CBA Failures Identified by APRA Panel – Are They Relevant to Schools?

14 February 2019

The Australian Prudential Regulation Authority (APRA) released the Final Report of the Prudential Inquiry (Final Report) into the Commonwealth Bank of Australia (CBA) on 1 May 2018. The Final Report is comprehensive and contains a large number of findings and recommendations. Its overarching conclusion is that "CBA’s continued financial success dulled the senses of the institution", particularly in relation to the management of non-financial risks. The discussion of the management of non-financial risks is particularly relevant to school councils and boards.

Background to the Final Report

APRA announced the Prudential Inquiry on 28 August 2017 to examine the frameworks and practices in relation to the governance, culture and accountability within the CBA group, following a number of incidents that damaged the reputation and public standing of the bank. A Panel to conduct the inquiry – comprising Dr John Laker AO, Chairman of the Banking and Finance Oath, company director Jillian Broadbent AO and Professor Graeme Samuel AC, Professorial Fellow in the Monash Business School – was appointed on 8 September 2017 and the Inquiry’s investigative work began the following month. A Progress Report was released on 1 February 2018.

The Final Report (released on 1 May 2018) identified the following failures at CBA:

  1. inadequate oversight and challenge by the board and its committees of emerging non-financial risks
  2. unclear accountabilities, starting with a lack of ownership of key risks at the executive committee level
  3. weaknesses in how issues, incidents and risks were identified and escalated through the institution and a lack of urgency in their subsequent management and resolution
  4. overly complex and bureaucratic decision-making processes that favoured collaboration over timely and effective outcomes and slowed the detection of risk failings
  5. an operational risk management framework that worked better on paper than in practice, supported by an immature and under-resourced compliance function
  6. a remuneration framework that, at least until the AUSTRAC action, had little sting for senior managers and above when poor risk or customer outcomes materialised (and, until recently, provided incentives to staff that did not necessarily produce good customer outcomes).

Of these six failures identified by the Final Report, this article will discuss the first five and how they are relevant for schools.

Inadequate Oversight and Challenge by the Board of Emerging Non-Financial Risks

School boards need to develop an enterprise risk management, governance and compliance system that ensures all risks, especially non-financial risks, are properly considered. Non-financial risks are many and varied in a school context. While compiling one long list of every non-financial risk would be a starting point, overseeing a list of that kind would mean many boards spending valuable time reviewing ‘low risk’ risks. The better starting point is to categorise non-financial risks and determine whether every non-financial risk category is represented. After that, boards should decide which risks should be reviewed and how frequently.

Some of the non-financial risks that might be considered include:

  • key stakeholder risks
  • child protection risks
  • privacy
  • data management and security
  • health and safety
  • human resources
  • school registration compliance
  • student duty of care
  • student bullying
  • complaints handling
  • overseas students
  • early learning centres
  • boarding services risks.

Non-financial reporting for school boards is the subject of a briefing paper by James Field, CEO of CompliSpace which is available on School Governance.

Non-financial reporting should include reports of incidents and completion of key compliance tasks, checklists and the like. This type of non-financial data is essential if a board is to measure cultural change as a key outcome of any policy framework. The board needs an answer to the following questions: “Are the policies being followed in practice?” and “Are we confident that our articulated culture, ethos and philosophy are supported by staff?”

Unclear Accountabilities, Lack Of Ownership of Key Risks at the Executive Committee Level

Who is the risk owner for a particular risk? The answer should not be "everyone". Many schools have historically operated using a diffused or shared model in which responsibilities for a range of key risk and compliance areas are spread among the executive team or managers. Inevitably, such a model leads to risks not actually being owned by anyone, and to a great deal of finger-pointing around the executive team. Where a risk is to be reviewed by the school executive, it should be brought to the executive by the risk owner, who has already completed the risk assessment. It should then be tabled at the executive for discussion, interrogation of the existing risk controls and their effectiveness, and eventual approval.

Weaknesses in Risk Identification and Escalation and a Lack Of Urgency in Management and Resolution

Incident management systems are a key component of any governance, risk and compliance (GRC) system. They should allow for easy reporting of a wide range of incident types, and they should have back-end workflows, conditional notification rules and clear escalation points. Incident management should enable reporting across a wide range of captured data so that specific issues can be interrogated easily, and it should generate reports that can be provided to the executive and the board as required.

Incident management systems should link with other GRC systems such as compliance tasks and risk management so that the risk management process is dynamic and uses captured data to inform risk assessments and generate compliance tasks. This sort of system can really only be achieved using a technology solution. Paper-based systems do not allow for easy escalation, notifications, complex workflows or easy reporting.

Overly Complex and Bureaucratic Decision-Making Processes that Slowed the Detection of Risk Failings

This goes back to a lack of ownership of key organisational risks by individuals, and to management structures that lack clear role accountabilities and responsibilities. This Final Report finding certainly explodes the myth that collaborative decision-making always leads to better decisions. Collaboration is a means to a timely, effective decision, not an end in itself.

It is worth schools examining their current decision-making systems to see who can actually make a decision about a change in policy, or about a complaint from the school community. How many different individuals or groups within the organisation have to be ‘consulted’ before a decision is made? It is often surprising just how much unnecessary consultation is embedded in decision-making systems. Many staff feel that they should be consulted about almost every board or management decision.

Operational Risk Management Framework that Worked Better on Paper than in Practice, Supported by an Immature and Under-Resourced Compliance Function

The International Risk Management Standard ISO 31000 (2018) has six elements in its ‘Framework’. Two elements relevant here are evaluation and improvement. Evaluation should focus on whether the risk management framework is achieving its purpose of integrating risk management into the significant activities and functions of the organisation, and on whether the indicators (data) suggest that the framework needs adjusting. Continuous improvement of a risk framework is required so that it changes and adapts to new organisational requirements and to internal and external challenges. Not only should the risk framework itself be evaluated and improved; the enterprise risks themselves should also be regularly reviewed. Risks are not static and must be updated. Last year's key strategic and operational risks will probably not be the same next year. Risks need reviewing and updating to meet new challenges and changed circumstances.

What Should Schools be Doing Now?

This article has just touched on some of the key areas of a school’s operations which can generate important non-financial reporting information for a school board. Collecting data and effectively reporting on a range of non-financial data not only enhances a school board’s knowledge of key risk areas, but also ensures that the board can respond to areas which are susceptible to risk.

School boards should undertake a review of their current reporting and take a risk-based approach to prioritising any additional non-financial information that they feel will enhance their decision-making ability. Non-financial reports enhance the quality of decision-making by school boards, improving the ability of schools to achieve their strategic goals and objectives.

Jonathan Oliver

Jonathan is a Principal Consultant working with CompliSpace education clients. He has more than 10 years' experience in the school sector as a teacher, compliance and legal adviser and, more recently, as a Business Manager. Jonathan has been a solicitor for nearly 30 years and has worked in both private practice and community legal centres.