How Commonwealth Bank confused co-operation with complacency


Published by the Australian Financial Review, Wednesday 9 August


Implementing cultural change within CBA was one of Ralph Norris’ major achievements as chief executive from 2005 to 2011. He insisted on far more co-operation across divisions. CBA changed from being a set of competing fiefdoms to becoming a much more co-operative enterprise. One of the core cultural values he insisted on was teamwork, formally “trust and team spirit”.

One now starts to wonder if this went too far. A number of recent problems at CBA, most notably the obvious failure of controls in the deposit system, point to an unwillingness to ask the hard questions of one’s colleagues.

There appear to have been multiple failures. Assuming that a programming error lay at the core of the issue, this should have been picked up by the business when it did its acceptance testing of the changes it was handed by the technology team. Given that the change involved anti-money laundering, compliance should have been involved in acceptance as well. So it is possible that there were basic problems with the process around the technology change. Given that CBA is a renowned technology shop, it is hard to imagine that the processes were so fundamentally flawed that the acceptance testing process was not structured properly.

It seems most likely that the processes were in place but were not undertaken effectively. That comes back to a cultural issue. Did the business fail to ask hard questions of the technology team? And did the risk and compliance people fail to push for proof that the necessary controls were in place? It looks as if the different divisions were too trusting of what they had been given by others. Too much faith was placed in the technologists to have made the changes with appropriate controls.

A second cultural change Norris implemented was what he called “tofu” – taking ownership and following up. The logic is that if a problem is brought to your attention as a manager, you personally need to take control of it. Addressing the problem might involve chasing up subject matter experts, but you are the one who has to be answerable; you have to follow up and make sure the problem is resolved.

This should have led to a quick resolution of any issues brought to the bank’s attention by AUSTRAC. Whoever it addressed its concerns to had responsibility for making sure the issue was resolved. Again, this would have involved a hand-off to the technology group, but some manager had responsibility for making sure the problem was solved. If this did not happen, there is another level of failure of the cultural norms of the bank.

The most likely explanation is again one of excessive reliance on other sections of the bank. Seeing the problem, someone will have pointed it out to the technology team, but failed to follow up. So much for tofu.


Trust v complaisance

Good culture also involves escalation. Any manager who receives communication from one of the regulators is expected to escalate the matter to his or her manager. Being willing to reveal problems rather than hide them, and to escalate bad problems quickly, is normally expected in a bank. As in most large organisations unfortunate things happen, but it is standard practice to escalate them quickly to a level of the organisation where they can be effectively resolved.

Again it seems likely that the problems were noted, and colleagues were asked to remedy the problems and trusted to make sure they had been implemented, without anyone following up.

Clearly, trust is very important in any social organisation. The fact that the culture inside CBA was changed to a more trusting one during Norris’ regime is partly responsible for the out-performance of the bank. However, the sense one gets from the different issues we have seen at CBA is that trust has morphed into complaisance – an unwillingness to disagree. It does not seem as if colleagues are asking each other hard enough questions.

The major banks are all spending about $1 billion on technology each year. The systems are complex and involve multiple interactions between new and old systems. The risk of them not doing what is really expected of them is quite high. One lesson from the CBA failures is that both banks and their regulators need to do a lot more rigorous acceptance testing as new systems are brought on-line.

Risk and compliance are core issues for any bank. CBA has been spending over $200 million a year on improving its risk and compliance technology. But obviously technology cannot resolve all of the issues. Individual managers need to take responsibility for ensuring that what they ask for from the technology is what they are actually delivered.