various recommendations to improve on personal and collective accountability. Furthermore, the link between accountability and the remuneration framework needs to be reinforced.
Culture: The document elaborates on findings as well as subsequent recommendations for improving on leadership and underlying culture.
During the review, CBA initiated various transformation programs to address some of the findings. However, the final report casts some doubts on organisational capabilities to deliver on these programs. In answer, the bank consolidated all programs into one transformation program led by the CEO.
While CBA already initiated necessary organisational changes to improve on Governance, Accountability and Culture, the question arises how other financial service institutions are prepared to meet APRA’s expectations.
Readiness Assessment Criteria
In order to evaluate whether an organisation is meeting APRA’s expectations, following key components are suggested to assess organisational readiness (see figure below).
Each of the building blocks addresses at least one of the three themes Governance, Accountability or Culture but all are intrinsically correlated.
Risk Management System
A single risk management system must permeate the entire organisation, i.e. it is used by all business lines and supporting functions. This system needs to possess sophisticated aggregation capabilities in order to address reporting needs for different hierarchy levels ranging from team to board level. The aggregation functionality must also comprise drill-down capabilities for single risk reviews on all hierarchy levels.
Program and Project Portfolio Management
A sophisticated program and project portfolio management mechanism is a direct reflection of the organisational capability to deliver on large & complex business transformations especially if multiple business lines are impacted. Such a mechanism should be able to answer following questions:
- Which internal/external customer benefits can be realised?
- Are these benefits more important than others?
- Which resources (e.g. personnel, budgets etc.) are required?
- Is it the right time to allocate resources to a certain program / project and for how long are these resources used?
- Are promised benefits realised within the planned timeframe and budget?
- Are interdependencies and interlinked outcomes managed appropriately?
The mechanism comprises two parts:
- Pipeline Management and
- Execution Management
Pipeline Management prioritises incoming programs/ projects according to their urgency and importance. Criteria for determining urgency and importance include financial and non-financial impacts (e.g. risks) arising from executing them later or not at all. The standardisation of the assessment process increases comparability of programs / projects simplifying their prioritisation.
Execution Management and its standardisation ensures sophisticated portfolio management. This includes enhanced monitoring and reporting capabilities on single program / project as well as portfolio level. Furthermore, it must be possible to manage interdependencies, interlinked outcomes as well as scope creep for cross-functional initiatives.
Outcome / benefit status and progress must link back to respective items in the risk/ compliance management system.
Compliance Management System
A single policy and regulatory requirement management system is required which permeates the entire organisation. It should permit easy access to policies according to business line applicability, release & effective date, correlation to other policies etc. Such system standardises the consultation and release phase for existing and new policies. Granted policy exemptions can be managed easily and documented accordingly. Information about breaches and incidents must link back to the risk management system and, where applicable, to the program / project portfolio management mechanism.
Non-financial Risk Taxonomy
Management of specific risks such as market or credit risks is usually well understood and managed in a financial institution. With the rise of new technologies, cost pressures and other factors, non-financial risks increase as well. However, non-financial risks are usually less well understood, sometimes understaffed and managed in silos, i.e. each business line manages its own risks leaving cross-business risks potentially unmanaged. To address this, a standardised non-financial risk taxonomy is necessary. The standardisation enforces treatment of similar risks in different business lines in same way. It also eliminates redundancies in responsibilities as well as controls. A non-financial risk taxonomy also standardises data collection and aggregation for the reporting process.
Customer Complaint Process
Customer complaints are a reflection of potential issues within the organisation. In order to identify and assess inherent risks, a detailed complaint analysis is required. Furthermore, regulatory expectations go as far as saying that a service needs to be provided for the community – not only in compliance with regulatory requirements (“Should We” vs. “Can We”). Therefore, a sophisticated customer complaints analysis and management process is needed. Complaints, shortcomings and mitigating activities should be incorporated in respective reports prepared for various hierarchy levels. Furthermore, they must be reflected in the risk /compliance management system.
Three Lines of Defence Model
Together with the standardised taxonomy for non-financial risks, the Three Lines of Defence Model ensures appropriate risk & compliance management throughout the organisation. A working Three Lines of Defence Model includes clear understanding of risk ownership which needs to be enforced from the top down. Furthermore, accountabilities and responsibilities of roles need to be defined, documented and communicated throughout the organisation.
To ensure that the first line of defence can be challenged, the Chief Risk Officer must be independent from business. However, in order “to bridge the gap” between the first and second line, risk and compliance professionals require an in-depth understanding of the business – potentially coming from that business complementing their competence profiles with risk or compliance expertise.
In addition, the independence of the third line of defence – Internal Audit – must be ensured, i.e. the Head of Internal Audit reports directly to the board. Consequently, first and second line of defence activities can be reviewed and challenged objectively.
Risk behaviour and its consequences on the organisation (positive or negative) should be reflected in the remuneration of individuals and teams. The entire incentive system must be aligned to strategic objectives including risk/compliance management and customer outcome.
Organisational attitude towards Accountability, Governance and underlying Culture should be demonstrated and communicated from the top down starting with board. This includes organisational values, constructive challenge and appropriate conflict resolution. Furthermore, discussions and decisions regarding identified risks need to be part of all decision-making processes. Communication along these criteria prevents complacency and group-think. Furthermore, communication with the regulators should be proactive and constructive. Evidences must be available in verbal or written communication.
Connecting directly to communication, the board needs to ensure visibility and “Walk the Talk”. Senior management must enforce individual as well as collective accountability and encourage constructive challenge as well as debate. In addition, appropriate governance mechanisms need to be in place to
- identify, assess and manage cross-functional risks
- track and manage execution of the project / program portfolio
- ensure timely and suitable issue closure.
Evidences should be available in committee charters, agendas, minutes and reports.
While proposed criteria cover all major themes of APRA’s expectations regarding Governance, Accountability and Culture, other factors must be considered as well. Examples include:
- strategic alignment of risk/compliance considerations and their integration into daily business
- data governance, information security and preservation of privacy
- hiring criteria for professionals for risk / compliance management and business transformations
Taking these assessment criteria into account:
Is your organisation meeting APRA's expectations regarding Governance, Accountability and Culture?
 Source: Prudential Inquiry into the Commonwealth Bank of Australia (CBA) Final Report on 30/04/2018
 It must be possible to aggregate the portfolios for different organisational units and hierarchy levels.