Culture, Governance and Accountability Reassessment Report
ASX Release
17 JULY 2020
Westpac releases Culture, Governance and Accountability Reassessment Report
Westpac has today released its reassessment of its culture, governance and accountability
remediation plan (CGA reassessment) which includes a comprehensive Group-wide
transformation program to strengthen management of non-financial risk across Westpac.
Westpac first completed a CGA self-assessment in November 2018 and developed a
remediation plan to address the recommendations. Following AUSTRAC’s Statement of Claim
in 2019, Westpac reassessed its remediation plan to ensure it remained fit for purpose.
The main conclusion from the reassessment is that important aspects of Westpac’s
non-financial risk culture are immature and reactive. The reassessment confirmed that Westpac was
overly complex which results in confusion around accountability and challenges in execution.
Shortcomings in the way Westpac manages non-financial risk have also been identified by each
of Westpac’s three lines of defence, with further change required to address identified
weaknesses.
Westpac Group CEO, Peter King, said: “Our reassessment confirms that our management of
non-financial risk is currently not at the standard we set for ourselves.
“It is clear we have more to do to address these shortcomings, including improving our risk
management capability and risk culture which is not where we want it to be. As a result, we are
embarking on a comprehensive, multi-year program called Customer Outcomes and Risk
Excellence (CORE). The program is a company priority and as CEO I’m accountable for its
delivery,” Mr King said.
The CORE program’s three key pillars are:
• Direction and tone set by Board and Group Executive – initiatives that set clear
direction and tone from leadership to promote a proactive risk culture.
• Clear risk boundaries for decision making – simplifying risk management
frameworks and increasing capability and resources in the Risk function.
• Accountable and empowered people – providing additional training and support for
employees to help them understand they all have a role in managing risk and driving
clearer accountability and decision making.
Westpac has already commenced its change program with several initiatives underway
including:
• Establishing a new Board Legal, Regulatory and Compliance Committee;
• Creating a new Group Executive role for financial crime, compliance and conduct to
drive more focus on these areas;
• Greater focus on banking businesses in Australia and New Zealand to simplify
operations and reduce risk;
• Implementing a new line of business operating structure that will clarify responsibilities
and improve accountability across the organisation;
• Enhancing capability across our three lines of defence, including appointing an
additional 240 experts across our risk and compliance functions. Through this work we
are continuing to identify further risk issues, which are being addressed as a matter of
priority.
“This program is comprehensive and where we find any new issues, they will be dealt with
promptly and as efficiently as possible,” Mr King said.
Promontory Australia provided independent assurance over Westpac’s reassessment and
concluded the reassessment was done ‘diligently, thoroughly and professionally’, and noted that
the new CORE program provides the basis for substantial and positive change.
The Reassessment Report and the Executive Summary of Promontory’s assurance report are
attached.
For further information:
David Lording, Group Head of Media Relations: 0419 683 411
Andrew Bowden, Head of Investor Relations: T. (02) 8253 4008, M. 0438 284 863
This document has been authorised for release by
Tim Hartin, General Manager &
Company Secretary.
Reassessment of the Culture, Governance and Accountability Remediation Plan
June 2020
Westpac Group – Reassessment of CGA Remediation Plan
Contents
Chapter 1: Foreword from the Chairman and CEO
Chapter 2: Context and scope
2.1 Westpac’s 2018 Self-Assessment and CGA Program
2.2 Requirement for a Reassessment
2.3 Approach to Westpac’s Reassessment
2.4 Scope of the Reassessment
2.5 Structure of the report
Chapter 3: Principal conclusions of the Reassessment
3.1 Analysis of recent developments has confirmed five root causes of continuing shortcomings
3.2 Further work is needed to fully address the root causes of shortcomings
3.3 Despite progress in closing recommendations, a Program reset is needed
Chapter 4: Shortcomings in culture, governance and accountability frameworks and practices
4.1 Summary of shortcomings identified in the 2018 Self-Assessment
4.2 Analysis of recent developments
4.3 Building First Line risk and control capability is a fundamental requirement for change
4.4 Recent developments not incorporated in the scope of the Reassessment
Chapter 5: Lessons learnt from the 2019 CGA Program
5.1 Review of the status of individual recommendations
5.2 Review of the CGA Program
5.3 CORE Program structure
Chapter 6: The CORE Program – 2020 and beyond
6.1 Pillars and Workstreams
6.2 Program Level Measurement
6.3 Communications and engagement
Appendix 1: Findings regarding recommendations and actions
Appendix 2: List of abbreviations
Westpac Banking Corporation ABN 33 007 457 141
Chapter 1
Foreword from the Chairman and CEO
In 2018, Westpac conducted a self-assessment of
culture, governance and accountability frameworks and
practices (“the 2018 Self-Assessment”). It identified 45
recommendations for improvement, principally focused
on Westpac’s management of non-financial risks. The
Culture, Governance and Accountability Program (“the
CGA Program”) was mobilised in January 2019 to
implement these recommendations.
Following the Australian Transaction Reports and
Analysis Centre’s (AUSTRAC’s) Statement of Claim in
November 2019, the Australian Prudential Regulation
Authority (APRA) required Westpac to conduct a
reassessment of the CGA Program to determine
whether it remains fit for purpose. This is an important
exercise. It comes at a time when we have identified
risk management, along with our customer franchise,
performance discipline, and digital transformation, as
one of four critical priorities for protecting and building
value for the long term. Since AUSTRAC’s Statement
of Claim we have announced important changes that
we anticipate will have a strong, positive impact on
Westpac’s management of risk and performance.
For example, our focus on simplifying our portfolio and
our products, together with streamlining and automating
processes, will help reduce complexity. We are moving
towards a clearer line-of-business operating model to
provide more clearly defined First Line accountability.
We have made a number of leadership changes and a
fundamental review of culture at a Group level has led to
a reset of our Culture Roadmap. These changes will take
time – we must stay the course.
The Reassessment highlights that important aspects
of Westpac’s non-financial risk culture have been
immature and reactive, and we recognise that we need
to change. The shortcomings identified in the 2018
Self-Assessment were serious and the report called out
that if we did not address this maturity gap, it could
contribute to further issues. Important changes have
been implemented since, but the change has been
incremental and the CGA Program as a whole has not
delivered sufficient momentum.
The Reassessment makes clear that what is required is a
program of deeper change. It emphasises the importance
of sound risk management, of high quality oversight by
the Board and Group Executive, strong risk capabilities, a
proactive risk culture, effective risk boundaries and timely
escalation of issues.
This Reassessment has been shared with all Westpac
employees. The active engagement and input of our
people is critical to this work: all of us have a role to play.
Regular updates will be provided to APRA, to investors
and our people, and there will be ongoing external
independent assurance of progress.
A commitment to change is at the heart of the updated
CGA Program. Westpac does not underestimate both
the magnitude of the changes that are required and
the effort involved. Improving culture, governance and
accountability frameworks and practices is a key priority
for Westpac’s management team under the strong
oversight of the Board.
John McFarlane
Chairman
Westpac Banking Corporation
Peter King
CEO
Westpac Banking Corporation
Chapter 2
Context and scope
2.1 Westpac’s 2018 Self-Assessment
and CGA Program
In 2018, APRA asked the boards of 36 financial
institutions to assess their organisation’s culture,
governance and accountability frameworks and practices
in light of issues identified by APRA’s Prudential Inquiry
into the Commonwealth Bank of Australia earlier
that year.
In response, Westpac commissioned an internal review
team to conduct its 2018 Self-Assessment, supported
by external consulting firm Oliver Wyman. Its objective
was to identify strengths and shortcomings related
to Westpac’s culture, governance and accountability
frameworks and practices, particularly as they affected
non-financial risk performance in the Bank’s Australian
operations and focused on events from July 2013 to
June 2018.
Westpac’s 2018 Self-Assessment, which contained 45
recommendations for improvement and to remediate
shortcomings, was endorsed by the Board and Group
Executive, submitted to APRA in November 2018 and
subsequently made publicly available.
To implement the recommendations, Westpac established
its Culture, Governance and Accountability – or “CGA” –
Program in January 2019 and has since provided public
progress reports on actions taken. Most recently, as part
of its Interim Results in May 2020, Westpac reported
that 30 recommendations had been implemented from
a design standpoint and were being embedded.
2.2 Requirement for a Reassessment
In November 2019, Westpac received a Statement
of Claim from AUSTRAC in relation to alleged
contraventions of obligations under the Anti-Money
Laundering and Counter-Terrorism Financing Act 2006.
The allegations, which remain before the court at the
time of preparing this report, included a failure to
report a large number of international funds transfer
instructions, and other issues relating to Westpac’s
processes, procedures and oversight.
In light of the magnitude of issues identified in
AUSTRAC’s Statement of Claim, APRA wrote to
Westpac on 16 December 2019 initiating a number of
supervisory actions. APRA noted that while Westpac’s
2018 Self-Assessment had identified recommendations
to strengthen its culture, governance and accountability
frameworks and practices, the issues identified in
AUSTRAC’s Statement of Claim prompted a reassessment
to determine whether Westpac’s CGA remediation plan:
• “Remains appropriate and ‘fit for purpose’”;
• “Targets the underlying root causes”; and
• “How execution risks in remediation can be better
managed”.
APRA stated Westpac’s Reassessment should “consider
developments since the completion of its 2018
Self-Assessment to verify if the existing recommendations
and actions remain fit for purpose and identify
additional recommendations and actions that should be
incorporated into the remediation plan”.
2.3 Approach to Westpac’s Reassessment
In response to APRA’s request, the Reassessment was
undertaken with oversight by Westpac’s CEO and led by
the Group Executive, Customer and Corporate Relations.
The Chairman, Board members, and the Group Executive
team, also provided significant input and oversight.
An internal review team, made up of members of the
existing CGA Program and a number of General Managers
with relevant subject matter expertise, supported by an
expert team from Oliver Wyman, undertook a detailed
review which included:
• Multiple feedback sessions with the Group Executive
and other senior managers;
• Analysis of approximately 500 documents including
individual framework policies and procedures,
Board committee papers, reports and minutes,
Executive Team papers and minutes, CGA Program
documentation, internal staff communications,
Human Resources data and culture surveys, emails
and correspondence generated since the 2018
Self-Assessment;
• Evidence-based discussions with approximately 50
employees, including Directors, Group Executives and
General Managers, focusing on specific examples of
risk management challenges, concerns and successes
over the past two years, and perspectives on the
implementation of the CGA Program to date and other
Group-wide transformation programs underway; and
• Detailed reviews of recent regulatory and compliance
related matters, including AUSTRAC’s Statement
of Claim, regulatory reviews of risk measurement,
management, and reporting practices, and reviews
of business conduct.
In determining whether the CGA Program is fit for
purpose, a consistent methodology was applied
to analyse the shortcomings identified in recent
developments and compare them to those identified
in the 2018 Self-Assessment.
The Reassessment has been independently assured
by Promontory Australia. Promontory examined the
robustness of the Reassessment process, resulting
updates made to the CGA Program and likely
effectiveness of the actions, and submitted its assurance
report to the Board and to APRA. Ongoing progress of
Westpac’s CGA Program will continue to receive external,
independent assurance.
2.4 Scope of the Reassessment
The core scope of the Reassessment, as was the case
for the 2018 Self-Assessment, was on Westpac’s culture,
governance and accountability frameworks and practices.
As such, matters outside this determination, such as
detailed analysis of particular risk classes or the way the
Bank manages financial risk, were not considered.
The Reassessment considered developments since
the 2018 Self-Assessment, between July 2018 and
March 2020, including AUSTRAC’s Statement of Claim.
While both strengths and shortcomings were observed
during the Reassessment process, the primary focus
for reporting has been shortcomings because these
are most likely to be relevant to the assessment of the
appropriateness of Westpac’s CGA Program.
The Reassessment was established with three key
objectives, aligned to APRA’s requirements:
• To determine whether Westpac’s CGA Program
sufficiently targets the underlying root causes of
shortcomings: The shortcomings identified in recent
developments were compared with those identified in
the 2018 Self-Assessment and CGA Program, enabling
an assessment of whether any underlying root causes
had not been appropriately targeted.
• To verify the relevance of existing recommendations
and actions and incorporate additional actions: The
recommendations and actions set out in the CGA
Program were reviewed to assess their relevance in
addressing the shortcomings identified in the 2018
Self-Assessment and in recent developments, and
updated as appropriate.
• To determine how execution risks can be better
managed: The effectiveness of the oversight and
management of the CGA Program was assessed based
on evidence of progress and management of execution
risks to date, and a set of better external practices for
mitigating execution risks identified.
In parallel to the Reassessment, a senior member
of the Westpac Risk function performed a review
of possible root causes contributing to Westpac’s
alleged anti-money laundering (AML) shortcomings, as
identified in AUSTRAC’s Statement of Claim. A review
of root cause now takes place at Westpac following a
significant incident. In reviewing this work as part of
the analysis of recent developments, the internal review
team found significant commonality between the root
causes identified as contributing to Westpac’s alleged
AML shortcomings, and those identified in the overall
Reassessment of the CGA Program. These causes have
been considered in this report.
2.5 Structure of the report
The remainder of the Reassessment is set out in Chapters
3 to 6:
• Chapter 3 summarises the principal conclusions of
the Reassessment;
• Chapter 4 lists the key shortcomings identified in the
2018 Self-Assessment, and updated based on the
shortcomings identified in recent developments and
root causes. It reviews recommendations and actions
taken to date and identifies areas where further actions
are required beyond those set out in the existing CGA
Program;
• Chapter 5 assesses the governance and management
of the CGA Program through to March 2020, and
identifies changes that are required to better manage
execution risks; and
• Chapter 6 sets out the required outcomes,
workstreams and metrics for the updated CGA
Program, renamed the “CORE Program”.
All recommendations included in the 2018
Self-Assessment are listed in Appendix 1, with an update
on their status and how they are carried forward in the
updated CGA Program.
Chapter 3
Principal conclusions of the Reassessment
Three principal conclusions of the Reassessment
1. Important shortcomings remain in Westpac’s culture,
governance and accountability frameworks and
practices. These are related to five root causes:
– An organisational construct that creates complexity;
– An immature and reactive risk culture in
non-financial risk management;
– A three lines of defence model that is not well
understood or embedded, particularly in the
First Line;
– A shortfall in sufficient non-financial risk
management capability; and
– Challenges in execution and staying the course.
2. Fully addressing root causes will require further work
in these key areas:
– Board and Executive oversight of non-financial risk;
– Risk culture;
– Risk boundaries, frameworks and capabilities; and
– First Line ownership and capability to manage risk.
3. The CGA Program has made progress in addressing
recommendations from the 2018 Self-Assessment.
However, given the magnitude of the necessary
change to address root causes, the CGA Program
requires a reset including more rigorous prioritisation,
co-ordination and oversight.
CGA Program reset: “CORE Program”
These principal conclusions have formed the basis of a
reset to Westpac’s CGA Program, renamed the Customer
Outcomes & Risk Excellence – or “CORE” – Program,
summarised below and detailed in Chapter 6.
3.1 Analysis of recent developments has
confirmed five root causes of continuing
shortcomings
The Reassessment has confirmed important
shortcomings remain in Westpac’s culture, governance
and accountability frameworks and practices. This is
related to five root causes below, that are consistent
with the cultural ‘DNA strands’ identified in the 2018
Self-Assessment. Explicitly stating the root causes is
critical to Westpac’s work to improve non-financial risk
management.
3.1.1 An organisational construct that creates complexity
Aspects of Westpac’s organisational design, including
unclear end-to-end accountability, create complexity.
This introduces inconsistency in the way risk is managed
across the Bank and impedes an ability to quickly and
accurately form an organisation-wide view of issues. This
is exacerbated by complex technology systems, including
many duplicate systems.
3.1.2 An immature and reactive risk culture in
non-financial risk management
Westpac’s risk culture has been immature and reactive in
the management of non-financial risk. Awareness of risks
and obligations has been inconsistent, and the Bank’s
approach to managing non-financial risk has not been
sufficiently proactive. Contributory behavioural traits
include a tendency to focus on individual issues rather
than broader shortcomings and inconsistent challenging
of assumptions from a risk perspective. These cultural
traits have contributed to continued shortcomings in
important elements of Westpac’s culture, governance
and accountability frameworks and practices.
3.1.3 A three lines of defence model that is not well
understood or embedded, particularly in the First Line
Westpac’s three lines of defence model has not been
consistently understood and embedded. This has blurred
boundaries and meant some things ‘fall through the
cracks’ as roles, responsibilities and accountabilities can
be unclear. These issues have been particularly evident in
the First Line where stronger ownership of risk outcomes
is required.
3.1.4 A shortfall in sufficient non-financial risk
management capability
In some areas, Westpac employees have not had
sufficient capability to manage non-financial risk and
compliance obligations effectively.
3.1.5 Challenges in execution and staying the course
Westpac’s tendency to privilege conceptual work over
execution creates challenges in effective management
of non-financial risk. This can result from insufficient
discipline in prioritising, a tendency to focus on
conceptualisation over embedding, and undue caution
which has been described as an organisational imperative
for safety.
3.2 Further work is needed to fully address
the root causes of shortcomings
While the Reassessment found Westpac’s CGA
Program has delivered important changes to address
shortcomings, in many cases they have been incremental.
The Reassessment identified that additional actions,
many of which are underway, are needed to fully address
root causes in the key areas below.
3.2.1 Board and Executive oversight of non-financial risk
Given the complexity of non-financial risk issues,
oversight of non-financial risk by the Board and Executive
Team is being refocused.
The Board has instituted changes that are in progress.
These include the formation of a new sub-committee of
the Board Risk Committee, the Board Legal, Regulatory
& Compliance Committee, to focus on specific
non-financial risks, allowing the Board Risk Committee
to spend more time setting and ensuring adherence
to risk appetite, current and future risk policies, and
mitigating market and operational risks. Each Committee
will have a different mix of Directors who will continue
to apply constructive challenge, scrutiny and insight to
risk governance and risk culture. The frequency of the
Committees’ meetings will also increase.
The renewed CORE Program includes actions to review
recently implemented and impending changes to the
operation and structure of the Board Risk Committee and
Board Legal, Regulatory & Compliance Committee.
Given the number of non-financial risk management
issues experienced in recent years, the Group Executive
must prioritise its oversight of improvements to culture,
governance and accountability frameworks and practices.
The CORE Program includes actions to strengthen
executive leadership of risk management and culture,
such as setting and role modelling behaviours that
promote sound risk management.
3.2.2 Risk Culture
The Reassessment confirms that in some respects
Westpac’s risk culture – the shared beliefs, attitudes and
norms employees use to consider, identify, understand,
discuss, and manage current and emerging risks the Bank
is exposed to – remains reactive, and action to strengthen
it needs to be prioritised.
A new Risk Culture workstream within the renewed CORE
Program, which closely aligns with work underway on
Westpac’s Culture Roadmap, incorporates actions to
embed a robust risk culture framework across the Bank.
Data and assessment tools will be used to identify and act
on risk culture at a divisional and Group level.
A priority for the Bank’s culture work will be to strengthen
psychological safety, as the Reassessment identified that
in some situations, leaders had reacted to incidents with
a focus on who is to blame rather than what to learn. It is
important this trait does not develop further at Westpac.
The CORE Program focuses on actions to promote
a risk culture of learning from events and improving,
and actions that empower employees to make good
decisions. Westpac desires a culture where accountability
is a value associated with high performance rather than
consequence.
3.2.3 Risk boundaries, frameworks and capabilities
The 2018 Self-Assessment recognised it would take
significant investment and time to develop the required
level of maturity in non-financial risk management and,
in the interim, the maturity gap may contribute to further
issues. This has proved to be the case.
Clearer prioritisation features in the renewed CORE
Program for the Second Line in setting frameworks,
controls (including policies and limits), and standards
for use across the Group. This includes a focus on
frameworks being clear and consistent to support
effective risk challenge, oversight and First Line decision
making. Capability is being built in the Risk function to
do so effectively.
3.2.4 First Line ownership and capability to manage risk
Stronger ownership and capability in risk management is
required in the First Line, across all employees regardless
of whether their roles are customer-facing or functional,
such as technology and operations. The CORE Program
emphasises the need to identify and achieve minimum
professional standards to bring consistent capability,
so that First Line decision makers are able to exercise
effective risk-weighted judgement. This includes work
to address continued weaknesses in project execution
that impede sound risk outcomes. Additional actions
for building stronger accountability in practice are
incorporated into a new stream of the CORE Program,
Accountability and Decision Making in Practice.
A strong link is made in the CORE Program between
First Line risk decisions and the need for clear risk
boundaries. If risk boundaries are well understood and
the consequences of operating outside them clear, then
employees can have optimal space – the authority and
empowerment – to identify and select from different
options to best manage risk in the business.
3.3 Despite progress in closing recommendations,
a Program reset is needed
The shortcomings identified in the Reassessment
were broadly consistent with those in the 2018
Self-Assessment. The CGA Program must continue to focus
on the effective design and embedding of the existing
recommendations from the 2018 Self-Assessment and
has made progress in a number of areas.
However, given the magnitude of the necessary
change, the Program must execute with a clearer and
more consistent understanding of the link between
individual actions and their impact on remediation of
root causes. More rigorous Program-level prioritisation
and co-ordination of outcomes and interdependencies
is required to fully address root causes and mitigate
execution risks. There has been a significant reset of the
CGA Program to achieve this:
• Stronger Program-level oversight from the Board and
Group Executive, in addition to existing oversight of
activity at the level of individual recommendations;
• Articulating and communicating the CGA Program
as a critical organisational priority;
• A clear focus on outcomes (as well as activity);
• A stronger role for business leaders and functional
leaders, modelling the strengthened role for the First
Line in risk management generally;
• Increased central capacity and capability for
co-ordination of deliverables and interdependencies;
• Formal mechanisms for quick escalation of contentions
and Program decisions; and
• Broader engagement with Westpac’s people to ensure
the Program is seen as each employee’s responsibility
rather than the responsibility of the Risk Function.
To signal these changes, the renewed CGA Program
has been renamed the Customer Outcomes & Risk
Excellence – or “CORE” – Program. This aims to reflect
its importance as a core strategic priority for the Bank
and to demonstrate that excellence in risk management
aligns with Westpac’s desire to continue improving
outcomes for customers. Improving culture, governance
and accountability frameworks and practices is critical to
doing the right thing by customers, through the products
and services provided, the way in which customers’
concerns are addressed, and the clarity, professionalism
and integrity that guides decision making.
The CORE Program has established three pillars, and
14 workstreams highlighted in Figure 1 and described
in more detail in Chapter 6. The three pillars will help
the Program integrate and co-ordinate resources to
accomplish its purpose as simply as possible, with the
right weight and focus. Chapter 6 details the root causes
each pillar of the program addresses, together with the
outcomes and progress indicators for each workstream.
Activities, milestones and outcomes will be closely
co-ordinated with other strategic transformation
programs underway across Westpac.
While the anticipated delivery date for the final
milestones of the CORE Program will be March 2022
(allowing the time to embed required changes to focus
more strongly on outcomes), it is anticipated that the
actions – particularly around culture – will continually
evolve into the future.
Figure 1: Updated CGA Program, “CORE Program” Design
Pillars
Direction and tone set by Board
and Group Executive
Clear risk boundaries for
decision making
Accountable and empowered people
What good
looks like
• Customer outcomes improve
because the direction and tone set
by the Board and Group Executive
promotes a proactive risk culture.
• Clear direction for risk appetite and
culture is set by the Board, and risk
management and performance
is governed with constructive
challenge.
• Clear expectations for culture,
governance and accountability are
set by executives and they role
model behaviours for a proactive
and systematic risk culture.
• A transformation in our culture and
the way we identify, understand and
act on risk, driven by our leaders.
• Customer outcomes improve
because our people make decisions
within clear risk boundaries.
• Risk management frameworks,
policies and limits are robust, clear
and fit for purpose.
• Risk boundaries are applied
consistently and supported by the
right data, systems and controls.
• Risk professionals have the skills,
experience and confidence to
provide the right balance of
challenge and insight to decision
makers across the Bank.
• Customer outcomes improve
because our people know they are
accountable and empowered to
own the risks in their role.
• First Line demonstrates strong
capability to manage risks, issues
and controls.
• Decisions are made and change is
executed with clear authority and
within understood boundaries, with
each line playing its role.
• Individuals respect the right of the
accountable person to decide on a
course of action but provide input
to decisions and always speak up
proactively if they see unethical or
non-compliant behaviour.
Workstreams
and sponsors
Board Governance of
Non-Financial Risk
Risk Frameworks
Managing Risk in the
First Line
Chairs of the BRC and BLRCC Chief Risk OfficerChief Executive, Consumer
Executive Leadership
Culture
Second Line Risk
Roles & Capability
Issues Management
Group Executive,
Human Resources
Chief Risk Officer
Group Executive, Financial Crime,
Compliance and Conduct
Risk Culture Behaviours &
Measurement
Conduct RiskControls
Chief Risk Officer
Group Executive, Financial Crime,
Compliance and Conduct
Group Executive, Financial Crime,
Compliance and Conduct
Enterprise
Prioritisation
Customer Complaints
Chief Information Officer
Group Executive, Customer and
Corporate Relations
Remuneration &
Consequence Management
Change Management
& Delivery
Group Executive,
Human Resources
Chief Information Officer
Accountability &
Decision Making in Practice
Group Executive, Human Resources
Program
objective
Improving Customer Outcomes and Risk Excellence (CORE)
A clear path forward, getting it right the first time
Related
Strategic
Priorities
Technology
Technology Execution Strategy
Risk Management
Financial Crime Program
Organisational Design & Culture Road Map
Lines of Business
Desired Culture Roadmap
Despite Westpac’s 2018 Self-Assessment identifying
multiple shortcomings in culture, governance and
accountability frameworks and practices, it is possible a
focus on the positive high-level findings of that report
may have contributed to many in the Bank not fully
appreciating the cumulative impact of the issues.
For this reason, the principal shortcomings identified
in the 2018 Self-Assessment are listed together in
Section 4.1, grouped under the same six themes.
For each theme, the Reassessment internal review
team has linked the shortcomings identified in the 2018
Self-Assessment to the relevant root causes summarised
in Chapter 3 of this Reassessment, an important insight
for fully remediating the issues.
4.1 Summary of shortcomings identified
in the 2018 Self-Assessment
References in quotations throughout this section are to
verbatim findings in the 2018 Self-Assessment, reflecting
shortcomings identified at that time.
4.1.1 Board and Senior Management
The 2018 Self-Assessment identified that:
• Some Directors said they had difficulty “digesting the
sheer volume and complexity of the information they
are given”;
• Directors would at times “like management to be more
forthright in their reporting and escalation of issues”,
avoiding a tendency “to focus on the good news”;
• Board and senior management decisions about
investment through Westpac’s largest funding pool,
the Enterprise Investment Pool, may on occasion
“inadvertently underweigh risk considerations”;
• BRCC and RISKCO papers indicated that some
non-financial risks had been “regularly out of appetite”,
and associated actions were “not always taken as
promptly as expected”;
• Given that “prompt and effective issue resolution
and closure are crucial to a robust risk and control
environment, a more stringent approach to oversight”
was required; and
• Westpac’s tendency to “perpetuate complexity by
introducing, among other things, new committees”,
led to “capacity and execution constraints”, and “a
lack of clarity of accountabilities and introduction of
additional risk”.
Root Causes:
• Organisational complexity coupled with an
immature and reactive risk culture can challenge
Westpac’s ability to identify and report issues
promptly and clearly; and
• Three lines of defence not well understood or
embedded, particularly in the First Line, leading to
a number of issues ‘falling through the cracks’ as
accountabilities were not sufficiently clear.
Shortcomings in culture, governance and
accountability frameworks and practices
Chapter 4
4.1.2 Risk management and compliance
The 2018 Self-Assessment identified that:
• Line 1 did “not always take ownership of, and
accountability for, the risks of the business”;
• “The separation between Line 1 and Line 2 has been
blurred” because “Line 2 performs activities that
should be performed by Line 1, often to compensate
for inadequate Line 1 maturity”;
• “Skills and capabilities to manage risk and
compliance across all three lines of defence should be
strengthened”;
• “Senior Compliance representation” was “incomplete
at the divisional and functional executive team levels”;
• At times, “Group Audit has not exerted sufficient
influence to ensure that risks and issues were given the
necessary attention”;
• There was “limited detail in [non-financial] risk appetite
articulation” and “metrics have not been established
for each specific compliance and conduct risk”;
• Absence of “a sufficiently granular control language
could hamper Westpac’s ability to identify gaps in
the control environment or systemic breakdowns in
controls”;
• Division-specific risk policies and processes “added
complexity and, at times, challenged Westpac’s ability
to form an aggregate view of certain risks”;
• Businesses ran on “multiple overlapping systems, with
associated multiple processes”, and this “increased
complexity and therefore risk”; and
• Risk and Compliance needed to “place more emphasis
on change management to ensure that policies are
understood and adhered to in Line 1.”
Root Causes:
• Three lines of defence model not well understood or
embedded, particularly in the First Line, is the primary
root cause of these shortcomings; and
• A shortfall in sufficient capability in non-financial
risk management, an immature and reactive risk
culture and organisational complexity have also been
significant causal factors.
4.1.3 Issue and incident management
The 2018 Self-Assessment identified that:
• “Processes to identify systemic issues are constrained
by the need to manually aggregate and analyse
Issue data”;
• Limitations in the JUNO¹ control system “may constrain
Westpac’s ability to understand the nature and
significance of control breakdowns”;
• Issues identified by Line 1 were “not always effectively
closed” and “30% of open issues are extended”, 13%
“are extended more than once”;
• Issues identified by Group Audit, or by regulators, were
“extended more often than issues identified by Line 1
and Line 2”;
• Employees “lack confidence that action will be
taken” unless issues were “the subject of regulator or
media scrutiny”;
• “Too short a period of time to rectify issues” was
frequently assumed, “only to later identify that a
longer period was needed”, “often because of system
complexity”;
• Greater focus was “placed on Issue identification than
on Issue assessment, resolution and closure in relevant
policies and frameworks”;
• Despite “a notable uplift” ahead of the 2018
Self-Assessment, there were “opportunities to
strengthen customer complaint and issue reporting”,
and a recognised need “to rationalise systems into a
single platform” and adopt a “Group-wide approach
to customer complaint management”; and
• There was not “a single, Group-wide approach to
handle whistleblower investigations consistently”
across the Bank.
Root Causes:
• Organisational complexity and an immature and
reactive risk culture can challenge Westpac’s ability
to identify and prioritise issues, and this has been
exacerbated by blurring of accountability;
• In a number of cases, the root cause is also linked
to a shortfall in sufficient capability in some areas
of non-financial risk management; and
• Some shortcomings relate to challenges in execution
and staying the course.
1. JUNO is Westpac’s integrated risk and compliance system.
4.1.4 Financial prioritisation
The 2018 Self-Assessment identified that:
• “The absence of risk analysis in submissions” to the
Enterprise Investment Pool meant that “decisions
whether to endorse an initiative may not have taken
adequate account of non-financial risks”;
• “Pressure to adhere to initial cost estimates” could
“result in extensions to project schedules, reduction in
scope and compromised solution design”, and in some
cases solutions that didn’t “adequately take account
of risk”;
• The Finance and HR functions were perceived as
“exerting considerable influence and control over
businesses” which could hamper their “ability to make
appropriate and timely decisions”; and
• The absence of a “sufficiently robust approach to
manage non-financial risk” created instances when:
“risks are not identified; the gravity, extent and
implications of risks are not appreciated; mitigants are
not identified; risks are not given due attention”.
Root Causes:
• Challenges in execution and insufficient prioritisation
of risk, together with a shortfall in capability in some
areas of non-financial risk management, are at the root
cause of the majority of these shortcomings.
4.1.5 Remuneration and other consequence management
The 2018 Self-Assessment identified that:
• Westpac had “taken action to enhance and simplify
remuneration frameworks and practices”, and several
“strengths” were identified in these enhancements, but
“a range of shortcomings and opportunities to enhance
frameworks and practices were identified” to bring
about and report the desired risk-based remuneration
consequences;
• There was “significant divisional, front versus back
office, and GM versus GM-1 variation in consequence
management and remuneration outcomes”;
• The concept of accountability was “not elevated
among Westpac’s five core values”;
• Accountability was “sometimes difficult to establish”,
with a “strong tendency toward collective decision
making”, the “absence of formalised end-to-end
accountability of processes that cut across business
units”, and “a lack of role clarity including residual
blurring of Line 1 and Line 2”; and
• Given the infancy of BEAR and its implementation at
Westpac, the 2018 Self-Assessment concluded that
“the effects of BEAR in practice” were “yet to be seen”.
Root Causes:
• Organisational complexity was a critical causal factor
of shortcomings relating to inconsistent frameworks
and variations in practices; and
• Three lines of defence model not well understood
or embedded, particularly in the First Line, was the
primary root cause for shortcomings relating to
accountability.
4.1.6 Culture
The 2018 Self-Assessment identified that:
• There was “a demonstrable need for more focused
leadership actions, at all levels, to bring the values to
life for employees”. 45% of employees surveyed for the
2018 Self-Assessment agreed that Westpac “is better
at talking about the values than putting them into
practice”;
• Without ingrained awareness of non-financial risk,
it is likely that “some employees will make
inappropriate trade-offs” (for example to the detriment
of compliance requirements);
• Over-collaboration drove “an unnecessarily high level
of meetings and committees, excessive numbers of
people involved in decisions, slowness, and diffusion
of accountability”;
• “Insufficient personal ownership” led to “diffused
accountability”, “challenges to ownership of issues
and outcomes”, and “constraints on responding to
service difficulties”, all of which had a “bearing on
the effectiveness and efficiency with which risk,
compliance and customer matters” were managed;
• Many employees “resign themselves to complexity
as the natural state of affairs at Westpac, and their
response to that complexity was often to wrap
more complexity around it, potentially adding risk
in the process”;
• “More work” was needed “to increase employee
comfort” to speak up, and to address “hierarchical
behaviour” and “listening by leaders”, who needed to
“seek out and be open to feedback and raised issues”;
• There was “insufficient discipline in prioritising, making
decisions and saying no”, which meant that Westpac
could “struggle to cut through and attain clarity as to
matters most needing attention”; and
• It was noted that “learning and reflection” were
“not sufficiently incorporated in day-to-day
operating rhythms”.
In the 2018 Self-Assessment, the analogy of “corporate
DNA” was used to summarise how these cultural traits
combined in three deeply interwoven “strands”:
• An organisational tendency to cultivate complexity;
• A tendency to privilege upfront conceptual work over
execution and implementation; and
• An organisational imperative for safety, both at a
company and employee level.
All five of the root causes summarised in Chapter 3 of
this Reassessment are reinforced by deeply embedded
cultural traits. There is a strong focus on actions to
address cultural traits in many of the workstreams in
the CORE Program and through a number of strategic,
organisational, leadership and operational changes
beyond the Program.
4.2 Analysis of recent developments
The Reassessment analysed whether the shortcomings
identified in the 2018 Self-Assessment explain
developments since then. This was necessary to address
APRA’s request that Westpac assess the fitness for
purpose of its CGA Program, given it was established to
remediate these issues.
In analysing developments since the 2018
Self-Assessment, the Reassessment team:
• Performed detailed reviews of a number of regulatory
and compliance related matters faced by Westpac
since the 2018 Self-Assessment, including multiple
regulatory reviews of risk measurement, management,
and reporting practices, and reviews of business
conduct. For each of these matters a consistent
methodology was applied to identify the issues and
root causes, and compare them to those identified in
the 2018 Self-Assessment;
• Held interviews with Westpac Directors, Group
Executives, General Managers and other staff, across
the Bank. These interviews were evidence based,
focusing on specific examples of risk management
challenges, concerns and successes over the past two
years; and
• Reviewed documentary evidence, focusing primarily
on evidence relating to risk shortcomings, issues
and incidents. The Internal Review Team also read
all papers presented and discussed at the BRCC and
RISKCO since September 2018 to understand the
issues that have been identified and how those issues
have been reported and taken forward. Group Audit
reports were also reviewed.
Additionally, a robust diagnosis of culture was undertaken
early in 2020 using the Barrett Cultural Assessment Tool
and other culture data, including responses from monthly
sentiment surveys. The initial results of that diagnostic
were made available to the internal review team during
the course of the Reassessment, and its high-level
findings have been compared to the nine cultural traits
identified in the 2018 Self-Assessment. As in the 2018
Self-Assessment, positive traits within the culture enable
Westpac to perform well for customers most of the time;
but the Bank’s culture also inculcates behaviours that
contribute to shortcomings, and the Reassessment has
primarily attempted to identify and understand those
shortcomings rather than culture in totality.
As outlined in Chapter 3, the conclusions from this
analysis of recent developments are:
• Important shortcomings remain in Westpac’s culture,
governance and accountability frameworks and
practices;
• Analysis of recent developments has confirmed five
root causes of these shortcomings:
– An organisational construct that creates complexity;
– An immature and reactive risk culture in
non-financial risk management;
– A three lines of defence model that is not well
understood or embedded, particularly in the
First Line;
– A lack of sufficient capability in non-financial risk
management; and
– Challenges in execution and staying the course.
These root causes are consistent with the DNA strands
identified in the 2018 Self-Assessment. Explicitly
identifying these root causes in the Reassessment is
critical to Westpac’s work to improve non-financial
risk management.
In four key areas further action is needed in the
CORE Program to address fully the root causes of the
shortcomings and deliver the required outcomes. This
must occur in closer co-ordination with other strategic
transformation programs underway at Westpac. These
four areas are:
• Board and Executive oversight of non-financial risk;
• Risk culture;
• Risk boundaries, frameworks and capabilities; and
• First Line ownership and capability to manage risk.
Table 1 sets out these four areas in further detail, including
the work that has been undertaken since the 2018
Self-Assessment to address them and the further actions
now incorporated in the CORE Program. Of these four
areas, the one that requires a change from every Westpac
employee relates to risk ownership and capability. This
requirement is fundamental to tackling the maturity
gap in the management of non-financial risk. Following
Table 1, a specific commentary is provided, setting out in
more detail what this requirement demands in practice.
Table 1: Analysis of recent developments – areas where further action is needed
1. Board and Executive oversight of non-financial risk
Reassessment Conclusions
Given the complexity of non-financial risk issues, Westpac needs to refocus oversight of non-financial risk at
Board and Group Executive level.
At the Board level, this has implications for Board Committee structures, charters and reporting practices,
so the Board is best placed to continue engaging in constructive challenge, scrutiny and oversight.
Given the number of non-financial risk management issues experienced in recent years, further improvements
in culture, governance and accountability frameworks and practices are required and must be critical priorities
for the Group Executive.
Detailed Findings
• The oversight of non-financial
risks and issues remains an
urgent priority, notwithstanding
improvements made since 2018.
• A number of non-financial risk
appetite statements and metrics
remain at too high a level to drive
effective Board or RISKCO action
and lack robust data in reporting.
This can make it challenging to
synthesise insights.
• BRCC and RISKCO agendas
remain long with lengthy papers,
impeding meeting efficiency and
potentially making it more difficult
to identify and oversee risk.
• Directors assert that “message
management” has lessened but
remains a relevant issue.
Progress made under CGA Program
• Nine recommendations in the
2018 Self-Assessment focused
on Board and RISKCO reporting
and their response to risks out
of appetite, outstanding issues,
and complaints.
• These recommendations have
progressed through the design
effectiveness stage gate and
ongoing work is underway to
embed them.
• New Board and RISKCO templates
and practices have been
developed and implemented
(but more work is needed to see
improvement in insight and paper
length).
• Customer complaint reporting has
been enhanced.
• A Board Legal, Regulatory
& Compliance Committee
(BLRCC) has been established
and the Board Risk Committee
(BRC) is being adapted to cover
key risks/themes.
New actions under CORE Program
• New actions in the ‘Board
Governance of Non-Financial Risk’
workstream to review recently
implemented and impending
changes to the operation and
structure of the BRC and BLRCC.
• This work will also incorporate
relevant recommendations from
the AUSTRAC Advisory Panel
Report.
• New actions in the ‘Executive
Leadership Culture’ workstream to
strengthen executive leadership of
risk management and culture.
• Board and Executive oversight
of the CORE Program has been
strengthened.
Table 1: Analysis of recent developments – areas where further action is needed (continued)
2. Risk culture
Reassessment Conclusions
The Reassessment confirms that Westpac’s risk culture remains reactive principally in relation to non-financial
risk management.
It is important for the Board and Group Executives to receive and respond to feedback on how culture is helping
or hindering Westpac’s progress towards the goal of a proactive and systematic risk culture.
Detailed Findings
• The nine cultural traits set out in
the 2018 Self-Assessment continue
to contribute to shortcomings in
recent developments.
• Non-financial risk is seen as more
of a priority, although more focus
is needed.
• Risk culture was a root cause of
shortcomings in the management
of certain non-financial risks,
through tendencies to:
– Focus on individual issues
rather than broader
implications;
– Be reactive rather than
proactive;
– Be too satisfied with a sense
of success;
– The ‘voice of Risk’ being
too faint;
– Be too insular in the approach
to managing certain risks; and
– Be ineffective in escalating
concerns and challenging
assumptions.
• The role of senior management
in leading risk management and
setting the tone for risk culture
is key.
• Recent developments highlighted
a tendency to cultivate complexity.
• Some leaders react to incidents
with a focus on who is to blame
rather than what to learn. This
is partly connected to people’s
response to BEAR requirements.
However, it is important that this
trait does not develop further
at Westpac.
Progress made under CGA Program
The 2018 Self-Assessment
contained four broader culture
recommendations linked to Westpac’s
Culture Roadmap:
• The ‘Navigate’ program has further
embedded the Westpac values;
• The Service Promise has been
simplified;
• The existing suite of leadership
programs has been updated to
increase focus on risk;
• The behaviours-first ‘Motivate’
performance management system
has been updated; and
• A risk culture framework has
been developed and piloted, with
ongoing reporting to RISKCO
and BRCC.
New actions under CORE Program
• Actions in the ‘Risk Culture
Behaviours and Measurement’
workstream to drive risk culture,
with Group Executive leadership
and clear co-ordination of Risk
and HR expertise in setting and
measuring risk behaviours.
• These actions recognise the
vital role of leadership action in
changing culture and will be linked
to the updated Culture Roadmap.
• Developing a set of defined
role model behaviours which
promote sound risk management
and a proactive and systematic
risk culture.
• Actions to embed the Risk
Culture Dashboard and Maturity
Self-Assessment process.
• New actions will be taken
to define and strengthen
psychological safety, and to
monitor and mitigate any
tendency to blame individuals
when issues occur.
Table 1: Analysis of recent developments – areas where further action is needed (continued)
3. Risk boundaries, frameworks and capabilities
Reassessment Conclusions
Clearer prioritisation is required in the updated CGA Program for the Second Line in setting frameworks,
controls (including policies and limits) and standards for use across the Group.
This is to be supported by increased capability and capacity in the Second Line Risk function.
Detailed Findings
• The relevant shortcomings identified
in the 2018 Self-Assessment continue
to apply to recent events.
• Blurred roles and responsibilities
between Line 1 and Line 2 continue
and were highlighted in a number of
the recent developments.
• Capability and resource gaps
remain in Line 2, and there is limited
capacity at senior levels within Risk
which is creating a bottleneck for
risk uplift and change.
• There are shortcomings in Westpac’s
ability to effectively identify the
root causes of issues, and issues
have not been closed promptly
and effectively.
• In some areas risks and associated
obligations were not sufficiently
understood, including the
implications of not meeting
those obligations.
• Clarity and granularity of non-
financial risk appetite needed
improvement; and certain risks
were continuously out of appetite.
• Multiple systems and data
definitions continue to challenge
Westpac’s ability to manage
issues. This reflects and amplifies
organisational complexity.
• Westpac experiences challenges
in remediating issues raised by its
regulators in a sufficiently timely and
effective way. Sometimes regulatory
scrutiny was needed to get things
moving in areas where the issues
were already known.
• While accountability for Group
Executives is clearer as a result
of formal changes such as
implementation of BEAR and
strengthening of remuneration
frameworks, more guidance is
needed on how accountability
applies in practice for employees
at all levels.
Progress made under CGA Program
• Nine recommendations in the 2018
Self-Assessment focused on risk
roles and capabilities across the
three lines of defence, and on risk
appetite statements, taxonomy,
policies and controls (including for
conduct and reputation).
• Seven of these nine remain
in design. Progress has been
made with design principles
and divisional plans set for
three lines of defence role
clarity, and diagnosis complete
of the associated capability
requirements.
• Four further issue-related
recommendations require
upgrades to JUNO control
systems which have now been
scheduled.
• 270 new risk roles across all three
lines of defence are in recruitment.
New actions under CORE Program
• Recommendations from the 2018
Self-Assessment remain critical
and are embedded in workstreams
in two organising pillars: ‘Clear
risk boundaries for decision-
making’ and ‘Accountable and
empowered people’. This reflects
the importance of ownership in
both Line 1 and Line 2.
• As a number of recommendations
relating to risk boundaries are in
design and have long-dated final
milestones, tighter management
of timescales, milestones and
outcomes is a key focus for the
CORE Program.
• Commence a strategic ‘reset’ of
the conduct risk program through
a dedicated ‘Conduct Risk’
workstream.
• Workstreams to strengthen issues
management and controls will
be sponsored by Line 1 General
Managers, given the importance
of embedding these initiatives in
business processes.
• Dependencies with relevant
technology initiatives beyond
JUNO will be tightly co-ordinated
to simplify and automate controls
and processes where possible.
Table 1: Analysis of recent developments – areas where further action is needed (continued)
4. First Line ownership and capability to manage risk
Reassessment Conclusions
The CORE Program must emphasise more strongly First Line leadership in risk management.
This must include a major emphasis on First Line accountability for effective risk-weighted judgement
in decision making.
It must also emphasise the upskilling of all employees in risk identification, assessment, mitigation, and in
issue management.
There is a strong link to the previous finding, in that clarifying risk boundaries helps sharpen the accountability
and authority (empowerment) of First Line decision makers to manage risk.
Detailed Findings
• Ownership and accountability for
risk in the First Line continues
to be inconsistent and there are
significant risk capability gaps.
• In some areas there was
insufficient expertise, resourcing
and systems to manage some
risks and to consistently meet
obligations.
• Employees do not always feel they
are sufficiently empowered to fulfil
their roles and responsibilities.
• Risk considerations were not
always appropriately factored
into decision making. In
some recent developments,
commercial arguments sometimes
took precedence over risk
requirements.
• Continued shortfalls in project
execution impede sound risk
outcomes in certain projects.
• There is still a proliferation of
committees, driven among
other things by a lack of clear
accountability.
Progress made under CGA Program
• Two recommendations from the
previous section focusing on
boundaries have a strong impact
on First Line accountability
(three lines of defence roles and
capabilities).
• Seven additional
recommendations have a
significant impact on First Line
accountability and have been
refined in the CORE Program.
Four (G31-3, G35) relate to
Enterprise Investment and Project
risks, and three (A5-6, G34) to
accountability in practice.
• A recommendation to rationalise
divisional governance forums and
sharpen individual accountability
has delivered a first round of
reductions in and clarifications
of committees, with more work
to do.
• In addition, the four culture
recommendations all impact
strongly on First Line risk
management. These have been
incorporated within the updated
Culture Roadmap.
New actions under CORE Program
• The recommendations from the
2018 Self-Assessment relating
to three lines of defence roles
and capabilities remain fit for
purpose, and the CORE Program
has increased First Line leadership
of work to address them.
• New actions aim to sharpen
accountability and risk-weighting
in decision making (at
Enterprise, project and
business-as-usual levels).
• First Line ownership is needed
for effective non-financial
risk management, and four
workstreams – ‘Managing
Risk in the First Line’, ‘Issues
Management’, ‘Controls’ and
‘Customer Complaints’ – will
require key First Line action.
4.3 Building First Line risk and control capability
is a fundamental requirement for change
Both the 2018 Self-Assessment and the Reassessment
found inconsistent risk and control capability contributed
to Westpac’s shortcomings in non-financial risk
management. Given that risk originates in all business
activity, all employees – whether in customer facing or
support roles – must have the core skills to consider,
identify, understand, discuss and manage current and
emerging risks. Every First Line employee must have the
capability to:
• Proactively and systematically manage risks relevant
to their role;
• Describe how risk appetite relates to them and what
risks are within and outside their risk appetite;
• Describe the risks relevant to their role and the impact
those risks could have; and
• Understand the key controls they need to manage
those risks and if they are working.
Together with these behavioural elements, more
consistent risk infrastructure also needs to be evident
across the First Line. This includes stated risk appetite
with clear measures, clear risk profiles, end-to-end
process and control maps (with accountabilities and
responsibilities defined) and compliance plans that are
clearly articulated, linked to process and controls.
To achieve this, an important action of the CORE
Program is to identify minimum professional standards
that aim to improve the capability of First Line decision
makers to exercise effective risk-weighted judgement.
A number of enterprise-wide metrics will be used to
monitor and provide insight into the progress of building
risk capability and ownership and they are outlined in
Section 6.2.
4.4 Recent developments not incorporated
in the scope of the Reassessment
Since the commencement of the Reassessment, a
number of organisational changes have been made
that are anticipated to have a strong, positive impact
on Westpac’s risk management. However, given their
implementation commenced in parallel with the
Reassessment, they have not been considered in the
review of recent developments:
• Confirmation of the Bank’s strategic geographic market
focus to Australia and New Zealand, together with
investments to simplify and automate processes and
systems, both expected to reduce complexity;
• Commenced the move away from full matrix reporting
and shifting to a clearer line-of-business model, also
expected to reduce complexity and provide more
clearly defined First Line accountability, with each area
directly accountable for financial, risk and compliance,
performance and customer outcomes; and
• A number of leadership changes and a fundamental
review of culture at a Group level.
These changes will take time and require disciplined
execution and persistence. Progress measures will be
developed to assess their success in changing behaviour
to address the detrimental strands of ‘corporate DNA’
identified in the 2018 Self-Assessment. The Executive
Team, with the Board’s oversight, will work to define
these metrics.
Although an evaluation of the likely impact of these
changes has not formed part of the scope of the
Reassessment, appropriate steps have been taken to
co-ordinate activity between these initiatives and the
CORE Program.
Since establishing the CGA Program in January 2019,
30 of its 45 recommendations had been implemented
from a design standpoint as announced in Westpac’s
Interim Results in May 2020.
As part of the Reassessment, the current status of work
was reviewed in relation to all 45 recommendations,
and the oversight and management of the Program as
a whole. The Reassessment found that this work has
delivered important changes to address shortcomings,
but that in many cases change has been incremental and
additional actions are needed.
At the commencement of the Reassessment, the CGA
Program was continuing to implement recommendations
from the 2018 Self-Assessment. Naturally, a number
of those recommendations addressed complex and
underlying shortcomings that would take time to
resolve. As a result, many recommendations remain,
appropriately, work in progress.
5.1 Review of the status of individual
recommendations
The status of all 45 recommendations and how each has
been incorporated into the renewed CORE Program is
detailed in Appendix 1. In summary:
• 14 recommendations are in the ‘further steps’ stage
– these have been implemented from a design
standpoint and work is ongoing to progress them to
final closure. The Reassessment has identified further
insights and actions that should be incorporated into
the CORE Program. In some cases, this will require
additional design activity;
• 12 recommendations are ‘open’ – these remain
in the design stage of development, and further
insights generated through the Reassessment will be
incorporated into updated plans within the relevant
workstream; and
• 19 recommendations are at the ‘embed/monitor’
stage – these have been implemented from a design
standpoint and work is ongoing to progress them to
final closure, after which they will be monitored for
ongoing effectiveness within the BAU environment.
5.2 Review of the CGA Program
The CGA Program has established firm foundations,
but significant changes are required for Westpac
to manage fully the execution risks of the Program,
summarised below.
5.2.1 Active role for the Group Executive and Board
The Executive Steering Group and the Board were
important governance fora in establishing, directing
and overseeing progress of the CGA Program from its
inception in January 2019. The Executive Steering Group
had met six times by the end of March 2020 to review
overall Program progress, undertaken deep dives into
specific recommendations, and challenged capacity
and other Program constraints. The Board received a
Program-level progress update at each Board meeting
since December 2018.
However, the strongly functional nature of the delivery
of the CGA Program made it challenging to oversee
the co-ordination of progress across the Program. The
Program’s focus on activity measurement rather than
outcomes also contributed to this issue. Scrutiny of
individual initiatives will continue at the relevant Board
or Executive governance forum, however there will be
increased focus on oversight of the Program as a whole.
At the Program level, the Chairman and CEO will both
sponsor the Program and lead discussion at Board
and at the Executive Team. The CEO, a member of the
Executive Steering Group in his previous role before his
appointment as CEO, will now Chair it.
Given recent developments, the successful achievement
of the CORE Program’s outcomes is one of Westpac’s
four strategic priorities. This message has been, and
continues to be, clearly communicated by the Chairman
and CEO.
5.2.2 Clear co-ordination of the CORE Program with
other initiatives
On its establishment, the CGA Program was one of a large
number of priority initiatives in Westpac. It was overseen
separately from these other initiatives, and without any
formal co-ordination of outcomes, activities, investment
or business engagement.
Linkages to other initiatives have been explicitly
recognised in the design of the renewed CORE Program,
particularly in relation to Lines of Business and the
Culture Roadmap. Dependencies with those initiatives
will be managed both at the workstream and Program
level, and the CORE Design Authority will provide an
accelerated decision forum for managing conflicts and
making trade-offs.
Support from the Central Program Authority will help
accountable Executives and General Managers in putting
forward the right case for change and associated
investment requirements where resources are required
to deliver against milestones.
Lessons learnt from the 2019 CGA Program
Chapter 5
5.2.3 Focusing on root causes and outcomes as well
as on activity
The CGA Program prioritised on-time delivery of planned
activities, partly to avert a cultural trait, highlighted in the
2018 Self-Assessment, to prioritise conceptualisation over
execution. However, as there was no articulated target
state for the CGA Program or enterprise-wide outcomes
and metrics to track progress, recommendation owners
may have prioritised achieving activity by a target date
over embedding change to achieve a target outcome.
The root causes of shortcomings have been identified
explicitly in the Reassessment to enable workstream
leaders to validate that activity is addressing the
appropriate underlying causal factors. Additional actions
have been identified and incorporated in the relevant
workstreams as a result. Target state outcomes for each
organising pillar, and outcomes and progress measures
set at a workstream level.
5.2.4 A strong role for business leaders as well
as functional leaders
Functional leaders in Legal, Customer & Corporate
Relations, HR, and Risk assumed accountability for
workstreams in the CGA Program when it was first
established. This has been important in generating robust
technical solutions and effective integration with existing
and complementary initiatives. However, this approach
did not fully consider the importance of including First
Line leadership in the formulation of effective and
sustainable solutions.
In the CORE Program, a number of workstreams have
First Line leaders as sponsor, and for all workstream
initiatives, all relevant lines of business will be required
to input and challenge design, and then lead relevant
implementation and embedding into their divisions. The
explicit identification and tracking of outcome metrics,
most of which require change in business practices to be
achieved, supports a much stronger business focus in the
Program as a whole.
5.2.5 Tighter Program management of deliverables
and interdependencies
In the initial CGA Program, delivery of individual
recommendations sometimes prioritised the work
required to close the design of their own activities,
with less focus on understanding or managing the
inter-relationships between recommendations, either
in their design or in their business operation. This was
not an issue for recommendations with straightforward,
short-term deliverables, but created significant challenge
for recommendations that required longer dated and
more complex milestones, business engagement and
cross-functional activities.
The governance of the renewed CORE Program includes
a strong Central Program Authority with clear milestone
tracking to monitor progress against more granular
definitions for each stage gate, and towards clearly
articulated closure end states. Interdependent initiatives
have been grouped into workstreams under the oversight
of accountable Group Executives and General Managers.
Effective identification and management of all relevant
interdependencies will be a critical element of stage-gate
submission and assurance. Interdependencies
between CORE Program deliverables and other elements
of the strategic transformation initiatives will be clearly
identified and co-ordinated.
5.2.6 Engaging employees
Many Westpac employees understood that the 2018
Self-Assessment contained significant implications for
roles, responsibilities and capabilities across the Bank.
However, there was a perception shared by many that its
most important implications were for the Risk function,
a perception reinforced by the Risk function leading most of
the implementation activity. Employee engagement was
also impacted by the fact it took many months for the
2018 Self-Assessment to be circulated to all employees.
In the CORE Program, there is a dedicated change and
engagement team, working with workstream sponsors
to identify, plan, resource and deploy the required
communications and change management support
within and across divisions and businesses. First Line
leaders and change practitioners will co-ordinate activity
at a divisional and business level after workstream
deliverables move from the design to the implement
and embed stage.
The CEO has Executive accountability for the CORE
Program, and executive sponsorship of the Program
is with the Group Executive, Customer & Corporate
Relations. They will both have the CORE Program as a
key element of their communications and engagement
activity with all employees across the Bank. The Program
now has a full-time Communications Director, and
communications and engagement will clearly signal its
implications and expectations for everyone in the Bank,
irrespective of role.
5.3 CORE Program structure
Based on the lessons learnt from the 2019 CGA Program, the CORE Program structure has been enhanced as
shown in Figure 2.
Program Structure
• Board Chairman and CEO (accountable for CORE Program to the Board)
• Executive Sponsor (Group Executive, Customer and Corporate Relations)
• Executive Steering Committee
• CORE Design Authority
• Integrated Delivery
• Assurance
• Central Program Office: Program Director; Portfolio Management; Project Managers; Risk SMEs; Change and Communications
• Dedicated Functional Points of Contact: Finance; HR; Other (as required)
Responsibilities
Board Chairman and CEO: The Chair has Board accountability and the CEO is accountable for the CORE Program to the Board.
Executive Sponsor: Accountable for CORE Program outcomes, including holding GEs/GMs to account, and reporting progress
to the regulator with the support of the CEO and CRO.
Executive Steering Committee: Responsible for overseeing strategic aspects of the program of work, monitoring and guiding
performance, and assisting in the mitigation of any material risks or issues that impede the satisfactory progress of the
workstreams and the overall program of work.
Central Program Authority: Central program office responsible for establishing co-ordination across the workstreams,
and monitoring, reviewing, reporting and supporting the integrated delivery of workstream outcomes for the program of work.
CORE Design Authority: Responsible for making major decisions across workstreams, making calls on inter-program
prioritisation, resolving inter-program conflict, and ensuring long-term capabilities are being built.
Integrated Delivery: Co-ordinated sequencing of change and communications delivery.
Assurance: Provides independent assurance to ensure completeness.
GE Workstream Sponsor: Accountable for workstream outcomes and progress indicators and supporting the GM Workstream
Owner with the agreed project of work.
GM Workstream Owner: Responsible for delivering workstream outcomes and progress indicators, and partnering with the
central program team to manage integrated delivery and assurance requirements.
Figure 2: CORE Program structure
Central Program Authority
CORE Pillars and Workstreams
1. Direction and Tone set by Board & Group Executive: Board Governance of Non-Financial Risk; Executive Leadership Culture; Risk Culture Behaviours & Measurement; Remuneration & Consequence Management; Enterprise Prioritisation
2. Clear Risk Boundaries for Decision Making: Risk Frameworks; Second Line Risk Roles & Capability; Conduct Risk
3. Accountable and Empowered People: Managing Risk in the First Line; Issues Management; Controls; Customer Complaints; Change Management & Delivery; Accountability and Decision Making in Practice
To trigger the deep change required to address Westpac’s
non-financial risk shortcomings, the Bank has undertaken
a significant reset of its existing CGA Program, including
reorientation of actions to form clearer links to root
cause remediation, and more rigorous prioritisation
and co-ordination.
As a clear signal of these changes, the renewed CGA
Program has been renamed the Customer Outcomes
& Risk Excellence – or ‘CORE’ – Program. This reflects
its objective to improve customer outcomes and
demonstrates its importance as a core strategic priority
for the Bank.
The activities, milestones and outcomes of the CORE
Program will be closely monitored and public progress
reports made. Work will also be co-ordinated with
other strategic transformation programs underway
across Westpac.
6.1 Pillars and Workstreams
Activities fall into 14 workstreams, grouped under
three pillars which are designed to help integrate and
co-ordinate resources to accomplish outcomes as simply
as possible, with the right weight and focus. The three
pillars are:
1. Direction and Tone set by Board and Group Executive:
recognising that co-ordinated and committed
leadership direction and tone are critical to remediating
the five root causes identified in the Reassessment;
2. Clear Risk Boundaries for Decision Making: providing
clarity to employees on risk settings, maximising
their room to make good risk decisions within these
boundaries; and
3. Accountable and Empowered People: helping First
Line decision makers to manage risk effectively,
identify and resolve issues, exercise effective controls
and manage projects and change.
These pillars are outlined below together with detail on:
• What good looks like;
• The root causes being addressed; and
• Workstreams, and their outcomes, owners and
progress measures.
Chapter 6
The CORE Program – 2020 and beyond
6.1.1 Pillar 1 – Direction and Tone set by Board and Group Executive
Strong direction and tone set by the Board and Group Executive will be essential to address all five root causes.
Workstream 1: Board Governance of Non-Financial Risk
Outcome:
• Clear direction for Westpac’s risk appetite and risk culture is set by the Board and there is strong governance of all aspects of risk management.
Owner: Sponsored by the Chairs of the Board Risk Committee and Board Legal, Regulatory & Compliance Committee
Progress Indicator (note 1):
• Board-endorsed consequences for overdue issues and/or risks out of appetite for extended periods.

Workstream 2: Executive Leadership Culture
Outcome:
• Leaders role model Westpac’s desired risk culture including risk management behaviours and practices as a part of Westpac’s broader cultural state.
Owner: Group Executive, Human Resources
Progress Indicator (note 1):
• Leaders are provided feedback through 360 feedback survey on demonstrating management of risk culture.

Workstream 3: Risk Culture Behaviours and Measurement
Outcome:
• Robust risk culture data and assessment processes are used by management to scrutinise and enhance risk culture towards Westpac’s established target state, enabling the Board and Executive to have oversight of risk culture across the Group.
Owner: Chief Risk Officer
Progress Indicator (note 1):
• Divisions use the new risk culture capabilities to challenge their risk management practices and behaviours and implement initiatives that improve them.

Workstream 4: Enterprise Prioritisation
Outcome:
• Enterprise investment decisions are risk-based and the Board has visibility of the risk trade-offs made in formulating investment decisions.
Owner: Chief Information Officer
Progress Indicator (note 1):
• Demonstrated and traceable consideration of risk in key prioritisation decisions.

Workstream 5: Remuneration and Consequence Management
Outcome:
• Consequence management and remuneration adjustment frameworks work together to reinforce positive, and deter negative, risk behaviours and are used effectively and consistently in practice to achieve their goals.
• Expected behaviours are reinforced through remuneration and performance management policies and practices.
Owner: Group Executive, Human Resources
Progress Indicator (note 1):
• Clear evidence that poor risk behaviour outcomes consistently result in individual consequences, and that exceptional risk behaviours are rewarded.

What good looks like:
• Customer outcomes improve because the direction and tone set by the Board and Group Executive promotes
a proactive risk culture.
• Clear direction for risk appetite and culture is set by the Board, and risk management and performance is
governed with constructive challenge.
• Clear expectations for culture, governance and accountability are set by executives and they role model
behaviours for a proactive and systematic risk culture.
• A transformation in our culture determines the way we identify, understand and act on risk, driven by
our leaders.
1. One Progress Indicator described from each stream for brevity.
6.1.2 Pillar 2 – Clear Risk Boundaries for Decision Making
Establishing clear risk boundaries for decision making will address the root causes relating to embedding and
understanding of three lines of defence particularly in the First Line, capability in non-financial risk management and
organisational complexity.
Workstream 6: Risk Frameworks
Outcome:
• Implementation of robust Risk Management Frameworks (documents) provide clear and consistent boundaries for risk appetite and tolerance, and support governance over effective risk challenge and decision making.
Owner: Chief Risk Officer
Progress Indicator (note 2):
• Cascaded and clearly understood risk appetite statements across the Group.

Workstream 7: Second Line Risk Roles and Capability
Outcome:
• Roles and responsibilities for the Second Line are clear.
• Second Line Risk specialists have the required experience and skill.
• Risk capability is maintained through a comprehensive risk training and education curriculum.
Owner: Chief Risk Officer
Progress Indicator (note 2):
• Second Line Risk experience, skills and confidence – evidence of newly formed or strengthened risk expertise and skillsets including 90% of new or open roles filled in non-financial risk classes; evidence of Risk engagement through membership at appropriate divisional Leadership Team forums.

Workstream 8: Conduct Risk
Outcome:
• Business is conducted in a way that provides suitable, fair and clear outcomes for our customers and to support market integrity.
• All our staff quickly identify, report and respond to material conduct risks.
• Establishing and maintaining a reputation as a trusted and safe bank is recognised as being critical to the continued operation of our business.
Owner: Group Executive, Financial Crime, Compliance and Conduct
Progress Indicator (note 2):
• Increased transparency and visibility of conduct risk through a uniform and standard way of measuring and assessing conduct risk.

What good looks like:
• Customer outcomes improve because our people make decisions within clear risk boundaries.
• Risk management frameworks, policies and limits are robust, clear and fit for purpose.
• Risk boundaries are applied consistently and supported by the right data, systems and controls.
• Risk professionals have the skills, experience and confidence to provide the right balance of challenge and
insight to decision makers across the Bank.
2. One Progress Indicator described from each stream for brevity.
6.1.3 Pillar 3 – Accountable and Empowered People
Accountability and empowerment in First Line risk management will address all five root causes relating to
moving from a reactive to a proactive risk culture, embedding and understanding of the three lines of defence,
challenges with execution and staying the course, capability in non-financial risk management in the First Line and
organisational complexity.
Workstream 9: Managing Risk in the First Line
Outcome:
• Required risk capabilities are in place in the First Line, in conjunction with the Lines of Business program.
• Appropriately skilled and accountable people are working in aligned operating models and teams in all First Line Divisions across the Group.
Owner: Chief Executive, Consumer
Progress Indicator (note 3):
• Improved risk capability through delivery and implementation of risk fundamentals programs.

Workstream 10: Issues Management
Outcome:
• Management of issues is improved through the establishment of a systematic approach to root cause analysis and effective issue resolution across the organisation.
Owner: Group Executive, Financial Crime, Compliance and Conduct
Progress Indicator (note 3):
• Evidence of behavioural uplift in root cause analysis and improved quality of issue definition and closure assessed through sampling.

Workstream 11: Controls
Outcome:
• A robust control environment is embedded in which:
  – Risk control owners know their controls and understand their responsibilities;
  – Risk control owners are supported by fit for purpose systems, tools, processes and guidance;
  – Key controls are in place for all material risks across the value chain;
  – Controls are well documented, operate effectively, and are regularly tested and monitored; and
  – Any control weaknesses are promptly identified and effectively addressed.
Owner: Group Executive, Financial Crime, Compliance and Conduct
Progress Indicator (note 3):
• Improvements in controls testing outcomes and in level of controls testing by First Line.

Workstream 12: Customer Complaints
Outcome:
• Westpac’s approach towards Complaints management creates a strong culture that welcomes feedback and values complaints.
• Complaints are resolved quickly and directly, within mandatory timeframes, with care, objectivity and ‘fairness’; and complaints data is used to improve products and processes.
Owner: Group Executive, Customer and Corporate Relations
Progress Indicator (note 3):
• Improved outcomes for customers with complaints – ease, speed, quality and satisfaction metrics.

What good looks like:
• Customer outcomes improve because our people know they are accountable and empowered to own the risks
in their role.
• First Line demonstrates strong capability to manage risks, issues and controls.
• Decisions are made and change is executed with clear authority and within understood boundaries with
each Line playing its role.
• Individuals respect the right of the accountable person to decide on a course of action but provide input
to decisions and always speak up proactively if they see unethical or non-compliant behaviour.
3. One Progress Indicator described from each stream for brevity.
Workstream 13: Change Management & Delivery
Outcome:
• Programs and projects have clear accountable and responsible persons who understand the expectations of successful delivery.
• Strong risk management practices are in place for both delivered and delivery risk, and programs and projects receive ongoing, transparent reporting to make decisions.
• When issues are identified they are escalated and addressed, with lessons learnt and applied to future programs and projects.
Owner: Chief Information Officer
Progress Indicator (note 4):
• Number of Accountable Sponsors with an ‘effective’ operational effectiveness rating for key delivery controls.

Workstream 14: Accountability and Decision Making in Practice
Outcome:
• Our people have the accountability, authority and skills they need to fulfil their roles.
• Our People Leaders provide clear authority to their people and monitor and verify progress, taking the opportunity to coach, course-correct and encourage challenge throughout.
• Our people and People Leaders are clear on their individual accountabilities, as well as the context and structural accountability framework they operate within.
Owner: Group Executive, Human Resources
Progress Indicator (note 4):
• Culture measures demonstrate improvement in clarity of accountability.

4. One Progress Indicator described from each stream for brevity.
6.2 Program Level Measurement
A set of enterprise-wide metrics have been identified to track the progress of CORE at a Program level, and how
the progress indicators in each workstream are contributing to sustained improvement in non-financial risk maturity.
These are summarised below:
Pillar 1: Direction and Tone set by Board and Group Executive
Pillar 2: Clear Risk Boundaries for Decision Making
Pillar 3: Accountable and Empowered People

Lead Indicators
• Speak Up (Pulse)
• Risk policy rationalisation
• Proportion of issues raised by First Line
• Role modelling (Pulse)
• Second Line Effectiveness (Audit, Pulse)
• Extended or overdue High-rated issues
• BRC/BLRCC actions completed on time and Group RISKCO actions completed on time
• Role Clarity (Pulse)
• Completion of mandatory leader training
• Committees Rationalised
• Shorter papers to RISKCO and Board
• On-time ownership of new incidents
• Controls rated Requires Improvement or Unsatisfactory

Lag Indicators
• Non-financial risks (NFR) out of appetite
• Timeliness of mandatory and voluntary breach reporting
• Critical/High NFR incidents
• Misconduct cases
• Number of conduct breaches reported to regulators
• Severe Complaints

Program Delivery
• Completion of scheduled key milestones (Pillars 1, 2 and 3)

These metrics are based on currently available management information and are indicators of Program progress.
The scope of the CORE Program includes the development of insights and metrics relating to the behavioural traits
that underlie shortcomings relating to culture, governance and accountability practices.
6.3 Communications and engagement
Critical to the success of the CORE Program in meeting
its objectives is its active adoption by all Westpac
employees. Managing risk must be seen as each individual
employee’s responsibility rather than the responsibility of
the Risk Function.
An integrated communications strategy has been
developed to bring CORE to life with foundational,
Group-wide and targeted areas of focus. There will be
co-ordinated sequencing of change and communications
delivery to all employees.
As such, communication about the CORE Program will
be Bank-wide, emphasising that managing risk is a core
part of everyone’s role, whether on the front line or in a
support function. An example of how this message may
be made to stick is by use of an easy-to-recall acronym,
such as “I AM RISK”:
• IDENTIFY risk as part of normal business operations;
• ACCOUNTABLE for understanding and remaining
within risk limits;
• MANAGE risks proactively, following key controls and
complying with policies;
• RAISE my hand when I see a potential issue;
• INVOLVE others, including Risk specialists, to learn
from their experience and networks;
• STAY ALERT for changes that may elevate or introduce
new risk; and
• KNOW that it is a privilege to take risk for Westpac
and customers, and always keep that responsibility
front of mind.
This is the aspiration for every Westpac employee.
Appendix 1
Findings regarding recommendations
and actions
Westpac’s 2018 Self-Assessment provided
45 recommendations to address shortcomings in
Westpac’s governance, culture and accountability
frameworks and practices. Action has been taken against
all recommendations.
These actions have been assessed to determine how
effectively they have addressed the shortcomings and
their associated root causes:
• 14 recommendations are in the ‘further steps’ stage
– these have been implemented from a design
standpoint and work is ongoing to progress them to
final closure. The Reassessment has identified further
insights and actions that should be incorporated into
the CORE Program. In some cases, this will require
additional design activity;
• 12 recommendations have been assessed as ‘open’ –
these remain in the design stage of development, and
further insights generated through the Reassessment
are incorporated into the updated plans within the
relevant workstream; and
• 19 recommendations are at the ‘embed/monitor’
stage – these have been implemented from a design
standpoint and work is ongoing to progress them to
final closure, after which they will be monitored for
ongoing effectiveness within the BAU environment.
Activity for all recommendations will transition into one of
the 14 workstreams in the renewed CORE Program, along
with the four new actions introduced in Table 1, where
further insights and actions from this Reassessment will
inform the design, implementation and embedding of
activity in the relevant workstream.
A summary of the work completed to date, status and
further steps required for each recommendation is
included in the following table.
G1. Topic: BRCC agenda review
Work Completed:
• Added new BRCC meeting to annual cycle.
• Added standing agenda item to discuss meeting efficiency at BRCC meetings.
• Established new practice where BRCC meetings begin with discussion of top risks and issues.
• Established BLRCC to allow more time for BRCC to focus on other risk matters.
Status: Embed/Monitor
Summary of further insights and actions:
• Monitor the ongoing efficiency and effectiveness of the BRC/BLRCC agenda and operations.
CORE Workstream: Risk Frameworks

G2. Topic: BRCC and RISKCO reporting
Work Completed:
• Updated report template and page length limit, supported by training and guidance notes.
Status: Further steps
Summary of further insights and actions:
• Streamline and improve quality of BRC/BLRCC reporting.
• Strengthen capability and templates to improve reporting.
CORE Workstream: Risk Frameworks

G3. Topic: Board Audit Committee (BAC) membership
Work Completed:
• Formalised BRCC Chairman as a member of BAC.
Status: Embed/Monitor
Summary of further insights and actions:
• None.
CORE Workstream: Risk Frameworks

G4. Topic: BAC and BRCC reporting of issue extension
Work Completed:
• Updated reporting to BAC and BRCC to include issue extension information.
• Changed process such that issues can only be extended where ‘credible pathway’ exists.
Status: Embed/Monitor
Summary of further insights and actions:
• Monitor the ongoing appropriateness of reporting of high-rated issue extensions to the BAC and BRC/BLRCC.
CORE Workstream: Risk Frameworks

G5. Topic: Reporting of ‘tail’ customer complaints
Work Completed:
• Updated reporting to include long-dated complaints.
• Introduced standing agenda at monthly Board meeting on long-dated and complex complaints, including deep dives and red flags assigned to long-dated complaints that warrant further scrutiny.
Status: Further steps
Summary of further insights and actions:
• Update complaints reporting to further highlight to the Board which complaints are serious and extreme.
CORE Workstream: Customer Complaints

G6. Topic: Investment allocation decisions
Work Completed:
• Updated Enterprise Investment Pool (EIP) submissions to include description of risks arising from an initiative, and the risks of not proceeding.
• Introduced new practice where ET presents Board with portfolio view of EIP submissions and risks.
Status: Embed/Monitor
Summary of further insights and actions:
• None – further actions have been defined as part of G31.
CORE Workstream: Enterprise Prioritisation

Reassessment of CGA Remediation Plan31
Appendix 1Findings regarding recommendations and actions
Westpac Group
#TopicWork CompletedStatus
Summary of further
insights and actions
CORE
Workstream
G7Risk appetite• Performed review of
‘out of appetite’ risks by
Divisional CROs.
• Established interim
measures to improve
transparency of progress
to return to appetite.
Further
steps
• Work with the relevant
accountable owner of
each plan to bring risks
back within appetite
to ensure sufficient
prioritisation and urgency
is being applied.
• Where there is no
credible pathway or long
timelines, ensure there is
a discussion at the ET/
Board level to accept
this risk if appropriate or
take other measures, e.g.
withdrawing from specific
business activities.
Risk
Frameworks
G8 Issue resolution
and closure
• Updated Issue and
Action Management
Policy to allow issue
extension only where
‘credible pathway’ exists.
• Reviewed long-standing
issues in each division,
in line with new
requirements regarding
‘credible pathways’.
• Developed Line 1 Issue
Ownership Plan to
embed target behaviours
regarding issue resolution.
Further
steps
• Take appropriate actions
to close long-outstanding
issues and high-rated
long-outstanding issues
as a matter of the
highest priority.
Issues
Management
G9 G2, G4–G8 as
they apply to
the ET and
RISKCO
• Relevant updates to
BRCC/BAC reporting
have been reflected in
RISKCO reporting.
• ET Customer Forum exists
to discuss complex open
complaints cases.
• ET receives individual
EIP submissions with
risk analysis.
Further
steps
• Assess the efficiency with
which time is utilised
and the adequacy of the
time allocated overall for
RISKCO.
• Streamline and improve
the quality of RISKCO
reporting.
Risk
Frameworks
G10 Rationalisation
of governance
committees
• Established a
Committee Map showing
dependencies between
committees to perform
committee rationalisation
exercise. This decreased
committees by 16%.
• Interviews conducted
with GMs to identify and
confirm root causes of
committee proliferation.
• Established Group
Committees Register and
Committee Operating
Principles.
• Created Standard
templates for committee
agendas, papers and
minutes.
Further
steps
• Further rationalise
committees, with central
oversight of divisional
rationalisation efforts.
Accountability
and Decision
Making in
Practice
G11 Three Lines
of Defence,
Divisional
CROs
• Actions taken to address
G11.1 completed as part of
A1-A4.
• Designed a new three
lines of defence (3LOD)
model, including through:
–Establishment of
governance forums
to oversee design
of the 3LOD future
state and to resolve
complex issues;
–New Line 1 Risk and
Compliance teams
within divisions; and
–Creation of detailed
implementation plans
to implement the 3LOD
future state.
• Increased Divisional CRO
team resources; agreed
and announced a new
Divisional CRO matrix
reporting structure.
Further
steps
• Ensure the enterprise
capability uplift
developed as part of
G12 includes relevant
training and education
to front-line business.
• Progress and adjust
current and planned
actions on 3LOD uplift
including:
–Review divisional
implementation
plans for consistency
and monitor
implementation; and
–Work with the divisions
to develop a targeted
and consistent
communications plan.
Managing Risk
in the First Line
• Progress and adjust
current and planned
actions on 3LOD uplift,
including:
–Resolve residual issues
in the understanding of
the role of the Line 2
Risk function;
–Ensure that all
remaining open points
on 3LOD target state
are closed; and
–Ensure that
representatives from
front-line businesses
(i.e. not from the Line
1 Risk teams) are
engaged in the design
and implementation of
G11.2 going forward.
Second Line
Risk Roles and
Capability
G12 Skills,
capabilities and
stature
• Approved extensive risk
training program with
adequate funding, tailored
to role types developed
as part of G11.
• Approved 270 new risk
Full-Time Equivalent
(FTE) employees to
uplift capability.
• Designed program to
rotate employees in
Lines 2 and 3.
Open
• Progress with current
and planned initiatives.
Managing Risk
in the First Line
Second Line
Risk Roles and
Capability
G13 The risk
and control
environment
• Developed new
Bank-wide risk taxonomy,
and approved funding
to review and update
controls in accordance
with the taxonomy.
• Linked material
obligations in compliance
obligations library to
risk taxonomy, and to
controls.
• Uplifted control
self-assessment process
(one common process
yet to be developed).
• Developed new process
to identify new and
emerging risks, including
new paper at RISKCO
and BRCC.
Open
• Integrate compliance
and operational risk
assessments into one
common process.
• Progress and adjust
current and planned
actions on taxonomy and
controls including:
–Provide training
across 3LOD on new
taxonomy, its objective
and purpose;
–Embed the new risk
taxonomy;
–Develop common
control taxonomy; and
–Identify and remediate
controls and gaps and
weaknesses; address
flow-on impacts.
• Enhance the compliance
obligation library to
ensure it is comprehensive
and has a consistent level
of detail across the Group.
• Link any new or changed
obligations to risks and
controls.
• Confirm that the
identification and
reporting of new,
emerging and heightened
risks is complemented
by equivalent actions
to manage these risks
effectively.
Controls
G14 Setting and
monitoring risk
and compliance
appetite
• Developed new qualitative
statements of appetite
and metrics for each risk
in the new risk taxonomy.
• Developed new Risk
Management Framework
requiring risk appetite
to be articulated and
measured across
the Group.
Open
• Progress and adjust
current and planned
actions on RAS roll-out,
including:
–Define qualitative
statements of appetite
and metrics for Level 1
risks;
–Update Group-wide,
Divisional and ET RAS
for new statements and
metrics and cascade as
appropriate;
–Reconsider
appropriateness of
two-metric limit;
–Develop actions to
equip the Bank with
data to measure risk
profile relative to
risk appetite;
–Develop oversight
framework to oversee
and manage risk
appetite; and
–Embed new risk
appetite, including
through training
and education.
Risk
Frameworks
G15 Conduct risk
management
• Enhanced key conduct-
related risk frameworks,
including the Product and
Service Lifecycle.
• Included conduct risk as
standing agenda item in
divisional risk committee
meetings.
Open
• Commence with a ‘reset’
of the conduct risk
program, including a
redesign of the Code of
Conduct and initiatives
to embed conduct risk
into policies, processes
and controls.
Conduct Risk
G16 Management
of reputational
risk
• Uplifted Reputation Risk
Framework, including to:
–Formalise role of
Divisional RISKCOs;
–Establish the ‘Yes
Check’; and
–Establish a
Reputational Risk
Committee.
• Clarifying roles and
responsibilities to manage
reputation risk.
Further
steps
• Embed reputation risk
management into relevant
policies, processes and
controls.
• Ensure that
responsibilities for
the management of
reputation risk across the
3LOD are clarified as part
of work to implement G11.
Conduct Risk
G17 Divisional
approaches to
manage risk
and compliance
• Reviewed and rationalised
41 risk and compliance
policies and frameworks.
• Established Westpac
Group Risk Policy – Policy
Management to minimise
inconsistency and
proliferation of policies.
Further
steps
• Review Group and
divisional non-financial
risk policies and
procedures to reduce
unnecessary overlap
and complexity.
Risk
Frameworks
G18 Systemic Issue
identification
• Approved funding
for broader JUNO
upgrade to introduce
new functionality, uplift
‘front-end’ ease of use
and uplift back-end
analytics capability.
• Actions to address G18
scheduled for after
JUNO upgrade.
Open
• Progress with planned
actions to upgrade JUNO.
• Establish an interim,
manual solution to
identify systemic issues
through stakeholder
collaboration.
Issues
Management
G19 Issue escalation
• Introduced Compliance
ex-post issue sampling.
• Increased minimum
sample size for
Compliance incident
sampling.
• Expanded scope and
objectives of Operational
Risk Data Quality Review
to ensure issue rating
accurately reflects
residual risk.
Embed/
Monitor
• Monitor the impact of
actions taken on the
incorrect classifications
of issues and
incidents in terms of
compliance impact.
Issues
Management
G20 Issue reporting
• Updated relevant policies
to require reporting of
significant near misses
and high-rated issues and
incidents to RISKCO and
the BRCC.
Embed/
Monitor
• Monitor the ongoing
appropriateness of
reporting of incidents
and issues to Group and
Divisional RISKCO and
the BRC/BLRCC, and the
associated policies.
Risk
Frameworks
G21 JUNO Uplift
• Approved JUNO upgrade
(see ‘Work Completed’
for G18).
• Actions to implement G21
confirmed feasible as part
of JUNO upgrade.
Open
• Progress with planned
actions to upgrade JUNO,
prioritising upgrades
for G21.
• Train and educate relevant
employees on the new
JUNO capability.
Issues
Management
G22 Issue resolution
and closure
• Developed root cause
methodology, rolled this
out through ongoing
training, and plans created
to ensure incorporation of
methodology into key risk
committees and forums.
• Embedded BEAR
statements which include
accountability for issue
and incident closure.
• Established the Group
Risk Classification
Framework
which identified
long-outstanding issues
which may need to
be considered.
Open
• Implement and embed the
root cause methodology
throughout the Bank.
Issues
Management
• Continue to build broader
risk capability (including
with regards to issue and
incident management).
Issues
Management
Managing Risk
in the First Line
• Monitor impact of formal
changes BEAR and
the new Remuneration
Framework made to
confirm they provide
clear accountability for
timely and effective
issue closure.
Remuneration
and
Consequence
Management
G23 Customer
complaints
management
systems
• Continued ongoing work
to test and roll-out a
single customer complaint
system in ‘drops’.
Open
• Progress with planned
actions to establish and
use one single customer
complaint platform.
Customer
Complaints
G24 Identification
of systemic
customer
complaints
• Introduced new
requirement to record
all customer complaints
(including those
resolved at first point
of resolution).
• Provided training and
communications to
embed this requirement.
• Uplifted Board and ET
reporting to include
complaints by product,
channel, age, root cause
and theme (e.g. conduct).
Embed/
Monitor
• Monitor complaints
logging in terms of
data quality and level
of embedding in the
business.
• Monitor the effectiveness
of the identification of
trends in root causes.
Customer
Complaints
G25 Reporting
of serious
and extreme
complaints
• Updated Board reporting
to include long-dated
complaints.
• Introduced standing
agenda at monthly Board
meeting on long-dated
and complex complaints,
including deep dives
and red flags assigned
to certain long-dated
complaints that warrant
further scrutiny.
• Uplifted Customer
Solutions more broadly,
including establishment
of Customer Outcomes
Committee and
Vulnerable Customer
policies and standards.
Further
steps
• Update complaints
reporting to further
highlight to the Board
which complaints are
serious and extreme.
Customer
Complaints
G26 Reporting
of long-dated
complaints
and other
customer
matters
• Determined that no action
was required because
serious matters would be
included in long-dated
complaints reporting and/
or Litigation Reports to
the Board.
Embed/
Monitor
• Periodically review the
appropriateness of
including long-dated
matters in an expanded
version of the Customer
Complaints Dashboard
or other reporting and/or
forums as required.
Customer
Complaints
G27 Life and
general
insurance
complaint
handling
• Centralised customer
complaints handling,
supported by Group-wide
Complaints Management
Policy and Standard.
Embed/
Monitor
• Monitor and address any
challenges associated
with the transition to
centralised complaints
handling.
Customer
Complaints
G28 Accountability
for complaint
resolution
• Updated CEO and GE
scorecards to include
measures on long-dated
complaints and average
time to close complaints.
Embed/
Monitor
• Monitor whether
scorecard metrics help
to promote the desired
behaviours in relation
to customer complaint
resolution, and refine
metrics if needed.
Customer
Complaints
G29 Escalation
of customer
complaints
• Engaged Compliance
and Operational Risk for
review of processes and
quarterly sample testing
to ensure complaints are
appropriately logged.
• Ensured Compliance
attendance and
representation at
complaints discussions.
Embed/
Monitor
• Proceed with planned
updates to the
Customer Complaints
Management Policy.
Customer
Complaints
G30 Group-wide
approach
to handle
whistleblower
investigations
• Developed and
implemented
Group-wide approach
to handle whistleblower
investigations, supported
by enhancements to
systems and processes.
• Continued awareness
campaigns and training
programs, including
implementation of
single whistleblower
management system for
all employees.
Embed/
Monitor
• Monitor the effectiveness
of the approach to
handle whistleblower
investigations.
Risk
Frameworks
G31 Investment
Allocation
Decisions
• Established process
for all investment and
major change initiative
submissions to include
risk assessment and
analysis.
• Enhanced systems to
capture and record
risk analysis.
• Provided guidance
on how risk analysis
should be presented
in submissions.
Further
steps
• The outcome and
rationale of decisions,
including where funding
is not received, is clearly
communicated.
• Uplift the articulation of
submissions and Board
reporting.
• Ensure that there is
sufficient Board visibility
of initiatives which are
not funded.
Enterprise
Prioritisation
G32/G33
SteerCo
templates
• Reviewed, updated and
standardised templates
and agendas to highlight
risks, assumptions and
changes to project scope,
schedule, solution and
expected benefits.
• Developed ‘how to’
guidelines on new
templates.
Further
steps
• Incorporate relevant
elements from the
Operational Risk in
Projects (ORiP) Policy
into Westpac’s project
execution framework
to drive uplift in project
delivery and subsequent
risk and compliance
outcomes.
• Monitor the impact of
this transition and other
changes to the project
execution framework.
Change
Management
and Delivery
G34 Operational
Decision
Making
• Elevated the stature and
standing of Risk, including
strengthening key risk
positions, including
Operational Risk and
Compliance professionals
at relevant committees,
and redefining the
purpose of the Risk
function “to provide
leading risk oversight,
insight and control”.
• Established joint
accountability between
CFO and COO for
prioritisation of strategic
investments.
Open
• Several workstreams
will take forward the
underlying findings to
strengthen the voice of
Risk in all decisions and to
clarify and uphold Line 1
authority and boundaries
and the rights of support
functions to challenge
decisions.
Second Line
Risk Roles and
Capability
G35 Enterprise
Portfolio
Oversight
Committee
(EPOC)
delegation
• Established requirement
for GEs to obtain prior
approval from the
Enterprise Portfolio
Governance Committee
(EPGC) Chair to delegate.
Subsequently, EPGC and
other committees were
replaced by the Enterprise
Portfolio Committee
(EPC) which does not
include business GEs
as members.
Embed/
Monitor
• Once the recently
announced changes
to enterprise change
oversight have been
implemented, monitor
the effectiveness and
appropriateness of
enterprise change
oversight to ensure an
appropriate level of
attention is given to risk
considerations.
Enterprise
Prioritisation
A1 Risk-adjustment
process for
employees on
discretionary
Short-Term
Variable
Reward plans
• Engaged external review
of effectiveness of
Remuneration Policy and
annual Remuneration
Review.
• Developed Group-wide
Risk Classification
Framework with new
process to adjust STVR
and other discretionary
remuneration.
• Implemented Variable
Reward Guidelines to
provide guidance to staff
on process.
• Updated ‘RemExpress’
system to capture and
aggregate data for
calibration.
Embed/
Monitor
• Monitor the impact
of actions taken and
refine the Group
classification framework
as it is implemented
to guide remuneration
adjustments.
• Review the effectiveness
of actions taken for A1
in driving better risk
behaviours and outcomes
and accountability,
particularly in the
First Line.
Remuneration
and
Consequence
Management
A2 Risk gate and
risk-adjustment
criteria and
aggregation
of data
• Updated ‘Reputation
and Risk’ component
of senior management
scorecards to have up
to 100% STVR at risk;
established process to
review appropriateness
of scorecards.
• Reviewed risk gates for
consistency and enhanced
where relevant.
Embed/
Monitor
• Monitor the impact of risk
gate and risk adjustment
criteria in terms of driving
better risk behaviour and
outcomes and ensure
these are reviewed
regularly. This should
include ensuring that
reviews are documented.
• Ensure how aggregated
data is used by the
relevant committees/
functional areas
is reviewed and
documented.
Remuneration
and
Consequence
Management
A3 Framework
and policy
alignment,
consistency
and
rationalisation
• Engaged external
review on remuneration
frameworks and policies
to identify and address
inconsistencies.
• Updated RemExpress to
make it consistent with
the new Group-wide Risk
Classification Framework
and to require consistent
recording of STVR
adjustments.
• Rationalised remuneration
frameworks and policies.
Embed/
Monitor
• Continue to regularly
review and rationalise
(where appropriate) our
remuneration adjustment
and consequence
management frameworks
and policies, ensuring
that the applied risk
adjustment processes
are clear, transparent
and predictable.
Remuneration
and
Consequence
Management
A4 Review
consequence
management
outcomes for
consistency
• Introduced JUNO control
that requires:
–Conduct matters
be acknowledged,
captured and
responded to; and
–Consequence
management outcomes
be regularly reviewed
for consistency across
levels and divisions.
• Established JUNO control
to review and update
Group Consequence
Management Framework
and Code of Conduct
annually.
Embed/
Monitor
• Monitor the impact of
actions taken to ensure
that the Group CMF is
applied consistently and
appropriately across
divisions and levels in
the organisation.
Remuneration
and
Consequence
Management
A5 Accountability
as subject of
overt, Group-
wide focus
• Updated relevant
policies with
Group-wide definition of
accountability; developed
scenarios through
‘Navigate’ on this.
• Clarified accountability
for GEs and GMs through
BEAR.
• Enhanced remuneration
and consequence
management frameworks
to clarify accountability
(see A3).
Embed/
Monitor
• Monitor employee
behaviours to ensure
accountability is
understood and
demonstrated across all
levels of the organisation,
taking further actions
where required.
Accountability
and Decision
Making in
Practice
A6 Westpac’s
propensity
towards
collective
decision
making
• Embedded BEAR
Accountability
Statements to clarify
GE accountability
in decision-making
processes.
• Documented for all
committees their purpose,
Chair and what decisions/
approvals are made by
the committee.
Further
steps
• Define accountability
for individuals when
they make decisions
as part of a collective
decision-making body.
Accountability
and Decision
Making in
Practice
C1–C4
C1 – Leadership
C2 – Ways of
working
C3 – Learning
Updated wide range of
cultural initiatives in light
of the nine cultural traits
identified in the 2018
Self-Assessment, including
‘Navigate’ program,
simplification of the Service
Promise, suite of leadership
programs and ‘Motivate’.
Launched new initiatives
associated with
recommendations C1-C4,
examples include:
C1: New GM1 ‘Executive Edge’
leadership program including
Leadership 360;
C2: New Culture Assessment
Framework, continuing
to embed ‘Our Compass’,
reinforcing the empowerment
model to ‘Check, Confirm,
Create’, and supporting
Agile ways of working;
C3: Extensive Risk capability
program including the ‘Risk
Institute’ for all employees
(also responding to
recommendation G12); and
C4: The Motivate
performance management
framework – our approach to
performance, development
and reward – is well
embedded across the
Group, with target levels of
achievement being exceeded
across both measures.
The new ‘Great Employee
Moments’ recognition
platform has been rolled
out, providing a consistent
platform across the Group
with significant new
recognition functionality.
All design actions in the
work program addressing
the recommendations have
been completed. However,
given the culture refresh
work underway and that
cultural transformation
is necessarily a long-
term initiative, we are
maintaining recommendations
C1-C3 as an ‘Open’ status
and further actions in relation
to those recommendations
are incorporated in the
CORE Program.
Open
• Define the desired
long-term cultural
change to be realised
by the CORE Program
(either directly or as part
of the broader Culture
Roadmap) and prioritise
short-term culture shifts,
incorporating the cultural
traits identified by the
2018 Self-Assessment and
the Reassessment, as well
as the Risk Culture target
state and the Barrett
values survey.
• Explicitly co-ordinate with
‘Risk Culture Behaviours
and Measurement’
workstream and broader
cultural change activities.
Executive
Leadership
Culture
• Embed the existing
Risk Culture framework
to regularly assess risk
culture across the Group.
• Define Westpac’s
target risk culture
by reference to the
2018 Self-Assessment
cultural traits.
• Design, implement, and
measure the effectiveness
of actions to shift towards
the target culture.
• Explicitly co-ordinate with
‘Executive Leadership
Culture’ workstream to
ensure actions are aligned
and mutually reinforcing.
Risk Culture
Behaviours and
Measurement
C4 – Reward
and recognition
Embed/
Monitor
• Continuously monitor
the impact of
reward, recognition
and consequence
management on
behaviours and
culture, as part of
ongoing monitoring of
recommendations A1-A5.
Remuneration
and
Consequence
Management
List of abbreviations
Appendix 2
The following abbreviations may appear throughout this report.
Abbreviation | Abbreviated term
AML | Anti-money laundering
APRA | Australian Prudential Regulation Authority
AUSTRAC | Australian Transaction Reports and Analysis Centre
BAC | Board Audit Committee
BAU | Business as usual
BEAR | Banking Executive Accountability Regime
BER | Board Effectiveness Review
BLRCC | Board Legal, Regulatory & Compliance Committee
BRC | Board Risk Committee
BRCC | Board Risk & Compliance Committee
BSR | Board Strategy Review
BTFG | BT Financial Group
CGA | Culture, Governance and Accountability
CGA Program | Culture, Governance and Accountability Program
CEO | Chief Executive Officer
CFO | Chief Financial Officer
CMF | Consequence Management Framework
CORE Program | Customer Outcomes & Risk Excellence Program
CRO | Chief Risk Officer
CVA | Cultural Values Assessment survey
DE | Design Effectiveness
DQR | Data Quality Review
EIP | Enterprise Investment Pool
EPC | Enterprise Portfolio Committee
EPGC | Enterprise Portfolio Governance Committee
EPOC | Enterprise Portfolio Oversight Committee
ET | Executive Team
FTE | Full Time Equivalent
GE | Group Executive
GM | General Manager
GM1 | Managers one level below GM
IDR | Internal Dispute Resolution
IFTIs | International Funds Transfer Instructions
JUNO | JUNO is Westpac’s integrated risk and compliance system
3LOD | Three Lines Of Defence
LT | Leadership Team
NFR | Non-financial Risks
OE | Operating Effectiveness
ORiP | Operational Risk in Projects
PEFm | Project Execution Framework methodology
RAS | Risk Appetite Statement
RCSA | Risk and Control Self-Assessment
RISKCO | Group Executive Risk Committee
STVR | Short-Term Variable Reward
VRG | Variable Reward Guidance
WIB | Westpac Institutional Bank
Westpac Banking Corporation CONFIDENTIAL
Independent Assurance Over Westpac’s CGA Reassessment
27 May 2020
Independent Assurance over
Westpac’s Culture, Governance, and
Accountability (CGA) Reassessment
Final Report (Executive Summary)
CONFIDENTIAL
Prepared for
Westpac Banking Corporation
26 June 2020
Promontory Australia, a division of IBM
Level 3, 120 Sussex St | Sydney, NSW, 2000
+61 2 9478 8888 | promontory.com
Westpac Banking Corporation CONFIDENTIAL
Independent Assurance over Westpac’s CGA Reassessment – Final Report
26 June 2020
Promontory Australia, a division of IBM, has been engaged to provide external assurance to
Westpac over its reassessment of its Culture, Governance and Accountability Remediation Plan.
A representative of Westpac has reviewed a draft version of this Report for the purposes of
identifying possible factual errors. Promontory is responsible for final judgement on all views and
information in this Report.
This Report is provided solely for the purposes described above. Promontory’s external assurance
role may not incorporate all matters that might be pertinent or necessary to a third party’s evaluation
of Westpac’s Management Review or any information contained in this Report. No third-party
beneficiary rights are granted or intended. Any use of this Report by a third party is made at the third
party’s own risk.
Promontory is neither a law firm nor an accounting firm. No part of the services performed constitutes
legal advice, the rendering of legal services, accounting advice, or the rendering of accounting or
audit services.
Executive Summary
On 20 November 2019 the Australian Transaction Reports and Analysis Centre (AUSTRAC) lodged a
Statement of Claim (SoC) in the Federal Court against Westpac Banking Corporation (Westpac or Bank)
for failing to meet certain of its obligations under the Anti-Money Laundering and
Counter-Terrorism Financing Act 2006 (AML/CTF Act).[1]
Following AUSTRAC’s action, on 16 December the Australian Prudential Regulatory Authority (APRA)
wrote to Westpac, noting that the SoC pointed to fundamental deficiencies in Westpac’s risk
management. As part of a number of supervisory actions, APRA required Westpac to undertake a
reassessment of its 2018 Culture, Governance and Accountability (CGA) Self-Assessment and
Remediation Plan (CGA Reassessment or Reassessment) to determine whether it is still ‘fit for
purpose’. This was to be completed by 30 June 2020.
APRA required Westpac to arrange external independent assurance over the reassessment process
and outcomes. Westpac engaged Promontory Australia (Promontory) to provide this assurance to the
Board and to APRA. The assurance considers:
• The robustness of the reassessment process
• The sufficiency and completeness of the remediation plan
• The likely effectiveness of the remediation actions planned
Promontory’s assurance activities commenced in February 2020 and ran for a period of approximately
five months, during which time we had extensive meetings with the Reassessment team and provided
feedback, challenge and observations about the process, analysis, conclusions and draft plans. We
reviewed a large number of documents provided by Westpac, including relevant policies, procedures
and case studies. We also conducted a sample of interviews with senior Westpac representatives, and
had a series of ‘deep dive’ sessions with the Reassessment team and other relevant Westpac staff.
Based on our activities, Promontory can provide the following assurances:
The reassessment process was robust.
• The process involved a thorough testing of the findings from the 2018 Self-Assessment through
document reviews, board and committee papers, and interviews
• There was close analysis of the issues arising from a series of recent events and developments,
including the AUSTRAC SoC
• The process included a thorough review of the progress with implementing the
recommendations of the 2018 Self-Assessment report, and lessons from this implementation
experience
• The process enabled the identification of several areas that require further work to address the
root causes of CGA shortcomings
• There was a greater focus on the development of a more detailed and robust revised
remediation plan
[1] Chief Executive Officer of the Australian Transaction Reports and Analysis Centre v Westpac Banking Corporation ACN 007
457 141, 20 November 2019.
The overall remediation plan is sufficient and complete.
• The new remediation plan (the updated CGA Program, which Westpac is renaming the
Customer Outcomes and Risk Excellence Program) builds on work done to date, but represents
a substantial and more detailed ‘reset’ from the original remediation plan (original CGA
Program)
• The updated CGA Program has a clearer vision, outcomes and structure, with fourteen
workstreams that are more coherently linked to Westpac’s risk management shortcomings
  o The Program contains actions that appropriately cover the range of shortcomings and
  root causes that Westpac must address to uplift CGA frameworks and practices
  o There is a clearer statement of shortcomings and root causes that the Program seeks
  to address
• The updated CGA Program identifies four areas for further work to properly address the root
causes of CGA weaknesses, and these have been appropriately derived from the
Reassessment analysis
• There is an overall timeframe to March 2022 and key dates across all workstreams
• There is clear scope to build additional detail into the updated CGA Program during the coming
implementation period to support effective execution
The remediation plan is likely to be effective.
• There are much clearer and stronger messages from the Board and senior management about
the need for change to non-financial risk management and the importance of remediation
• The updated CGA Program has a much more robust governance structure that has been
designed to ensure the resourcing, prioritisation and coordination necessary to drive
implementation
• There is a stronger focus on outcomes, rather than just the completion of activities
• There is a better allocation of ‘ownership’ of workstreams and actions across group executives
from across the Bank
• The updated CGA Program provides for better monitoring and consideration of
interdependencies
• Further details to support outcomes and deliverables can be developed in the early
implementation phase of the Program
In conducting our assurance, we note that the Reassessment was conducted diligently, thoroughly and
professionally. The three principal conclusions about key root causes of CGA shortcomings, areas for
further work, and the need to reset the CGA Program are impressively forthright. The members of the
Reassessment team have shown themselves to be open to feedback about how to strengthen key
elements of the design of the remediation plan.
The updated CGA Program provides the basis for a substantial and positive program of change. The
decision to develop it as a ‘reset’ of the original CGA Program is sound. It builds on the work undertaken
to date but extends this work in key areas based on the assessment of key recent events. The updated
Program covers an appropriate range of issues to address Westpac’s CGA weaknesses, and it has a
clearer focus on the root causes of these weaknesses. Promontory observes that the updated Program
will benefit from additional operational details and these should be incorporated in the early part of the
implementation phase.
Finally, we highlight the change in ‘tone’ in the Reassessment report and the updated CGA Program
as they relate to the acceptance of deficiencies in Westpac’s non-financial risk management and the
need for uplift in this area. The strength of the supporting messages coming from the Board, CEO and
Senior Executives is critical to the success of a program of this nature. Ongoing review and
engagement at this level will be vital. In this context, embedding a more prominent role for the Board,
CEO and Senior Executives in a robust governance structure is a key improvement over the original
CGA Program.
Westpac Banking Corporation CONFIDENTIAL
Independent Assurance over Westpac’s CGA Reassessment – Final Report
26 June 2020
On the basis of our assurance we make the following five recommendations to the Board:
1. That the Board and Executive Team ensure a sustained commitment to and strength of
message about the updated CGA Program
2. That there is clear and ongoing communication about how the updated CGA program supports
good customer outcomes in ways that resonate across all areas of the bank
3. That the Board and Executive Team closely monitor the interdependencies within the updated
CGA Program and between the Program and other programs of work underway at Westpac to
help ensure more effective implementation
4. That the Board and Executive Team retain a clear focus on strengthening ‘risk culture’ within
the overall program of work on cultural issues at the bank
5. That further work is undertaken in the early implementation phase of the updated CGA program
to develop details of program design to support effective execution.
Promontory Australia, a division of IBM
Level 3, 120 Sussex St | Sydney, NSW, 2000
+61 2 9478 8888 | promontory.com
Promontory Australasia (Sydney) Pty Ltd, an IBM Company
Level 3, 120 Sussex St | Sydney, NSW, 2000
+61 2 9058 3600 | promontory.com