Westpac’s multi-year project to fix its risk governance, the CORE program, has run into some “scheduling uncertainty, risk of disruption and quality issues” as a result of changes to the bank’s organisational structure and leadership team.
The project’s independent reviewer, Promontory Australia, has produced its fifth assurance report on the program, saying the structural and leadership changes are having an impact on the “executive sponsorship arrangements” for the program.
In February, the bank announced that as part of its plan to reduce its cost base it would reduce the size of its corporate functions by 20 per cent, moving support services like HR and technology to the business units.
It also combined the roles of chief risk officer, and group executive financial crime, compliance and conduct. CRO David Stephen and group executive financial crime, compliance and conduct Les Vance are both leaving the bank.
And the bank announced the creation of two new divisions – corporate services and customer services and technology. It said these business units would drive efficiency and productivity.
Promontory said the organisational changes are consistent with the objectives of the program and are intended to clarify accountabilities across the bank.
But it said it would be a challenge for the bank to avoid the potentially disruptive impact of its organisational restructure. As a result, the program’s status “moved from green to amber”.
One of those challenges is making sure CORE does not get swept up in the bank’s ambitious cost reduction program.
It warned that the bank has a history of not seeing big projects through and it must maintain a “rigorous focus on execution”.
CORE is a massive project, with 343 separate “design, implement and embed activities”.
The bank started CORE following Austrac’s finding that its anti-money laundering process was badly flawed.
In December 2020, APRA announced that CORE was falling short. Westpac gave the regulator an enforceable undertaking to “lift substantially its efforts to address risk governance deficiencies”, agreeing to submit a detailed integrated plan outlining all major remediation activities related to risk governance, with clear timelines and accountabilities.
In an earlier report, Promontory criticised the program for having “deliverables” that were expressed in terms that were too broad. It said these needed to be refined.
In the latest report, it said the bank had made improvements in this area, applying a more quantitative approach to measuring outcomes.
Overall, Promontory said the program is on track with most of the design activities completed a year after the APRA-approved revised program was started.
It also said senior management had supported the delivery of the program through communication with staff.