The CBA APRA Report: “required reading” for all directors


    The Australian Prudential Regulation Authority (APRA) has released the Final Report of the Prudential Inquiry into the Commonwealth Bank of Australia (CBA).

    The 111-page report, released on 1 May 2018, has been described by Treasurer Scott Morrison as “required reading” for every board member in the country. You can access the whole report here.

    The report follows an APRA inquiry into governance, culture and accountability within the CBA group, initiated after a number of damaging public incidents involving the CBA, including, most notably, the AUSTRAC anti-money laundering proceedings.

    The CBA has agreed to implement all 35 recommendations made in the report.

    APRA Chairman Wayne Byres observed that "the findings of the report provide important insight for all financial institutions, particularly about the need to maintain a broad focus on all aspects of risk and stakeholder interest and not allow financial success to mask or detract from other important measures of an institution’s performance and risk profile."

    Many of the issues raised by APRA are issues that can, at times, face any board or organisation. For this reason, directors should carefully consider these findings in light of their own organisations, with a view to assessing whether change is necessary.

    Wayne Byres also said that the CBA had itself identified and begun taking positive steps to address many of the issues raised by the report.

    What can directors take from this important report?

    1. Risk governance

    According to APRA’s report, the CBA board lacked rigour and urgency in dealing with non-financial risks. For instance, APRA noted that CBA’s board agenda was “relatively static”, and did not sufficiently escalate non-financial risks to the level APRA expected.

    In addition, APRA’s report identified inadequate reporting of risk to the board. APRA found that while the CBA board received regular reports of regulatory matters which had already been identified, it was not receiving an adequate picture of CBA’s overall risk profile. Nor was it being provided with detail on the trajectory of risks, or on new and emerging risks.

    APRA also identified a tendency of management to over-emphasise positive news to the board, while de-emphasising bad news.

    Insights for directors

    • Directors should consider whether non-financial risks are being adequately considered and discussed at board level.
    • Directors are entitled to expect management to consider and report on the overall picture of the risks facing the company, including any new and emerging risks.
    • Senior management should be encouraged to not simply ask whether an activity is allowed under regulation (“can we?”), but whether it is ethical and appropriate (“should we?”).
    • Directors should consider whether compliance has sufficient status and authority within an organisation, including making the appointment and removal of the head of compliance subject to approval by the board Risk Committee.
    • For further discussion by APRA on risk governance, see particularly Section A.2 of APRA’s report (pages 12 – 21).

    2. Holding management to account

    The APRA report represents a timely reminder to all directors that while collaboration and collegiality with management is important, a board must always hold management to account.

    In relation to the CBA board and committees, APRA observed that the “gravitas” and particular eminence of two key individuals (including the former Chief Risk Officer) had tended to stifle debate on the Board Risk Committee, thereby limiting its effectiveness.

    Such a situation may not be unfamiliar to many directors, and needs to be proactively addressed at board level.

    In another example, APRA observed gaps in reporting and metrics to directors, which limited board and committee effectiveness. For instance, APRA observed that the CBA board was not receiving alerts on individual incidents or themes that might indicate an underlying or emerging risk or issue that might have reputational consequences. Positive aggregate customer satisfaction metrics tended to obscure board visibility of complaints from customers who had extremely negative experiences.

    Nor was the Board Audit Committee receiving detailed reports of “red-flag” audit issues, but instead was only provided summaries.

    On the other hand, APRA was positive about an increasing philosophy within the board of “don’t tell me, show me” to ensure that trust placed in management teams is being verified.

    Insights for directors

    • In holding management to account, boards and committees should aim to embrace the philosophy of “don’t tell me, show me”.
    • Boards must actively self-assess board and committee performance, as well as engaging external assessment where appropriate.
    • Directors should enhance attention to customer satisfaction by regularly discussing trends in customer complaints, and requiring sophisticated customer metrics.
    • Directors must end any organisational tolerance for any ineffective or untimely resolution of significant matters of concern.
    • For further discussion by APRA on accountability, see particularly Part A.5 (pages 37 – 46) and B.7 (pages 58 – 64) of the report.

    3. Remuneration

    The role of directors in setting down clear guidance on how staff are remunerated is a critical component of good governance.

    Critically, APRA observed that the Board Remuneration Committee had not provided clear guidance on its expectations of how managers should exercise their discretion when considering a reduction to remuneration for poor risk outcomes.

    APRA also observed that CBA’s remuneration structure lacked an upside for sound risk management, despite examples globally of a trend towards this practice.

    Insights for directors

    • Directors should consider whether their expectations regarding remuneration are clear.
    • Directors should also consider whether remuneration is being appropriately adjusted for poor risk and compliance outcomes within the organisation, and conversely, for sound risk management.
    • For further discussion by APRA on remuneration, see particularly Part B.8 (pages 65 – 79) of the report.
