Major bank acknowledges GAC ‘shortcomings’ to regulator

In June 2018, APRA requested that Westpac, together with other large financial institutions, perform a self-assessment of governance, culture and accountability.

The regulator had requested 36 banks, insurers and superannuation licensees to reflect on the censorious findings of the Final Report of the Prudential Inquiry into Commonwealth Bank of Australia (CBA) to see whether issues similar to those raised in the report of the Prudential Inquiry might exist.

While the prudential regulator released a 28-page information paper summarising the self-assessment efforts of the nation’s largest financial institutions in May (which concluded that there are material weaknesses in the management of non-financial risks across the industry), Westpac has this week publicly released its self-assessment for the first time.

The 131-page report, which was submitted to APRA in November last year but was released publicly on Thursday (11 July), was undertaken by a joint team of Westpac employees and consultants from global management consulting firm Oliver Wyman.

Report findings

While the report suggested that Westpac’s governance, accountability and culture settings, in their totality, “generally support sound management of the group’s non-financial risks”, there were a range of “shortcomings and opportunities to enhance frameworks and practices” identified in this report.

These shortcomings included:

• An organisational tendency to cultivate complexity. “To achieve satisfactory outcomes amidst this complexity, there is too often reliance on personal networks, critical employees and ad hoc workarounds. The inefficiencies and the opportunity for errors in this, including in risk management, are obvious,” the report read.
• A tendency to privilege upfront conceptual work over execution and implementation. The review team stated that this manifest as “a fading of focus” from idea to action. “Consequences include an execution deficit, delayed and inadequate embedding of change, additional cost and a lack of accountability for outcomes.”
• An organisational imperative for safety. The report suggests that the recession of the 1990s pushed the bank into “near insolvency”, which had in turn “made Westpac sceptical about becoming involved in things that it didn’t fully understand or which did not seem to make sense”. While the team suggested there were benefits to this approach, the counter was an inhibition of “proper empowerment of employees by unnecessarily restricting decision rights, leading to gaps in individual accountability and an overweighting to matrix-managed collective decision-making” as well as “undue caution” quashing those speaking out about risk issues.

However, Westpac’s review team concluded that these issued “do not aggregate to a level of significance that would call into question Westpac’s fundamental ability to manage non-financial risk”.

According to the review team, Westpac’s management of non-financial risks across all lines of defence was “generally less mature than its management of financial risks”, which it says were “likely near, or at, the root cause of many of Westpac’s non-financial risk-related issues”.

While acknowledging that the bank found “a lack of clarity on accountabilities and consequences, and challenges in rapidly identifying, prioritising, escalating and remediating issues” – as was the case in the Prudential Inquiry into CBA – it concluded that there was no prominent “sense of chronic ease, complacency and certain governance-related issues”.

The report reads that while the report is not intended to “excuse or mitigate misconduct at Westpac”, the bank “must not allow efforts to mature its non-financial risk capabilities to detract in any way from its financial risk management capability”.

Recommendations

The review team recommended establishing an “overarching, cohesive program” that runs group-wide and should be sponsored by the CEO and overseen by the executive team and the board risk and compliance committee over a period of several years.

This program, the report said, should be structured around five streams, each with an accountable executive. These are: board and executive governance, risk and compliance, customer, remuneration and accountability, and culture.

The swathe of recommendations put forward by the review team included: 

• Completing and rolling out further risk training and education programs
• Developing one common process to regularly review, assess and test the effectiveness of controls to manage non-financial risk
• Implement a conduct risk program to instil a “Should we?” consideration in group-wide decision-making and “reinforce the centrality of the customer”
• Ensure accountability for the timely and effective closure of issues, including enhancements to remuneration and consequence management frameworks
• Establish a single, group-wide approach to manage whistleblower investigations
• Increase group executive attendance at enterprise portfolio oversight committee meetings and enhance oversight of associated delegations

Commenting on Thursday, Westpac Group CEO Brian Hartzer said: “The CGA self-assessment was a valuable exercise. We acknowledge the need to improve non-financial risk management and oversight and we are working to resolve the issues raised. 

“Our board and senior executives are committed to addressing the shortfalls identified in the report and will continue to provide regular updates on our progress.” 

Westpac group chief risk officer David Stephen is now said to be leading a program of work, overseen by the board, to implement the self-assessment’s recommendations. 

According to Westpac, around 20 per cent of the recommendations have been implemented to date.

[Related: CBA weaknesses ‘not unique’ in industry: APRA]