The Commonwealth Bank has been told to give its IT function a “stronger voice” in the company’s most senior management forum.
A six-month investigation into CBA by an Australian Prudential Regulation Authority (APRA)-appointed panel concluded [pdf] that the bank’s “continued financial success dulled [its] senses” to risk, leading to incidents like its alleged breaches of anti-money laundering laws.
The panel, in particular, singled out the bank’s executive committee - which comprises group executives of business units and central support functions - for criticism.
The committee’s “failure to accept ownership and accountability for IT systems used by the business units has been a major contributing factor in CBA’s inability to fully mitigate ... risk,” it found.
However, the panel appeared to indicate that CBA’s IT division, Enterprise Services, had limited say or influence in the weekly executive forum.
“A stronger voice on the executive committee from the Risk and Enterprise Services functions would ... have facilitated more timely and effective remediation [of risk],” it said.
APRA said it had raised “numerous” similar issues in late 2016, “including a lack of visibility at the executive committee level (and the Board) of the state of health of the IT environment”.
“CBA acknowledged [at the time] that APRA’s findings indicated that it was operating outside of its IT risk appetite,” the watchdog said.
“The APRA report recommended enhanced senior level governance and risk reporting for systems resilience, recovery, data storage and integrity, and risk management and culture.”
In addition, APRA said that “IT user access control weaknesses were identified by external audit as early as 2012 but have not yet been completely resolved, notwithstanding a large investment program”.
Part of the problem appeared to be the way that CBA treated investment in IT upgrades.
The panel said it believed “that CBA needs, over time, to more preemptively invest in risk, compliance and resilience projects rather than wait until they develop into ‘high rated’ issues”.
“Once issues have become ‘high rated’, their time critical nature creates elevated pressure for more tactical and bespoke solutions, adding to the buildup of organisational complexity,” the panel said.
The panel cited a March 2016 paper presented to the CBA Board by Enterprise Services as proof of short-term thinking when it comes to IT.
“Historically investment in new equipment and features have been favoured over the maintenance of existing systems,” it quotes the paper as saying.
“This has led to an underinvestment in support capabilities both in projects and in strategic investment requests.”
The panel also said that “focus groups and survey participants expressed views that CBA has developed bespoke, manual, ‘band-aid’ technology and process fixes in the name of serving the customer, rather than investing in long-term solutions”.
“This is essentially treating the symptom rather than addressing the cause, and may introduce risk issues down the track,” the panel said.
“Examples given on data integrity and legacy systems were particularly salient. One focus group member stated that ‘Leadership under-invests in tools and systems that would improve the management of risk. A lot of investments that have been done are customer-facing’.”
The APRA-appointed panel conducted focus groups with 110 executive managers from across CBA, including from within Enterprise Services.
It was set up in August last year to examine governance, culture and accountability at the bank.
'Heads should roll'
Treasurer Scott Morrison yesterday called the report’s findings “damning”.
“[The panel] found there was a complacent culture, dismissive of regulators, an ineffective board that lacked zeal and failed to provide oversight, a lack of accountability and ownership of key risks by senior executives, a remuneration framework that had no bite and they were reactive, slow, and had under resourced internal systems and processes,” Morrison said.
Morrison said he expected more executive resignations in the wake of the report.
“A number of the board members have already gone. A number of executives have already gone,” he said.
“My understanding is there will be others who will be leaving and that's what I would expect to be happening.”
CBA's CEO Matt Comyn acknowledged the findings and said the panel's recommendations would be implemented in full.
He also said he had "printed out 500 copies of the report, and I have sent that out to the top 500 leaders in the Commonwealth Bank".
"Over the next week I am going to have responses from all of those 500 leaders coming back to me, and a discussion across all of the top leadership groups in the Commonwealth Bank talking about how things are going to be different," he said.