Westpac’s multi-year project to fix its risk governance, the CORE program, is complete, with independent reviewer Promontory Australia reporting that the bank has delivered all activities under the program.
Westpac chief executive Peter King said the bank would be talking to APRA and was hopeful that a capital charge related to the program would be removed at some point in the future.
King said the bank would work on ensuring the sustainability and effectiveness of the changes this year and in future implement a program of “continuous uplift” to continue the development of the bank’s risk management practices and risk culture.
The bank started CORE following AUSTRAC’s finding in 2019 that its anti-money laundering process was badly flawed. AUSTRAC alleged that the bank breached anti-money laundering obligations on 23 million occasions. The Federal Court approved a A$1.3 billion fine.
In December 2020, APRA said that CORE was falling short. Westpac gave the regulator an enforceable undertaking to “lift substantially its efforts to address risk governance deficiencies”, agreeing to submit a detailed integrated plan outlining all major remediation activities related to risk governance, with clear timelines and accountabilities.
It turned into a massive project, with 354 separate “design, implement and embed activities.”
Westpac released Promontory’s twelfth and final report yesterday. It said: “Completing CORE is a major achievement for Westpac. The program is one of the broadest and most ambitious risk transformation programs of its type and required significant commitment, resources and engagement from all parts of the bank.”
Promontory said Westpac risk governance has been substantially improved, making it a stronger bank. Risks are better identified, recorded and managed. Risk culture and desired behaviours are now consistent features of board and executive committee discussions and a focus of divisional priorities.
It was a very different situation a few years ago. A statement of agreed facts and admissions presented to the Federal Court by AUSTRAC and the bank said Westpac’s failure was the result of technological failings, management uncertainty as to which arrangements were in place, insufficient post-implementation review to confirm that reporting was taking place, and an absence of appropriate end-to-end review, assurance and oversight.
APRA got involved because it was concerned about the bank’s progress in fixing weaknesses that include “an immature and reactive risk culture, unclear accountabilities, capability shortfalls and inadequate oversight.”
One problem identified in the process was that the bank’s organisational structure was too complex. This introduced inconsistencies in the way risk was managed across the bank, made execution difficult and created confusion about policies and practices.
“Westpac’s tendency to perpetuate complexity by introducing, among other things, new committees led to capacity and execution constraints and a lack of clarity in accountability and introduction of additional risk,” one report said.
Yesterday’s Promontory report said: “Westpac now operates under a ‘line of business’ construct, with streamlined and clarified accountability structures. The bank’s practices for managing, governing and reporting on risks have been aligned to the line of business construct, helping to clarify the risk and control environment, reduce the bank’s inherent risk profile and drive greater transparency in risk