Unless you’ve been living under a rock, you would have taken note of the Royal Commission into Australia’s financial sector, exposing a lack of transparency and malpractice from high-level executives from a number of Australia's largest financial institutions.
As Matt Comyn, chief executive at Commonwealth Bank told the commission, within the bank there’s been "a culture of us not learning from issues of misconduct in the past" which had led to a pattern of recurring problems for both the bank- and its customers.
Comyn attributed this to “too much fragility… to hear criticism” from its customers which - if you’re to look at this in the context of ISO principles – meant the bank was unable to learn from its previous mistakes to ensure they wouldn’t happen again.
As the ABC writes: “Customers weren’t prioritised and executives were too timid to call out bad behaviour.”
Catherine Livingstone, who joined Commonwealth Bank’s board in 2016 was questioned last week by counsel Rowena Orr, who probed to determine whether or not high level executives were aware – through internal audits – of the fact its latest-generation of ATMs were being used by criminals and terrorists for large-scale money laundering; Commbank settled the case for $700-million.
The questioning went as follows:
[Counsel] Orr: “These issues were identified by the audit department in 2013?”
[CBA] Livingstone: “Yes.”
Orr: “And they were identified again in 2015?”
Orr: “And they were identified again in 2016?”
Livingstone: “That’s correct.”
Orr: “What does an overall red audit rating mean, Ms Livingstone?”
Livingstone: “Well, it’s the most serious rating you can have on an audit report. And in relation to the controls in the relevant area, it would indicate that the area is not in a state of control.”
As is clear to see, the bank had completed its due diligence in terms of audits, but their inaction following these audits has become a massive problem, for both the banks and their clients. If we pull this all back to the guiding principles of ISO when looking at your business, if you’re doing the work in commissioning audits for the business – whether with an internal or external auditor – but not making the changes suggested or required, you’re not completing the process. On a similar note, if you’re identifying things to change, make an adjustment and fail to check back on the results of these changes, you’re not completing the process.
The plan, do, check, act (PDCA) cycle requires you to plan and implement a change of process or procedure across your operations, but to also measure the effectiveness of your changes. The importance of the monitoring phase of the process is often overlooked, despite being one of the most crucial pieces of the puzzle.