APRA Report - Much for boards to reflect on

APRA's report into the Commonwealth Bank of Australia (CBA) issued in May 2018 caused quite a stir in corporate Australia, leading to an inquiry into other financial institutions by regulators on both sides of the Tasman. The report gives boards of all shapes and sizes in New Zealand (and elsewhere) plenty of food for thought. It's not a report that only banks and bank boards need to read. On its release the Australian Treasurer (now its Prime Minister) was quoted as saying the report should be an agenda item on every board's agenda in Australia. The same could be said for New Zealand boards.

The report is lengthy, and there are many lessons to be drawn from it. Mettle has provided take-outs which boards in New Zealand should be reflecting on.

MEttle Take-outs

The Panel found that CBA's continued financial success dulled the sense of the institution to non-financial risks. There was a sense at all levels of the organisation that CBA was well run, it was an icon and that it was inherently conservative on risk. In the environment of continued financial success two voices became harder to hear – the “voice of risk” particularly for non-financial risks and the “voice of the customer” in particular customer complaints.

Questions for successful New Zealand entities: Is your organisation's financial success dulling your sense to non-financial risks? Do your people listen to the voice of the customer sufficiently? Do you focus predominantly on financial results? Are you meeting guidance, market expectations or budget? Is your focus on this so great that you don’t stop to really assess the non-financial risks that the need to deliver financial metrics might create? Do you focus on net promoter scores rather than looking to see if there are systemic issues in customer complaints?

The panel found that CBA had a culture of complacency from the top down, and was reactive rather than proactive in dealing with risks. Operational risk and compliance issues tended to receive attention only once they had emerged clearly or reputational consequences began to show. When attention was given it was not always timely or effective. The panel said there was “a slow”, legalistic and reactive, at times dismissive, culture which characterised many of CBA's dealings with regulators. It said that “taken together, complacency and reactivity led to a sense of “chronic ease” in CBA, rather than “chronic unease” that has proven effective in driving safety cultures in other industries.

Questions for successful entities are: Has your financial or other success made your organisation and your board complacent? Do you have “chronic unease” about non-financial risks?

The Panel said that CBA had become insular, did not reflect on and learn from experiences and (its own and others) including at board and senior executive levels. It said lessons from previous incidents had not been readily captured or shared across CBA. It said that CBA had turned a tin ear to external voices and community expectations about fair treatment.

Question for all entities: Does your organisation learn from its own and others' mistakes and experiences? Does a non-blame culture (considered a positive attribute of good culture) mean lessons are not really identified and learnt? Does your organisation have a “tin” ear to external voices and community expectations?

The Panel noted that one of CBA's cultural traits was it's “collegial” and collaborative working environment… which places high levels of trust in peers, teams and leaders. Reinforcing this is the significant value placed on the “good intent” of staff. These are positive elements of a sound culture. However, they have a downside. Pursuit of consensus has lessened constructive criticism and led to slower decision making, lengthier and more complex processes and a slippage of focus on outcomes. It also impeded accountability and the individual ownership of risk issues. Trust has not been continually validated through strong metrics, healthy challenge and oversight. Good intent has been too readily used to excuse poor risk outcomes.”

Questions for all entities: Does your organisation deal with risks proactively or realistically? How constructive is your relationship with regulators? Are your decision making processes more complex than necessary because of a desire to be collaborative? Does good intent mean you take the eye off the ball from an accountability perspective? Do you excuse poor risk outcomes when good intent existed?

The Panel found that the former CEO sought to empower business unit leaders to run their own businesses. The Panel noted that “In and of itself, this can be a good thing. However, when combined with an atmosphere of collegiality and high levels of trust in peers, it resulted in a lack of healthy constructive challenge within the Executive Committee and an inclination for Group Executives not to raise concerns outside their own area, at least until those concerns had risen (above the water line) in terms of materiality.”

Questions for all entities: Does your organisation's structure and culture – which undoubtedly includes empowering your leadership team – result in a lack of collective responsibility for the business's overall risk?

The Panel made a number of critical observations of CBA's risk management and compliance function. Amongst its recommendations to address the criticisms levelled, the Panel recommended that CBA strengthen its management of operational and compliance risk. It also recommended elevating the stature of the compliance function by making the function a member of the Executive Committee, making their appointment and removal subject to approval by the Board Risk Committee and ensuring they have direct access to the board.

Questions for all entities: Where does risk sit in your organisation? How do you signal through the existence or non-existence of a risk officer and that person's status in the organisation the importance you place on identifying, controlling and mitigating risk? Not all organisations will be of sufficient size or scale to have internal legal or risk resource. Where this is the case how do you resource risk, identify risk, mitigate and control risk?

The Panel noted that banking at its most basic level is predicated on community trust and the fastest way to erode such trust is to “fail to do the right thing” by its customers. It noted that banks are increasingly judged not by reference to the sum total of customer interactions but rather by reference to the fairness of outcomes for their most exposed customers. The Panel noted two examples of trade-off decisions being made in which financial objectives were implicitly prioritised over the “customer voice”. The “can we” question won out over the “should we” question.

Questions for all entities: Most businesses rely on “trust” – trust from customers – without which there is no business. Does your organisation truly put the customer at the centre of decision making? In designing and selling products or services to customers, does your organisation approach sales from the perspective of “can we?” or “should we?”. Does the desire for strong financial performance result in your people's judgement on sales being clouded?

The Panel found that CBA's application of its remuneration policies did little to reinforce accountability and effective risk management across the group. It noted that: “Until recently, the CBA Board had not held senior leaders to account for adverse risk and compliance outcomes that occurred under their watch. A willingness to excuse poor risk outcomes with limited consequence for executive remuneration has undermined the usefulness of variable remuneration schemes as a tool for promoting prudent risk-taking behaviours and fostered a culture of entitlement over one of genuine accountability.”

Questions for all entities: Does your remuneration system operate differently between senior management and lower level employees? Are there no real consequences for poor risk outcomes for senior executives but a sting in the tail for lower level employees?

Among the findings the panel made were:

  • Gaps in communication between committees despite overlapping memberships;
  • Instances of a lack of candour from management in messaging to the board and its committees;
  • Overconfidence in the effectiveness of the board and its committees, and lack of genuine bench markings;
  • Immature oversight of CBA's risk culture;
  • Prior to the appointment of the new Chair, the board's agenda was relatively static and not tailored to the issues, risks or focus areas that demanded attention. Face to face meetings between the former CEO and Chair were not sufficiently frequent to develop a targeted agenda or to understand the most pressing items on which the next meeting needed to focus;
  • Reports to the board from its committees were the final item on the agenda, with this time allotted often being insufficient due to overruns in prior items.

The questions this raises for boards are:

  • Is there good communication between committees on issues relevant to them?
  • Is your management team candid with the board about issues?
  • Are you over confident in the effectiveness of your board and subcommittees?
  • Is there sufficient engagement between the Chair and CEO so the Chair really understands the most pressing items which should be put on the board agenda?
  • Are your meetings conducted to allow subcommittees to properly perform their role?

How would your organisation stack up?

One of the points the Panel made in its report was the opportunity to learn from others mistakes. CBA is a highly successful organisation and makes a significant contribution in Australia and New Zealand. If APRA found issues inside an organisation of CBA’s stature, how would your organisation stack up if it conducted a review?

Every board in New Zealand has an opportunity to learn from APRA's report

MEttle recommends every board takes the time to reflect on the shortcomings the Panel found, the recommendations it made to CBA and ask itself how its organisation measures up. If changes should be made then seize the opportunity to create and protect shareholder value in your organisation.

Who can help

Download MEttle Ten

MEttle, a collection of stories and interviews with influential New Zealand business leaders, curated by MinterEllisonRuddWatts.

Read Now

Related Articles