Commonwealth Bank "have not had a thorough enough identification of compliance obligations", David Cohen, the bank's chief risk officer told the financial services royal commission yesterday.Pressed by Kenneth Hayne, the commissioner, a reflective Cohen said "the issue that we have faced in the past is we have not had a thorough enough identification of compliance obligations."One of the things that we are addressing at the moment, as part of our revamped compliance team, is to establish a compliance register for every single business and support unit, so that it is very clear exactly what obligations must be met."I think, Commissioner, it is probably fair to say that we have lacked compliance policy to some degree. We did have compliance policies, of course, but I do think we needed a degree more compliance policies to deal with issues and then, as I mentioned, a much greater level of detail about what obligations needed to be met."Cohen told Hayne of the recent prudential report on the bank issued by APRA: "you will be aware of the focus there on the organisation asking itself the question: 'Should I?'"And I think that is a return to a very important basic element that, in that layering that I've just referred to, has sometimes I'm afraid been a bit lost. And again, I don't think it's deliberate on any part, but I think it has been the result of an accumulation and maybe a case of not seeing the wood from the trees, to a certain degree."Hayne challenged Cohen to explain CBA's difficulty, back in January, to respond in a comprehensive manner to the commission's demand for a catalogue of instances of misconduct.The risk insight tool at the bank, Cohen said, "seeks to be the sole repository; it unfortunately has not always been. It is highly dependent on people logging issues into that tool. "That is partly the function of the risk management team, partly the function of business people."Cohen said he bank had "great difficulty [with] the ability to use that risk insight tool in order - for example, to search and therefore get and deliver a report on instances of misconduct."He said that "that's not the detail of risk insight that I want to stay on. [My goal] is to move from that to an understanding of control of regulatory and reputational risk."Cohen elaborated that: "I think the other thing it tells you is that the forums, the governance forums, whether it be at management or board level, for escalating and bringing to attention reputational and conduct issues has not been strong enough in the past. "And such a forum, and all of the lower level forums that feed up into it, would provide a better flow of information, a better flow of escalation of serious issues, reputational issues and conduct issues."I think it also would lead to a better ability to aggregate, because one would have records of meetings and issues put before meetings and be able to aggregate all of those looking