Westpac picks Oliver Wyman for sweeping risk management review

Westpac has brought in consultants to conduct a sweeping risk management review, as CEO Peter King attempts to rectify compliance failures.

Joyce Moullakis

3 min read

7:02PMOctober 20, 2020.

Updated 8:44AMOctober 21, 2020

Westpac CEO Peter King wants to lift the bank’s compliance and governance functions. Picture: Nikki Short

Westpac has appointed global consulting firm Oliver Wyman to conduct a sweeping 2021 risk management assessment, as the Peter King-led bank seeks to fix a raft of compliance and governance issues.

The Australian understands the key appointment occurred quietly in recent weeks, and Oliver Wyman has already started reviewing Westpac documents as part of the early stages of the huge program of work. Interviews with employees are also due to commence.

Sources said Oliver Wyman edged out KPMG and other rivals to win the mandate to conduct Westpac’s CPS 220 Risk Management review.

EY delivered the prior CPS 220 report to Westpac in August 2017.

The new review comes at a critical juncture for Westpac after the bank last month admitted to a string of compliance and risk management failures and agreed to pay a record $1.3bn penalty to financial crimes regulator Austrac. That related to more than 23 million breaches of anti-money laundering laws, including facilitating payments to fund child exploitation material, and was linked to the bank’s poor technology and risk management systems.

Westpac and Austrac are due to submit the agreed statement of facts and penalty to the Federal Court for approval by Judge Jonathan Beach on Wednesday. The record Westpac penalty eclipsed the $700m paid by Commonwealth Bank to Austrac in 2018.

A Westpac spokesman declined to comment on Tuesday on the Oliver Wyman appointment, but reiterated the bank took its regulatory obligations seriously.

Westpac’s response to the Austrac legal action included closing its LitePay product, and adding staff and resources to financial crime functions. The damning case prompted the exit of former chief executive Brian Hartzer and brought forward the retirement of prior chairman Lindsay Maxsted.

The CPS 220 Risk Management review typically happens every third year, although the 2020 assessment was delayed a year due to the disruption of COVID-19.

As well as the Westpac board and Mr King, the banking regulator will also be paying close attention to Westpac’s 2021 risk assessment, after the Austrac matter sparked a probe in December into potential breaches of the Banking Act.

At the time, the Australian Prudential Regulation Authority also hit Westpac with another $500m capital charge, forcing the bank to hold onto more capital to reflect heightened operational risk. That followed an earlier $500m charge that was imposed in light of shortcomings raised at the Hayne royal commission.

APRA delegated some of its enforcement powers regarding investigations of Westpac to the corporate regulator in June.

Westpac reassessed its culture and governance after the Austrac action emerged, and a report in July highlighted that parts of its risk culture were still “immature and reactive” which created issues for accountability.

At the time CEO Mr King said Westpac’s management of non-financial risk was not up to scratch.

“It is clear we have more to do to address these shortcomings, including improving our risk management capability and risk culture which is not where we want it to be. As a result, we are embarking on a comprehensive, multi-year program.”

Oliver Wyman has offices across 31 countries and its website says the firm has “deep industry knowledge with specialised expertise in strategy, operations, risk management, and organisation transformation”.

The furore over Westpac’s anti-money laundering breaches prompted the board to conduct another governance self-assessment, in addition to one conducted to coincide with the royal commission.

IBM-owned Promontory provided independent assurance over Westpac’s latest assessment report, while an Oliver Wyman team supported the review.

Oliver Wyman isn’t short of work in Australia. It also picked up a mandate from AMP last month, when the under-pressure wealth group hired the consulting firm to assist the board’s culture working group to review and improve culture.

The prudential standard that covers the CPS 220 review stipulates how it is conducted.

“An APRA-regulated institution must… ensure that the appropriateness, effectiveness and adequacy of the institution’s risk management framework are subject to a comprehensive review by operationally independent, appropriately trained and competent persons (this may include external consultants) at least every three years,” the standard says.

“The results of this review must be reported to the institution’s board risk committee, the senior officer outside Australia or compliance committee,”

Oliver Wyman is a subsidiary of New York-listed Marsh & McLennan Companies.

An article published on the firm’s website this month delved into the post-COVID-19 banking landscape and challenges of growing loan losses and a prolonged period of low interest rates, but also noted opportunities.

“Whilst we are seeing organisations focusing on specific initiatives, for example accelerating the pace of digital transformation, reviewing branch networks, and exploring remote working models, we have not observed many undertaking a comprehensive back review,” it said.

“This misses opportunities arising from the high degree of synergy and linkage between potential initiatives.”