The integrated plan, including clear timelines and individual accountability for specific measures, is designed to strengthen all aspects of Westpac’s financial and non-financial risk governance.

Chief executive Peter King said the plan detailed a comprehensive program of work to ensure the bank’s risk culture and governance “met the high standards expected of us”.

“We have made progress on improving our management of risk over the past 12 months, however there is much more work to do to ensure sustainable change,” Mr King said.

“The implementation of our integrated plan is a critical part of delivering on our fix, simplify, perform strategic priorities and is one of my top focus areas.”

The Australian Prudential Regulation Authority’s concerns arose from its risk governance review of Westpac in response to Austrac’s findings of multiple breaches of anti-money laundering legislation in December 2019.

The bank incurred a $1.3bn penalty – the nation’s biggest corporate fine – as a result of millions of acknowledged transgressions.

APRA also examined risk governance reviews conducted by Westpac and third parties over 2020, including the bank’s own reassessment which highlighted that changes since its 2018 self-assessment had only been “incremental”.

In the nine-page enforceable undertaking (EU), signed by Westpac chairman John McFarlane and chief executive Peter King, the regulator said it was concerned about the nature and extent of weaknesses in the lender’s risk governance and the pace of rectification.

It said that the culture, governance and accountability program started by Westpac in January 2019 had only delivered “incremental” progress and lacked momentum.

Westpac’s past attempts at remediation had also resulted in ongoing delays and, in some cases, a reset of programs.

One example was the CORE (customer outcomes and risk excellence) program, with the time frame for completion blowing out by six months to September 2022.

Westpac acknowledged in the EU that the complexity and breadth of the remediation agenda posed “significant execution risks” that needed to be addressed.

APRA deputy chair John Lonsdale said at the time that the regulator’s concerns had been communicated directly to the bank’s board and senior management, with the message that a deep commitment to change was required at all levels of the organisation.

“As one of the country’s largest and most important financial institutions, Westpac should be a leader in risk management,” Mr Lonsdale said.

“Although the bank has made progress in some areas over the past year, it is not good enough.

“We continue to observe new prudential issues arising while longstanding weaknesses persist, and we believe Westpac’s governance, culture and accountability frameworks and practices are still in need of a substantial uplift.”

One of the EU’s requirements was for independent assurance of the integrated plan.

Westpac appointed Promontory to provide quarterly assurance, with the reports to be released biannually.

The first report – for the period up to March 1 – was released on Wednesday.

Promontory acknowledged the completeness of the integrated plan, as it expanded on the existing CORE program, and noted that appropriate governance and accountability structures were in place to support effective implementation.

The firm said Westpac had committed significant resources to developing the plan, and there had been active and ongoing engagement by the board and senior executives.

“Westpac has been open and responsive to issues and challenges raised by Promontory during this period,” the review said.

“The plan is designed to address the root causes of Westpac’s risk governance shortcomings.”

The bank identified five root causes of its shortcomings in non-financial risk, undertaking to reconsider them in the light of the EU.

The root causes included an immature and reactive risk culture; an organisational structure which created complexity; a three lines of defence risk model that was not well understood or embedded; a shortfall in risk management capacity and capability, and challenges in execution and “staying the course”.

Promontory said the board risk committee would be the main venue for oversight of the integrated plan, with individual directors also having regular engagement with particular workstreams.

The focus of the meetings would be the design principles, progress and achievement of outcomes.

More related stories

Markets

Why global money is rethinking ‘anything but China’ trade

Big investors are preparing to play in China again, but the wild swings are not for the faint hearted.

Read more

Financial Services

Country’s biggest super fund to cop $27m fine

Superannuation members with multiple accounts tend to be the least well off and work multiple jobs, a court has heard as the country’s biggest superannuation scheme is set to pay a record fine over its alleged conduct.

Read more