Risk-ism and the Commonwealth Bank

Last week I wrote about Face-ism and that it takes us less than 200 milliseconds to form a judgement about someone just by viewing their face. A judgement that is likely to be wrong as our facial expressions are formed from how we are feeling at one moment in time.

Risk suffers in the same way. My original consulting career was in risk. In my training programs on persuasion I usually tell the story about consulting to Australian Government agencies in the early 2000s. Often back in those days I was brought in by the CFO and by then risk already had a bad name. When I would walk into a room and be introduced as the risk guy, the looks on people’s faces ranged from confused, as in wtf, to a horrified stare like I was a vampire come to suck their blood.

How did this happen? First, the risk profession made things way too complex, and many in risk still tend to do so. Second, risk got hijacked by audit and it turned into a negative, a compliance activity. “If you don’t do this you will be in trouble with …”. Hence risk and compliance are commonly linked together.

The news about the Commonwealth Bank and allegations of both risk assessment and compliance failures under the Anti-Money Laundering and Counter-Terrorism Financing Act got me wondering. If the allegations are true (and don’t forget the truth is often somewhere between the views of two parties), what was the root cause?

Was it incompetence by the risk and compliance team? It seems not, as reports say that issues were identified and not reported (unless the reporting process was the problem).

If not incompetence, was it a poor culture where turning a blind eye to breaches was seen as OK because it was good for business? I have no idea, but it seems unlikely given the level of compliance up until 2012 before the ATM deposit machines were brought in.

Perhaps it was Risk-ism? A case where risk and compliance was seen in such a bad light that it was shunned or ignored. Hence the risk assessments were not put into place or were not given due attention. The compliance activities, including reporting, were not given priority.

No matter the reason, people knew things weren’t right and they were not heard by the right people. Further emphasising for me that being technically good in risk and compliance is only a prerequisite for the role, it is not all the role. Being able to effectively communicate and persuade is eminently more important.