CASE BACKGROUND

In March 2016, Commonwealth Bank of Australia (CBA), Australia's biggest bank, was caughtinasecond majorscandal involvingitsinsurancearm,Commlnsure,justas it was recovering from the fallout from the previous financial planning scandal. Commlnsureis oneof Australia'slargestlifeinsurancecompanies,withabout 4million policyholders.The Commlnsure exposecreatedahugeuproarafteritwasaccusedof denyinglegitimate claimsofsickAustraliansintheir greatesttimeof need. Thescandal wentbeyond CBAand highlightedissuesinAustralia'slifeinsurance industry.

On7March2016, FourCorners,Australia'sleading investigativejournalismprogram, aireda50-minutedocumentary followingsixmonths' worthofinvestigationsaccusing Commlnsure of unscrupulous practices in denying the legitimate claims of sick and dying policyholders. Commlnsure was alleged to have manipulated client data, used outdatedmedical definitions,pressureddoctorstomodifyopinions,anduseddelaying tacticsinordertodenycustomers theirclaims.

Atthecentreofthescandal wasJamesKessel, whohadsuffered asevereheartattack inSeptember2014.Kesselhadbeenpaying hislifeinsurance premiumssincehis20s, and never thought he would ever need it. When his claim was received by Commlnsure's HQ in November, it set off a series of events eventually leading to Commlnsure'sexpose.

Kessel's claims then happened to be reviewed by Dr Benjamin Koh, the then chief medicalofficer(CMO) ofCommlnsure.Koh hadrealisedthatpartofKessel's filewas missing,andalertedtheITdepartmenttoinvestigate,suspectingthatatechnical glitch maybedeleting files.Afterhisrequestwasdeclined,Kohuncoveredseveral morefiles whichhave beenmodified ordeleted. Itwasallegedly commonforclaims assessorsin Commlnsure to pressure the medical team to omit or modify opinions which "ran counter to a claim strategy", and Koh found the disappearance of the crucial files to seem too convenient. He raised his concerns to his manager, Helen Troup, and subsequently to the board under Commlnsure's whistleblower protection guidelines. Less than a year later, Koh was dismissed.

Koh later spoke to journalists of Four Corners,alleging that CBA had avoided paying the claims of policyholders by using outdated medical definitions, changing or deleting customer records, and pressuring doctors to provide opinions that were not in favour of customers.

"STAR" TREATMENT FOR STAR EMPLOYEES

Commlnsurehadatalentedmedicalteamofprofessionalsresponsibleforindependent medical underwriting, claims and product advice. This was unlike the industry norm wherecompaniesentrustedthoserolestonon-medicallytrained persons. Kohinstilled a mottoof"Evidenced, ReasonedandUtmostGoodFaith"inhismedical teamwhen hefirst joinedthecompany, buthewouldsoonfindoutthatthecompany didnotseem to placeanyregardatalltotheirmoralobligations.

In criminatingdocumentsofcomplaintsthatdoctorswere pressuredtomodify opinions toavoidpayouts, and heatedemails telling doctors to"sticktothebrief' wereleaked. TestimoniesfromKohalsoaddedtotheserious allegationsthatCommlnsure bullied doctorstorectifytheirmedicalopinionsinorderforclaimstobedenied.

Aftermath

ASIC concluded its investigations into Commlnsure after almost two years. It was unabletofindevidence supporting allegations thatCommlnsureclaims managershad applied undue pressure on doctors to alter their medical opinions, or that medical recordsofcustomershadbeendeleted ormodifiedinanyinappropriateway.

ASICalsoannouncedthatCommlnsure'suseofseverely outdatedmedicaldefinitions in its trauma policies did not breach any laws, even though it was unethical as consumerscannotbeexpectedtoknowifamedical definitionisoutdated.However,it promptedASIC deputychairmanPeter Kelltocall forlawreforms,includingnolonger exemptinginsuranceclaimshandling fromseverallaws, harsherpenaltiesforbreaches ofgoodfaith,andsubjectinginsurancetobansonunfair contractterms.Ontopofthis, ASIC said it is pressuring companies to treat clients better, through better and faster interactionandincreased preparationandsupportfromclaimsexecutives.

Inresponse toASIC'srequest thatCommlnsureconduct anindependentinvestigation to provide reassurance, Commlnsure appointed Deloitte as an independent expert to assess the bank's alleged miscondnct and law firm DLA Piper to review ethical concerns. However, Deloitte expressed that it "did not identify any systemic issues relatingtohistoricallydeclinedclaimsanddid notidentifyanyevidencethatthecurrent andplannedimprovementstotheclaims handlingprocessesaredesignedinawaythat could systematically deliver poor customer outcomes". Criticisms were raised as Deloitte relied only on the files provided by Commlnsure, and did not interview the customersortheirfamilies.Reports byDLAPiperremainconfidential.

Commlnsurealsoformallyacknowledgedthatitpublishedmisleadingadvertisements for its Total Care Plan and Simple Life Insurance and was ordered to make an A$300,000 community benefit payment instead of an A$8 millionfine.

Commlnsure alsoupdated keydefinitionsintraumainsurance relatingtoheart attacks andarthritis.Theupdateddefinitionofheartattackwasapplied retrospectivelytoMay 2014, resultinginanadditional A$2.5million paidto17people.

CORPORATECULTURE

"Profit before anything else". This quote from Koh have been cited in many headlines surroundingtheincidentastheunderlyingthemeoftheentirescandal. Criticssuchas Koh perceiveCommlnsure'scorporatecultureasonewherethecompanywasnotjust bent on earning maximum profits, but forgone whatever ethics they had in order to achieve them while trampling over the rights of both employees and policyholders. Therewereseveralpractices inCommlnsurewhichfueledthefirm's cultureofvaluing profitsabovetheinterestsofitsstakeholders,startingfromtheclaimsdepartment.

Remunerationofclaimsmanagers weretiedtokeyperformanceindicators(KPis)such as the ratio of paid claims to premiums earned. Claims staff were able to affect the amount paid for claims. Despite possessing very limited medical knowledge, claim assessorsinCommlnsurecoulddeterminehowlongittakestoassessaclaim,theway acustomeristreatedwhiletheclaimisbeingassessed,andmoreimportantly,havethe finalsayonwhetheraclaimwillbepaid. Theassessorsalsoallegedlypaidscantregard totheprofessionalopinionsandethicalobligationsof Commlnsure'sdoctors,bullying themtochangeopinions notfittingthe"claimsstrategy".

This culture was exacerbated when Troup joined Commlnsure as its top executive in April2014. Withinthemedical team,therewere alreadyfearsthat therestructuringled by Troupwouldgivemorepower toclaimsmanagers andunderwriters,attheexpense ofthemedicalteam, whoweremeant toindependentlyjudge theconditionofcustomers.

Board of Directors

DetailsofComm!nsure'sboardarenotavailableinCBA'sAnnualReport.CBA's2015 and2016AnnualReportsshowedthatCBA'sboardhad11and12directorsrespectively (excluding directors who retired during the year). According to a report by The Korn/FerryInstitutein2013,Australia'saverageboardsizewas8.4.

Directors' Remuneration

In CBA's 2015 Annual Report, the CEO and Group Executives' pay comprised three elements: fixed remuneration, short-term incentive (STI) at risk and long-term incentive (LTI) at risk. They are rewarded up to 150% of their STI target, depending on performance. The LTI is measured against relative Total Shareholder Return (TSR) and customer satisfaction, with weighting of 75% and 25% respectively. The vesting period was four years. Non-financial performance criteria included the alignment to the key business priorities of customer focus and long-term shareholdervalue creation.

In the 2016 annual general meeting (AGM), there were objections to the executive remunerationreportbynearly49% oftheshareholders,wellabovethe25%mark which constitutesa"strike". Withasecond strikeinthenext AGM,theboardwouldberequired todisclosecertaininformationfortheboard. TheAustralianShareholders'Association said that the variable remuneration goals had become subjective and discretionary rather than being measurable. For its STI, the CEO's remuneration had a 40% weightagebasedonfmancialoutcomes,executivesmanagingbusinessunitshad45%, and thosemanagingsupport unitshad25%,according toitsarmualreport.

Following the Royal Banking Commission's investigations on CBA, it was revealed thatwhile scandalafterscandal wasbeingunearthedwithinCBA,executivescontinued receiving multi-million-dollar short-term incentive payments of up to 150% of their base pay. In fact, while CBA was embroiled in its insurance arm scandal, then- CEO Narev recommendedallexecutivesreceiveatleast 100%oftheir short-termincentives, in part because they had met their risk-management objectives in 2016. The then-chairmanTurnerrecommendedNarevreceive108%ofhistargetbonus,ontopofhis fixedpay.Onlyoneexecutive-CBA'sthen-head ofwealth,Annabel Spring, hadher bonus reduced to 95% over Commlnsure'sscandal.

Catherine Livingstone, CBA's Chairman during the investigations, admitted that the board's "10-minutes discussion" of the CEO's remuneration recommendations was inadequate,andtheboardought tohavechallengedit.Livingstoneconfirmedthatfrom 2011,CBAhadnever reducedanexecutive'sshort-termremunerationasaresultofa risk-related incident that had not yet been made public. Livingstone added that the boardwassendingamessagethat"therewillonlybeconsequencesifthereisapublic event, a mediaevent".

In light of the scandals faced, the bank said that it would change the composition of long-termincentivesofitstopexecutives,fromtheoriginal 75%linkagetoshareholder returnsand25%linkagetocustomersatisfaction,toanew25%focuson"peopleand community'',50%onshareholder returns,and25%oncustomer satisfaction.

Beauty, or Rather Ethics, is Skin Deep CBA often made great play of their corporate governance strategies, with CBA's executivesanddirectorsconstantlyparrotingthatCBAupholdshighethicalstandards. Back in 2015, David Turner, CBA's Chairman, said that "(CBA) will be the ethical bank,thebankothers lookuptoforhonesty,transparency,decency,goodmanagement, openness"inresponse toitsfinancialplanningscandal.Subsequentscandalsprovethat CBA's promises and policies were all forshow.

One of the corporate governance failings was in CBA's whistleblowing policy "SpeakUp", which promised protection to whistleblowers and assured that proper action will be taken to address concerns. Koh reported his concerns under this very policyonnumerousoccasions,toTroup, keyindependentdirectors oftheCommlnsure board,andalsoanintermediarytheboardhadputinplace.The boardpromisedanaudit butrefusedtodisclosedetails abouttheinvestigationoroutcome.Shortly after,hewas fired on 11 August2015.

Commlnsure gave Koh an option to resign and take a payout, as long as he signed a gag order. Koh walked away. This is not the first time CBA's whistleblowing policy had apparently failed and the whistleblower fired. The previous scandal in CBA's financial planning department saw whistleblower Jeff Morris allegedly fired and subjectedtoawitchhuntbythe bank.Thebankalsoallegedlyfailedtoprotect another whistleblower,Tim Cradock back in 2013.

CBA's head of compliance department made a scathing remark about how the compliancedepartment'sconcernswerenever takenseriously,andthatcompliancewas seenasa"rubberstamp"exerciseinCBA.

The Watchdog Nobody Fears

ASIC'sfindingsintheinvestigationof Commlnsurefollowingthe scandaldisappointed many.Duetodeficienciesandloopholes inthelaw, Commlnsuremanagedtogetaway withtheirharmfulproductsandbehaviour,andsimpleadvice fromASICto"treattheir customersbetter." Thiswasonlyonecaseamongst manywhereASICfailed tocome downhardoncompaniesthathavecommitted misconduct.

ASIChad oftencomeunder fireforitslenientmethods ofenforcement,astheregulator often imposes administrative or negotiated sanctions, likened to regulatory parking fines,rather thantakingtougher action. ASIChasalsobeencalleda"spectator"rather thanthe"toughcoponthebeat"theMinisterforFinancialServices hadclaimeditwas, asithadalwaysbeenotherparties,suchasFourCorners, whosniffedoutmisconduct in thesector.

JamesShipton, headofASIC,admittedthatASICmaybetoolenientandappear"too friendly" with Australia's major banks. Commissioner Kenneth Hayne also frowned upon ASIC'sfamilial andsocialapproachtowardsdealingwithbanks, questioningwhy ASIC officials often held informal meetings with the heads of Australia's banks, and did not take notes during thosemeetings.

Back in 2014, the previous ASIC Chairman, Greg Medcraft, had admitted that the regulatory environment in Austrajia did not have harsh enough civil penalties, remarking that "(Australia) is a bit of a paradise, ...for white collar (criminals)". However, Medcraft also claimed that it did not receive enough funding and resources, which curtailed its ability to crack down on errantcompanies.

Salvaging the Industry

Following the financial planning scandal, Labour Senator Mark Bishop chaireda Senate committee inquiry, which recommended a Royal Commission into CBA and ASIC.

Under political pressure and following the spate of scandals, Prime Minister Malcolm Turnbull armounced the formation of the Royal Commission into Misconduct in the Banking, Superarmuation and Financial Services Industry, otherwise known as the Banking Royal Commission, on 14December 2017, in order to restore public faith in the sector. The Royal Commission uncovered the glaring issues behind the Commlnsure scandal that many have known for a longtime.

TheCommission'sreportcontained76recommendations,withakeyfocusonclosing legal loopholes, increasing protection for consumers and the banning of particularly egregious sales practices in the pension and insurance markets. A new oversight authority,AustralianFinancialComplaintsAuthority(AFCA), startedoperationson1 December2018fordisputeresolutioninthebanksandfinancial servicessector.

Following the Commlnsure scandal, regulatory pressure has been put on the whole industry.APRA wrotetothe boardsofallactivelifeinsurersseeking informationabout the effectiveness of their governance and oversight mechanisms for claims handling, benefit defmitions, rejected claims and customer complaints. The importance of consumer protection relating to updating of out-of-date medical definitions for life insurancepoliciescreated a"legacyproducts"issueinthelifeinsurance industry,and thegovernmentiscurrentlyconsideringthisindustry-wideissuefurtherinresponseto recommendations fromthe Financial System Inquiry.

FORGOTTEN VOICES

CBA has a relatively dispersed shareholding structure, with no dominant majority shareholder. From 2014 to 2017, no single shareholder held more than 20% of the shares, while management owned less than 0.1% of sharescollectively.Dispersedshareholdersarelikely tobemoreconcernedwithshort term profits like dividends and the company's earnings, due to a lack of incentive in monitoring the management of the company.

WhileCBA's profitsanddividendsdeclaredtoshareholdersincreased,thePrudential InquiryFinalReportonCBAreleasedbyAPRAon1May2018,found thattwoother critical voices became harder to hear: that of the customer, and talk of non-financial risks. APRA said that CBA's continued financial success had "dulled the institution's senses to signals that might have otherwise alerted ... to a deterioration in CBA's risk profile",andthiswasparticularlyapparentinthenon-financialrisksidentified.Some of the key issues identified included a lack of accountability and ownership of risks, framework of processes that "worked better on paper than in practice" and a remunerationframeworkthathad"littlesting"fortheseniormanagementwhenissues with stakeholdersoccurred.

APRA identified a widespread sense of complacency and overconfidence from top down due to the bank's strong fmancial performance. The reactive culture and complacency lulled CBA into a false sense of security. In addition, the collegial and collaborativeworkingenvironmentlessenedconstructivecriticisms,andwithalackof reflection on past incidents, CBA became insular, limiting its ability to accurately identify risks.

WhileCBA'sshareholdersenjoyed theirshareofdividends,thiswasattheexpense of CBA'scustomers.However, theyarenowbearingthebulkofthecosts ascurrentCEO Matt Comynconfirmsthatthecustomer compensationamountwouldbeborne bythe bank'sshareholders.

Besidesshareholders,otherkeystakeholdersincludecustomers,thecommunity,CBA staff and regulatory bodies. The Group's engagement with other stakeholders is less than acceptable considering the scandals that have occurred from 2003 to 2018. The lack of customer protection and victimisation of whistleblowers who reported misconductissues aremajorareas ofconcern.Only withthegovernment'sintervention and the threat of a royal commission were the matters then set right. ASIC's slow responseoninvestigationandindecisiveaction withregardstowhistleblowingdidnot help thesituation.

FindingsintheDeloitte reportcommissionedbyCommlnsureregardingaccusationsof their misconduct revealed no wrong doing on their part. Notwithstanding that, the alleged misconduct had already undermined the trust and confidence of the policy holdersandcommunity.ThereviewalsofoundCommlnsure'sheartattackdefinitions wereconsistentwithsomebutnotthemajority ofplayersintheindustry inMay2014. Executiveswereawareoftheoutdatedmedical definitionssince2012 butchosenotto update its policies since it "ran counter to a claim strategy". This reflects the shareholder's wealth maximization corporate objective which is widely accepted barring a fewexceptions.

CBA Group has since been placing more focus on stakeholders under its Corporate Governance Framework. In its 2019 Corporate Governance Statement, stakeholder engagementissetoutas:"...providingbetteroutcomesforcustomers,earningthetrust ofthecommunitiesweserve,ensuring ourpeopleareenergizedandaccountable,and delivering sustainable, long-term returns for ourshareholders."

GOVERNANCE FROM ABOVE

ASXCorporateGovernanceCouncil's4theditionofCorporateGovernancePrinciples andRecommendationspublishedinFebruary2019describescorporategovernanceas "the framework of rules, relationships, systems and processes within and by which authority is exercised and controlled within corporations. It encompasses the mechanismsbywhichcompanies,andthoseincontrol,areheldtoaccount."

CBA's corporate governance from 2014 to 2016 was described in a separate report (Corporate Governance Statement), with brief comments on these issues in the Chairman's Statement of their Annual Reports (AR). With the appointment of Livingstone as Chairman on 1 January 2017, the 2017 AR was revamped and a comprehensive section on Corporate Governance was included.

Since2017, CBAhasbeen strengtheningcorporategovernancepracticesforthegroup tomeetthehigherstandardsexpectedoftheminlightoftheAPRAPrudentialInquiry andtheFinalReportreleased bytheRoyalCommission.Asectionfor"Whistleblower protection"wasaddedinCBA's2017Corporate GovernanceStatement.Thissection wasnotincludedintheir2015Statement.The2019Corporate GovernanceStatement wasfurther expandedanddescribes thekeygovernancearrangementsandpracticesof theGroupwhichmetalltherequirementsofthefourth editionoftheASXCorporate Governance Council's Corporate Governance Principles and Recommendations. The Board now regularly reviews and refines its corporate governance arrangements and practicesinlightofnewlawsandregulations,evolvingstakeholderexpectationsand the dynamic environment in which the Groupoperates.

Tomonitor thebank'scultureandeffectivenessofitscultural changeinitiatives,CBA gathers information from employee surveys, audit and compliance reports, whistleblower reports and other sources. The Group's Code of Conduct sets the standardsofbehaviourexpectedofemployeeswhenengagingwithandbalancingthe interestsofstakeholders.MaterialbreachesmustbereportedtotheAuditCommittee.

TheGroupWhistleblowerPolicyoutlinestheprotectionextendedtoawhistleblower from any form of retaliation or victimisation, including termination of employment, harassmentanddiscrimination.TheRiskManagementFrameworkallowsthe Groupto managerisks withinaBoard-approvedriskappetiteandisregularlyreviewed inlight of emerging risks arising from changing business environments, better practice approaches and regulatory and community expectations. The board's approach to its composition and renewal emphasises the need for: (i) an appropriate mix of relevant skills, expertise and experience, and (ii) independence by adopting Independence Standards forassessment.

Once Bitten, Never Shy. The Attacks Continue

A year later, on 13 March 2018, CBA once again made headline news. It had breached its insurance license conditions by mis-selling credit card insurance to customers who were ineligible for the product. The Hayne Royal Commission heard that CBA should not have sold its Creditcard Plus insurance to 64,000 customers, who were unemployed when they purchased the credit card insurance, despite that being a requirement under the eligibilitycriteria.

Comyn personally admitted under the commission's grilling that CBA's culture had problems - short-term bonuses for staff often carried an inherent risk that they would encouragestafftoputtheirowninterests ahead ofacustomer's.However,despitethe identificationofsuchrisks, Comynultimatelydecided againstendingbonuses, stating that it was necessary to motivate andincentivise staff.

Requirement:

Please analyze the enterprise risks from the perspective of governance structure regarding the above case.