Something appears to be very wrong with risk management at the Commonwealth Bank (CBA), and the problem cuts right across the bank. There have been risk management failures in its retail (money laundering), institutional banking (foreign exchange and bank bill swap rate benchmark manipulation) and wealth management (the Comminsure scandal) arms.
This tsunami of scandals helped to trigger the Financial Services Royal Commission which will examine banking misconduct.
And the responsibility, the accountability, for risk management starts and stops with the bank’s board.
In presenting its 2018 half yearly profits, the CBA board announced that the bank had set aside provisions of A$375 million in anticipation of a penalty resulting from failures to properly implement anti-money laundering controls.
In the media conference following the appointment of Matt Comyn as the new CEO of CBA, the chair of the bank’s board, Catherine Livingstone, admitted that, while it was:
…entirely appropriate to share a collective accountability for the issues that we have had… [that] the processes around operational risk management and compliance risk management…is where we have not performed as we should have.
In his first media conference as CEO, Mr Comyn, not surprisingly, concurred with his new boss.
And it became unanimous a few days later, when the progress report of the Australian Prudential Regulation Authority’s Prudential Inquiry Panel into the culture at CBA stated that its investigations were being focused on “capabilities and accountabilities for risk management in the organisation, particularly for operational, compliance and reputational risk”.
How the CBA manages risk
CBA’s latest annual report describes in some detail the risk management framework that is supposed to direct risk management across the bank. The framework, which incorporates the requirements of APRA’s prudential standard for risk management, comprises three main components: a risk appetite statement (which describes the types and maximum levels of risk that the board is willing to accept), a three year rolling group business plan and a risk management strategy.
The bank’s risk appetite is formulated by the Board Risk Committee, approved by the board, and dictates the levels of risk-taking in each business line.
In practice the bank follows what is called a Three Lines of Defence model. The so-called first line of defence is business management, which is responsible for the effective implementation of the board-approved risk management framework.
The second line is a separate group of staff with specific risk management skills who develop and monitor the risk management process. The third and last line is an independent group that acts as the internal audit function.
CBA is a large and complex organisation, and naturally there is a large, complex risk bureaucracy. This is detailed in the bank’s latest risk report.
However, APRA is clear that the board should take ultimate responsibility.
The lines of defence are clearly broken. If there had been one, or maybe two, risk management failures at CBA, you could put it down to complexity, teething problems or just bad luck. But over the last decade there has been a catalogue of bad risk decisions affecting the bank’s customers, shareholders and the Australian financial system.
After the first few failures, surely the effectiveness of the risk framework and the three lines of defence should have been questioned and remedial action taken? Apparently it was not, and there is now frantic action by the people responsible, the CBA board, to do something (anything) about it.
In the media conference, Catherine Livingstone and the new CEO repeatedly talked about “collective accountability” and tried to defuse the severity of the situation by talking about “organisation wide” and “culture” issues, as if even the staff in the bank’s branches were somehow to blame.
In fact, in the case of money laundering through ATMs that has drawn the ire of AUSTRAC, it was the first line business staff in the branches who raised the alarm. Their warnings were not taken seriously. To claim that the lower-level staff are somehow “collectively accountable” is bordering on the bizarre.
The accountability for the risk management failures is indeed spread far and wide, but it is first and foremost the joint responsibility of the board and the executive committee. The knee-jerk reaction of cutting a few bonuses is insufficient.
Someone on the board of the bank has to resign or be fired. Where failures are detected, bonuses already paid out, for example to recently retired board members, should be clawed back.
And going forward, the three lines of defence must become a real protection for customers rather than a convenient pretence, and APRA must ensure, for customers’ sakes, that the three lines are operating effectively in all large financial institutions.