Westpac’s efforts to deal with its risk management problems through its Customer Outcomes and Risk Excellence program have fallen short and now the bank has had to give APRA an enforceable undertaking to “lift substantially its efforts to address risk governance deficiencies”.
APRA said in a statement yesterday that it was concerned about the bank’s progress in fixing weaknesses that include “an immature and reactive risk culture, unclear accountabilities, capability shortfalls and inadequate oversight”.
The bank’s problems came to light in the wake of Austrac’s court action over its many breaches of its anti-money laundering obligations.
But the problems don’t stop there. This week APRA said the bank breached the prudential standard on liquidity by incorrectly treating funding and loan products for the purposes of calculating its liquidity coverage ratio.
The bank has conceded that its remediation work has not delivered. An assessment conducted by an internal review team supported by Oliver Wyman, published in July, identified further changes the bank needed to make to fix weaknesses in the way it manages risk.
At the time, Westpac chief executive Peter King said: “Our management of non-financial risk is currently not at the standard we set for ourselves. It is clear we have more to do.”
When the review team went looking for the causes of the bank’s weaknesses in risk management, it found that the bank’s organisational structure was too complex. This introduced inconsistencies in the way risk is managed across the bank, made execution difficult and created confusion about policies and practices.
“Westpac’s tendency to perpetuate complexity by introducing, among other things, new committees led to capacity and execution constraints and a lack of clarity in accountability and introduction of additional risk,” the report said.
It found that awareness of risks was inconsistent and the approach to managing those risks was not sufficiently proactive.
“Contributory behavioural traits include a tendency to focus on individual issues rather than broader shortcomings,” the report said.
The bank has a “three line of defence” model, which is not well understood. The model has “blurred boundaries”, which means things fall through the cracks.
“Stronger ownership of risk outcomes is required,” the report said.
It also found that Westpac employees did not have sufficient capability to manage non-financial risk. Another problem was that “processes to identify systemic issues are constrained by the need to manually aggregate and analyse issue data”.
The report said that, given the complexity of non-financial risk issues, board and executive oversight needs to be refocused. Some directors said they had difficulty digesting the volume and complexity of the information they were given. They also said they would like management to be “more forthright in their reporting and escalation of issues”.
On the culture side, a priority should be to strengthen “psychological safety”. The report said there has been a tendency for leaders to react to incidents by looking for someone to blame rather than what can be learned.
APRA’s own review came to much the same conclusions, adding that the changes achieved so far have only been “incremental” and that new risk governance issues have continued