Observations from the Prudential enquiry report into the CBA

“Effective risk governance focuses on the quality, independence and reliability of the internal processes adopted by… an organisation… to manage its risks.  It encapsulates not only the role, responsibilities and functioning of the Board in relation to risk governance, but also the adequacy of the internal structures, operational controls and procedures to manage risk throughout the… organisation…”

The primary focus of an effective organisation must be governance, accountability and culture.


The lesson from the CBA experience is that the board must question and challenge management, down the line.  Constructive engagement with regulators, viewing them as a source of help rather than as adversaries, will assist in resolving risk- and customer-related issues in a timely manner.

Non-financial risks must be treated as seriously as financial risks.  Boards should monitor regular risk assessments and ensure risk profiles are up to date.  Ensure risk appetite is well defined and understood and is communicated throughout the organisation.

Establish effective protocols for escalation of issues.  Ensure the board has the right information to enable it to act or advise on operational and compliance matters.  The board must be rigorous and visible in dealing with such issues.  Defined metrics and analysis around customer complaints will increase board engagement with customer feedback.  Underlying or emerging risks that might have reputational consequences can be signalled through such information.


“Effective accountability mechanisms will encourage the prompt identification and escalation of new and emerging risk issues, and will have clear consequences for not doing so.”

Ensure delegations are clear and responsibilities are well understood.  Review annually.  In conjunction with the CEO, ensure control functions within the organisation have clearly delineated responsibilities for the identification, monitoring and management of risk.  Consequences for adverse outcomes when risk management fails must be clear and enforced.  Ensure regular and timely reporting to the board from relevant executive team members.  Boards should question and challenge management in a respectful manner.

Committee reporting to the board must include greater detail on risk issues.  Remuneration committees must work harder on their recommendations – who, how, why?  Fuller minutes must be kept in board meetings to evidence engagement around culture and risk.

“A sound risk management culture requires a sense of ‘chronic unease’, with staff at all levels continuously looking out for current and emerging risks and improving the business.”


Good intent is not enough. People must apply the right standards and do their jobs properly. The onus is on boards and management to improve culture and performance – regulation alone will not fix it.

Boards must spend more time reviewing indicators of culture. Discussion at board level of vision, mission and values will enable directors to determine the culture they wish to foster. Desired cultural norms require constant reinforcement, so directors must be more visible within their organisations, and they must learn and understand their industries.

Time to think:

There must be an escape mechanism from the “busyness” of modern corporate life to allow directors, executives and staff time to think.

At all levels of the organisation there must be time for:

  • Reflection, introspection and learning
  • Self-reflection and questioning
  • Constructive challenge and cross examination

Seven questions for directors to ask themselves:

  1. Do we set the right tone from the top?
  2. Do we have a good measure of culture?
  3. Is our cultural dial moving from reactive to challenging?
  4. Is the voice of the customer heard at the board table?
  5. Are remuneration policies in place and appropriate?
  6. Do we rely too much on committees?
  7. Is there enough industry and operations experience at the table?

Global emerging best practice suggests that:

  • Diversity in board makeup and differing perspectives are critical for healthy challenge.
  • Technology can enable directors to use high level “dashboards” for more granular metrics and data that will facilitate debate, challenge and discussion.
  • Directors should work towards seamless communication between board committees.
  • Establishment of a non-financial risk committee can assist in evaluating non-financial risk such as potential reputational damage.
  • Remuneration committees must have the knowledge and expertise to challenge the executive remuneration process and make adjustments.