Summary: Prudential Inquiry into CBA

A Royal Commission has been called to address the erosion of society’s trust in our banks and financial institutions. It has uncovered numerous failings in the provision of financial advice, questionable lending practices, mis-selling of financial products, inappropriate setting of benchmark interest rates, and compliance breaches.

The Commonwealth Bank of Australia is the country’s largest financial institution and a long-standing financial icon, renowned for its history, continued success, customer focus and technologically innovative solutions. However, over the last few years, several incidents have occurred which not only damaged the reputation of CBA but highlight a number of shortcomings in how risks and compliance obligations are managed. These incidents include mis-selling of margin loans to retail customers, misconduct by financial advisers, fees charged when no financial advice was provided, use of an outdated definition of heart attack in insurance products sold by CommInsure, and mis-selling of credit card insurance.

Hence, a Prudential Inquiry was established, with a subsequent report that outlines the shortcomings that have led to the significant issues for the business.

The most pertinent issue faced by CBA is that its continued financial success has ‘dulled the senses’ of the institution, particularly its management of non-financial risks (operational, compliance and conduct risks). The main contributors to this include:

1. Inadequate oversight and challenge by the Board and its committees of non-financial risks

Essentially, the Board of a company should be responsible for ensuring that prudent risk management and identification processes are in place, so that it can in turn provide direction to senior management. It should ensure there are no unnecessary overlaps or material gaps in the risk framework, as a lack of role clarity can result in mismanagement and failure to identify risks before it is too late. Some examples:

  • As recently as August 2017, the Board was aware of an incomplete data management framework that had not been fully implemented, which created exposure to data risk and data quality issues.
  • The CBA Board would pass on issues to the CEO to ensure a single consistent voice was delivered in internal and external communications. Because of this, the Board lacked visibility, presence and rigour.
  • A lack of urgency in holding management accountable for ensuring risks were mitigated and issues addressed quickly.

2. Unclear accountabilities: lack of ownership of key risks at Executive Committee level

Generally speaking, a well-functioning Executive Committee should operate with a sense of collective accountability, as well as individual accountability for distinct business units, and all members should have an in-depth understanding of all areas of the business to encourage healthy, constructive criticism and challenge and so avoid group-think. Some examples:

  • Historically, there was no Executive-level committee dedicated to overseeing the operational and compliance risk profile. These risks were considered periodically, but not on a regular itemised basis, which prevented CBA from forming an aggregate view of its risk profile. This has been improved as of late 2017. Evidently, Executive oversight of non-financial risks should be given the same amount of attention as financial risks.
  • Globally, non-financial risk committees have grown in popularity as a way to identify operational risk and compliance issues at senior management and Board level.
  • At CBA, risk management was dominated by a ‘tick the box’ mentality, which meant serious non-financial risks were not identified and scrutinised early enough.
  • With regard to key concerns and issues, there were several handoffs between layers and teams of the bank, which diluted decision making and strong oversight.

3. Weaknesses in how issues, incidents and risks were identified and escalated, accompanied by a lack of urgency in subsequent management and resolution

  • CBA has a “Three Lines of Defence” model to manage operational and compliance risk, the control environment, the compliance function and the conduct risk profile:
      ◦ 1st line: Business owns risk and ensures controls are in place
      ◦ 2nd line: Independent risk management policies, systems and processes to promote consistency
      ◦ 3rd line: Independent audit function (internal audit and external)
  • However, the simplicity of the model was undermined by the fact that it allowed business units to tailor it for their own intents and purposes. This resulted in the challenge of dealing with multiple models across the group and a lack of documentation about how each model works.
  • Each line of defence was inconsistent between business units and did not perform effectively, and roles and responsibilities became interchangeable between lines 1 and 2.
  • This increased the risk of gaps in the identification, measurement and management of operational and compliance risks.
  • CBA’s operational risk and compliance policies were incredibly technical, which made them difficult to implement; they have since been reviewed for simplification.
  • There are shortcomings in how CBA handled issues escalated from:
      ◦ Staff: The majority of issues are raised by staff; however, there are difficulties in identification (particularly of larger, systemic issues), escalation and resolution. Inadequate and tardy resolution of issues is tolerated.
      ◦ Customers: There has been too great a focus on short-term customer satisfaction and not enough focus on resolving extreme examples of poor customer service. There was no discussion of customer complaints, or of systemic issues arising from these complaints, in Board meetings.
      ◦ Regulators: CBA acted defensively and was unwilling to cooperate on matters raised by regulatory bodies (APRA, ASIC, AUSTRAC), rather than acting openly like other banks. A slowness or disinterest in responding to regulatory concerns was also evident.

4. Overly complex and bureaucratic decision-making processes that favoured collaboration over timely and effective outcomes and slowed the detection of risk shortfalls

  • Complacency was exhibited in the willingness of staff to accept less than optimal outcomes and attribute them to factors over which they have no control, i.e. social expectations, rising regulatory demands and unbalanced political and media scrutiny. As a result, CBA accepts explanations for sub-optimal solutions and mistakes.
  • There have been pockets of excessive consultation or consensus-driven activity, resulting in slower decision making.
  • A strong risk culture should be somewhat collaborative, with processes that are simple and efficient so that risks can be managed and understood.
  • The level of bureaucracy built up in CBA has resulted in risk management being perceived as a low-priority ‘administrative task’.

5. Operational risk management framework that worked better on paper than in practice, supported by an immature and under-resourced compliance function

  • Lack of capability for root cause analysis of customer complaints, caused by a lack of clear governance, manual processes and a lack of staff incentives related to the root causes of complaints.

6. Remuneration framework that inadequately penalised senior managers and above when poor risk or customer outcomes materialised

  • CBA’s formal remuneration framework sets financial and non-financial hurdles for determining variable remuneration, which can be adjusted downwards for incidents involving poor conduct, inadequate risk management or failure to adhere to the bank’s values.
  • Total remuneration is made up of fixed salary, short-term variable remuneration (performance-based) and long-term variable remuneration (for Executives), which is designed to incentivise employees to act in the interest of shareholders.
  • There were significant weaknesses in the implementation of this formal remuneration framework, particularly in adjusting remuneration as a result of poor risk and customer outcomes. It was rare for the CEO and Group Executives to have their remuneration reduced on risk grounds, and where it was reduced, it was only slightly.


The ‘dulled senses’ refers to inadequacy in identifying and mitigating risks, particularly non-financial risks, and the mishandling of customer grievances. The Panel believes that cultural factors are at the core of these shortcomings.

  1. A widespread sense of complacency was evident in CBA, from the top down. Its high calibre of success, being ranked top on numerous financial measures, created a belief that CBA was well run and conservative on risk. This led to over-confidence and a lack of appreciation for non-financial risk, as well as a focus on process rather than outcomes. CBA became desensitised to customer failings, tolerated risk and audit issues, and lacked financial consequences for the late delivery of projects.
  2. CBA adopted a reactive approach to dealing with risks. Operational risk and compliance issues were only dealt with once they became clear, or once reputational consequences started becoming apparent. Even then, resolution was not always timely or effective, and the risks at hand were often dismissed.
  3. CBA became insular. It did not reflect on and learn from past experiences and mistakes. Lessons from previous incidents have not been readily captured or shared across CBA. A lack of intellectual curiosity and critical thinking about the full depth of risk issues limited CBA’s ability to learn, anticipate and adapt. CBA turned a tin ear to external voices and community expectations about fair treatment.
  4. The collegial and collaborative working environment, which places high levels of trust in peers, teams and leaders, is normally seen as a redeeming quality of workplace culture. However, the desire to reach a consensus has reduced the amount of constructive criticism given and resulted in slower decision making, lengthier and more complex processes and less focus on outcomes. Executives were also reluctant to raise concerns outside of their own area. It also negatively affected accountability and individual ownership of risk issues. A lack of strong metrics, of willingness to challenge colleagues and of oversight prevented trust from being validated.

The Panel’s key recommendations on how to instigate a positive change include:

  1. More rigorous Board and Executive Committee governance of non-financial risks;
  2. Exacting accountability standards reinforced by remuneration practices;
  3. Upgrade of the authority and capability of the operational risk management and compliance functions;
  4. CBA needs to question ‘should we?’ in relation to all dealings with and decisions about customers;
  5. Cultural change from reactive and complacent to empowered, challenging and striving for best practice in risk identification and remediation.


John Colvin, Gabbie Anastasi
