6-K Filing
Westpac Banking (WEBNF) 6-K Current report (foreign)
Filed: 17 Jul 20, 6:02am
Exhibit 2
ASX Release
Level 18, 275 Kent Street Sydney, NSW, 2000
17 JULY 2020

Westpac releases Culture, Governance and Accountability Reassessment Report

Westpac has today released its reassessment of its culture, governance and accountability remediation plan (CGA reassessment) which includes a comprehensive Group-wide transformation program to strengthen management of non-financial risk across Westpac.

Westpac first completed a CGA self-assessment in November 2018 and developed a remediation plan to address the recommendations. Following AUSTRAC’s Statement of Claim in 2019, Westpac reassessed its remediation plan to ensure it remained fit for purpose.

The main conclusion from the reassessment is that important aspects of Westpac’s non-financial risk culture are immature and reactive. The reassessment confirmed that Westpac was overly complex which results in confusion around accountability and challenges in execution. Shortcomings in the way Westpac manages non-financial risk have also been identified by each of Westpac’s three lines of defence, with further change required to address identified weaknesses.

Westpac Group CEO, Peter King, said: “Our reassessment confirms that our management of non-financial risk is currently not at the standard we set for ourselves.

“It is clear we have more to do to address these shortcomings, including improving our risk management capability and risk culture which is not where we want it to be. As a result, we are embarking on a comprehensive, multi-year program called Customer Outcomes and Risk Excellence (CORE). The program is a company priority and as CEO I’m accountable for its delivery,” Mr King said.

The CORE program’s three key pillars are:
• Direction and tone set by Board and Group Executive – initiatives that set clear direction and tone from leadership to promote a proactive risk culture.
• Clear risk boundaries for decision making – simplifying risk management frameworks and increasing capability and resources in the Risk function.
• Accountable and empowered people – providing additional training and support for employees to help them understand they all have a role in managing risk and driving clearer accountability and decision making.

Westpac has already commenced its change program with several initiatives underway including:
• Establishing a new Board Legal, Regulatory and Compliance Committee;
• Creating a new Group Executive role for financial crime, compliance and conduct to drive more focus on these areas;
• Greater focus on banking businesses in Australia and New Zealand to simplify operations and reduce risk;
• Implementing a new line of business operating structure that will clarify responsibilities and improve accountability across the organisation;
• Enhancing capability across our three lines of defence, including appointing an additional 240 experts across our risk and compliance functions.

Through this work we are continuing to identify further risk issues, which are being addressed as a matter of priority.

“This program is comprehensive and where we find any new issues, they will be dealt with promptly and as efficiently as possible,” Mr King said.

Promontory Australia provided independent assurance over Westpac’s reassessment and concluded the reassessment was done ‘diligently, thoroughly and professionally’, and noted that the new CORE program provides the basis for substantial and positive change.

The Reassessment Report and the Executive Summary of Promontory’s assurance report are attached.

For further information:
David Lording, Group Head of Media Relations, 0419 683 411
Andrew Bowden, Head of Investor Relations, T. (02) 8253 4008, M. 0438 284 863

This document has been authorised for release by Tim Hartin, General Manager & Company Secretary.
Reassessment of the Culture, Governance and Accountability Remediation Plan June 2020
Contents

Chapter 1 Foreword from the Chairman and CEO

Chapter 2 Context and scope
2.1 Westpac’s 2018 Self-Assessment and CGA Program
2.2 Requirement for a Reassessment
2.3 Approach to Westpac’s Reassessment
2.4 Scope of the Reassessment
2.5 Structure of the report

Chapter 3 Principal conclusions of the Reassessment
3.1 Analysis of recent developments has confirmed five root causes of continuing shortcomings
3.2 Further work is needed to fully address the root causes of shortcomings
3.3 Despite progress in closing recommendations, a Program reset is needed

Chapter 4 Shortcomings in culture, governance and accountability frameworks and practices
4.1 Summary of shortcomings identified in the 2018 Self-Assessment
4.2 Analysis of recent developments
4.3 Building First Line risk and control capability is a fundamental requirement for change
4.4 Recent developments not incorporated in the scope of the Reassessment

Chapter 5 Lessons learnt from the 2019 CGA Program
5.1 Review of the status of individual recommendations
5.2 Review of the CGA Program
5.3 CORE Program structure

Chapter 6 The CORE Program – 2020 and beyond
6.1 Pillars and Workstreams
6.2 Program Level Measurement
6.3 Communications and engagement

Appendix 1 Findings regarding recommendations and actions
Appendix 2 List of abbreviations

Westpac Banking Corporation ABN 33 007 457 141
Reassessment of CGA Remediation Plan Westpac Group
Chapter 1 Foreword from the Chairman and CEO

In 2018, Westpac conducted a self-assessment of culture, governance and accountability frameworks and practices (“the 2018 Self-Assessment”). It identified 45 recommendations for improvement, principally focused on Westpac’s management of non-financial risks. The Culture, Governance and Accountability Program (“the CGA Program”) was mobilised in January 2019 to implement these recommendations.

Following the Australian Transaction Reports and Analysis Centre’s (AUSTRAC’s) Statement of Claim in November 2019, the Australian Prudential Regulation Authority (APRA) required Westpac to conduct a reassessment of the CGA Program to determine whether it remains fit for purpose.

This is an important exercise. It comes at a time when we have identified risk management, along with our customer franchise, performance discipline, and digital transformation, as one of four critical priorities for protecting and building value for the long term.

Since AUSTRAC’s Statement of Claim we have announced important changes that we anticipate will have a strong, positive impact on Westpac’s management of risk and performance. For example, our focus on simplifying our portfolio and our products, together with streamlining and automating processes, will help reduce complexity. We are moving towards a clearer line-of-business operating model to provide more clearly defined First Line accountability. We have made a number of leadership changes and a fundamental review of culture at a Group level has led to a reset of our Culture Roadmap. These changes will take time – we must stay the course.

The Reassessment highlights that important aspects of Westpac’s non-financial risk culture have been immature and reactive, and we recognise that we need to change. The shortcomings identified in the 2018 Self-Assessment were serious and the report called out that if we did not address this maturity gap, it could contribute to further issues. Important changes have been implemented since, but the change has been incremental and the CGA Program as a whole has not delivered sufficient momentum.

The Reassessment makes clear that what is required is a program of deeper change. It emphasises the importance of sound risk management, of high quality oversight by the Board and Group Executive, strong risk capabilities, a proactive risk culture, effective risk boundaries and timely escalation of issues.

This Reassessment has been shared with all Westpac employees. The active engagement and input of our people is critical to this work: all of us have a role to play. Regular updates will be provided to APRA, to investors and our people, and there will be ongoing external independent assurance of progress.

A commitment to change is at the heart of the updated CGA Program. Westpac does not underestimate both the magnitude of the changes that are required and the effort involved. Improving culture, governance and accountability frameworks and practices is a key priority for Westpac’s management team under the strong oversight of the Board.

John McFarlane
Chairman
Westpac Banking Corporation

Peter King
CEO
Westpac Banking Corporation
Chapter 2 Context and scope

2.1 Westpac’s 2018 Self-Assessment and CGA Program

In 2018, APRA asked the boards of 36 financial institutions to assess their organisation’s culture, governance and accountability frameworks and practices in light of issues identified by APRA’s Prudential Inquiry into the Commonwealth Bank of Australia earlier that year.

In response, Westpac commissioned an internal review team to conduct its 2018 Self-Assessment, supported by external consulting firm Oliver Wyman. Its objective was to identify strengths and shortcomings related to Westpac’s culture, governance and accountability frameworks and practices, particularly as they affected non-financial risk performance in the Bank’s Australian operations and focused on events from July 2013 to June 2018.

Westpac’s 2018 Self-Assessment, which contained 45 recommendations for improvement and to remediate shortcomings, was endorsed by the Board and Group Executive, submitted to APRA in November 2018 and subsequently made publicly available.

To implement the recommendations, Westpac established its Culture, Governance and Accountability – or “CGA” – Program in January 2019 and has since provided public progress reports on actions taken. Most recently, as part of its Interim Results in May 2020, Westpac reported that 30 recommendations had been implemented from a design standpoint and were being embedded.

2.2 Requirement for a Reassessment

In November 2019, Westpac received a Statement of Claim from AUSTRAC in relation to alleged contraventions of obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006. The allegations, which remain before the court at the time of preparing this report, included a failure to report a large number of international funds transfer instructions, and other issues relating to Westpac’s processes, procedures and oversight.

In light of the magnitude of issues identified in AUSTRAC’s Statement of Claim, APRA wrote to Westpac on 16 December 2019 initiating a number of supervisory actions. APRA noted that while Westpac’s 2018 Self-Assessment had identified recommendations to strengthen its culture, governance and accountability frameworks and practices, the issues identified in AUSTRAC’s Statement of Claim prompted a reassessment to determine whether Westpac’s CGA remediation plan:
• “Remains appropriate and ‘fit for purpose’”;
• “Targets the underlying root causes”; and
• “How execution risks in remediation can be better managed”.

APRA stated Westpac’s Reassessment should “consider developments since the completion of its 2018 Self-Assessment to verify if the existing recommendations and actions remain fit for purpose and identify additional recommendations and actions that should be incorporated into the remediation plan”.

2.3 Approach to Westpac’s Reassessment

In response to APRA’s request, the Reassessment was undertaken with oversight by Westpac’s CEO and led by the Group Executive, Customer and Corporate Relations. The Chairman, Board members, and the Group Executive team, also provided significant input and oversight.

An internal review team, made up of members of the existing CGA Program and a number of General Managers with relevant subject matter expertise, supported by an expert team from Oliver Wyman, undertook a detailed review which included:
• Multiple feedback sessions with the Group Executive and other senior managers;
• Analysis of approximately 500 documents including individual framework policies and procedures, Board committee papers, reports and minutes, Executive Team papers and minutes, CGA Program documentation, internal staff communications, Human Resources data and culture surveys, emails and correspondence generated since the 2018 Self-Assessment;
• Evidence-based discussions with approximately 50 employees, including Directors, Group Executives and General Managers, focusing on specific examples of risk management challenges, concerns and successes over the past two years, and perspectives on the implementation of the CGA Program to date and other Group-wide transformation programs underway; and
• Detailed reviews of recent regulatory and compliance related matters, including AUSTRAC’s Statement of Claim, regulatory reviews of risk measurement, management, and reporting practices, and reviews of business conduct.

In determining whether the CGA Program is fit for purpose, a consistent methodology was applied to analyse the shortcomings identified in recent developments and compare them to those identified in the 2018 Self-Assessment.

The Reassessment has been independently assured by Promontory Australia. Promontory examined the robustness of the Reassessment process, resulting updates made to the CGA Program and likely effectiveness of the actions, and submitted its assurance report to the Board and to APRA. Ongoing progress of Westpac’s CGA Program will continue to receive external, independent assurance.

In parallel to the Reassessment, a senior member of the Westpac Risk function performed a review of possible root causes contributing to Westpac’s alleged anti-money laundering (AML) shortcomings, as identified in AUSTRAC’s Statement of Claim. A review of root cause now takes place at Westpac following a significant incident. In reviewing this work as part of the analysis of recent developments, the internal review team found significant commonality between the root causes identified as contributing to Westpac’s alleged AML shortcomings, and those identified in the overall Reassessment of the CGA Program. These causes have been considered in this report.

2.4 Scope of the Reassessment

The core scope of the Reassessment, as was the case for the 2018 Self-Assessment, was on Westpac’s culture, governance and accountability frameworks and practices. As such, matters outside this determination, such as detailed analysis of particular risk classes or the way the Bank manages financial risk, were not considered.

The Reassessment considered developments since the 2018 Self-Assessment, between July 2018 and March 2020, including AUSTRAC’s Statement of Claim. While both strengths and shortcomings were observed during the Reassessment process, the primary focus for reporting has been shortcomings because these are most likely to be relevant to the assessment of the appropriateness of Westpac’s CGA Program.

The Reassessment was established with three key objectives, aligned to APRA’s requirements:
• To determine whether Westpac’s CGA Program sufficiently targets the underlying root causes of shortcomings: The shortcomings identified in recent developments were compared with those identified in the 2018 Self-Assessment and CGA Program, enabling an assessment of whether any underlying root causes had not been appropriately targeted.
• To verify the relevance of existing recommendations and actions and incorporate additional actions: The recommendations and actions set out in the CGA Program were reviewed to assess their relevance in addressing the shortcomings identified in the 2018 Self-Assessment and in recent developments, and updated as appropriate.
• To determine how execution risks can be better managed: The effectiveness of the oversight and management of the CGA Program was assessed based on evidence of progress and management of execution risks to date, and a set of better external practices for mitigating execution risks identified.
2.5 Structure of the report

The remainder of the Reassessment is set out in Chapters 3 to 6:
• Chapter 3 summarises the principal conclusions of the Reassessment;
• Chapter 4 lists the key shortcomings identified in the 2018 Self-Assessment, and updated based on the shortcomings identified in recent developments and root causes. It reviews recommendations and actions taken to date and identifies areas where further actions are required beyond those set out in the existing CGA Program;
• Chapter 5 assesses the governance and management of the CGA Program through to March 2020, and identifies changes that are required to better manage execution risks; and
• Chapter 6 sets out the required outcomes, workstreams and metrics for the updated CGA Program, renamed the “CORE Program”.

All recommendations included in the 2018 Self-Assessment are listed in Appendix 1, with an update on their status and how they are carried forward in the updated CGA Program.
Chapter 3 Principal conclusions of the Reassessment

Three principal conclusions of the Reassessment

1. Important shortcomings remain in Westpac’s culture, governance and accountability frameworks and practices. These are related to five root causes:
– An organisational construct that creates complexity;
– An immature and reactive risk culture in non-financial risk management;
– A three lines of defence model that is not well understood or embedded, particularly in the First Line;
– A shortfall in sufficient non-financial risk management capability; and
– Challenges in execution and staying the course.

2. Fully addressing root causes will require further work in these key areas:
– Board and Executive oversight of non-financial risk;
– Risk culture;
– Risk boundaries, frameworks and capabilities; and
– First Line ownership and capability to manage risk.

3. The CGA Program has made progress in addressing recommendations from the 2018 Self-Assessment. However, given the magnitude of the necessary change to address root causes, the CGA Program requires a reset including more rigorous prioritisation, co-ordination and oversight.

CGA Program reset: “CORE Program”
These principal conclusions have formed the basis of a reset to Westpac’s CGA Program, renamed the Customer Outcomes & Risk Excellence – or “CORE” – Program, summarised below and detailed in Chapter 6.

3.1 Analysis of recent developments has confirmed five root causes of continuing shortcomings

The Reassessment has confirmed important shortcomings remain in Westpac’s culture, governance and accountability frameworks and practices. This is related to five root causes below, that are consistent with the cultural ‘DNA strands’ identified in the 2018 Self-Assessment. Explicitly stating the root causes is critical to Westpac’s work to improve non-financial risk management.

3.1.1 An organisational construct that creates complexity

Aspects of Westpac’s organisational design, including unclear end-to-end accountability, create complexity. This introduces inconsistency in the way risk is managed across the Bank and impedes an ability to quickly and accurately form an organisation-wide view of issues. This is exacerbated by complex technology systems, including many duplicate systems.

3.1.2 An immature and reactive risk culture in non-financial risk management

Westpac’s risk culture has been immature and reactive in the management of non-financial risk. Awareness of risks and obligations has been inconsistent, and the Bank’s approach to managing non-financial risk has not been sufficiently proactive. Contributory behavioural traits include a tendency to focus on individual issues rather than broader shortcomings and inconsistent challenging of assumptions from a risk perspective. These cultural traits have contributed to continued shortcomings in important elements of Westpac’s culture, governance and accountability frameworks and practices.

3.1.3 A three lines of defence model that is not well understood or embedded, particularly in the First Line

Westpac’s three lines of defence model has not been consistently understood and embedded. This has blurred boundaries and meant some things ‘fall through the cracks’ as roles, responsibilities and accountabilities can be unclear. These issues have been particularly evident in the First Line where stronger ownership of risk outcomes is required.
3.1.4 A shortfall in sufficient non-financial risk management capability

In some areas, Westpac employees have not had sufficient capability to manage non-financial risk and compliance obligations effectively.

3.1.5 Challenges in execution and staying the course

Westpac’s tendency to privilege conceptual work over execution creates challenges in effective management of non-financial risk. This can result from insufficient discipline in prioritising, a tendency to focus on conceptualisation over embedding, and undue caution which has been described as an organisational imperative for safety.

3.2 Further work is needed to fully address the root causes of shortcomings

While the Reassessment found Westpac’s CGA Program has delivered important changes to address shortcomings, in many cases they have been incremental. The Reassessment identified that additional actions, many of which are underway, are needed to fully address root causes in the key areas below.

3.2.1 Board and Executive oversight of non-financial risk

Given the complexity of non-financial risk issues, oversight of non-financial risk by the Board and Executive Team is being refocused. The Board has instituted changes that are in progress. These include the formation of a new sub-committee of the Board Risk Committee, the Board Legal, Regulatory & Compliance Committee, to focus on specific non-financial risks, allowing the Board Risk Committee to spend more time setting and ensuring adherence to risk appetite, current and future risk policies, and mitigating market and operational risks. Each Committee will have a different mix of Directors who will continue to apply constructive challenge, scrutiny and insight to risk governance and risk culture. The frequency of the Committees’ meetings will also increase.

The renewed CORE Program includes actions to review recently implemented and impending changes to the operation and structure of the Board Risk Committee and Board Legal, Regulatory & Compliance Committee.

Given the number of non-financial risk management issues experienced in recent years, the Group Executive must prioritise its oversight of improvements to culture, governance and accountability frameworks and practices. The CORE Program includes actions to strengthen executive leadership of risk management and culture, such as setting and role modelling behaviours that promote sound risk management.

3.2.2 Risk Culture

The Reassessment confirms that in some respects Westpac’s risk culture – the shared beliefs, attitudes and norms employees use to consider, identify, understand, discuss, and manage current and emerging risks the Bank is exposed to – remains reactive, and action to strengthen it needs to be prioritised.

A new Risk Culture workstream within the renewed CORE Program, which closely aligns with work underway on Westpac’s Culture Roadmap, incorporates actions to embed a robust risk culture framework across the Bank. Data and assessment tools will be used to identify and act on risk culture at a divisional and Group level.

A priority for the Bank’s culture work will be to strengthen psychological safety, as the Reassessment identified that in some situations, leaders had reacted to incidents with a focus on who is to blame rather than what to learn. It is important this trait does not develop further at Westpac. The CORE Program focuses on actions to promote a risk culture of learning from events and improving, and actions that empower employees to make good decisions. Westpac desires a culture where accountability is a value associated with high performance rather than consequence.
3.2.3 Risk boundaries, frameworks and capabilities

The 2018 Self-Assessment recognised it would take significant investment and time to develop the required level of maturity in non-financial risk management and, in the interim, the maturity gap may contribute to further issues. This has proved to be the case.

Clearer prioritisation features in the renewed CORE Program for the Second Line in setting frameworks, controls (including policies and limits), and standards for use across the Group. This includes a focus on frameworks being clear and consistent to support effective risk challenge, oversight and First Line decision making. Capability is being built in the Risk function to do so effectively.

3.2.4 First Line ownership and capability to manage risk

Stronger ownership and capability in risk management is required in the First Line, across all employees regardless of whether their roles are customer-facing or functional, such as technology and operations. The CORE Program emphasises the need to identify and achieve minimum professional standards to bring consistent capability, so that First Line decision makers are able to exercise effective risk-weighted judgement. This includes work to address continued weaknesses in project execution that impede sound risk outcomes.

Additional actions for building stronger accountability in practice are incorporated into a new stream of the CORE Program, Accountability and Decision Making in Practice.
A strong link is made in the CORE Program between First Line risk decisions and the need for clear risk boundaries. If risk boundaries are well understood and the consequences of operating outside them clear, then employees can have optimal space – the authority and empowerment – to identify and select from different options to best manage risk in the business.

3.3 Despite progress in closing recommendations, a Program reset is needed

The shortcomings identified in the Reassessment were broadly consistent with those in the 2018 Self-Assessment. The CGA Program must continue to focus on the effective design and embedding of the existing recommendations from the 2018 Self-Assessment and has made progress in a number of areas.

However, given the magnitude of the necessary change, the Program must execute with a clearer and more consistent understanding of the link between individual actions and their impact on remediation of root causes. More rigorous Program-level prioritisation and co-ordination of outcomes and interdependencies is required to fully address root causes and mitigate execution risks.

There has been a significant reset of the CGA Program to achieve this:
• Stronger Program-level oversight from the Board and Group Executive, in addition to existing oversight of activity at the level of individual recommendations;
• Articulating and communicating the CGA Program as a critical organisational priority;
• A clear focus on outcomes (as well as activity);
• A stronger role for business leaders and functional leaders, modelling the strengthened role for the First Line in risk management generally;
• Increased central capacity and capability for co-ordination of deliverables and interdependencies;
• Formal mechanisms for quick escalation of contentions and Program decisions; and
• Broader engagement with Westpac’s people to ensure the Program is seen as each employee’s responsibility rather than the responsibility of the Risk Function.

To signal these changes, the renewed CGA Program has been renamed the Customer Outcomes & Risk Excellence – or “CORE” – Program. This aims to reflect its importance as a core strategic priority for the Bank and to demonstrate that excellence in risk management aligns with Westpac’s desire to continue improving outcomes for customers. Improving culture, governance and accountability frameworks and practices is critical to doing the right thing by customers, through the products and services provided, the way in which customers’ concerns are addressed, and the clarity, professionalism and integrity that guides decision making.

The CORE Program has established three pillars, and 14 workstreams highlighted in Figure 1 and described in more detail in Chapter 6. The three pillars will help the Program integrate and co-ordinate resources to accomplish its purpose as simply as possible, with the right weight and focus.

Chapter 6 details the root causes each pillar of the program addresses, together with the outcomes and progress indicators for each workstream. Activities, milestones and outcomes will be closely co-ordinated with other strategic transformation programs underway across Westpac.

While the anticipated delivery date for the final milestones of the CORE Program will be March 2022 (allowing the time to embed required changes to focus more strongly on outcomes), it is anticipated that the actions – particularly around culture – will continually evolve into the future.
Figure 1: Updated CGA Program, “CORE Program” Design

Program objective
Improving Customer Outcomes and Risk Excellence (CORE)
A clear path forward, getting it right the first time

Pillar: Direction and tone set by Board and Group Executive
What good looks like:
• Customer outcomes improve because the direction and tone set by the Board and Group Executive promotes a proactive risk culture.
• Clear direction for risk appetite and culture is set by the Board, and risk management and performance is governed with constructive challenge.
• Clear expectations for culture, governance and accountability are set by executives and they role model behaviours for a proactive and systematic risk culture.
• A transformation in our culture and the way we identify, understand and act on risk, driven by our leaders.
Workstreams: 1 Board Governance of Non-Financial Risk; 2 Executive Leadership Culture; 3 Risk Culture Behaviours & Measurement; 4 Enterprise Prioritisation; 5 Remuneration & Consequence Management

Pillar: Clear risk boundaries for decision making
What good looks like:
• Customer outcomes improve because our people make decisions within clear risk boundaries.
• Risk management frameworks, policies and limits are robust, clear and fit for purpose.
• Risk boundaries are applied consistently and supported by the right data, systems and controls.
• Risk professionals have the skills, experience and confidence to provide the right balance of challenge and insight to decision makers across the Bank.
Workstreams: 6 Risk Frameworks; 7 Second Line Risk Roles & Capability; 8 Conduct Risk

Pillar: Accountable and empowered people
What good looks like:
• Customer outcomes improve because our people know they are accountable and empowered to own the risks in their role.
• First Line demonstrates strong capability to manage risks, issues and controls.
• Decisions are made and change is executed with clear authority and within understood boundaries, with each line playing its role.
• Individuals respect the right of the accountable person to decide on a course of action but provide input to decisions and always speak up proactively if they see unethical or non-compliant behaviour.
Workstreams: 9 Managing Risk in the First Line; 10 Issues Management; 11 Controls; 12 Customer Complaints; 13 Change Management; 14 Accountability & Decision Making in Practice

Workstream sponsors named in the figure: Chairs of the BRC and BLRCC; Chief Risk Officer; Chief Executive, Consumer; Group Executive, Human Resources; Group Executive, Financial Crime, Compliance and Conduct; Group Executive, Customer and Corporate Relations; Chief Information Officer & Delivery; Chief Information Officer

Related Strategic Priorities: Organisational Design & Culture Road Map, Lines of Business, Desired Culture Roadmap, Technology, Technology Execution Strategy, Risk Management, Financial Crime Program
Chapter 4 Shortcomings in culture, governance and accountability frameworks and practices

Despite Westpac’s 2018 Self-Assessment identifying multiple shortcomings in culture, governance and accountability frameworks and practices, it is possible a focus on the positive high-level findings of that report may have contributed to many in the Bank not fully appreciating the cumulative impact of the issues.

For this reason, the principal shortcomings identified in the 2018 Self-Assessment are listed together in Section 4.1, grouped under the same six themes. For each theme, the Reassessment internal review team has linked the shortcomings identified in the 2018 Self-Assessment to the relevant root causes summarised in Chapter 3 of this Reassessment, an important insight for fully remediating the issues.

4.1 Summary of shortcomings identified in the 2018 Self-Assessment

References in quotations throughout this section are to verbatim findings in the 2018 Self-Assessment, reflecting shortcomings identified at that time.

4.1.1 Board and Senior Management

The 2018 Self-Assessment identified that:
• Some Directors said they had difficulty “digesting the sheer volume and complexity of the information they are given”;
• Directors would at times “like management to be more forthright in their reporting and escalation of issues”, avoiding a tendency “to focus on the good news”;
• Board and senior management decisions about investment through Westpac’s largest funding pool, the Enterprise Investment Pool, may on occasion “inadvertently underweigh risk considerations”;
• BRCC and RISKCO papers indicated that some non-financial risks had been “regularly out of appetite”, and associated actions were “not always taken as promptly as expected”;
• Given that “prompt and effective issue resolution and closure are crucial to a robust risk and control environment, a more stringent approach to oversight” was required; and
• Westpac’s tendency to “perpetuate complexity by introducing, among other things, new committees”, led to “capacity and execution constraints”, and “a lack of clarity of accountabilities and introduction of additional risk”.

Root Causes:
• Organisational complexity coupled with an immature and reactive risk culture can challenge Westpac’s ability to identify and report issues promptly and clearly; and
• Three lines of defence not well understood or embedded, particularly in the First Line, leading to a number of issues ‘falling through the cracks’ as accountabilities were not sufficiently clear.
4.1.2 Risk management and compliance

The 2018 Self-Assessment identified that:
• Line 1 did “not always take ownership of, and accountability for, the risks of the business”;
• “The separation between Line 1 and Line 2 has been blurred” because “Line 2 performs activities that should be performed by Line 1, often to compensate for inadequate Line 1 maturity”;
• “Skills and capabilities to manage risk and compliance across all three lines of defence should be strengthened”;
• “Senior Compliance representation” was “incomplete at the divisional and functional executive team levels”;
• At times, “Group Audit has not exerted sufficient influence to ensure that risks and issues were given the necessary attention”;
• There was “limited detail in [non-financial] risk appetite articulation” and “metrics have not been established for each specific compliance and conduct risk”;
• Absence of “a sufficiently granular control language could hamper Westpac’s ability to identify gaps in the control environment or systemic breakdowns in controls”;
• Division-specific risk policies and processes “added complexity and, at times, challenged Westpac’s ability to form an aggregate view of certain risks”;
• Businesses ran on “multiple overlapping systems, with associated multiple processes”, and this “increased complexity and therefore risk”; and
• Risk and Compliance needed to “place more emphasis on change management to ensure that policies are understood and adhered to in Line 1.”

Root Causes:
• Three lines of defence model not well understood or embedded, particularly in the First Line, is the primary root cause of these shortcomings; and
• A shortfall in sufficient capability in non-financial risk management, an immature and reactive risk culture and organisational complexity have also been significant causal factors.

4.1.3 Issue and incident management

The 2018 Self-Assessment identified that:
• “Processes to identify systemic issues are constrained by the need to manually aggregate and analyse Issue data”;
• Limitations in the JUNO [1] control system “may constrain Westpac’s ability to understand the nature and significance of control breakdowns”;
• Issues identified by Line 1 were “not always effectively closed” and “30% of open issues are extended”, 13% “are extended more than once”;
• Issues identified by Group Audit, or by regulators, were “extended more often than issues identified by Line 1 and Line 2”;
• Employees “lack confidence that action will be taken” unless issues were “the subject of regulator or media scrutiny”;
• “Too short a period of time to rectify issues” was frequently assumed, “only to later identify that a longer period was needed”, “often because of system complexity”;
• Greater focus was “placed on Issue identification than on Issue assessment, resolution and closure in relevant policies and frameworks”;
• Despite “a notable uplift” ahead of the 2018 Self-Assessment, there were “opportunities to strengthen customer complaint and issue reporting”, and a recognised need “to rationalise systems into a single platform” and adopt a “Group-wide approach to customer complaint management”; and
• There was not “a single, Group-wide approach to handle whistleblower investigations consistently” across the Bank.

Root Causes:
• Organisational complexity and an immature and reactive risk culture can challenge Westpac’s ability to identify and prioritise issues, and this has been exacerbated by blurring of accountability;
• In a number of cases, the root cause is also linked to a shortfall in sufficient capability in some areas of non-financial risk management; and
• Some shortcomings relate to challenges in execution and staying the course.

[1] JUNO is Westpac’s integrated risk and compliance system.
4.1.4 Financial prioritisation

The 2018 Self-Assessment identified that:
• “The absence of risk analysis in submissions” to the Enterprise Investment Pool meant that “decisions whether to endorse an initiative may not have taken adequate account of non-financial risks”;
• “Pressure to adhere to initial cost estimates” could “result in extensions to project schedules, reduction in scope and compromised solution design”, and in some cases solutions that didn’t “adequately take account of risk”;
• The Finance and HR functions were perceived as “exerting considerable influence and control over businesses” which could hamper their “ability to make appropriate and timely decisions”; and
• The absence of a “sufficiently robust approach to manage non-financial risk” created instances when: “risks are not identified; the gravity, extent and implications of risks are not appreciated; mitigants are not identified; risks are not given due attention”.

Root Causes:
• Challenges in execution and insufficient prioritisation of risk, together with a shortfall in capability in some areas of non-financial risk management, are at the root cause of the majority of these shortcomings.

4.1.5 Remuneration and other consequence management

The 2018 Self-Assessment identified that:
• Westpac had “taken action to enhance and simplify remuneration frameworks and practices”, and several “strengths” were identified in these enhancements, but “a range of shortcomings and opportunities to enhance frameworks and practices were identified” to bring about and report the desired risk-based remuneration consequences;
• There was “significant divisional, front versus back office, and GM versus GM-1 variation in consequence management and remuneration outcomes”;
• The concept of accountability was “not elevated among Westpac’s five core values”;
• Accountability was “sometimes difficult to establish”, with a “strong tendency toward collective decision making”, the “absence of formalised end-to-end accountability of processes that cut across business units”, and “a lack of role clarity including residual blurring of Line 1 and Line 2”; and
• Given the infancy of BEAR and its implementation at Westpac, the 2018 Self-Assessment concluded that “the effects of BEAR in practice” were “yet to be seen”.

Root Causes:
• Organisational complexity was a critical causal factor of shortcomings relating to inconsistent frameworks and variations in practices; and
• Three lines of defence model not well understood or embedded, particularly in the First Line, was the primary root cause for shortcomings relating to accountability.

4.1.6 Culture

The 2018 Self-Assessment identified that:
• There was “a demonstrable need for more focused leadership actions, at all levels, to bring the values to life for employees”. 45% of employees surveyed for the 2018 Self-Assessment agreed that Westpac “is better at talking about the values than putting them into practice”;
• Without ingrained awareness of non-financial risk awareness, it is likely that “some employees will make inappropriate trade-offs” (for example to the detriment of compliance requirements);
• Over-collaboration drove “an unnecessarily high level of meetings and committees, excessive numbers of people involved in decisions, slowness, and diffusion of accountability”;
• “Insufficient personal ownership” led to “diffused accountability”, “challenges to ownership of issues and outcomes”, and “constraints on responding to service difficulties”, all of which had a “bearing on the effectiveness and efficiency with which risk, compliance and customer matters” were managed;
• Many employees “resign themselves to complexity as the natural state of affairs at Westpac, and their response to that complexity was often to wrap more complexity around it, potentially adding risk in the process”;
• “More work” was needed “to increase employee comfort” to speak up, and to address “hierarchical behaviour” and “listening by leaders”, who needed to “seek out and be open to feedback and raised issues”;
• There was “insufficient discipline in prioritising, making decisions and saying no”, which meant that Westpac could “struggle to cut through and attain clarity as to matters most needing attention”; and
• It was noted that “learning and reflection” were “not sufficiently incorporated in day-to-day operating rhythms”.

In the 2018 Self-Assessment, the analogy of “corporate DNA” was used to summarise how these cultural traits combined in three deeply interwoven “strands”:
• An organisational tendency to cultivate complexity;
• A tendency to privilege upfront conceptual work over execution and implementation; and
• An organisational imperative for safety, both at a company and employee level.

All five of the root causes summarised in Chapter 3 of this Reassessment are reinforced by deeply embedded cultural traits. There is a strong focus on actions to address cultural traits in many of the workstreams in the CORE Program and through a number of strategic, organisational, leadership and operational changes beyond the Program.
4.2 Analysis of recent developments

The Reassessment analysed whether the shortcomings identified in the 2018 Self-Assessment explain developments since then. This was necessary to address APRA’s request that Westpac assess the fitness for purpose of its CGA Program, given it was established to remediate these issues.

In analysing developments since the 2018 Self-Assessment, the Reassessment team:
• Performed detailed reviews of a number of regulatory and compliance related matters faced by Westpac since the 2018 Self-Assessment, including multiple regulatory reviews of risk measurement, management, and reporting practices, and reviews of business conduct. For each of these matters a consistent methodology was applied to identify the issues and root causes, and compare them to those identified in the 2018 Self-Assessment;
• Held interviews with Westpac Directors, Group Executives, General Managers and other staff, across the Bank. These interviews were evidence based, focusing on specific examples of risk management challenges, concerns and successes over the past two years; and
• Reviewed documentary evidence, focusing primarily on evidence relating to risk shortcomings, issues and incidents. The Internal Review Team also read all papers presented and discussed at the BRCC and RISKCO since September 2018 to understand the issues that have been identified and how those issues have been reported and taken forward. Group Audit reports were also reviewed.

Additionally, a robust diagnosis of culture was undertaken early in 2020 using the Barrett Cultural Assessment Tool and other culture data, including responses from monthly sentiment surveys. The initial results of that diagnostic were made available to the internal review team during the course of the Reassessment, and its high-level findings have been compared to the nine cultural traits identified in the 2018 Self-Assessment. As in the 2018 Self-Assessment, positive traits within the culture enable Westpac to perform well for customers most of the time; but the Bank’s culture also inculcates behaviours that contribute to shortcomings, and the Reassessment has primarily attempted to identify and understand those shortcomings rather than culture in totality.

As outlined in Chapter 3, the conclusions from this analysis of recent developments are:
• Important shortcomings remain in Westpac’s culture, governance and accountability frameworks and practices;
• Analysis of recent developments has confirmed five root causes of these shortcomings:
  – An organisational construct that creates complexity;
  – An immature and reactive risk culture in non-financial risk management;
  – A three lines of defence model that is not well understood or embedded, particularly in the First Line;
  – A lack of sufficient capability in non-financial risk management; and
  – Challenges in execution and staying the course.
• These root causes are consistent with the DNA strands identified in the 2018 Self-Assessment. Explicitly identifying these root causes in the Reassessment is critical to Westpac’s work to improve non-financial risk management.
• In four key areas further action is needed in the CORE Program to address fully the root causes of the shortcomings and deliver the required outcomes. This must occur in closer co-ordination with other strategic transformation programs underway at Westpac. These four areas are:
  • Board and Executive oversight of non-financial risk;
  • Risk culture;
  • Risk boundaries, frameworks and capabilities; and
  • First Line ownership and capability to manage risk.

Table 1 sets out these four areas in further detail, including the work that has been undertaken since the 2018 Self-Assessment to address them and the further actions now incorporated in the CORE Program.

Of these four areas, the one that requires a change from every Westpac employee relates to risk ownership and capability. This requirement is fundamental to tackling the maturity gap in the management of non-financial risk. Following Table 1, a specific commentary is provided, setting out in more detail what this requirement demands in practice.
Table 1: Analysis of recent developments – areas where further action is needed

1. Board and Executive oversight of non-financial risk

Reassessment Conclusions
Given the complexity of non-financial risk issues, Westpac needs to refocus oversight of non-financial risk at Board and Group Executive level. At the Board level, this has implications for Board Committee structures, charters and reporting practices, so the Board is best placed to continue engaging in constructive challenge, scrutiny and oversight. Given the number of non-financial risk management issues experienced in recent years, further improvements in culture, governance and accountability frameworks and practices are required and must be critical priorities for the Group Executive.

Detailed Findings
• The oversight of non-financial risks and issues remains an urgent priority, notwithstanding improvements made since 2018.
• A number of non-financial risk appetite statements and metrics remain at too high a level to drive effective Board or RISKCO action and lack robust data in reporting. This can make it challenging to synthesise insights.
• BRCC and RISKCO agendas remain long with lengthy papers, impeding meeting efficiency and potentially making it more difficult to identify and oversee risk.
• Directors assert that “message management” has lessened but remains a relevant issue.

Progress made under CGA Program
• Nine recommendations in the 2018 Self-Assessment focused on Board and RISKCO reporting and their response to risks out of appetite, outstanding issues, and complaints. These recommendations have progressed through the design effectiveness stage gate and ongoing work is underway to embed them.
• New Board and RISKCO templates and practices have been developed and implemented (but more work is needed to see improvement in insight and paper length).
• Customer complaint reporting has been enhanced.
• A Board Legal, Regulatory & Compliance Committee (BLRCC) has been established and the Board Risk Committee (BRC) is being adapted to cover key risks/themes.

New actions under CORE Program
• New actions in the ‘Board Governance of Non-Financial Risk’ workstream to review recently implemented and impending changes to the operation and structure of the BRC and BLRCC. This work will also incorporate relevant recommendations from the AUSTRAC Advisory Panel Report.
• New actions in the ‘Executive Leadership Culture’ workstream to strengthen executive leadership of risk management and culture.
• Board and Executive oversight of the CORE Program has been strengthened.
Table 1: Analysis of recent developments – areas where further action is needed (continued)

2. Risk culture

Reassessment Conclusions
The Reassessment confirms that Westpac’s risk culture remains reactive principally in relation to non-financial risk management. It is important for the Board and Group Executives to receive and respond to feedback on how culture is helping or hindering Westpac’s progress towards the goal of a proactive and systematic risk culture.

Detailed Findings
• The nine cultural traits set out in the 2018 Self-Assessment continue to contribute to shortcomings in recent developments.
• Non-financial risk is seen as more of a priority, although more focus is needed.
• Risk culture was a root cause of shortcomings in the management of certain non-financial risks, through tendencies to:
  – Focus on individual issues rather than broader implications;
  – Be reactive rather than proactive;
  – Be too satisfied with a sense of success;
  – The ‘voice of Risk’ being too faint;
  – Be too insular in the approach to managing certain risks; and
  – Be ineffective in escalating concerns and challenging assumptions.
• The role of senior management in leading risk management and setting the tone for risk culture is key.
• Recent developments highlighted a tendency to cultivate complexity.
• Some leaders react to incidents with a focus on who is to blame rather than what to learn. This is partly connected to people’s response to BEAR requirements. However, it is important that this trait does not develop further at Westpac.

Progress made under CGA Program
The 2018 Self-Assessment contained four broader culture recommendations linked to Westpac’s Culture Roadmap:
• The ‘Navigate’ program has further embedded the Westpac values;
• The Service Promise has been simplified;
• The existing suite of leadership programs has been updated to increase focus on risk;
• The behaviours-first ‘Motivate’ performance management system has been updated; and
• A risk culture framework has been developed and piloted, with ongoing reporting to RISKCO and BRCC.

New actions under CORE Program
• Actions in the ‘Risk Culture Behaviours and Measurement’ workstream to drive risk culture, with Group Executive leadership and clear co-ordination of Risk and HR expertise in setting and measuring risk behaviours. These actions recognise the vital role of leadership action in changing culture and will be linked to the updated Culture Roadmap.
• Developing a set of defined role model behaviours which promote sound risk management and a proactive and systematic risk culture.
• Actions to embed the Risk Culture Dashboard and Maturity Self-Assessment process.
• New actions will be taken to define and strengthen psychological safety, and to monitor and mitigate any tendency to blame individuals when issues occur.
Table 1: Analysis of recent developments – areas where further action is needed (continued)

3. Risk boundaries, frameworks and capabilities

Reassessment Conclusions
Clearer prioritisation is required in the updated CGA Program for the Second Line in setting frameworks, controls (including policies and limits) and standards for use across the Group. This is to be supported by increased capability and capacity in the Second Line Risk function.

Detailed Findings
• The relevant shortcomings identified in the 2018 Self-Assessment continue to apply to recent events.
• Blurred roles and responsibilities between Line 1 and Line 2 continue and were highlighted in a number of the recent developments.
• Capability and resource gaps remain in Line 2, and there is limited capacity at senior levels within Risk which is creating a bottleneck for risk uplift and change.
• There are shortcomings in Westpac’s ability to effectively identify the root causes of issues, and issues have not been closed promptly and effectively.
• In some areas risks and associated obligations were not sufficiently understood, including the implications of not meeting those obligations.
• Clarity and granularity of non-financial risk appetite needed improvement; and certain risks were continuously out of appetite.
• Multiple systems and data definitions continue to challenge Westpac’s ability to manage issues. This reflects and amplifies organisational complexity.
• Westpac experiences challenges in remediating issues raised by its regulators in a sufficiently timely and effective way. Sometimes regulatory scrutiny was needed to get things moving in areas where the issues were already known.
• While accountability for Group Executives is clearer as a result of formal changes such as implementation of BEAR and strengthening of remuneration frameworks, more guidance is needed on how accountability applies in practice for employees at all levels.

Progress made under CGA Program
• Nine recommendations in the 2018 Self-Assessment focused on risk roles and capabilities across the three lines of defence, and on risk appetite statements, taxonomy, policies and controls (including for conduct and reputation). Seven of these nine remain in design.
• Progress has been made with design principles and divisional plans set for three lines of defence role clarity, and diagnosis complete of the associated capability requirements.
• Four further issue-related recommendations require upgrades to JUNO control systems which have now been scheduled.
• 270 new risk roles across all three lines of defence are in recruitment.

New actions under CORE Program
• Recommendations from the 2018 Self-Assessment remain critical and are embedded in workstreams in two organising pillars: ‘Clear risk boundaries for decision-making’ and ‘Accountable and empowered people’. This reflects the importance of ownership in both Line 1 and Line 2.
• As a number of recommendations relating to risk boundaries are in design and have long-dated final milestones, tighter management of timescales, milestones and outcomes is a key focus for the CORE Program.
• Commence a strategic ‘reset’ of the conduct risk program through a dedicated ‘Conduct Risk’ workstream.
• Workstreams to strengthen issues management and controls will be sponsored by Line 1 General Managers, given the importance of embedding these initiatives in business processes.
• Dependencies with relevant technology initiatives beyond JUNO will be tightly co-ordinated to simplify and automate controls and processes where possible.
Table 1: Analysis of recent developments – areas where further action is needed (continued)

4. First Line ownership and capability to manage risk

Reassessment Conclusions
The CORE Program must emphasise more strongly First Line leadership in risk management. This must include a major emphasis on First Line accountability for effective risk-weighted judgement in decision making. It must also emphasise the upskilling of all employees in risk identification, assessment, mitigation, and in issue management. There is a strong link to the previous finding, in that clarifying risk boundaries helps sharpen the accountability and authority (empowerment) of First Line decision makers to manage risk.

Detailed Findings
• Ownership and accountability for risk in the First Line continues to be inconsistent and there are significant risk capability gaps.
• In some areas there was insufficient expertise, resourcing and systems to manage some risks and to consistently meet obligations.
• Employees do not always feel they are sufficiently empowered to fulfil their roles and responsibilities.
• Risk considerations were not always appropriately factored into decision making. In some recent developments, commercial arguments sometimes took precedence over risk requirements.
• Continued shortfalls in project execution impede sound risk outcomes in certain projects.
• There is still a proliferation of committees, driven among other things by a lack of clear accountability.

Progress made under CGA Program
• Two recommendations from the previous section focusing on boundaries have a strong impact on First Line accountability (three lines of defence roles and capabilities).
• Seven additional recommendations have a significant impact on First Line accountability and have been refined in the CORE Program. Four (G31-3, G35) relate to Enterprise Investment and Project risks, and three (A5-6, G34) to accountability in practice.
• A recommendation to rationalise divisional governance forums and sharpen individual accountability has delivered a first round of reductions in and clarifications of committees, with more work to do.
• In addition, the four culture recommendations all impact strongly on First Line risk management. These have been incorporated within the updated Culture Roadmap.

New actions under CORE Program
• The recommendations from the 2018 Self-Assessment relating to three lines of defence roles and capabilities remain fit for purpose, and the CORE Program has increased First Line leadership of work to address them.
• New actions aim to sharpen accountability and risk-weighting in decision making (at Enterprise, project and business-as-usual levels).
• First Line ownership is needed for effective non-financial risk management, and four workstreams – ‘Managing Risk in the First Line’, ‘Issues Management’, ‘Controls’ and ‘Customer Complaints’ – will require key First Line action.
4.3 Building First Line risk and control capability is a fundamental requirement for change

Both the 2018 Self-Assessment and the Reassessment found inconsistent risk and control capability contributed to Westpac’s shortcomings in non-financial risk management. Given that risk originates in all business activity, all employees – whether in customer facing or support roles – must have the core skills to consider, identify, understand, discuss and manage current and emerging risks.

Every First Line employee must have the capability to:
• Proactively and systematically manage risks relevant to their role;
• Describe how risk appetite relates to them and what risks are within and outside their risk appetite;
• Describe the risks relevant to their role and the impact those risks could have; and
• Understand the key controls they need to manage those risks and if they are working.

Together with these behavioural elements, more consistent risk infrastructure also needs to be evident across the First Line. This includes stated risk appetite with clear measures, clear risk profiles, end-to-end process and control maps (with accountabilities and responsibilities defined) and compliance plans that are clearly articulated, linked to process and controls.

To achieve this, an important action of the CORE Program is to identify minimum professional standards that aim to improve the capability of First Line decision makers to exercise effective risk-weighted judgement. A number of enterprise-wide metrics will be used to monitor and provide insight into the progress of building risk capability and ownership and they are outlined in Section 6.2.

4.4 Recent developments not incorporated in the scope of the Reassessment

Since the commencement of the Reassessment, a number of organisational changes have been made that are anticipated to have a strong, positive impact on Westpac’s risk management. However, given their implementation commenced in parallel with the Reassessment, they have not been considered in the review of recent developments:
• Confirmation of the Bank’s strategic geographic market focus to Australia and New Zealand, together with investments to simplify and automate processes and systems, both expected to reduce complexity;
• Commenced the move away from full matrix reporting and shifting to a clearer line-of-business model, also expected to reduce complexity and provide more clearly defined First Line accountability, with each area directly accountable for financial, risk and compliance, performance and customer outcomes; and
• A number of leadership changes and a fundamental review of culture at a Group level.

These changes will take time and require disciplined execution and persistence. Progress measures will be developed to assess their success in changing behaviour to address the detrimental strands of ‘corporate DNA’ identified in the 2018 Self-Assessment. The Executive Team, with the Board’s oversight, will work to define these metrics.

Although an evaluation of the likely impact of these changes has not formed part of the scope of the Reassessment, appropriate steps have been taken to co-ordinate activity between these initiatives and the CORE Program.
Lessons learnt from the 2019 CGA Program Since establishing the CGA Program in January 2019, 30 of its 45 recommendations had been implemented from a design standpoint as announced in Westpac’s Interim Results in May 2020. As part of the Reassessment, the current status of work was reviewed in relation to all 45 recommendations, and the oversight and management of the Program as a whole. The Reassessment found that this work has delivered important changes to address shortcomings, but that in many cases change has been incremental and additional actions are needed. At the commencement of the Reassessment, the CGA Program was continuing to implement recommendations from the 2018 Self-Assessment. Naturally, a number of those recommendations addressed complex and underlying shortcomings that would take time to resolve. As a result, many recommendations remain, appropriately, work in progress. 5.2.1 Active role for the Group Executive and Board The Executive Steering Group and the Board were important governance fora in establishing, directing and overseeing progress of the CGA Program from its inception in January 2019. The Executive Steering Group had met six times by the end of March 2020 to review overall Program progress, undertaken deep dives into specific recommendations, and challenged capacity and other Program constraints. The Board received a Program-level progress update at each Board meeting since December 2018. However, the strongly functional nature of the delivery of the CGA Program made it challenging to oversee the co-ordination of progress across the Program. The Program’s focus on activity measurement rather than outcomes also contributed to this issue. Scrutiny of individual initiatives will continue at the relevant Board or Executive governance forum, however there will be increased focus on oversight of the Program as a whole. 
At the Program level, the Chairman and CEO will both sponsor the Program and lead discussion at Board and at the Executive Team. The CEO, a member of the Executive Steering Group in his previous role before his appointment as CEO, will now Chair it. Given recent developments, the successful achievement of the CORE Program’s outcomes is one of Westpac’s four strategic priorities. This message has been, and continues to be, clearly communicated by the Chairman and CEO.

5.1 Review of the status of individual recommendations

The status of all 45 recommendations and how each has been incorporated into the renewed CORE Program is detailed in Appendix 1. In summary:
• 14 recommendations are in the ‘further steps’ stage – these have been implemented from a design standpoint and work is ongoing to progress them to final closure. The Reassessment has identified further insights and actions that should be incorporated into the CORE Program. In some cases, this will require additional design activity;
• 12 recommendations are ‘open’ – these remain in the design stage of development, and further insights generated through the Reassessment will be incorporated into updated plans within the relevant workstream; and
• 19 recommendations are at the ‘embed/monitor’ stage – these have been implemented from a design standpoint and work is ongoing to progress them to final closure, after which they will be monitored for ongoing effectiveness within the BAU environment.

5.2.2 Clear co-ordination of the CORE Program with other initiatives

On its establishment, the CGA Program was one of a large number of priority initiatives in Westpac. It was overseen separately from these other initiatives, and without any formal co-ordination of outcomes, activities, investment or business engagement. Linkages to other initiatives have been explicitly recognised in the design of the renewed CORE Program, particularly in relation to Lines of Business and the Culture Roadmap.
Dependencies with those initiatives will be managed both at the workstream and Program level, and the CORE Design Authority will provide an accelerated decision forum for managing conflicts and making trade-offs. Support from the Central Program Authority will help accountable Executives and General Managers in putting forward the right case for change and associated investment requirements where resources are required to deliver against milestones.

5.2 Review of the CGA Program

The CGA Program has established firm foundations, but significant changes are required for Westpac to manage fully the execution risks of the Program, summarised below.
5.2.3 Focusing on root causes and outcomes as well as on activity

The CGA Program prioritised on-time delivery of planned activities, partly to avert a cultural trait, highlighted in the 2018 Self-Assessment, to prioritise conceptualisation over execution. However, as there was no articulated target state for the CGA Program or enterprise-wide outcomes and metrics to track progress, recommendation owners may have prioritised achieving activity by a target date over embedding change to achieve a target outcome.

The root causes of shortcomings have been identified explicitly in the Reassessment to enable workstream leaders to validate that activity is addressing the appropriate underlying causal factors. Additional actions have been identified and incorporated in the relevant workstreams as a result.

Target state outcomes for each organising pillar, and outcomes and progress measures set at a workstream level.

The governance of the renewed CORE Program includes a strong Central Program Authority with clear milestone tracking to monitor progress against more granular definitions for each stage gate, and towards clearly articulated closure end states. Interdependent initiatives have been grouped into workstreams under the oversight of accountable Group Executives and General Managers. Effective identification and management of all relevant interdependencies will be a critical element of stage-gate submission and assurance. Interdependencies between CORE Program deliverables and other elements of the strategic transformation initiatives will be clearly identified and co-ordinated.

5.2.6 Engaging employees

Many Westpac employees understood that the 2018 Self-Assessment contained significant implications for roles, responsibilities and capabilities across the Bank.
However, there was a perception shared by many that its most important implications were for the Risk function, a perception reinforced by the Risk function leading most of the implementation activity. Employee engagement was also impacted by the fact that it took many months for the 2018 Self-Assessment to be circulated to all employees.

In the CORE Program, there is a dedicated change and engagement team, working with workstream sponsors to identify, plan, resource and deploy the required communications and change management support within and across divisions and businesses. First Line leaders and change practitioners will co-ordinate activity at a divisional and business level after workstream deliverables move from the design to the implement and embed stage.

The CEO has Executive accountability for the CORE Program, and executive sponsorship of the Program is with the Group Executive, Customer & Corporate Relations. They will both have the CORE Program as a key element of their communications and engagement activity with all employees across the Bank. The Program now has a full-time Communications Director, and communications and engagement will clearly signal its implications and expectations for everyone in the Bank, irrespective of role.

5.2.4 A strong role for business leaders as well as functional leaders

Functional leaders in Legal, Customer & Corporate Relations, HR, and Risk assumed accountability for workstreams in the CGA Program when it was first established. This has been important in generating robust technical solutions and effective integration with existing and complementary initiatives. However, this approach did not fully consider the importance of including First Line leadership in the formulation of effective and sustainable solutions.
In the CORE Program, a number of workstreams have First Line leaders as sponsor, and for all workstream initiatives, all relevant lines of business will be required to input and challenge design, and then lead relevant implementation and embedding into their divisions. The explicit identification and tracking of outcome metrics, most of which require change in business practices to be achieved, supports a much stronger business focus in the Program as a whole.

5.2.5 Tighter Program management of deliverables and interdependencies

In the initial CGA Program, delivery of individual recommendations sometimes prioritised the work required to close the design of their own activities, with less focus on understanding or managing the inter-relationships between recommendations, either in their design or in their business operation. This was not an issue for recommendations with straightforward, short-term deliverables, but created significant challenge for recommendations that required longer dated and more complex milestones, business engagement and cross-functional activities.
5.3 CORE Program structure

Based on the lessons learnt from the 2019 CGA Program, the CORE Program structure has been enhanced as shown in Figure 2.

Figure 2: CORE Program structure

Responsibilities
• Board Chairman and CEO: The Chair has Board accountability and the CEO is accountable for the CORE Program to the Board.
• Executive Sponsor: Accountable for CORE Program outcomes, including holding GEs/GMs to account, and reporting progress to the regulator with the support of the CEO and CRO.
• Executive Steering Committee: Responsible for overseeing strategic aspects of the program of work, monitoring and guiding performance, and assisting in the mitigation of any material risks or issues that impede the satisfactory progress of the workstreams and the overall program of work.
• Central Program Authority: Central program office responsible for establishing co-ordination across the workstreams, and monitoring, reviewing, reporting and supporting the integrated delivery of workstream outcomes for the program of work.
• CORE Design Authority: Responsible for making major decisions across workstreams, making calls on inter-program prioritisation, resolving inter-program conflict, and ensuring long-term capabilities are being built.
• Integrated Delivery: Co-ordinated sequencing of change and communications delivery.
• Assurance: Provides independent assurance to ensure completeness.
• GE Workstream Sponsor: Accountable for workstream outcomes and progress indicators and supporting the GM Workstream Owner with the agreed project of work.
• GM Workstream Owner: Responsible for delivering workstream outcomes and progress indicators, and partnering with the central program team to manage integrated delivery and assurance requirements.
Program Structure (Figure 2):
• Board Chairman and CEO (accountable for CORE Program to the Board)
• Executive Sponsor (Group Executive, Customer and Corporate Relations)
• Executive Steering Committee
• Central Program Authority
• CORE Design Authority; Integrated Delivery; Assurance
• Central Program Office: Program Director; Portfolio Management; Project Managers; Change and Communications
• Dedicated Functional Points of Contact: Risk SMEs; HR; Finance; Other (as required)

CORE Pillars and Workstreams (Figure 2):
1. Direction and Tone set by Board & Group Executive: Board Governance of Non-Financial Risk; Executive Leadership Culture; Risk Culture Behaviours & Measurement; Enterprise Prioritisation; Remuneration & Consequence Management
2. Clear Risk Boundaries for Decision Making: Risk Frameworks; Second Line Risk Roles & Capability; Conduct Risk
3. Accountable and Empowered People: Accountability and Decision Making in Practice; Managing Risk in the First Line; Issues Management; Controls; Customer Complaints; Change Management & Delivery
Chapter 6 The CORE Program – 2020 and beyond

To trigger the deep change required to address Westpac’s non-financial risk shortcomings, the Bank has undertaken a significant reset of its existing CGA Program, including reorientation of actions to form clearer links to root cause remediation, and more rigorous prioritisation and co-ordination.

As a clear signal of these changes, the renewed CGA Program has been renamed the Customer Outcomes & Risk Excellence – or ‘CORE’ – Program. This reflects its objective to improve customer outcomes and demonstrates its importance as a core strategic priority for the Bank.

The activities, milestones and outcomes of the CORE Program will be closely monitored and public progress reports made. Work will also be co-ordinated with other strategic transformation programs underway across Westpac.

6.1 Pillars and Workstreams

Activities fall into 14 workstreams, grouped under three pillars which are designed to help integrate and co-ordinate resources to accomplish outcomes as simply as possible, with the right weight and focus. The three pillars are:
1. Direction and Tone set by Board and Group Executive: recognising that co-ordinated and committed leadership direction and tone are critical to remediating the five root causes identified in the Reassessment;
2. Clear Risk Boundaries for Decision Making: providing clarity to employees on risk settings, maximising their room to make good risk decisions within these boundaries; and
3. Accountable and Empowered People: helping First Line decision makers to manage risk effectively, identify and resolve issues, exercise effective controls and manage projects and change.

These pillars are outlined below together with detail on:
• What good looks like;
• The root causes being addressed; and
• Workstreams, and their outcomes, owners and progress measures.
6.1.1 Pillar 1 – Direction and Tone set by Board and Group Executive

Strong direction and tone set by the Board and Group Executive will be essential to address all five root causes.

What good looks like:
• Customer outcomes improve because the direction and tone set by the Board and Group Executive promotes a proactive risk culture.
• Clear direction for risk appetite and culture is set by the Board, and risk management and performance is governed with constructive challenge.
• Clear expectations for culture, governance and accountability are set by executives and they role model behaviours for a proactive and systematic risk culture.
• A transformation in our culture determines the way we identify, understand and act on risk, driven by our leaders.

Workstreams (one Progress Indicator described from each stream for brevity):

1. Board Governance of Non-Financial Risk
Outcome: Clear direction for Westpac’s risk appetite and risk culture is set by the Board and there is strong governance of all aspects of risk management.
Owner: Sponsored by the Chairs of the Board Risk Committee and Board Legal, Regulatory & Compliance Committee
Progress Indicator: Board-endorsed consequences for overdue issues and/or risks out of appetite for extended periods.

2. Executive Leadership Culture
Outcome: Leaders role model Westpac’s desired risk culture including risk management behaviours and practices as a part of Westpac’s broader cultural state.
Owner: Group Executive, Human Resources
Progress Indicator: Leaders are provided feedback through 360 feedback survey on demonstrating management of risk culture.

3. Risk Culture Behaviours and Measurement
Outcome: Robust risk culture data and assessment processes are used by management to scrutinise and enhance risk culture towards Westpac’s established target state, enabling the Board and Executive to have oversight of risk culture across the Group.
Owner: Chief Risk Officer
Progress Indicator: Divisions use the new risk culture capabilities to challenge their risk management practices and behaviours and implement initiatives that improve them.

4. Enterprise Prioritisation
Outcome: Enterprise investment decisions are risk-based and the Board has visibility of the risk trade-offs made in formulating investment decisions.
Owner: Chief Information Officer
Progress Indicator: Demonstrated and traceable consideration of risk in key prioritisation decisions.

5. Remuneration and Consequence Management
Outcome: Consequence management and remuneration adjustment frameworks work together to reinforce positive, and deter negative, risk behaviours and are used effectively and consistently in practice to achieve their goals. Expected behaviours are reinforced through remuneration and performance management policies and practices.
Owner: Group Executive, Human Resources
Progress Indicator: Clear evidence that poor risk behaviour outcomes consistently result in individual consequences, and that exceptional risk behaviours are rewarded.
6.1.2 Pillar 2 – Clear Risk Boundaries for Decision Making

Establishing clear risk boundaries for decision making will address the root causes relating to embedding and understanding of three lines of defence particularly in the First Line, capability in non-financial risk management and organisational complexity.

What good looks like:
• Customer outcomes improve because our people make decisions within clear risk boundaries.
• Risk management frameworks, policies and limits are robust, clear and fit for purpose.
• Risk boundaries are applied consistently and supported by the right data, systems and controls.
• Risk professionals have the skills, experience and confidence to provide the right balance of challenge and insight to decision makers across the Bank.

Workstreams (one Progress Indicator described from each stream for brevity):

6. Risk Frameworks
Outcome: Implementation of robust Risk Management Frameworks (documents) provide clear and consistent boundaries for risk appetite and tolerance, and support governance over effective risk challenge and decision making.
Owner: Chief Risk Officer
Progress Indicator: Cascaded and clearly understood risk appetite statements across the Group.

7. Second Line Risk Roles and Capability
Outcome: Roles and responsibilities for the Second Line are clear. Second Line Risk specialists have the required experience and skill. Risk capability is maintained through a comprehensive risk training and education curriculum.
Owner: Chief Risk Officer
Progress Indicator: Second Line Risk experience, skills and confidence – evidence of newly formed or strengthened risk expertise and skillsets including 90% of new or open roles filled in non-financial risk classes; evidence of Risk engagement through membership at appropriate divisional Leadership Team forums.

8. Conduct Risk
Outcome: Business is conducted in a way that provides suitable, fair and clear outcomes for our customers and to support market integrity. All our staff quickly identify, report and respond to material conduct risks. Establishing and maintaining a reputation as a trusted and safe bank is recognised as being critical to the continued operation of our business.
Owner: Group Executive, Financial Crime, Compliance and Conduct
Progress Indicator: Increased transparency and visibility of conduct risk through a uniform and standard way of measuring and assessing conduct risk.
6.1.3 Pillar 3 – Accountable and Empowered People

Accountability and empowerment in First Line risk management will address all five root causes relating to moving from a reactive to a proactive risk culture, embedding and understanding of the three lines of defence, challenges with execution and staying the course, capability in non-financial risk management in the First Line and organisational complexity.

What good looks like:
• Customer outcomes improve because our people know they are accountable and empowered to own the risks in their role.
• First Line demonstrates strong capability to manage risks, issues and controls.
• Decisions are made and change is executed with clear authority and within understood boundaries with each Line playing its role.
• Individuals respect the right of the accountable person to decide on a course of action but provide input to decisions and always speak up proactively if they see unethical or non-compliant behaviour.

Workstreams (one Progress Indicator described from each stream for brevity):

9. Managing Risk in the First Line
Outcome: Required risk capabilities are in place in the First Line, in conjunction with the Lines of Business program. Appropriately skilled and accountable people are working in aligned operating models and teams in all First Line Divisions across the Group.
Owner: Chief Executive, Consumer
Progress Indicator: Improved risk capability through delivery and implementation of risk fundamentals programs.

10. Issues Management
Outcome: Management of issues is improved through the establishment of a systematic approach to root cause analysis and effective issue resolution across the organisation.
Owner: Group Executive, Financial Crime, Compliance and Conduct
Progress Indicator: Evidence of behavioural uplift in root cause analysis and improved quality of issue definition and closure assessed through sampling.

11. Controls
Outcome: A robust control environment is embedded in which:
– Risk control owners know their controls and understand their responsibilities;
– Risk control owners are supported by fit for purpose systems, tools, processes and guidance;
– Key controls are in place for all material risks across the value chain;
– Controls are well documented, operate effectively, and are regularly tested and monitored; and
– Any control weaknesses are promptly identified and effectively addressed.
Owner: Group Executive, Financial Crime, Compliance and Conduct
Progress Indicator: Improvements in controls testing outcomes and in level of controls testing by First Line.

12. Customer Complaints
Outcome: Westpac’s approach towards Complaints management creates a strong culture that welcomes feedback and values complaints. Complaints are resolved quickly and directly, within mandatory timeframes, with care, objectivity and ‘fairness’; and complaints data is used to improve products and processes.
Owner: Group Executive, Customer and Corporate Relations
Progress Indicator: Improved outcomes for customers with complaints – ease, speed, quality and satisfaction metrics.
13. Change Management & Delivery
Outcome: Programs and projects have clear accountable and responsible persons who understand the expectations of successful delivery. Strong risk management practices are in place for both delivered and delivery risk, and programs and projects receive ongoing, transparent reporting to make decisions. When issues are identified they are escalated and addressed, with lessons learnt and applied to future programs and projects.
Owner: Chief Information Officer
Progress Indicator: Number of Accountable Sponsors with an ‘effective’ operational effectiveness rating for key delivery controls.

14. Accountability and Decision Making in Practice
Outcome: Our people have the accountability, authority and skills they need to fulfil their roles. Our People Leaders provide clear authority to their people and monitor and verify progress, taking the opportunity to coach, course-correct and encourage challenge throughout. Our people and People Leaders are clear on their individual accountabilities, as well as the context and structural accountability framework they operate within.
Owner: Group Executive, Human Resources
Progress Indicator: Culture measures demonstrate improvement in clarity of accountability.

One Progress Indicator described from each stream for brevity.
6.2 Program Level Measurement

A set of enterprise-wide metrics has been identified to track the progress of CORE at a Program level, and how the progress indicators in each workstream are contributing to sustained improvement in non-financial risk maturity. These are summarised below, under three pillar columns: Pillar 1 (Direction and Tone set by Board and Group Executive), Pillar 2 (Clear Risk Boundaries for Decision Making) and Pillar 3 (Accountable and Empowered People).

Lead Indicators:
• Speak Up (Pulse)
• Risk policy rationalisation
• Proportion of issues raised by First Line
• Role modelling (Pulse)
• Second Line Effectiveness (Audit, Pulse)
• Extended or overdue High-rated issues
• Non-financial risks (NFR) out of appetite
• Timeliness of mandatory and voluntary breach reporting
• Critical/High NFR incidents

Lag Indicators:
• Misconduct cases
• Number of conduct breaches reported to regulators
• Severe Complaints

Program Delivery:
• Completion of scheduled key milestones (listed for each of the three pillars)

Additional metrics listed in the table:
• BRC/BLRCC actions completed on time and Group RISKCO actions completed on time
• Role Clarity (Pulse)
• Completion of mandatory leader training
• Committees Rationalised
• Shorter papers to RISKCO and Board
• On-time ownership of new incidents
• Controls rated Requires Improvement or Unsatisfactory

These metrics are based on currently available management information and are indicators of Program progress. The scope of the CORE Program includes the development of insights and metrics relating to the behavioural traits that underlie shortcomings relating to culture, governance and accountability practices.
6.3 Communications and engagement

Critical to the success of the CORE Program in meeting its objectives is its active adoption by all Westpac employees. Managing risk must be seen as each individual employee’s responsibility rather than the responsibility of the Risk Function.

An integrated communications strategy has been developed to bring CORE to life with foundational, Group-wide and targeted areas of focus. There will be co-ordinated sequencing of change and communications delivery to all employees.

As such, communication about the CORE Program will be Bank-wide, emphasising that managing risk is a core part of everyone’s role, whether on the front line or in a support function. An example of how this message may be made to stick is by use of an easy-to-recall acronym, such as “I AM RISK”:
• IDENTIFY risk as part of normal business operations;
• ACCOUNTABLE for understanding and remaining within risk limits;
• MANAGE risks proactively, following key controls and complying with policies;
• RAISE my hand when I see a potential issue;
• INVOLVE others, including Risk specialists, to learn from their experience and networks;
• STAY ALERT for changes that may elevate or introduce new risk; and
• KNOW that it is a privilege to take risk for Westpac and customers, and always keep that responsibility front of mind.

This is the aspiration for every Westpac employee.
Appendix 1 Findings regarding recommendations and actions

Westpac’s 2018 Self-Assessment provided 45 recommendations to address shortcomings in Westpac’s governance, culture and accountability frameworks and practices. Action has been taken against all recommendations. These actions have been assessed to determine how effectively they have addressed the shortcomings and their associated root causes:
• 14 recommendations are in the ‘further steps’ stage – these have been implemented from a design standpoint and work is ongoing to progress them to final closure. The Reassessment has identified further insights and actions that should be incorporated into the CORE Program. In some cases, this will require additional design activity;
• 12 recommendations have been assessed as ‘open’ – these remain in the design stage of development, and further insights generated through the Reassessment are incorporated into the updated plans within the relevant workstream; and
• 19 recommendations are at the ‘embed/monitor’ stage – these have been implemented from a design standpoint and work is ongoing to progress them to final closure, after which they will be monitored for ongoing effectiveness within the BAU environment.

Activity for all recommendations will transition into one of the 14 workstreams in the renewed CORE Program, along with the four new actions introduced in Table 1, where further insights and actions from this Reassessment will inform the design, implementation and embedding of activity in the relevant workstream. A summary of the work completed to date, status and further steps required for each recommendation is included in the following table.
G1. BRCC agenda review
Status: Embed/Monitor
CORE Workstream: Risk Frameworks
Work Completed:
• Added new BRCC meeting to annual cycle.
• Added standing agenda item to discuss meeting efficiency at BRCC meetings.
• Established new practice where BRCC meetings begin with discussion of top risks and issues.
• Established BLRCC to allow more time for BRCC to focus on other risk matters.
Summary of further insights and actions:
• Monitor the ongoing efficiency and effectiveness of the BRC/BLRCC agenda and operations.

G2. BRCC and RISKCO reporting
Status: Further steps
CORE Workstream: Risk Frameworks
Work Completed:
• Updated report template and page length limit, supported by training and guidance notes.
Summary of further insights and actions:
• Streamline and improve quality of BRC/BLRCC reporting.
• Strengthen capability and templates to improve reporting.

G3. Board Audit Committee (BAC) membership
Status: Embed/Monitor
CORE Workstream: Risk Frameworks
Work Completed:
• Formalised BRCC Chairman as a member of BAC.
Summary of further insights and actions:
• None.

G4. BAC and BRCC reporting of issue extension
Status: Embed/Monitor
CORE Workstream: Risk Frameworks
Work Completed:
• Updated reporting to BAC and BRCC to include issue extension information.
• Changed process such that issues can only be extended where ‘credible pathway’ exists.
Summary of further insights and actions:
• Monitor the ongoing appropriateness of reporting of high-rated issue extensions to the BAC and BRC/BLRCC.

G5. Reporting of ‘tail’ customer complaints
Status: Further steps
CORE Workstream: Customer Complaints
Work Completed:
• Updated reporting to include long-dated complaints.
• Introduced standing agenda at monthly Board meeting on long-dated and complex complaints, including deep dives and red flags assigned to long-dated complaints that warrant further scrutiny.
Summary of further insights and actions:
• Update complaints reporting to further highlight to the Board which complaints are serious and extreme.

G6. Investment allocation decisions
Status: Embed/Monitor
CORE Workstream: Enterprise Prioritisation
Work Completed:
• Updated Enterprise Investment Pool (EIP) submissions to include description of risks arising from an initiative, and the risks of not proceeding.
• Introduced new practice where ET presents Board with portfolio view of EIP submissions and risks.
Summary of further insights and actions:
• None – further actions have been defined as part of G31.
G7. Risk appetite
Status: Further steps
CORE Workstream: Risk Frameworks
Work Completed:
• Performed review of ‘out of appetite’ risks by Divisional CROs.
• Established interim measures to improve transparency of progress to return to appetite.
Summary of further insights and actions:
• Work with the relevant accountable owner of each plan to bring risks back within appetite to ensure sufficient prioritisation and urgency is being applied.
• Where there is no credible pathway or long timelines, ensure there is a discussion at the ET/Board level to accept this risk if appropriate or take other measures, e.g. withdrawing from specific business activities.

G8. Issue resolution and closure
Status: Further steps
CORE Workstream: Issues Management
Work Completed:
• Updated Issue and Action Management Policy to allow issue extension only where ‘credible pathway’ exists.
• Reviewed long-standing issues in each division, in line with new requirements regarding ‘credible pathways’.
• Developed Line 1 Issue Ownership Plan to embed target behaviours regarding issue resolution.
Summary of further insights and actions:
• Take appropriate actions to close long-outstanding issues and high-rated long-outstanding issues as a matter of the highest priority.

G9. G2, G4–G8 as they apply to the ET and RISKCO
Status: Further steps
CORE Workstream: Risk Frameworks
Work Completed:
• Relevant updates to BRCC/BAC reporting have been reflected in RISKCO reporting.
• ET Customer Forum exists to discuss complex open complaints cases.
• ET receives individual EIP submissions with risk analysis.
Summary of further insights and actions:
• Assess the efficiency with which time is utilised and the adequacy of the time allocated overall for RISKCO.
• Streamline and improve the quality of RISKCO reporting.

G10. Rationalisation of governance committees
Status: Further steps
CORE Workstream: Accountability and Decision Making in Practice
Work Completed:
• Established a Committee Map showing dependencies between committees to perform committee rationalisation exercise. This decreased committees by 16%.
• Interviews conducted with GMs to identify and confirm root causes of committee proliferation.
• Established Group Committees Register and Committee Operating Principles.
• Created Standard templates for committee agendas, papers and minutes.
Summary of further insights and actions:
• Further rationalise committees, with central oversight of divisional rationalisation efforts.
G11. Three Lines of Defence, Divisional CROs
Status: Further steps
Work Completed:
• Actions taken to address G11.1 completed as part of A1-A4.
• Designed a new three lines of defence (3LOD) model, including through:
– Establishment of governance forums to oversee design of the 3LOD future state and to resolve complex issues;
– New Line 1 Risk and Compliance teams within divisions; and
– Creation of detailed implementation plans to implement the 3LOD future state.
• Increased Divisional CRO team resources; agreed and announced a new Divisional CRO matrix reporting structure.
Summary of further insights and actions (CORE Workstream: Managing Risk in the First Line):
• Ensure the enterprise capability uplift developed as part of G12 includes training and education relevant to front-line business.
• Progress and adjust current and planned actions on 3LOD uplift including:
– Review divisional implementation plans for consistency and monitor implementation; and
– Work with the divisions to develop a targeted and consistent communications plan.
Summary of further insights and actions (CORE Workstream: Second Line Risk Roles and Capability):
• Progress and adjust current and planned actions on 3LOD uplift, including:
– Resolve residual issues in the understanding of the role of the Line 2 Risk function;
– Ensure that all remaining open points on 3LOD target state are closed; and
– Ensure that representatives from front-line businesses (i.e. not from the Line 1 Risk teams) are engaged in the design and implementation of G11.2 going forward.
G12 Skills, capabilities and stature
Work Completed:
• Approved extensive risk training program with adequate funding, tailored to role types developed as part of G11.
• Approved 270 new risk Full-Time Equivalent (FTE) employees to uplift capability.
• Designed program to rotate employees in Lines 2 and 3.
Status: Open
Summary of further insights and actions:
• Progress with current and planned initiatives.
CORE Workstream: Managing Risk in the First Line; Second Line Risk Roles and Capability

G13 The risk and control environment
Work Completed:
• Developed new Bank-wide risk taxonomy, and approved funding to review and update controls in accordance with the taxonomy.
• Linked material obligations in compliance obligations library to risk taxonomy, and to controls.
• Uplifted control self-assessment process (one common process yet to be developed).
• Developed new process to identify new and emerging risks, including new paper at RISKCO and BRCC.
Status: Open
Summary of further insights and actions:
• Integrate compliance and operational risk assessments into one common process.
• Progress and adjust current and planned actions on taxonomy and controls including:
– Provide training across 3LOD on new taxonomy, its objective and purpose;
– Embed the new risk taxonomy;
– Develop common control taxonomy; and
– Identify and remediate controls and gaps and weaknesses; address flow-on impacts.
• Enhance the compliance obligation library to ensure it is comprehensive and has a consistent level of detail across the Group.
• Link any new or changed obligations to risks and controls.
• Confirm that the identification and reporting of new, emerging and heightened risks is complemented by equivalent actions to manage these risks effectively.
CORE Workstream: Controls
G14 Setting and monitoring risk and compliance appetite
Work Completed:
• Developed new qualitative statements of appetite and metrics for each risk in the new risk taxonomy.
• Developed new Risk Management Framework requiring risk appetite to be articulated and measured across the Group.
Status: Open
Summary of further insights and actions:
• Progress and adjust current and planned actions on RAS roll-out, including:
– Define qualitative statements of appetite and metrics for Level 1 risks;
– Update Group-wide, Divisional and ET RAS for new statements and metrics and cascade as appropriate;
– Reconsider appropriateness of two-metric limit;
– Develop actions to equip the Bank with data to measure risk profile relative to risk appetite;
– Develop oversight framework to oversee and manage risk appetite; and
– Embed new risk appetite, including through training and education.
CORE Workstream: Risk Frameworks

G15 Conduct risk management
Work Completed:
• Enhanced key conduct-related risk frameworks, including the Product and Service Lifecycle.
• Included conduct risk as standing agenda item in divisional risk committee meetings.
Status: Open
Summary of further insights and actions:
• Commence with a ‘reset’ of the conduct risk program, including a redesign of the Code of Conduct and initiatives to embed conduct risk into policies, processes and controls.
CORE Workstream: Conduct Risk

G16 Management of reputational risk
Work Completed:
• Uplifted Reputation Risk Framework, including to:
– Formalise role of Divisional RISKCOs;
– Establish the ‘Yes Check’; and
– Establish a Reputational Risk Committee.
• Clarifying roles and responsibilities to manage reputation risk.
Status: Further steps
Summary of further insights and actions:
• Embed reputation risk management into relevant policies, processes and controls.
• Ensure that the responsibilities for management of reputation risk across the 3LOD are clarified as part of work to implement G11.
CORE Workstream: Conduct Risk

G17 Divisional approaches to manage risk and compliance
Work Completed:
• Reviewed and rationalised 41 risk and compliance policies and frameworks.
• Established Westpac Group Risk Policy – Policy Management to minimise inconsistency and proliferation of policies.
Status: Further steps
Summary of further insights and actions:
• Review Group and divisional non-financial risk policies and procedures to reduce unnecessary overlap and complexity.
CORE Workstream: Risk Frameworks
G18 Systemic Issue identification
Work Completed:
• Approved funding for broader JUNO upgrade to introduce new functionality, uplift ‘front-end’ ease of use and uplift back-end analytics capability.
• Actions to address G18 scheduled for after JUNO upgrade.
Status: Open
Summary of further insights and actions:
• Progress with planned actions to upgrade JUNO.
• Establish an interim, manual solution to identify systemic issues through stakeholder collaboration.
CORE Workstream: Issues Management

G19 Issue escalation
Work Completed:
• Introduced Compliance ex-post issue sampling.
• Increased minimum sample size for Compliance incident sampling.
• Expanded scope and objectives of Operational Risk Data Quality Review to ensure issue rating accurately reflects residual risk.
Status: Embed/Monitor
Summary of further insights and actions:
• Monitor the impact of actions taken on the incorrect classifications of issues and compliance incidents in terms of impact.
CORE Workstream: Issues Management

G20 Issue reporting
Work Completed:
• Updated relevant policies to require reporting of significant near misses and high-rated issues and incidents to RISKCO and the BRCC.
Status: Embed/Monitor
Summary of further insights and actions:
• Monitor the ongoing appropriateness of reporting of incidents and issues to Group and Divisional RISKCO and the BRC/BLRCC, and the associated policies.
CORE Workstream: Risk Frameworks

G21 JUNO Uplift
Work Completed:
• Approved JUNO upgrade (see ‘Work Completed’ for G18).
• Actions to implement G21 confirmed feasible as part of JUNO upgrade.
Status: Open
Summary of further insights and actions:
• Progress with planned actions to upgrade JUNO, prioritising upgrades for G21.
• Train and educate relevant employees on the new JUNO capability.
CORE Workstream: Issues Management

G22 Issue resolution and closure
Work Completed:
• Developed root cause methodology, rolled this out through ongoing training, and plans created to ensure incorporation of methodology into key risk committees and forums.
• Embedded BEAR statements which include accountability for issue and incident closure.
• Established the Group Risk Classification Framework which identified long-outstanding issues which may need to be considered.
Status: Open
Summary of further insights and actions:
• Implement and embed the root cause methodology throughout the Bank.
• Continue to build broader risk capability (including with regards to issue and incident management).
• Monitor impact of formal changes BEAR and the new Remuneration Framework made to confirm they provide timely and effective clear accountability for issue closure.
CORE Workstream: Issues Management; Managing Risk in the First Line; Remuneration and Consequence Management
G23 Customer complaints management systems
Work Completed:
• Continued ongoing work to test and roll-out a single customer complaint system in ‘drops’.
Status: Open
Summary of further insights and actions:
• Progress with planned actions to establish and use one single customer complaint platform.
CORE Workstream: Customer Complaints

G24 Identification of systemic customer complaints
Work Completed:
• Introduced new requirement to record all customer complaints (including those resolved at first point of resolution).
• Provided training and communications to embed this requirement.
• Uplifted Board and ET reporting to include complaints by product, channel, age, root cause and theme (e.g. conduct).
Status: Embed/Monitor
Summary of further insights and actions:
• Monitor complaints logging in terms of data quality and level of embedding in the business.
• Monitor the effectiveness of the identification of trends in root causes.
CORE Workstream: Customer Complaints

G25 Reporting of serious and extreme complaints
Work Completed:
• Updated Board reporting to include long-dated complaints.
• Introduced standing agenda at monthly Board meeting on long-dated and complex complaints, including deep dives and red flags assigned to certain long-dated complaints that warrant further scrutiny.
• Uplifted Customer Solutions more broadly, including establishment of Customer Outcomes Committee and Vulnerable Customer policies and standards.
Status: Further steps
Summary of further insights and actions:
• Update complaints reporting to further highlight to the Board which complaints are serious and extreme.
CORE Workstream: Customer Complaints

G26 Reporting of long-dated complaints and other customer matters
Work Completed:
• Determined that no action was required because serious matters would be included in long-dated complaints reporting and/or Litigation Reports to the Board.
Status: Embed/Monitor
Summary of further insights and actions:
• Periodically review the appropriateness of including long-dated matters in an expanded version of the Customer Complaints Dashboard or other reporting and/or forums as required.
CORE Workstream: Customer Complaints

G27 Life and general insurance complaint handling
Work Completed:
• Centralised customer complaints handling, supported by Group-wide Complaints Management Policy and Standard.
Status: Embed/Monitor
Summary of further insights and actions:
• Monitor and address any challenges associated with the transition to centralised complaints handling.
CORE Workstream: Customer Complaints

G28 Accountability for complaint resolution
Work Completed:
• Updated CEO and GE scorecards to include measures on long-dated complaints and average time to close complaints.
Status: Embed/Monitor
Summary of further insights and actions:
• Monitor whether scorecard metrics help to promote the desired behaviours in relation to customer complaint resolution, and refine metrics if needed.
CORE Workstream: Customer Complaints
G29 Escalation of customer complaints
Work Completed:
• Engaged Compliance and Operational Risk for review of processes and quarterly sample testing to ensure complaints are appropriately logged.
• Ensured Compliance attendance and representation at complaints discussions.
Status: Embed/Monitor
Summary of further insights and actions:
• Proceed with planned updates to the Customer Complaints Management Policy.
CORE Workstream: Customer Complaints

G30 Group-wide approach to handle whistleblower investigations
Work Completed:
• Developed and implemented Group-wide approach to handle whistleblower investigations, supported by enhancements to systems and processes.
• Continued awareness campaigns and training programs, including implementation of single whistleblower management system for all employees.
Status: Embed/Monitor
Summary of further insights and actions:
• Monitor the effectiveness of the approach to handle whistleblower investigations.
CORE Workstream: Risk Frameworks

G31 Investment Allocation Decisions
Work Completed:
• Established process for all investment and major change initiative submissions to include risk assessment and analysis.
• Enhanced systems to capture and record risk analysis.
• Provided guidance on how risk analysis should be presented in submissions.
Status: Further steps
Summary of further insights and actions:
• The outcome and rationale of decisions, including where funding is not received, is clearly communicated.
• Uplift the articulation of submissions and Board reporting.
• Ensure that there is sufficient Board visibility of initiatives which are not funded.
CORE Workstream: Enterprise Prioritisation

G32/G33 SteerCo templates
Work Completed:
• Reviewed, updated and standardised templates and agendas to highlight risks, assumptions and changes to project scope, schedule, solution and expected benefits.
• Developed ‘how to’ guidelines on new templates.
Status: Further steps
Summary of further insights and actions:
• Incorporate relevant elements from the Operational Risk in Projects (ORiP) Policy into Westpac’s project execution framework to drive uplift in project risk and compliance delivery and subsequent outcomes.
• Monitor the impact of this transition and other changes to the project execution framework.
CORE Workstream: Change Management and Delivery
G34 Operational Decision Making
Work Completed:
• Elevated the stature and standing of Risk, including strengthening key risk positions, including Operational Risk and Compliance professionals at relevant committees, and redefining the purpose of the Risk function “to provide leading risk oversight, insight and control”.
• Established joint accountability between CFO and COO for prioritisation of strategic investments.
Status: Open
Summary of further insights and actions:
• Several workstreams will take forward the underlying findings to strengthen the voice of Risk in all decisions and to clarify and uphold Line 1 authority and boundaries and the rights of support functions to challenge decisions.
CORE Workstream: Second Line Risk Roles and Capability

G35 Enterprise Portfolio Oversight Committee (EPOC) delegation
Work Completed:
• Established requirement for GEs to obtain prior approval from the Enterprise Portfolio Governance Committee (EPGC) Chair to delegate. Subsequently, EPGC and other committees were replaced by the Enterprise Portfolio Committee (EPC) which does not include business GEs as members.
Status: Embed/Monitor
Summary of further insights and actions:
• Once the recently announced changes to enterprise change oversight have been implemented, monitor the effectiveness and appropriateness of enterprise change oversight to ensure an appropriate level of attention is given to risk considerations.
CORE Workstream: Enterprise Prioritisation

A1 Risk-adjustment process for employees on discretionary annual Short-Term Variable Reward plans
Work Completed:
• Engaged external review of effectiveness of Remuneration Policy and Remuneration Review.
• Developed Group-wide Risk Classification Framework with new process to adjust STVR and other discretionary remuneration.
• Implemented Variable Reward Guidelines to provide guidance to staff on process.
• Updated ‘RemExpress’ system to capture and aggregate data for calibration.
Status: Embed/Monitor
Summary of further insights and actions:
• Monitor the impact of actions taken and refine the Group classification framework as it is implemented to guide remuneration adjustments.
• Review the effectiveness of actions taken for A1 in driving better risk behaviours and outcomes and accountability, particularly in the First Line.
CORE Workstream: Remuneration and Consequence Management
A2 Risk gate and risk-adjustment criteria and aggregation of data
Work Completed:
• Updated ‘Reputation and Risk’ component of senior management scorecards to have up to 100% STVR at risk; established process to review appropriateness of scorecards.
• Reviewed risk gates for consistency and enhanced where relevant.
Status: Embed/Monitor
Summary of further insights and actions:
• Monitor the impact of risk gate and risk adjustment criteria in terms of driving better risk behaviour and outcomes and ensure these are reviewed regularly. This should include ensuring that reviews are documented.
• Ensure how aggregated data is used by the relevant committees/functional areas is reviewed and documented.
CORE Workstream: Remuneration and Consequence Management

A3 Framework and policy alignment, consistency and rationalisation
Work Completed:
• Engaged external review on remuneration frameworks and policies to identify and address inconsistencies.
• Updated RemExpress to make it consistent with the new Group-wide Risk Classification Framework and to require consistent recording of STVR adjustments.
• Rationalised remuneration frameworks and policies.
Status: Embed/Monitor
Summary of further insights and actions:
• Continue to regularly review and rationalise (where appropriate) our remuneration adjustment and consequence management frameworks and policies, ensuring that the applied risk adjustment processes are clear, transparent and predictable.
CORE Workstream: Remuneration and Consequence Management

A4 Review consequence management outcomes for consistency
Work Completed:
• Introduced JUNO control that requires:
– Conduct matters be acknowledged, captured and responded to; and
– Consequence management outcomes be regularly reviewed for consistency across levels and divisions.
• Established JUNO control to review and update Group Consequence Management Framework and Code of Conduct annually.
Status: Embed/Monitor
Summary of further insights and actions:
• Monitor the impact of actions taken to ensure that the Group CMF is applied consistently and appropriately across divisions and levels in the organisation.
CORE Workstream: Remuneration and Consequence Management
A5 Accountability as subject of overt, Group-wide focus
Work Completed:
• Updated relevant policies with Group-wide definition of accountability; developed scenarios through ‘Navigate’ on this.
• Clarified accountability for GEs and GMs through BEAR.
• Enhanced remuneration and consequence management frameworks to clarify accountability (see A3).
Status: Embed/Monitor
Summary of further insights and actions:
• Monitor employee behaviours to ensure accountability is understood and demonstrated across all levels of the organisation, taking further actions where required.
CORE Workstream: Accountability and Decision Making in Practice

A6 Westpac’s propensity towards collective decision making
Work Completed:
• Embedded BEAR Accountability Statements to clarify GE accountability in decision-making processes.
• Documented for all committees their purpose, Chair and what decisions/approvals are made by the committee.
Status: Further steps
Summary of further insights and actions:
• Define accountability for individuals when they make decisions as part of a collective decision-making body.
CORE Workstream: Accountability and Decision Making in Practice
C1–C4 C1 – Leadership; C2 – Ways of working; C3 – Learning
Work Completed:
Updated wide range of cultural initiatives in light of the nine cultural traits identified in the 2018 Self-Assessment, including ‘Navigate’ program, simplification of the Service Promise, suite of leadership programs and ‘Motivate’.
Launched new initiatives associated with recommendations C1-C4, examples include:
C1: New GM1 ‘Executive Edge’ leadership program including Leadership 360;
C2: New Culture Assessment Framework, continuing to embed ‘Our Compass’, reinforcing the empowerment model to ‘Check, Confirm, Create’, and supporting Agile ways of working;
C3: Extensive Risk capability program including the ‘Risk Institute’ for all employees (also responding to recommendation G12); and
C4: The Motivate performance management framework – our approach to performance, development and reward – is well embedded across the Group, with target levels of achievement being exceeded across both measures. The new ‘Great Employee Moments’ recognition platform has been rolled out, providing a consistent platform across the Group with significant new recognition functionality.
All design actions in the work program addressing the recommendations have been completed. However, given the culture refresh work underway and that cultural transformation is necessarily a long-term initiative, we are maintaining recommendations C1-C3 as an ‘Open’ status and further actions in relation to those recommendations are incorporated in the CORE Program.
Status: Open
Summary of further insights and actions:
• Define the desired long-term cultural change to be realised by the CORE Program (either directly or as part of the broader Culture Roadmap) and prioritise short-term culture shifts, incorporating the cultural traits identified by the 2018 Self-Assessment and the Reassessment, as well as the Risk Culture target state and the Barrett values survey.
• Explicitly co-ordinate with ‘Risk Culture Behaviours and Measurement’ workstream and broader cultural change activities.
• Embed the existing Risk Culture framework to regularly assess risk culture across the Group.
• Define Westpac’s target risk culture by reference to the 2018 Self-Assessment cultural traits.
• Design, implement, and measure the effectiveness of actions to shift towards the target culture.
• Explicitly co-ordinate with ‘Executive Leadership Culture’ workstream to ensure actions are aligned and mutually reinforcing.
CORE Workstream: Executive Leadership Culture; Risk Culture Behaviours and Measurement
C4 – Reward and recognition
Status: Embed/Monitor
Summary of further insights and actions:
• Continuously monitor the impact of reward, recognition and consequence management on behaviours and culture, as part of ongoing monitoring of recommendations A1-A5.
CORE Workstream: Remuneration and Consequence Management
Appendix 2 List of abbreviations

The following abbreviations may appear throughout this report.

Abbreviation: Abbreviated term
AML: Anti-money laundering
APRA: Australian Prudential Regulation Authority
AUSTRAC: Australian Transaction Reports and Analysis Centre
BAC: Board Audit Committee
BAU: Business as usual
BEAR: Banking Executive Accountability Regime
BER: Board Effectiveness Review
BLRCC: Board Legal, Regulatory & Compliance Committee
BRC: Board Risk Committee
BRCC: Board Risk & Compliance Committee
BSR: Board Strategy Review
BTFG: BT Financial Group
CGA: Culture, Governance and Accountability
CGA Program: Culture, Governance and Accountability Program
CEO: Chief Executive Officer
CFO: Chief Financial Officer
CMF: Consequence Management Framework
CORE Program: Customer Outcomes & Risk Excellence Program
CRO: Chief Risk Officer
CVA: Cultural Values Assessment survey
DE: Design Effectiveness
DQR: Data Quality Review
EIP: Enterprise Investment Pool
EPC: Enterprise Portfolio Committee
EPGC: Enterprise Portfolio Governance Committee
EPOC: Enterprise Portfolio Oversight Committee
ET: Executive Team
FTE: Full Time Equivalent
GE: Group Executive
GM: General Manager
GM1: Managers one level below GM
IDR: Internal Dispute Resolution
IFTIs: International Funds Transfer Instructions
JUNO: JUNO is Westpac’s integrated risk and compliance system
3LOD: Three Lines Of Defence
LT: Leadership Team
NFR: Non-financial Risks
OE: Operating Effectiveness
ORiP: Operational Risk in Projects
PEFm: Project Execution Framework methodology
RAS: Risk Appetite Statement
RCSA: Risk and Control Self-Assessment
RISKCO: Group Executive Risk Committee
STVR: Short-Term Variable Reward
VRG: Variable Reward Guidance
WIB: Westpac Institutional Bank
Westpac Banking Corporation
Independent Assurance Over Westpac’s CGA Reassessment
27 May 2020
CONFIDENTIAL

Independent Assurance over Westpac’s Culture, Governance, and Accountability (CGA) Reassessment
Final Report (Executive Summary)
CONFIDENTIAL
Prepared for Westpac Banking Corporation
26 June 2020

Promontory Australia, a division of IBM
Level 3, 120 Sussex St | Sydney, NSW, 2000
+61 2 9478 8888 | promontory.com
Westpac Banking Corporation Independent Assurance over Westpac’s CGA Reassessment – Final Report 26 June 2020 CONFIDENTIAL

Promontory Australia, a division of IBM, has been engaged to provide external assurance to Westpac over its reassessment of its Culture, Governance and Accountability Remediation Plan. A representative of Westpac has reviewed a draft version of this Report for the purposes of identifying possible factual errors. Promontory is responsible for final judgement on all views and information in this Report. This Report is provided solely for the purposes described above. Promontory’s external assurance role may not incorporate all matters that might be pertinent or necessary to a third party’s evaluation of Westpac’s Management Review or any information contained in this Report. No third-party beneficiary rights are granted or intended. Any use of this Report by a third party is made at the third party’s own risk. Promontory is neither a law firm nor an accounting firm. No part of the services performed constitutes legal advice, the rendering of legal services, accounting advice, or the rendering of accounting or audit services.
Executive Summary

On 20 November 2019 the Australian Transaction Reports and Analysis Centre (AUSTRAC) lodged a Statement of Claim (SoC) in the Federal Court against Westpac Banking Corporation (Westpac or Bank) for failing to meet certain of its obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act).1

Following AUSTRAC’s action, on 16 December the Australian Prudential Regulatory Authority (APRA) wrote to Westpac, noting that the SoC pointed to fundamental deficiencies in Westpac’s risk management. As part of a number of supervisory actions, APRA required Westpac to undertake a reassessment of its 2018 Culture, Governance and Accountability (CGA) Self-Assessment and Remediation Plan (CGA Reassessment or Reassessment) to determine whether it is still ‘fit for purpose’. This was to be completed by 30 June 2020.

APRA required Westpac to arrange external independent assurance over the reassessment process and outcomes. Westpac engaged Promontory Australia (Promontory) to provide this assurance to the Board and to APRA. The assurance considers:
• The robustness of the reassessment process
• The sufficiency and completeness of the remediation plan
• The likely effectiveness of the remediation actions planned

Promontory’s assurance activities commenced in February 2020 and ran for a period of approximately five months, during which time we had extensive meetings with the Reassessment team and provided feedback, challenge and observations about the process, analysis, conclusions and draft plans. We reviewed a large number of documents provided by Westpac, including relevant policies, procedures and case studies. We also conducted a sample of interviews with senior Westpac representatives, and had a series of ‘deep dive’ sessions with the Reassessment team and other relevant Westpac staff.
Based on our activities, Promontory can provide the following assurances:

The reassessment process was robust.
• The process involved a thorough testing of the findings from the 2018 Self-Assessment through document reviews, board and committee papers, and interviews
• There was close analysis of the issues arising from a series of recent events and developments, including the AUSTRAC SoC
• The process included a thorough review of the progress with implementing the recommendations of the 2018 Self-Assessment report, and lessons from this implementation experience
• The process enabled the identification of several areas that require further work to address the root causes of CGA shortcomings
• There was a greater focus on the development of a more detailed and robust revised remediation plan

1 Chief Executive Officer of the Australian Transaction Reports and Analysis Centre v Westpac Banking Corporation ACN 007 457 141, 20 November 2019.
The overall remediation plan is sufficient and complete.
• The new remediation plan (the updated CGA Program, which Westpac is renaming the Customer Outcomes and Risk Excellence Program) builds on work done to date, but represents a substantial and more detailed ‘reset’ from the original remediation plan (original CGA Program)
• The updated CGA Program has a clearer vision, outcomes and structure, with fourteen workstreams that are more coherently linked to Westpac’s risk management shortcomings
  o The Program contains actions that appropriately cover the range of shortcomings and root causes that Westpac must address to uplift CGA frameworks and practices
  o There is a clearer statement of shortcomings and root causes that the Program seeks to address
• The updated CGA Program identifies four areas for further work to properly address the root causes of CGA weaknesses, and these have been appropriately derived from the Reassessment analysis
• There is an overall timeframe to March 2022 and key dates across all workstreams
• There is clear scope to build additional detail into the updated CGA Program during the coming implementation period to support effective execution

The remediation plan is likely to be effective.
• There are much clearer and stronger messages from the Board and senior management about the need for change to non-financial risk management and the importance of remediation
• The updated CGA Program has a much more robust governance structure that has been designed to ensure the resourcing, prioritisation and coordination necessary to drive implementation
• There is a stronger focus on outcomes, rather than just the completion of activities
• There is a better allocation of ‘ownership’ of workstreams and actions across group executives from across the Bank
• The updated CGA Program provides for better monitoring and consideration of interdependencies
• Further details to support outcomes and deliverables can be developed in the early implementation phase of the Program

In conducting our assurance, we note that the Reassessment was conducted diligently, thoroughly and professionally. The three principal conclusions about key root causes of CGA shortcomings, areas for further work, and the need to reset the CGA Program are impressively forthright. The members of the Reassessment team have shown themselves to be open to feedback about how to strengthen key elements of the design of the remediation plan.

The updated CGA Program provides the basis for a substantial and positive program of change. The decision to develop it as a ‘reset’ of the original CGA Program is sound. It builds on the work undertaken to date but extends this work in key areas based on the assessment of key recent events. The updated Program covers an appropriate range of issues to address Westpac’s CGA weaknesses, and it has a clearer focus on the root causes of these weaknesses. Promontory observes that the updated Program will benefit from additional operational details and these should be incorporated in the early part of the implementation phase.
Finally, we highlight the change in ‘tone’ in the Reassessment report and the updated CGA Program as they relate to the acceptance of deficiencies in Westpac’s non-financial risk management and the need for uplift in this area. The strength of the supporting messages coming from the Board, CEO and Senior Executives is critical to the success of a program of this nature. Ongoing review and engagement at this level will be vital. In this context, embedding a more prominent role for the Board, CEO and Senior Executives in a robust governance structure is a key improvement over the original CGA Program.

On the basis of our assurance we make the following five recommendations to the Board:
1. That the Board and Executive Team ensure a sustained commitment to and strength of message about the updated CGA Program
2. That there is clear and ongoing communication about how the updated CGA program supports good customer outcomes in ways that resonate across all areas of the bank
3. That the Board and Executive Team closely monitor the interdependencies within the updated CGA Program and between the Program and other programs of work underway at Westpac to help ensure more effective implementation
4. That the Board and Executive Team retain a clear focus on strengthening ‘risk culture’ within the overall program of work on cultural issues at the bank
5. That further work is undertaken in the early implementation phase of the updated CGA program to develop details of program design to support effective execution.