Final APRA report into CBA culture released

5 mins  03.05.2018

The Australian Prudential Regulation Authority (APRA) released the Final Report of the Prudential Inquiry into the Commonwealth Bank of Australia (CBA), which examined the frameworks and practices in relation to the governance, culture and accountability within the organisation, on 1 May.   APRA writes that the 35 report recommendations 'provide a roadmap for the CBA Board and executive team to deliver organisational and cultural change across the CBA group' as well as 'important insight for all institutions particularly about the need to maintain a broad focus on all aspects of risk and stakeholder interest'.

The Australian Prudential Regulation Authority (APRA) released the Final Report of the Prudential Inquiry into the Commonwealth Bank of Australia (CBA) on 1 May 2018 following a six month inquiry into the governance, culture and accountability at the organisation. 

Overall, the report found that 'CBA's continued financial success' had 'dulled the senses of the institution' with respect to the way in which it has managed its non-financial risks [ie operational, compliance and conduct risks]' and that consequently, 'These risks were neither clearly understood nor owned, the frameworks for managing them were cumbersome and incomplete, and senior leadership was slow to recognise, and address, emerging threats to CBA’s reputation'.  

Five key areas to be addressed

More particularly, APRA states five key areas need to be improved to address the report recommendations.  These are as follows:
  1. 'more rigorous Board and Executive Committee level governance of non-financial risks;

  2. exacting accountability standards reinforced by remuneration practices;

  3. a substantial upgrading of the authority and capability of the operational risk management and compliance functions;

  4. injection into CBA’s DNA of the "should we" question in relation to all dealings with and decisions on customers; and

  5. cultural change that moves the dial from reactive and complacent to empowered, challenging and striving for best practice in risk identification and remediation'. 

Enforceable undertaking

  • CBA has acknowledged APRA’s concerns and has offered an Enforceable Undertaking (EU) under which CBA’s remedial action in response to the report will be monitored.  

  • In recognition of the prudential risks arising from the report findings, APRA has applied a $1 billion add-on to CBA’s minimum capital requirement 'until such times as these recommendations are addressed to APRA’s satisfaction'. 

  • The EU also requires CBA to report to APRA by 30 June on how the findings have been reflected in the remuneration outcomes for current and (where appropriate) past executives and to tie accountability for completing items in the remediation plan to the performance scorecards of the senior executive team (and other staff) as relevant. 

Overview of key concerns and recommendations

A high level overview of the key concerns identified in the report, and the accompanying recommendations is below.    

  • Overall the Panel found that there was insufficient focus on non-financial risk at CBA due to the continuing financial success of the organisation which 'dulled' it's 'senses to signals that might have otherwise alerted the board and senior executives to a deterioration in CBA’s risk profile' particularly with respect to the management of non-financial (operational, compliance and conduct risks) risks. 

  • Insufficient oversight of non-financial risk by the Board and Executive Committee: The Panel found a level of over-confidence in the operations of Board Committees over much of the period under review.  The report adds that a lack of benchmarking added to the issue as 'rigorous benchmarking would have indicated that aspects of CBA’s governance practices were, in fact below mature practice.'  The Report comments that the CBA has recently identified a number of areas where the governance practices of CBA can be enhanced and has plans in place to address the issues identified, many of which are in line with 'the Panel's assessment of where the Board needs to focus its attention'. 

    Recommendations 1-5 of the report relate specifically to the role of the board and more particularly to strengthening board oversight of risk management practices, aligning them with 'global better practice' for risk management and increasing engagement between the board and business unit and support function owners of significant issues. 

    Recommendation 6-8 relate to strengthened leadership oversight.

  • Shortcomings in how issues, incidents and risks were identified and escalated through the institution and a lack of urgency in their subsequent management and resolution.

    • The Report found that 'the customer voice (in particular, customer complaints) did not always ring loudly in decision making forums and product design' and were too focused on 'short term' customer satisfaction metrics rather than on resolving complaints or identifying systemic issues. 

    • The Report states that 'CBA has difficulty identifying broad, systemic issues in its businesses, including by linking sources of risk data across the institution and through analysis of customer complaints.'

    • The report identifies shortcomings in CBA’s handing of issues escalated from staff, customers and regulators and that 'CBA has had difficulty resolving identified issues as a result of organisational complacency, low senior-level oversight, and weak project execution capabilities'.

    • Recommendations 16 to 19 of the report call for the Board and Board committees to prioritise investment in the identification of systemic issues arising from customer complaints, to improve board and committee processes for monitoring and addressing issues identified, for improvements in reporting on risks in line with better practice peer organisations and for improved engagement with regulators.

  • An operational risk management framework that emphasised process rather than outcomes and 'worked better on paper than in practice supported by an immature and under-resourced compliance function'.  Recommendations 9-15 relate to strengthening risk frameworks and capabilities within the organisation. In particular, recommendation 10 requires that business unit 'Chief Risk Officers have the necessary independence to provide effective challenge to the business'.  Recommendation 12 requires CBA strengthen its management of operational and compliance risk by implementing a number of specific measures.

  • Lack of clear accountability: The report found that there was a lack of clear accountability and a consequent lack of ownership of risk, including at board committee level in the organisation.  The Panel made a number of recommendations that touch on the issue.  Recommendation 22 specifically recommends that the CBA, build on the foundation established by the Banking Executive Accountability Regime (BEAR) and incorporate the Accountability Principles set out in the report.

  • A remuneration framework that 'had little sting' for senior managers and executives for poor risk or customer outcomes (at least until the AUSTRAC action)'.  Recommendations 23 to 26 relate to measures to strengthen remuneration practices, policies and oversight.  Recommendation 23 recommends that the board exercise stronger governance to ensure the effective application of the remuneration framework, that there are pay consequences for poor conduct and that group executives 'cascade accountability throughout the group on a consistent basis'.     

 Broader implications

  • Expectation that all regulated institutions undertake a self-assessment: APRA Chair, Wayne Byres called on all regulated institutions to conduct a self-assessment 'to gauge whether similar issues might exist in their institutions' and said APRA supervisors will expect institutions to demonstrate how they have considered the issues raised in the report. 

  • Requirement that large financial institutions provide a board endorsed report: Mr Byers also said that 'For the largest financial institutions, APRA will be seeking written assessments that have been reviewed and endorsed by their Boards. 

  • 'Required reading' for every board: Commenting on the report, Treasurer Scott Morrison said: 'The report, I think, is required reading not only for every financial institution in this country, but, frankly, it should be the next item on the agenda of every single board meeting in this country, regardless of whether you're a bank or not. It goes to the heart of what responsibilities of board directors are'.

CBA response

In a statement, CBA CEO Matt Comyn said: 'We have embraced the Report as a critical but fair assessment of the issues facing us and we will act on its recommendations, and the requirements of the Enforceable Undertaking, in an open, transparent and timely way.'  Mr Comyn also apologised to the bank's customers and staff, regulators, shareholders and the Australian community.

He added that change priorities already on foot within the organisation are consistent with the report recommendations: 'Our current change priorities are consistent with the Report’s recommendations. We now have a detailed roadmap for ongoing change and we will work with APRA to ensure we implement all of the Report’s 35 recommendations.' 

In support of this, the CBA statement included a table demonstrating the similarities between the five 'levers of change' identified in APRA's enforceable undertaking (the five areas that need to be improved to address the 35 recommendations in APRA's report) and CBA change priorities.   

CBA Chairman Catherine Livingstone confirmed that addressing the report findings would be a key priority, 'Addressing the findings of the Report is a key focus for the Board and management to ensure that our governance, culture and accountability frameworks and practices are significantly improved and meet the high standards expected of us.'

The statement adds that:

  • CBA will release its third quarter trading update on 9 May and in early July, subject to finalisation with APRA, CBA will provide a public update on its agreed remediation plan. 

  • An estimate of the expected financial cost of the program for the 2019 financial year will be included in the CBA's annual results announcement on 8 August. 

  • CBA 'remains in a strong financial position'. 

CEO to forgo short term bonus for 2018

Separately, CBA released the transcript of a video interview with Mr Comyn in which he said that he had asked the board to cancel his short term bonus for 2018.  Mr Comyn explained that 'There has to be clear consequences for failure to exercise and fulfil those accountabilities. And one small example of that is since coming into the role, actually a few days after my appointment, I did form a view that it would be inappropriate to accept a short term incentive this year, it is a conversation I had with the Chair in February and then with the full Board in March. And for me this is only one small step in demonstrating that accountability and the steps that are going to be required are going to be different this time round'. 

[Sources: APRA media release 01/05/2018; Prudential Inquiry into the Commonwealth Bank of Australia (CBA) - Final Report; Enforceable Undertaking given by the Commonwealth Bank of Australia (CBA) and accepted by Australian Prudential Regulation Authority; Prudential Inquiry into the Commonwealth Bank of Australia (CBA) - Terms of Reference; CBA ASX Announcements: 01/05/2018; Transcript of video Interview with Matt Comyn 01/05/2018; Treasurer Scott Morrison transcript 01/05/2018; [registration required] The AFR 01/05/2018; 01/05/2018; 01/05/2018; Bloomberg 01/05/2018; The Guardian 01/05/2018]


We are a fully vaccinated workplace.

Playing our part in creating a safe workplace and communities.