Westpac Adds Credit, Liquidity and Data to Risk Overhaul
Westpac’s plan to lift risk governance standards in the wake of the AUSTRAC scandal has been ticked off by the regulator following a significant expansion that has seen it add five additional streams to 14 others it had agreed to complete.
A report from an independent third party reveals Westpac has agreed to add renewed focus to the bank’s handling of credit risk, financial risk, liquidity risk, technology risk and data risk.
The bank was required to submit and complete a revised plan of how it intended to address its risk governance shortcomings, which came to the attention of the prudential regulator following the 2019 debacle, after its first attempt failed to score a pass mark.
Westpac chief executive Peter King said the bank had made good headway but there was plenty of hard work ahead in bedding down the changes for the long term. “Our integrated plan outlines a comprehensive program of work to ensure the bank’s risk culture and risk governance meet the high standards expected of us,” Mr King said.
Westpac entered into a court enforceable undertaking (EU) with the Australian Prudential Regulation Authority in December 2020 after the regulator had slammed the bank for failing to come to grips with the problems that led to a AU$1.3 billion (FJ$2.3billion)financial settlement with AUSTRAC.
As part of the EU, Westpac agreed to submit an entirely new risk governance programme to be overseen by a third party.
The bank engaged independent consultant Promontory to fulfil that role, with the firm’s employees sitting in on board and senior executive meetings to ensure they got it right.
New issues emerged
Promontory’s first report is dated March 5 and was released on Wednesday.
It covers a frantic 90-day period since the bank was sledged by the regulator for its “immature and reactive” risk systems, which saw new issues emerge including a bungled liquidity ratio for its New Zealand business. Promontory reviewed board papers, board committee papers and executive committee papers as part of the review to get a sense of the problem.
It also sat in on a meeting between APRA and Westpac on January 22 to discuss the IT risk governance stream and a subsequent board risk committee meeting on February 2.
“It will also be important for Westpac to demonstrate a strong and sustained ‘tone from the top’ in the implementation of the integrated plan, at board, chief executive officer and senior executive level,” Promontory’s review said.
Liquidity risk governance has emerged as a particular area of focus for the bank in the revised plan.
Which has created a separate stream of work titled Liquidity and Capital Adequacy Risk Governance that will ensure “consistent application of relevant prudential standards and reporting standards”.
Credit risk governance too will receive a dedicated stream to make sure the bank has an “effective control environment to track, manage and report, internally and externally”.
This follows a 2017 review from consultants which found credit risk data drawn from “manual spreadsheets” and “paper-based files”.
Market risk governance will be assessed and uplifted across similar criteria as liquidity risk and credit risk. The technology risk governance stream will ensure the bank is “assessing the significance of systems, setting the technology risk appetite, delivering a multi-year technology road map aligned to strategy and business priorities as well as risk considerations”.
Data risk will likewise have its own work stream with the bank pledging to strengthen its oversight and operating model by “appointing accountable owners for data quality” and “setting up oversight committees to manage delivery of the execution plan and the pathway to meeting risk appetite”.