APRA Court Enforceable Undertaking and OW Report release
•
•
•
•
•
•
•
•
GLOBAL MARKETS
BUSINESS REVIEW
01 April 2025
Contents
2
Contents
1.Executive summary ............................................................................................... 3
2.Background, scope and approach ......................................................................... 8
2.1. Background ....................................................................................................................... 8
2.2. Scope ................................................................................................................................ 9
2.3. Approach ........................................................................................................................ 10
2.4. Report structure.............................................................................................................. 14
3.Detailed findings ................................................................................................. 15
3.1. People and culture .......................................................................................................... 15
3.2. Governance..................................................................................................................... 23
3.3. Policies and frameworks.................................................................................................. 30
3.4. Tools and processes ........................................................................................................ 33
4.Root causes ......................................................................................................... 42
5.I.AM Amplified .................................................................................................... 46
6.Group-wide applicability ..................................................................................... 48
7.Recommendations .............................................................................................. 49
Appendix A. Oliver Wyman Culture Diagnostic Survey.............................................. 54
Appendix B. Case study selection .............................................................................. 57
Appendix C. Documents reviewed ............................................................................ 58
Appendix D. Glossary of terms and abbreviations ..................................................... 59
Executive summary
3
1. Executive summary
Background, scope and approach
ANZ’s Global Markets business has drawn stakeholder and media attention due to concerns related to
conduct, workplace behaviour, and non-financial risk governance. In response to these concerns, the ANZ
Board and the Australian Prudential Regulation Authority (APRA) initiated an independent review into
Global Markets culture and risk governance.
Oliver Wyman was engaged to conduct the review, which consisted of a culture diagnostic, risk governance
review, and root cause assessment for the Global Markets business. The review took place over a five-
month period, from October 2024 to March 2025, and excluded any assessment of matters subject to
regulatory investigation or legal action, as agreed with ANZ and APRA prior to the commencement of the
review.
Oliver Wyman used three complementary research methods to gather information across Global Markets
and the broader ANZ Bank Group including document review, an employee survey, and interviews. We
reviewed over 1,400 documents, surveyed over 3,400 employees and conducted over 110 interviews.0F
a
Oliver Wyman had full discretion over the interview list, ensuring a representative sample was selected. To
protect the anonymity of ANZ staff, no direct quotes from the survey or interviews have been shared with
ANZ or included in this report. In addition, we reviewed case studies to understand the operating
effectiveness of the culture and risk governance infrastructure of Global Markets, including past
operational incidents and material Markets change programs. Oliver Wyman did not investigate any
instances of inappropriate workplace behaviour; where inappropriate behaviour is referred to throughout
the report, this relates to instances where staff have alleged or reported such events.
Oliver Wyman provided periodic updates on material observations to the ANZ Board and management
team as well as APRA throughout the engagement. ANZ were also provided an opportunity to review the
case study fact bases as they formed an important evidence base for the risk governance assessment. Both
ANZ and APRA were given the opportunity to review a draft of the final report in order to identify any
potential instances of factual inaccuracy or unclear expression. Throughout the process, Oliver Wyman
retained full editorial ownership of the final report, and the views contained in this report are our own,
based on our review of the facts and our experience in performing similar reviews with Australian and
global financial services firms.
Findings
People and culture
The culture of ANZ Institutional and Markets has notable strengths. Most employees express pride in
working at ANZ, appreciate its culture, and operate within the Group’s risk culture expectations. The
culture emphasises positive traits such as collegiality, commercial drive, and reliability. However, the way
staff experience the culture is variable; sub-cultures exist where people understand the culture in different
a
Oliver Wyman issued the survey to Institutional and Markets staff in both business and enablement functions. We received
responses from 3,495 employees. The interviews were conducted with current ANZ Board members, executives, and staff across
Institutional, Markets and enablement functions. The interviewees were purposefully selected to provide a diverse pool of
experiences and perspectives across countries, functions, desks, and levels of seniority.
Executive summary
4
ways, and the culture is not always strong enough to compel staff to act in line with expected behaviours.
This creates the potential for isolated behaviours, at odds with the overall culture, to emerge.
There have been allegations of multiple instances of unacceptable workplace conduct in Markets in recent
years, relating to a small number of individuals, including bullying and alcohol and substance abuse. These
alleged incidents were serious, and in some cases sustained over time. However, we did not find evidence
of widespread or systemic misconduct. Most staff members do not recognise the inappropriate behaviour
that has been reported as representative of the culture they experience and are disappointed by what has
occurred.
A significant number of staff members in Sydney and London across various roles and seniority levels
within Markets shared that they had raised concerns to management about the observed inappropriate
workplace behaviour. Staff believe Markets leadership did not take decisive action to address the reported
misconduct, allowing it to persist. This has undermined confidence that speaking up about concerns drives
action, as well as eroding trust in leadership and negatively impacting morale. Some Markets leaders have
compounded these challenges by not effectively role modelling leadership standards and risk management
behaviours.
The Group’s employee-related processes, including the remuneration framework and consequence
management process, appear to be soundly designed overall. However, their application in Markets did
not effectively contribute as intended to preventing or addressing the instances of inappropriate workplace
behaviour which were reported to Oliver Wyman.
A positive but variable culture, leadership shortcomings, and limitations in the supporting infrastructure
allowed misconduct to emerge and persist. This ultimately resulted in a loss of trust among staff. Regaining
this trust and attaining confidence that similar problems will not re-emerge will require work to strengthen
the culture, leadership capabilities, and supporting employee processes.
Governance
A well-defined and embedded Three Lines of Defence model is an essential part of a bank’s overall risk
governance framework. The Markets model is well designed and forms an effective foundation but is not
consistently executed as intended. In the first line, there are several issues. The role and mandate of Desk
Risk Managers (Markets first line risk), have in practice expanded over time to take on responsibilities from
both the front office and Risk. There have been failings of front office supervision responsibilities.
Additionally, front office staff were not sufficiently involved in risk remediation activities, contributing to
ambiguity about risk ownership and impacting their non-financial risk capability development. We also
observed instances of the second line Risk function providing insufficient independent review and
challenge of Markets activities related to non-financial risk. The execution of the Three Lines of Defence
model in Markets has led to non-financial risk management weaknesses and made it harder for Markets to
develop consistent risk capabilities across the business.
The oversight governance model for the Group and Markets provides a solid framework for effective
oversight, with the Board and management highly engaged. However, enhancing reporting to include
meaningful insights and trend analysis would better empower the Board and management committees to
engage in discussion and challenge.
Policies and frameworks
Markets has a comprehensive suite of risk policies and frameworks effectively designed to guide risk
management and operations. We believe these are appropriate for an organisation of ANZ’s size, business
mix, and complexity, covering all required policies and material risk types.
Executive summary
5
While thorough, some of the current policy documentation suffers from inconsistency and complexity,
making it challenging for employees to navigate and apply these policies as intended. This can result in
inconsistent application. Simplifying and clarifying current policies will enable Markets staff to
independently and confidently operate within established guardrails, without the need to rely on support
functions in a way that diminishes their own risk ownership. Similarly, Markets’ approach to setting and
managing to its risk appetite is appropriate and within the Group’s limits, although there are opportunities
to make incremental improvements to the framework’s usefulness.
Tools and processes
The Markets business has made significant progress in evolving its risk infrastructure, particularly since the
FX and BBSW CEUs. However, while the risk tools and processes in place are appropriate, there is more
work to be done to ensure they are used consistently and effectively.
The control framework is well-designed to mitigate key risks; however, the highly manual control
landscape is not sufficiently supported by key processes to prevent control failings. Limitations in the
quality of control testing and independent oversight may contribute to an overly optimistic perception of
how effectively risks are managed. Similarly, ANZ’s tools for measuring risk culture are soundly designed
but there are opportunities for refinement to ensure they are producing accurate results.
Markets has a strong track record of rapid response to operational risk events; however, this does not
always translate into effective monitoring and remediation of issues. The absence of an end-to-end view of
key processes exacerbates these gaps, limiting the business’s ability to identify or remediate interrelated
risks. Greater emphasis on controls verification processes and systematically embedding lessons learnt
across the business will enhance the overall effectiveness of Markets’ risk management framework.
While this report identifies a number of shortcomings, we also acknowledge that Markets has made
significant improvements in recent years to improve culture, conduct, and risk governance. Initiatives such
as I.AM Amplified, the Markets Culture Uplift Program, and the FX and BBSW CEU Programs illustrate that
significant change is achievable when there is a strong focus and commitment.
Root causes
Oliver Wyman has identified five root causes that we believe contributed to both the emergence and
persistence of the shortcomings discussed in this report.
• Markets leadership shortcomings with regard to the importance and ownership of non-financial risk
management (including conduct risk) that has resulted in a lack of effective embedding of these
responsibilities across the business
• Inconsistent execution of first and second line non-financial risk management activities by the
appropriate functions, leading to unclear risk ownership and insufficient independent review and
challenge
• A tendency to view issues as isolated and overlook dependencies or systemic concerns, impacting
Market’s ability to identify broader risks requiring holistic remediation
• A focus on execution that drives action, but centres on implementing activities rather than driving
towards outcomes to embed change and reduce risk
• A variable Markets culture that was not always strong enough to constrain inappropriate behaviour
Addressing these root causes requires a comprehensive approach, including a shift in mindset, behaviours,
and changes to the supporting infrastructure. Failing to address these root causes may lead to the re-
emergence of shortcomings outlined in this report or allow new vulnerabilities to surface.
Executive summary
6
I.AM Amplified non-financial risk program
I.AM Amplified is a Group-wide non-financial risk uplift program that has been ongoing since 2020.
Through this review, we considered the extent to which the I.AM Amplified Program (the Program) is likely
to remediate the issues identified in Markets, and if not, why not. This included analysis of the original
I.AM Amplified problem statements, objectives, project charter, and recent documents related to the
Program’s delivery and governance in Markets.
While the Program has established a Group-wide approach to non-financial risk management and
reporting, many of the Markets specific observations in this report will not be directly addressed. For the
most part, the shortcomings observed in Markets fall outside the Program’s current scope or are highly
specific to the Markets business.
The Group intends to build on the foundations from I.AM Amplified and other risk initiatives with an
enterprise-wide non-financial risk program. The goal of this program is to embed effective non-financial
risk management across the Group. The draft plan covers frameworks and governance, Three Line of
Defence and risk culture, systems and data, operational resilience including process value chains, and a
focus on culture, capability and consequence management processes. We anticipate the Markets
recommendations outlined in this report will be included in a separate Institutional or Markets dedicated
program of work.
Group-wide implications
The review scope also included an evaluation of the likelihood that the shortcomings identified in Markets
may be present in other areas of the Group. To assess this, we performed a high-level review of data and
documents from ANZ’s Retail Division, as the next largest Division, to determine if there were any
indicators suggesting that the themes identified could also be relevant outside Markets.
We observed many indicators, both positive and negative, of the operating effectiveness of the risk
governance infrastructure in the Retail Division that were similar to those observed in Markets. As such, we
anticipate a reasonable degree of likelihood that some of the root causes and risk governance
shortcomings identified in Markets may be found elsewhere within the Group. However, it is important to
note that the nature of our review, which was driven by summary documents and data without the
inclusion of interviews, tools and process assessments, or independent surveys, does not provide definitive
evidence of specific gaps or their nature. Oliver Wyman recommends that ANZ either conduct a further
detailed assessment of whether the gaps identified in Markets are present elsewhere and/or operate on
the assumption they are and apply appropriate remediation on a Group-wide basis, tailored to the specific
businesses within each Division or Function.
Recommendations
The paper contains detailed recommendations to address the identified issues. However, we suggest
prioritising the following initiatives to significantly enhance risk management in Markets.
• Leadership: Clarify and reinforce Markets leadership standards to align leaders’ actions with the
desired culture and conduct to drive improved outcomes. Support leaders to effectively communicate
and embed risk, culture, and behavioural expectations through practices such as storytelling and role
modelling.
• First and Second Line of Defence: Refresh Markets’ articulation of how its governance model should
work in practice to create distinct and differentiated roles for Markets front office, Markets first line
risk (especially the Desk Risk Managers), and Risk to improve consistency in risk governance execution
and independent challenge.
Executive summary
7
• Front office supervision: Ensure that expectations for supervisors are clearly articulated, reinforced,
and monitored. Enhancing the tools and data available to supervisors will empower them to fulfil these
responsibilities more effectively.
Other recommendations are focused on cultural change; improving reporting capabilities; controls testing
practices and capabilities; improving root cause remediation and sharing lessons learnt; and simplifying
policies and frameworks to support consistent adoption across the business.
We observed strong focus and attention from Markets leaders to improve the business’s non-financial risk
practices. As Markets moves forward to address the issues identified in this report, the primary challenge
will be to embed these changes in a sustainable and consistent manner throughout the business. Markets
must evolve its approach to culture and risk remediation governance to one that drives accountability for
outcomes and demonstrates incremental risk and culture improvement. This will help ensure that the
improvements in culture and risk governance not only take root but also become the standard way of
working across the whole business.
Conclusion
Based on our review, the behavioural issues that led the ANZ Board and APRA to request an independent
assessment were isolated incidents. Overall, the culture and risk culture within Institutional and Markets is
positive. Staff are broadly willing to speak up and raise conduct issues with management. However,
leadership did not take effective action when behavioural issues arose and fell short on staff engagement
and role modelling. These leadership shortcomings, alongside gaps in non-financial risk management,
made it possible for instances of unacceptable and inappropriate behaviour to persist. We observed
inconsistencies in the effectiveness of risk governance infrastructure, which should have otherwise
identified vulnerabilities and more effectively escalated issues as they arose. The way in which these issues
were managed, and the perceived lack of effective action by Markets leaders have negatively affected staff
sentiment toward leadership; rebuilding this trust will take time.
Oliver Wyman has concluded that all the Markets conduct issues identified through this review were
isolated incidents; our review did not identify any other significant Markets risk events. However, we
believe that the weaknesses in culture, leadership, and infrastructure could lead to material issues in the
future if they are not addressed.
Throughout the engagement, Markets, Institutional, and ANZ Group leaders and staff were open and
transparent, providing both candid accounts of how the business operates and recommendations for
improvement. The feedback of many interviewees showed a sense of pride in the Markets business,
together with an awareness of the gravity of the issues that have emerged and the challenges currently
facing the business. Staff commitment to addressing these challenges and getting Markets on to a stronger
footing in terms of culture, conduct, and non-financial risk management was also very apparent. Based on
these attitudes, and the fundamental strengths of Markets and Institutional’s culture and risk management
framework, we are optimistic that this goal can be achieved. There is nevertheless much work to be done
on multiple fronts to address the identified root causes. The Markets business needs to foster greater non-
financial risk awareness and strengthen leadership, culture and accountability. These improvements need
to be supported by more consistent execution and more robust risk infrastructure. Making these
investments will enable Markets to capitalise on its many cultural and commercial strengths, build trust in
leadership, and mitigate the risk of recurring issues.
Background, scope and approach
8
2. Background, scope and approach
2.1. Background
The Australia and New Zealand Banking Group Limited (ANZ or the Group) is a diversified financial services
firm providing retail, commercial, and institutional banking products and services.01F
a
The Institutional
Division services global institutional and business customers across three product sets: transaction
banking, loans and specialised finance, and markets.1F2F
ANZ’s Global Markets business operates within the broader Institutional Division, employing over 1,600
staff across 18 markets.
b
It offers a range of financial services to assist clients including trading, risk
management, and investment solutions.
In 2019, the Australian Prudential Regulation Authority (APRA) mandated 36 financial institutions, including
ANZ, to conduct a Risk Governance Self-Assessment due to observations arising from the CBA Prudential
Inquiry.126F
1
2F During this assessment, ANZ self-identified areas for improvement in culture, governance,
and accountability and subsequently developed a roadmap to address these areas.127F
2
3F As a result, APRA
required that ANZ hold an additional $500 million capital to cover associated non-financial risks, consistent
with requirements applied to other major Australian banks at the same time.4F3F
c
Since then, ANZ has made significant progress in enhancing its risk management practices through
initiatives such as the I.AM Amplified program, the CPS 230 uplift, and other discrete programs of work.5F4F
d
In
addition to the Group-wide risk management remediation programs, Global Markets has delivered several
dedicated risk management and cultural remediation programs, including those related to the FX and
BBSW Court Enforceable Undertakings (CEUs) and the Markets Culture Plan.6F5F
e
Despite various initiatives
and significant investment, subsequent reviews continued to identify areas for improvement to embed risk
governance practices.7F6F
f,
128F
3
Recently, ANZ’s Global Markets business has drawn stakeholder and media attention due to concerns
related to non-financial risk governance and alleged inappropriate workplace behaviour in the Sydney
dealing room.8F7F
g
In response to these concerns, the ANZ Board and APRA initiated an independent review
into the Global Markets culture and risk governance.9F8F
h
Reflecting their heightened concerns about
ANZ’s non‑financial risk management practices, APRA also increased the Group’s capital charge to $750
million.129F
4
10F
a
The Group refers to the ANZ Bank Group, which houses ANZ’s business activities and material risks.
b
Institutional operates across 21 markets.
c
ANZ, Westpac, and NAB had capital charges of $500 million, and CBA had a $1 billion capital charge applied.
d
I.AM Amplified is the Group-wide non-financial risk uplift program; more details on the scope of this program are included in
Section 5. I.AM Amplified.
e
Following two CEUs in 2017,
ANZ initiated two remediation programs: the FX and BBSW CEU programs.
These programs,
implemented between 2017 and 2024, involved updates to Global Markets policies, procedures, systems, controls, training,
guidance, and frameworks aimed at preventing, detecting, and responding to misconduct and concerns identified by the Australian
Securities and Investment Commission (ASIC).
Global Markets has engaged in a risk culture and culture uplift program (the Markets
Culture Plan) since 2013, with structured initiatives to improve speak up culture, leadership capability, and learning.
f
Consistent themes are present in Promontory’s 2021 report assessing ANZ’s progress against the 2018 Risk Governance Self-
Assessment (RGSA) actions, ANZ’s 2022 Internal Audit report, and APRA’s 2023 RGSA feedback.
g
Concerns relate to alleged inappropriate workplace behaviour in the Sydney dealing room, bond reporting data, and bond trading
activity.
h
The ANZ Board refers to both the ANZGHL Board and the ANZBGL Board (and their Board Risk Committees) unless otherwise
indicated. ASIC are also conducting a separate investigation into the bond trading matter.
Background, scope and approach
9
2.2. Scope
This report represents the output of the independent culture diagnostic, risk governance review, and root
cause assessment for ANZ’s Global Markets business, commissioned by the ANZ Board and APRA. Referred
to as the Global Markets Business Review, the work was conducted over a five-month period, from
October 2024 to mid-March 2025. It excludes any matters currently subject to regulatory investigation or
legal action, as agreed with ANZ and APRA prior to the commencement of the review. Oliver Wyman did
not investigate any instances of inappropriate workplace behaviour; where inappropriate behaviour is
referred to throughout the report, this relates to instances where staff have alleged or reported such
events.
Oliver Wyman provided periodic updates on material observations to the ANZ Board, ANZ Management,
and APRA throughout the engagement. Involved stakeholders were also provided an opportunity to review
the case fact base which formed part of the risk governance assessment. Oliver Wyman has retained full
editorial ownership of the final report. The views contained in this report are based on our experience in
performing similar reviews with Australian and global financial services firms.
Culture diagnostic
The culture component of the review sought to determine whether the concerns within the Sydney dealing
room were localised or systemic. The Board aimed to understand the following within the context of Global
Markets:
• The tolerance and consequences for behaviours that conflict with ANZ’s values and Code of Conduct,
including substance abuse (alcohol or drug use), racism, and bullying;
• The strength of the speak-up culture, focusing on support for individuals raising concerns about
misconduct, process failures, potential breaches, or systemic issues;
• The risk culture, including emphasis on risk management behaviours, adherence to ANZ policies and
values, and the willingness to exploit grey areas;
• Leadership behaviours and capabilities, including role modelling, risk management, and addressing
misconduct; and
• The effectiveness of controls and leadership in identifying, responding to, and holding staff
accountable for cultural issues.
The review also included an initial assessment of the current Institutional Division culture and any variation
from Global Markets.
Risk governance assessment
The risk governance component of the review fulfils APRA’s requirement of ANZ to appoint an independent
party to review the root causes of recent workplace behaviour issues and risk governance concerns in the
Global Markets business and assess the potential impacts across the broader bank.130F
5
12F The review included:
• A detailed assessment of Global Markets risk governance infrastructure against Oliver Wyman’s
assessment framework;
• An assessment of ANZ’s risk culture measurement approach, and a comparison of Oliver Wyman’s
findings with ANZ’s internal risk culture findings;
• An assessment of the root causes that led to recent issues and risk governance concerns;
• A review of the I.AM Amplified program to determine its effectiveness in addressing any identified
Markets weaknesses; and
• An assessment of the extent to which Markets weaknesses may be present elsewhere in the Group.
Background, scope and approach
10
This report also presents comprehensive recommendations aimed at addressing the identified weaknesses,
as well as targeted strategies to tackle the underlying root causes.
2.3. Approach
We assessed culture, conduct, risk infrastructure, and risk governance and culture outcomes to derive a
comprehensive view of the Markets business.
Culture is a combination of employee beliefs, thoughts, and biases, and is often not homogenous across an
organisation of ANZ’s scale. Conduct is the tangible manifestation of culture through the actions,
behaviours, and decisions of individuals. Culture outcomes are observable consequences of both culture
and conduct including business performance, resilience, continuous improvement, and employee and
customer engagement. Risk culture and governance outcomes include risk exposure, compliance, business
performance, and continuous improvement.
The following sections outline the research methods and assessment frameworks Oliver Wyman used
during the review to assess the business’s current culture and risk governance.
2.3.1. Research methods
Oliver Wyman used a number of complementary research methods to gather information across Global
Markets and the broader ANZ Group, employing three key research methods: document review, an
employee survey, and interviews.
Document review: Oliver Wyman conducted a detailed document review to assess the current state of risk
management, culture, and accountability at ANZ. We reviewed over 1,400 artefacts from ANZ, including
documents related to ANZ Group, Institutional, and Global Markets. Our evaluation relied on the
completeness and accuracy of the data provided by ANZ.13F9F
a
Survey: Oliver Wyman surveyed over 3,400 employees to gain insights into their perspectives on the
culture, conduct, and risk governance practices within the Global Markets and Institutional Division. This
survey aimed to identify strengths and areas for improvement by leveraging a standardised set of
questions, informed by previous ANZ employee engagement and risk culture surveys, APRA’s risk culture
survey, and Oliver Wyman’s culture diagnostic framework. Each participant answered 57 questions,
including one open-ended response, to provide a comprehensive understanding of employee views and
experiences.10F
b
Interviews: Interviews were conducted with over 110 stakeholders across ten locations to supplement
insights from the document review and survey. These confidential interviews allowed Oliver Wyman to
gain a deeper understanding of stakeholders’ attitudes and understanding of risk governance, leadership,
and culture practices.16F11F
c
Interviewees included ANZ Board members, Group executives, Institutional Division
executives, Global Markets leadership and staff (including revenue-generating staff across different teams,
a
Documents reviewed include key risk management documents, such as frameworks, policies, procedures, Board and Board
committee papers, management committee papers, audit reports, project documentation, internal staff communications, and
human resources data. A summary of the documents reviewed is included in the Appendix.
b
Prior to the commencement of the review, the survey scope was expanded to include all Institutional Division employees to
better understand any cultural variances compared to Global Markets and understand areas requiring further investigation in
agreement with ANZ and APRA. The survey was issued to approximately 7,500 staff: all Institutional Division staff and Global
Markets-aligned support function staff. 3,495 responses were received, with 2,016 free-text responses. Refer to the Appendix for
further detail.
c
The discussions primarily centred on Markets, while also engaging with Institutional Leadership to explore any differences in
approaches, behaviours, attitudes, and mindsets in Institutional regarding culture and risk governance.
Background, scope and approach
11
locations and roles) and aligned support function staff.17F12F
a
Oliver Wyman committed to interviewees that
individual comments would remain confidential in order to enable candour, and had full discretion over
the interview list, ensuring a representative sample was selected. Interviews were conducted using
consistent interview formats and discussion guides to facilitate the comparison of feedback across
interviewees.18F13F
b
To protect the anonymity of ANZ employees, direct quotes from the survey and interviews have not been
included in this report.
2.3.2. Culture diagnostic
Measuring and observing culture within an organisation can be challenging. Culture encompasses both
observable behaviours, such as actions and statements, and underlying mindsets, which include the often-
unconscious attitudes and assumptions shared among individuals. To address this, we have developed a
comprehensive, research- and data-driven model to qualitatively and quantitatively measure culture and
provide a clearer understanding of its dynamics within the organisation.
Oliver Wyman’s approach to culture describes six primary traits that shape the social and cultural
behaviour of all organisations. Each trait represents a distinct and valid way to view the organisation, solve
problems, and understand how leaders approach and role model expected standards. While these traits
are present to varying degrees across all organisations, their unique combinations and strengths shape
shared norms and behaviours. Each cultural trait can yield both positive and negative outcomes if not
managed effectively; none of these traits represent universal characteristics of a ‘high-performance’ or
‘best’ culture.
1. Affinity: emphasises strong, supportive relationships but may also experience slow decision making
and stifled competitiveness. Risk may be managed socially, requiring consensus building, which may
result in slower response to risk events.
2. Productivity: emphasises achievement-orientation and ambition, where determination and drive are
important. Risk management may be approached with an execution mindset; however, over-emphasis
may lead to behaviours that deviate from established rules and guidelines.
3. Authority: emphasises strength and influence, often resulting in a competitive environment. This can
result in fast decisions and responsiveness to crises but may also result in centralised risk decision
making through established governance structures or dependency on the knowledge of select
influential individuals.
4. Universality: emphasises purpose and values where compassion and making a difference are
important. Risk decisions are typically guided by a long-term perspective and a deeply-held belief in the
mission but may result in a lack of attention to immediate, short-term risks.
5. Stability: emphasises predictability, where efficiency and order are important. However, this may be
characterised by a low risk tolerance, careful planning, and avoidance of uncertainty which may lead to
rigidity in the face of evolving risk factors.
6. Adaptability: emphasises flexibility, where new ideas are easily sparked and curiosity flourishes. This
may result in a flexible, ‘test and learn’ approach to risk that affords greater resilience in times of
change but can result in increased risk-taking behaviours.
This model allows us to test both the nature and strength of the culture. By culture strength we mean how
consistent, widespread, and well-liked a company’s culture is across people and teams. A strong, unified
a
Interviews were primarily conducted in person across Sydney, Melbourne, Auckland, Wellington, Singapore, Hong Kong, Seoul,
Tokyo, London, and New York. Support functions included staff in Risk and Compliance functions aligned to Global Markets.
b
Interviews covered culture experiences, conduct, risk culture outcomes, and perspectives on leadership and risk governance.
Background, scope and approach
12
culture serves to guide and constrain behaviours, mindsets, and conduct by influencing or even overriding
individual tendencies. Less unified cultures allow individual or localised preferences to dictate behaviour
and can lead to poor risk culture outcomes, including conduct risk, if left unchecked.
Culture strength is measured through three parameters:
• Agreement: the degree of consensus on shared norms and behaviours;
• Intensity: how strongly people are motivated to align behaviours within the culture; and
• Favourability: how people feel about the culture and the degree which they identify with the culture.21F14F
a
Oliver Wyman used both the survey and interviews to assess the culture topics identified by ANZ’s Board.
This assessment was further supported by a targeted document review of over 150 cultural artefacts,
which provided insights into the espoused culture, risk culture, and conduct expectations within the Group,
Institutional, and Global Markets.
2.3.3. Risk governance assessment
Oliver Wyman’s risk governance assessment framework was used to structure the Markets review and
ensure coverage across relevant areas.22 The framework covers:
• People and culture: the extent to which the Markets culture and risk culture supports effective risk
management, including the capability of leaders and the efficacy of performance management,
remuneration, and consequence management as incentive mechanisms.
• Governance: the effectiveness of governance structures in supporting sound risk management,
including Board and Management committee reporting as well as roles, responsibilities, and
accountabilities for managing risk across the Three Lines of Defence.
• Policies and frameworks: the appropriateness and effectiveness of strategies, policies, and
frameworks critical to managing risk in the Markets business, including risk appetite statements.
• Tools and processes: the design and operating effectiveness of tools, processes, systems, and
approaches to manage risk, with a specific focus on the efficacy of controls and incident management.
Detailed areas for assessment were identified across the framework and tested through a set of case
studies, interviews, document review, and additional deep dives.
In consultation with ANZ and APRA, we selected five case studies to examine the practical operation of the
Markets risk governance infrastructure. These case studies encompassed a range of Markets risk events
and change programs, reflecting various time periods, locations, degrees of escalation, and levels of
remediation.15F
b
An overview of the case studies is included below and in the Appendix.
• Case study A: control and process breakdown involving teams across Markets and Group functions,
which could have, but ultimately did not, result in a loss.
• Case study B: trade surveillance control failings and remediations, that provide insights into the control
environment and processes across the 3LOD.
• Case study C: FX and BBSW Court Enforceable Undertaking programs of work from 2017 to 2024,
reflecting Markets’ approach to material risk governance improvement over a multi-year period.
a
Agreement was measured through individual and group differences in the Oliver Wyman Culture Diagnostic Survey and
interviews. Intensity was measured through a combination of questions that test whether respondents think others will disapprove
of inconsistencies in values, and by variability over time. Favourability was measured through questions that test whether
respondents like a culture, feel proud, and have a shared sense of identity with culture norms.
b
Refer to the Appendix for further information on how the case studies were selected.
Background, scope and approach
13
• Case study D: distribution of a Markets product that was subsequently discontinued, which provided
opportunities to assess policy effectiveness and risk awareness.
• Case study E: Institutional and Markets culture programs from 2013 onwards with a focus on
leadership capability improvement, highlighting leaders’ influence on cultural change.
ANZ have confirmed that there were no material financial losses related to case studies A, B or D, and cases
C and D were change programs.
Additional deep dives on controls, governance, and risk culture were conducted to gain additional insight
into Markets practices beyond the case studies. Oliver Wyman established a formal fact-check process with
ANZ stakeholders to confirm our understanding of the provided documents. In addition, Oliver Wyman
assessed control and remediation processes relevant to the issues observed.
To assess the suitability of the I.AM Amplified program in addressing the identified issues, we conducted
targeted interviews with staff involved in the program and reviewed over 100 relevant program
documents. This review included the original I.AM Amplified problem statements, objectives, project
charter, and recent documents related to the program’s delivery and governance.
Oliver Wyman’s review focused on Markets-specific risk governance and assessed Institutional or Group-
wide policies and procedures applicable to Markets. We also evaluated whether identified Markets risk
governance issues had the potential to be present across the broader Group, reviewing a broad range of
Group-wide data to support this review.
Our observations of industry practice from work with other local and global banks informed the evaluation
of the existing infrastructure and provided concrete examples of effective risk management practices and
recommendations for enhancing Markets risk management practices.
2.3.4. Overall assessment
The observations gathered from the culture diagnostic and risk governance assessment were integrated to
form a comprehensive assessment of the Global Markets business.
Figure 1 illustrates how the different research methods were combined to assess their impact on Global
Markets, identify the relative significance of the observations, and offer clear, actionable
recommendations for improvement. This integrated approach enabled us to identify common root causes
contributing to the shortcomings observed in Global Markets, which intersect both the scope of the culture
diagnostic and risk governance review.
Figure 1: Oliver Wyman’s approach to risk governance and culture assessment
Oliver Wyman
Document reviewSurveyInterviews
Culture diagnos cRisk governance assessment
People and cultureGovernancePolicies and frameworksTools and processes
Root cause 1Root cause 2Root cause 3Root cause Root cause 5
Recommenda ons to address ndings
Background, scope and approach
14
2.4. Report structure
Section 3 of this report contains our key findings relating to risk governance and culture, across each
dimension of our risk governance assessment framework. For each dimension, we present our findings,
summarise the key supporting evidence and provide recommendations for improvement.
• Section 3.1. People and culture
• Section 3.2. Governance
• Section 3.3. Policies and frameworks
• Section 3.4. Tools and processes
The following sections discuss root causes, I.AM Amplified, the Group-wide applicability and more detailed
recommendations for consideration.
• Section 4. Root causes
• Section 5. I.AM Amplified
• Section 6. Group-wide applicability
• Section 7. Recommendations
This report is supported by the following appendices:
• Appendix A. Oliver Wyman Culture Diagnostic Survey
• Appendix B. Case study selection
• Appendix C. Documents reviewed
• Appendix D. Glossary of terms and abbreviations
Throughout the report, we refer to key terms that are defined here as well as in the glossary. We have
highlighted two specific sets of terminology that are important to understand:
• We use the term ‘issues’ to refer to actual events or identified gaps, and the term ‘concerns’ to refer to
observations that have the potential to give rise to unintended outcomes or employees’ beliefs about
potential issues
• The term ‘Markets leaders’ refers to members of the Markets Leadership Team (MLT)
Footnotes are included throughout the report to provide further explanation or detail, and endnotes are
listed at the end of the report to cite key sources. Footnotes appear as letters and endnotes are numbered.
People and culture
15
3. Detailed findings
3.1. People and culture
a
The culture of ANZ Institutional and Markets has notable strengths. Most Institutional employees express
pride in working at ANZ, appreciate its culture, and operate within the Group’s risk culture expectations.
The culture emphasises positive traits such as collegiality, commercial drive, and reliability. However, the
way staff experience the culture is variable; sub-cultures exist where people understand the culture in
different ways, and the culture is not always strong enough to compel staff to act in line with expected
behaviours. This creates the potential for isolated behaviours, at odds with the overall culture, to emerge.
There have been allegations of multiple instances of unacceptable workplace conduct in Markets in recent
years, relating to a small number of individuals, including bullying and alcohol and substance abuse. These
alleged incidents were serious, and in some cases sustained over time. However, we did not find evidence
of widespread or systemic misconduct. Most staff members do not recognise the inappropriate behaviour
that has been reported as representative of the culture they experience and are disappointed by what has
occurred.
A significant number of staff members in Sydney and London across various roles and seniority levels
within Markets shared that they had raised concerns to management about the observed inappropriate
workplace behaviour. Staff believe Markets leadership did not take decisive action to address the reported
misconduct, allowing it to persist. This has undermined confidence that speaking up about concerns drives
action, as well as eroding trust in leadership and negatively impacting morale. Some Markets leaders have
compounded these challenges by not effectively role modelling leadership standards and risk management
behaviours.
The Group’s employee-related processes, including the remuneration framework and consequence
management process, appear to be soundly designed overall. However, their application in Markets did
not effectively contribute as intended to preventing or addressing the instances of inappropriate workplace
behaviour which were reported to Oliver Wyman.
A positive but variable culture, leadership shortcomings, and limitations in the supporting infrastructure
allowed misconduct to emerge and persist. This ultimately resulted in a loss of trust among staff. Regaining
this trust and attaining confidence that similar problems will not re-emerge will require work, including
strengthening the culture, leadership capabilities, and supporting employee processes.
Key observations
1. Institutional has a largely positive culture and risk culture; employees appreciate the culture and are
proud to work at ANZ
2. The culture is variable, staff often understand it in different ways, and it was not always strong enough
to consistently drive behaviours
3. We identified localised examples of alleged workplace misconduct in Markets relating to a small
number of individuals, but not widespread or systemic misconduct
4. Staff reported raising conduct issues with management and are broadly willing to speak up
5. Staff believe Markets leadership did not take effective action on reported misconduct, leading to a loss
of trust in leaders
6. Markets leadership fell short on staff engagement and role modelling
7. Some employee-related processes require improvement to operate effectively
People and culture
16
1. Institutional has a largely positive culture and risk culture; employees appreciate the culture and are
proud to work at ANZ
Staff across Institutional generally appreciate the culture they experience and take great pride in working
for ANZ. They perceive the organisation to be well managed, and value the strong proposition it offers: an
inclusive culture that supports work-life sustainability, which many staff describe as relatively unusual in
the institutional banking industry. Across Institutional, 82% of survey respondents are proud to work at
ANZ, and 80% like the culture. For Markets employees, the results are 76% and 77%, respectively. The
results within Markets are materially lower in two locations, with just over 60% of Markets Australia and
Korea staff being proud to work at ANZ, and around half of Markets Australia and Korea liking the culture.
Numerous staff mentioned that the culture and risk culture at Institutional, and in particular within
Markets, have improved significantly over the last decade, as a result of the leadership team’s efforts and
cultural change programs. There is a significantly greater emphasis today than in the past on professional,
inclusive, and risk-aware behaviours.
Our culture survey and interviews revealed several consistent cultural strengths for the Institutional
Division. The culture emphasises stability, productivity, and affinity.16F
a
Organisations with stability-oriented
cultures are reliable, value established ways of working and are generally risk aware; such cultures are
common in the financial services industry. A productivity-focused culture is results-oriented, placing a high
value on delivery and commercial drive. High affinity within a culture indicates a collaborative and collegial
environment. Interviewees frequently described the culture as friendly, cooperative, respectful, and
inclusive, which fosters a positive atmosphere that encourages teamwork and mutual support among
colleagues. These traits are important cultural assets for ANZ, helping it attract and retain staff and
contributing to both business results and risk management. The dominant cultural traits also have
downsides at times; employees reported that the collegiality and emphasis on consultation in the culture
could lead to slow decision-making and that the orientation to stability sometimes discourages innovation.
Institutional staff perceive the risk culture to be effective, and for the most part, both ANZ’s Risk Culture
Survey and the Oliver Wyman Culture Diagnostic Survey indicate favourable perceptions of risk culture
among Institutional and Markets staff.17F
b
Both ANZ and Oliver Wyman’s surveys indicate that over 90% of
Institutional staff believe that risks are well managed, and are actively considered in decision making, and
that when issues arise, appropriate changes are made to prevent recurrence. Oliver Wyman’s survey shows
that 90% of Institutional staff view Risk and Compliance as respected functions.18F
c,
131F
6
Markets staff generally act in line with ANZ’s values and risk appetite. They are mindful of navigating grey
areas appropriately and often consult with support functions for clarity in ambiguous situations.19F
d
Most
staff effectively manage operational risk issues, often responding promptly once issues are identified.20F
e
Oliver Wyman found no evidence of tendencies to exploit grey areas or intentional breaches of risk
policies, processes, guidelines, or frameworks.
a
Institutional staff were asked 24 questions about how strongly they perceive different culture traits. Of the top 12 questions
where staff expressed the strongest perceptions, all but one related to the stability, productivity, and affinity traits. Refer to the
Appendix for further detail on Oliver Wyman’s Culture Framework and supplementary analysis from the Culture Diagnostic.
b
Several questions relating to risk culture received favourability scores of over 80%, including questions relating to: understanding
risk appetite, raising issues when something is not right, leadership demonstrating accountability for risk, leaders effectively
managing critical risks, having the appropriate skills to manage risk, discussing risk daily, considering risk in decision-making,
respecting the Risk and Compliance functions, and preventing issues from recurring. See Appendix for full survey results.
c
There were instances where the two surveys yielded materially different results; these are discussed below.
d
About 20% of interviewees explained that they consult DRMs in ambiguous situations or grey areas to ensure that risk is managed
appropriately and policies and procedures are adhered to.
e
Refer to Section 3.4. Tools and processes for details on event management and escalation.
People and culture
17
2. The culture is variable, staff often understand it in different ways, and it is not strong enough to
consistently drive behaviours
Despite the positive features of the Institutional and Markets culture, it is not experienced evenly across
locations, functions, and seniority levels. Our analysis suggests that staff within Institutional, including
Markets, have a relatively low degree of agreement or consensus on the core norms and behaviours of the
culture. This indicates a degree of variability in how the culture is expressed.21F
a
For example, we noted a
significant difference in the culture of Markets Sydney compared to the broader Institutional culture. Staff
in Sydney described a culture that places a strong emphasis on authority over affinity. Authority in this
context refers to an environment where decisions are often guided by influential individuals, and
leadership is generally characterised by a focus on power and the ability to influence others.
Several of our survey and interview questions were designed to understand how motivated Institutional
staff are to align their behaviours with the cultural norms. We refer to this as the culture’s
intensity. Responses to these questions revealed that Institutional has a mixed or moderate degree of
cultural intensity. This suggests that personal preferences and team norms, especially those set by
managers, often have a greater influence on behaviour than the overall culture. As a result, the culture is
not as effective in consistently guiding staff behaviour as it ideally should be.
The overall culture’s variability and its limited ability to consistently compel and guide behaviour led us to
conclude that several distinct sub-cultures exist across the Institutional business, particularly within
Markets. These sub-cultures can emerge from factors such as geographic diversity, inconsistent leadership
messaging, and variations in how official communications convey cultural and behavioural expectations.22F
b
Institutional is a geographically diverse business, operating in 21 markets. However, while large and
geographically diverse organisations often exhibit sub-cultures, we observed greater variability in
Institutional and Markets that we would expect to observe at other global institutions with a similarly
diverse geographic footprint.23F
c
The presence of multiple subcultures within a business heightens the risk that some may establish
behavioural norms that conflict with the expectations of the overall culture. This can lead to undesirable
behaviours, such as workplace misconduct or a lack of risk awareness in decision-making. This can help
explain how instances of inappropriate behaviour can emerge in an otherwise positive culture.
3. We identified localised examples of alleged workplace misconduct in Markets relating to a small
number of individuals, but not widespread or systemic misconduct
Oliver Wyman did not find evidence of widespread or systemic misconduct within Markets. Interviewees
expressed concerns about multiple instances of unacceptable behaviour within Markets over a number of
years, including bullying, aggression, and substance misuse among a small number of Markets employees.
About 30% of the staff interviewed were aware of these behaviours, with many providing first-hand
reports of various incidents. Oliver Wyman received isolated reports from staff of inappropriate
behaviours, including bullying, and alcohol and substance misuse in Sydney and London and bullying in
Singapore. Multiple interviewees reported that the individuals in question engaged in this inappropriate
behaviour for periods of several months or even years without effective intervention.
a
The Institutional culture scores low on Agreement. It is measured through individual and group differences in Oliver Wyman
Culture Diagnostic Survey and interview responses.
b
Official communications in this context refers to the ANZ ICARE Values, ANZ Behaviours, Risk Principles, Institutional Culture Plan,
Institutional Aspirational Culture, Markets Culture Plan, Markets Aspirational Culture, and the Global Markets Behaviours.
c
Based on Oliver Wyman’s proprietary benchmarking of several hundred organisations, including other global banks with a similar
scale, global footprint, and business mix.
People and culture
18
Most staff members were clear that they do not view bullying, or alcohol and substance abuse to be
reflective of the ANZ culture they experience and consider these instances to be outliers. Our review of
anonymised Markets employee relations data also did not produce any evidence of more widespread
misconduct of this nature.
Ultimately, despite a generally positive culture, localised instances of inappropriate workplace behaviour
occurred and persisted in Markets. This shows that, in these cases, the culture was not strong enough to
guide leaders and align behaviour in line with ANZ’s expectations and values.
4. Staff reported raising conduct issues with management and are broadly willing to speak up
Numerous staff members who reported incidents of inappropriate behaviour expressed that they, or
colleagues they knew, had previously sought to address these conduct concerns with management through
both formal and informal avenues.
More broadly, staff in Markets are willing to speak up on risk or conduct issues that concern them. Indeed,
86% of Markets staff agree that individuals within their area raise issues when they believe something is
not right.132F
7
The established speak-up channels, such as through the Incident Management Framework,
Employee Relations, and Whistleblower channels, routinely receive reports from Markets staff. Numerous
interviewees indicated they had previously raised concerns regarding risk management or cultural issues
through formal or informal channels.
Despite this general willingness to speak up, staff identified several barriers to doing so with confidence.
Some staff voiced concerns about the confidentiality of speak-up channels, sharing first-hand experiences
of breaches and instances where complainants faced retaliation from respondents or their managers and
leaders. Only 74% of Markets staff agree they can raise issues without fear of reprisals or negative
consequences.25133F
8
Employees also highlighted challenges regarding confidentiality during investigations,
noting that managers and relevant support function staff sometimes fail to handle confidentiality
appropriately. Although verification of these issues did not form the scope of our review, a broad
perception regarding the confidentiality of escalation channels was evident across many Markets locations.
5. Staff believe Markets leadership did not take effective action on reported misconduct, leading to a
loss of trust in leaders
There is a strong and widespread perception among staff that Markets leadership either acted too slowly
or not firmly enough on the inappropriate workplace behaviour reported in Sydney, London and, to a
lesser extent, Singapore. Interviewees felt that Markets leadership did not manage the issues escalated to
them, allowing the conduct to persist. In some cases, staff reported experiencing threats of recrimination
for raising these issues. Despite senior Markets staff and leaders being aware of the conduct, these
behavioural issues were allegedly not addressed through the Markets Incident Management Framework or
other reporting mechanisms for an extended period. Markets and ANZ leaders also acknowledged through
our engagement that these issues should have been dealt with more effectively.
Leaders play a key role in determining consequences. As such, this contributed to the perception that
Markets leaders specifically were not effective in sufficiently addressing inappropriate workplace
behaviour and preventing repeat offences. Whilst staff do not have visibility of the actions taken or
consequences applied to individuals, only 73% of Markets staff believe that consequences for behaving out
of line with policies and values are appropriate. For example, only a little over half of the Markets Sydney
People and culture
19
team believe that appropriate consequences are enforced when staff engage in misconduct.26F
a,
134F
9
Staff
reported that this situation resulted in diminished trust and confidence in Markets’ standards of behaviour
and the perceived value of speaking up. Additionally, only 70% of Markets staff believe that the input they
provided in Oliver Wyman’s survey would be acted upon to improve the organisation.135F
10
Ultimately, there has been a loss of trust among Markets staff. Only 65% of Markets staff feel that senior
leaders’ actions align with their words.27F136F
11
This trust is notably lower in Australia where staff were closer to
the Sydney dealing room behaviour; only 43% of Markets Australia staff believe that leaders ‘walk the
talk’.137F
12
Many of these staff also appear to have lost confidence in the effectiveness of risk governance and
people management processes that rely on the capabilities of their leaders. Some Markets Australia staff
do not believe leaders demonstrate personal accountability for managing risk and promoting sound risk
behaviours, nor do they believe that their leaders effectively manage critical risks.28F
b,
138F
13
6. Markets leadership fell short on staff engagement and role modelling
Markets leaders are expected to play a key role in managing conduct, culture, and risk: both role modelling
and reinforcing desired behaviours, and executing front office supervision responsibilities where
applicable.29F
c
However, we have identified areas where Markets leaders did not consistently meet these
expectations, including insufficient physical presence in the Sydney dealing room, mixed effectiveness in
communication and engagement with staff, and some cases of not consistently role modelling the right
behaviours.
A lack of on-the-ground presence in Sydney has hindered Market leaders’ ability to effectively supervise
certain areas of the Markets business and connect meaningfully with staff.30F
d
To a lesser extent, insufficient
site-visits to and engagement with the offices outside Australia, New Zealand, and Singapore were also
noted. Although there were senior Markets and enablement staff in Melbourne, there was insufficient
presence in Sydney by Markets leaders or Talent and Culture. We believe the absence of senior leaders and
enablement staff likely contributed to the emergence of inappropriate behaviours in the Sydney dealing
room; numerous Markets leaders and staff shared similar perspectives with us. Markets has recently made
significant changes to bolster the Sydney leadership presence through the addition of senior leaders and
enablement partners.31F
e
In addition, the business has made changes to the seating arrangements on the
dealing room floor to evenly distribute risk and compliance staff across the floor.
Markets staff based outside Australia, New Zealand and Singapore reported limited interaction with senior
leadership beyond standard all-staff communications. While having senior leaders concentrated in key
locations is necessary, regular communication and site visits will foster improved connectivity among
senior leaders, junior leaders, and staff. More direct engagement by senior leaders with staff in the smaller
Markets offices could help to reduce the cultural variability we observed.
a
52% of Markets Sydney staff believe that at ANZ there are appropriate consequences when people behave in a way that does not
align with ANZ’s policies and values.
b
Only 71% of Markets Australia staff agree that leaders in their part of the business demonstrate personal accountability for
managing risk and promoting sound risk behaviours and only 72% believe that leaders effectively manage the most critical business
risks. These results are more pronounced than across Global Markets as a whole, where the figures are 81% and 83%, respectively.
c
Refer to Section 3.2. Governance for further information on front office supervision. Behavioural expectations are primarily
defined in the ANZ Behaviours and Global Markets Behaviours which collectively establish the standards Markets staff must
embody and promote.
d
About 15% of interviewees believe that the absence of senior leaders from the front line, T&C, and Risk, contributed to persistent
inappropriate behaviour in the Sydney dealing room.
e
This includes the Head of Markets Australia, Deputy Head of Markets Australia, Senior Talent and Culture Partner, and Head of
Markets Risk who are all co-located in Sydney.
People and culture
20
Additionally, concerns were raised about a perceived lack of communication and transparency from
Markets leadership regarding critical topics such as strategic direction, resource allocation, FY24
remuneration outcomes, and the media attention surrounding the Markets Australia business.
Interviewees consistently highlighted their frustration with the insufficient communication from Markets
leaders regarding the Sydney dealing room matters. Furthermore, a material number of interviewees
mentioned they believed that while Markets leaders have strong technical skills and a solid understanding
of the business, they need to improve their people management skills. This includes their ability to manage
difficult conversations, address inappropriate behaviour, and build meaningful connections with staff.
Finally, despite what we consider to be strong financial risk awareness and management across some
Markets leaders, the role modelling of desired behaviours in relation to non-financial risk management
varies. We observed instances in case studies and interviews where Markets staff at all levels of seniority
did not consistently model the desired risk behaviours. For example, in one of the transactions we
reviewed, senior staff did not ensure that they had enough visibility and did not urgently involve
themselves upon learning that settlement failed. This meant that multiple red flags across the transaction
were not connected to understand and manage the level of risk, ultimately resulting in a near miss.32F
a
The shortcomings in engagement and role modelling by Markets leadership have likely contributed to the
cultural variations we observed across the business. These issues also played a material role in the
emergence of the misconduct discussed earlier, and have made it harder to rebuild staff morale and trust.
7. Some employee-related processes require improvement to operate effectively
Processes such as remuneration and management of misconduct play a significant role in fostering the
desired culture and, when required, managing behaviour at odds with it. Ultimately, they provide
guardrails and establish the organisation’s expectation on staff conduct. Given the confidentiality
associated with individual performance, remuneration and consequence outcomes, Oliver Wyman’s ability
to review the operating effectiveness of the key employee processes was limited. As such, our observations
are largely focused on the design and general operation of these processes, rather than any specific
examples. We identified areas for improvement in relation to the application of the remuneration and
consequence management frameworks within Markets.
ANZ’s remuneration processes establish clear expectations and standards for employee performance and
are an important tool to incentivise the right behaviours. The Group’s remuneration policies and processes
place significant emphasis on risk, customer, people and culture, and financial outcomes.33F
b
Within Markets,
these outcomes are weighted equally, which relative to industry norms implies a sufficiently high emphasis
on non-financial matters.34F
c
However, some Markets leaders involved in remuneration decisions confirmed
that they have primarily based their variable remuneration decisions on financial performance and given
limited attention to behavioural, leadership, or risk outcomes, despite clear guidance and review
processes. This deviation from documented processes compromises the effectiveness of performance
a
As observed in Case A.
b
The ANZBGL Performance and Remuneration Policy outlines What and How objectives that must be set by staff across financial,
risk, customer, and people and culture outcomes. Financial objectives cannot exceed 30% in determining performance and
remuneration outcomes for all roles other than certain Finance roles. The Policy also states that Growth objectives are set to
support learning and development but are not formally assessed in determining performance outcomes.
c
Each outcome type carries a 25% weighting. Extract provided by ANZ titled “Performance Management Requirements and
Objective Setting”.
People and culture
21
assessment and remuneration in reinforcing the expected standards. It also underscores the existing
perception among Markets staff that effective risk management is not recognised or rewarded.35F
a,
139F
14
Consequence management refers to the approach for investigating, assessing, and responding to reports of
employee misconduct or non-compliance with ANZ’s expectations. This includes determining disciplinary
actions if required. Effective consequence management processes reinforce the importance of adhering to
policies and procedures and help to mitigate risks by addressing undesirable behaviours and outcomes in a
timely and structured manner. The Group has clearly defined policies and processes for escalating and
managing workplace performance and unacceptable workplace behaviour. However, we observed
opportunities to improve consequence management in Markets in three areas.
Firstly, Markets has an additional consequence management step which may result in the process differing
to the Group-wide approach by only requiring Employee Relations engagement on more concerning
allegations.36F
b
This creates the risk that leaders in Markets may not consistently treat conduct matters with
the same weight, seriousness, and consequences as would be expected across the rest of the Group. This
may partially explain why the reports of misconduct submitted by staff did not appear to lead to decisive
action. Ensuring consistent involvement from Employee Relations in these matters would help align
investigations and disciplinary decisions in Markets with the approach in the rest of the Group.
Secondly, there is currently no formal process in place to review employee behaviour after consequences
have been delivered, which would help ensure that employee behaviour has changed, or identify if further
intervention may be required. Introducing such a process would help ensure that behavioural interventions
are effective.
Finally, where consequence management affects variable compensation, the decision on any reduction
remains open until the year-end remuneration review, except for the Final Written Warning and
Mandatory Learning outcomes which result in 100% reductions. This delay can result in significant time
elapsing before a decision is reached, which introduces the risk of recency bias. As a result, less severe
consequences may appear more appropriate for older cases, potentially undermining the fairness and
effectiveness of the disciplinary actions taken.
a
Only 64% of Markets staff feel that people are incentivised to manage risk and are recognised or rewarded for good risk
behaviour. 10% of interviewees feel that remuneration in Markets is still primarily driven by financial performance. This included
front office staff across multiple levels of seniority as well as enablement staff.
b
The line manager will recommend whether they believe the incident warrants a formal or an informal outcome. If an informal
outcome is selected, the incident will follow an ‘informal’ pathway and ER will not be informed of the incident or outcome.
People and culture
22
Recommendations for improvement
• Refine existing Institutional and Markets cultural (including risk culture) collateral to support consistent
articulation of the culture for storytelling and engagement across the business; this should include
clarity on the mindset shifts and behaviour change required to embed effective non-financial risk
management
• Refine existing Institutional and Markets leadership standards, including explicit references to their
role in effective non-financial risk management (including conduct matters) and provide additional
training and skills development support to Markets leaders
• Embed leadership standards, culture and risk culture aspirations in employee processes including
recruitment, onboarding, promotion, remuneration and enhance assessment processes to inform
selection and development
• Improve the volume and quality of staff communication and engagement mechanism including
leadership visits, emails and town hall communications
• Review Markets’ adoption of Group behaviour investigation and remuneration processes, including the
requirement to escalate all behavioural issues to ER
• Consider refinements to the Group consequence management processes, including a lookback within a
defined period after consequences have been applied to ensure they have had the desired impact
Governance
23
3.2. Governance
A well-defined and embedded Three Lines of Defence model is an essential part of a bank’s overall risk
governance framework. The Markets model is well designed and forms an effective foundation but is not
consistently executed as intended. In the first line, there are several issues. The role and mandate of Desk
Risk Managers (Markets first line risk), have in practice expanded over time to take on responsibilities from
both the front office and Risk. There have been failings of front office supervision responsibilities.
Additionally, front office staff were not sufficiently involved in risk remediation activities, contributing to
ambiguity about risk ownership and impacting their non-financial risk capability development. We also
observed instances of the second line Risk function providing insufficient independent review and
challenge of Markets activities related to non-financial risk.
a
The execution of the Three Lines of Defence
model in Markets has led to non-financial risk management weaknesses and made it harder for Markets to
develop consistent risk capabilities across the business.
The oversight governance model for the Group and Markets provides a solid framework for effective
oversight, with the Board and management highly engaged. However, enhancing reporting to include
meaningful insights and trend analysis would better empower the Board and management committees to
engage in discussion and challenge.
Key observations
1. The Markets Three Lines of Defence model is appropriately designed but is not consistently executed
as intended, leading to non-financial risk management weaknesses
2. Over time, the mandate of the Desk Risk Management function has shifted from its original purpose,
leading to decreased risk ownership and perceived accountability among Markets staff
3. Markets front office supervisors do not consistently perform their responsibilities, leading to instances
of first line accountability failure
4. Markets front office staff have played a limited role in non-financial risk remediation activities,
constraining their ability to improve their risk awareness and capability
5. There have been instances of insufficient second line independent review and challenge of Markets
non-financial risk activities
6. Internal Audit’s approach is generally sound, with some areas for refinement in approach and coverage
7. Markets risk governance oversight is appropriate; however, reporting could be improved to enhance
management decision making and support the Board in executing their responsibilities.
1. The Markets Three Lines of Defence model is appropriately designed but is not consistently executed
as intended, leading to non-financial risk management weaknesses
The Group’s Three Lines of Defence (3LOD) model sets out the roles and responsibilities for managing risk
and escalating risk issues. Day-to-day owners of risks and controls form the first line of defence; for
Markets, this includes front office staff and risk teams who support the business in executing risk
management activities.37F
b
These first line risk teams include the Markets Front Office Support and
Governance (FOSG) team and the Business Governance and Controls (BG&C) team. The FOSG team, which
includes Desk Risk Managers (DRMs), supports operational risk management and front office supervision.
a
The risk management components of Oliver Wyman’s review were predominantly focused on non-financial risk.
b
ANZ’s Three Lines of Defence model is set out in the Group’s Risk Management Strategy.
Governance
24
The BG&C team supports control testing and assurance processes.38F
a
Second line, primarily the Risk function,
designs core risk management frameworks, provides subject matter expertise and provides oversight
through independent review and challenge of business activities.39F
b
Third line, Internal Audit, provides
independent assurance through the review of select policies, procedures, events and incidents.40F
c
The Markets 3LOD model is designed appropriately and it provides effective risk management oversight,
while offering specialised support to the front office. However, over time, the execution of this model
within Markets has resulted in lack of role clarity across first and second lines. This has diminished front
line non-financial risk management accountability and has limited the degree to which front line staff could
improve their non-financial risk capabilities.41F
d
The following observations outline the specific challenges identified in the Markets 3LOD model which
impact its operating effectiveness.
2. Over time, the mandate of the Markets Desk Risk Management function has shifted from its original
purpose, leading to decreased risk ownership and perceived accountability among Markets staff
The Markets DRM function is designed to support the business and front office supervisors in fulfilling their
non-financial risk management responsibilities by providing advice and challenge. Their intended mandate
is to support the Markets business in their ownership and execution of risk management roles,
responsibilities, and accountabilities. The function’s design serves a valuable purpose, equipping front
office staff with specialist support, as well as improving the robustness of the control environment through
additional challenge.
Markets staff shared they rely heavily on DRMs to perform their role; most interviewees indicated that
they would reach out to their DRM immediately when faced with situations that involve grey areas or
when they need assistance navigating risk management policies and frameworks. In this regard, the
function operates as intended. However, many Markets staff and aligned functions perceive the DRMs as
having a mandate that overlaps with responsibilities designated for front office staff, as well as other
independent enablement functions like the Risk function and Talent and Culture.42F
e
We observed
inconsistencies in the understanding of DRMs’ roles across Markets. Some interviewees, including senior
Markets staff, perceive DRMs to be risk owners. Discussions with DRMs revealed similar ambiguity
regarding their roles, with some articulating their responsibilities in line with the formal definition of the
DRM position, while others indicated a broader scope that included ownership of non-financial risk
management or functioning in a commercial enablement capacity.
Many DRMs actively participate in daily risk management activities, leading some Markets staff to perceive
them as risk owners. Interviewees shared examples of DRM involvement in activities including executing
risk and control remediation activities and addressing interpersonal issues or serving as escalation points
for concerns related to inappropriate workplace behaviour. At times, Markets staff also shared examples of
the DRMs operating in a capacity more aligned to an independent Risk role, granting risk approvals, and
reviewing and challenging risk management activities on behalf of the second line.
Aligning the DRM mandate with its original purpose and clearly communicating this to all Markets staff will
ensure risk management activities are executed by the right teams across the Markets 3LOD. Ensuring
a
The BG&C team is an Institutional Division team, with specialists in Markets Controls. ANZ Internal Review Report for the FX Court
Enforceable Undertaking for the period of January 2020 to August 2021.
b
Certain risk theme officers under the NFR Framework sit outside of the Risk function.
c
ANZ’s Three Lines of Defence model is set out in the Group’s Risk Management Strategy.
d
Lack of role clarity between first line front office staff, first line risk support functions, and second line Risk teams.
e
Oliver Wyman interviews.
Governance
25
DRMs understand their responsibilities to engage with other enablement functions, such as Risk and Talent
and Culture, will ensure these independent functions are appropriately engaged where required.
3. Markets front office supervisors do not consistently perform their responsibilities, leading to
instances of first line accountability failure
Front office supervision is essential for ensuring compliance with business standards, measured risk taking,
and fair treatment of customers. These supervisory responsibilities are focused on staff whose actions
could negatively impact the business and the effective operation of Markets, as well as those who have the
potential to take on business risks.140F
15
The Markets Front Office Supervision Manual clearly defines the expectations for front office supervision,
including the scope, rules, principles, and responsibilities that supervisors must follow when managing and
guiding front office staff.43F
a
However, around 30% of front office employees interviewed reported
experiencing inadequate supervision that did not align with the principles outlined in the Manual. We
observed gaps across several of the principles outlined in the Manual.44F
b
This discrepancy highlights a gap
between established requirements and actual supervisory practices.
Multiple interviewees expressed concerns about their ability to perform the front office business activities
asked of them, citing issues such as backfilling roles with less experienced staff or failing to backfill
positions during leave or attrition. Markets staff across a few locations reported not knowing who their
manager was. Some employees felt they were managing higher-risk or larger portfolios than their skills or
capacity allowed, without the necessary additional oversight or support to handle these responsibilities
effectively. Additional observations on gaps in effective supervision are set out in Section 3.1. People and
Culture, relating to supervisors not identifying behavioural reg flags; failing to instil and foster a positive
culture focused on compliance, risk, and controls; and not escalating misconduct or suspected breaches.
The Front Office Supervisor Dashboard is used to monitor supervisor compliance with applicable
guidelines, obligations, and requirements.45F
c
Produced monthly, this dashboard presents metrics and annual
trends for various revenue-generating activities, including credit limit and market risk breaches, as well as
conduct metrics such as mandatory learning compliance and trading activity during block leave. However,
it lacks metrics related to workplace behaviour, which would help supervisors identify behavioural red
flags. The data is also only produced monthly which presents a challenge for supervisors to manage their
direct reports’ conduct and compliance. For example, certain metrics such as trading while on block leave,
warrant more immediate escalation.
Effective front office supervision is critical for maintaining compliance with business standards and
managing conduct risk. In a Markets business with highly manual controls, the business is relying on
effective supervisors and supervisory tools to manage this risk.
4. Markets front office staff have played a limited role in non-financial risk remediation activities,
constraining their ability to improve their risk awareness and capability
First line risk ownership involves owning remediation processes, addressing problems that have emerged,
as well as day-to-day risk-taking activity. Involving business risk owners and risk takers in remediation
a
Front office Markets staff include Sales, Trading, Capital Markets, Balance Sheet and Structuring.
b
Gaps apply to the principles for the following Conduct Rules: Control, Red flags, Delegation, Culture, and Escalation to relevant
parties.
c
Annual testing is conducted to ensure that supervisors are effectively using and reviewing the dashboards. It was last tested in
June 202 , and the control was deemed to be ‘effective’.
Governance
26
activities sends a powerful message to the broader business about the importance of risk ownership. This
engagement also provides an opportunity to enhance risk awareness and capability among front line staff.
However, participation of Markets front office risk-takers in material Markets risk management
improvement activities, including the CEUs and I.AM Amplified, has been limited. As mentioned above, the
CEUs led to significant improvements in the Markets control environment. This work was primarily
executed by the BG&C team, with limited participation by the risk owners themselves. Front office staff
could have provided valuable business knowledge and operational insights to inform control design and
assess efficacy, as well as deepening their own experience.46F
a,
141F
16
Similarly, the Front Office Support and
Governance function is leading the I.AM Amplified adoption within Markets, and is responsible for
implementing the adoption steps for each Risk Theme as well as for leading the scoping and delivery of
new and enhanced controls.142F
17
Whilst this approach is efficient, as programs are delivered by staff who have specialist skills and
experience, it also limits the potential benefits gained by engaging front office staff, including improved risk
awareness and capability. Reinforcing that effective risk management is the responsibility of the business
will reduce the perception that it is the domain of first line risk support roles.
5. There have been instances of insufficient second line independent review and challenge of Markets
non-financial risk activities
ANZ’s Risk function has clearly defined responsibilities, including providing appropriate oversight and
independent review and challenge over business activities, developing and maintaining the Risk
Management Framework, and providing subject matter expertise on relevant policies and procedures to
support consistent implementation.
Oliver Wyman identified several instances where risk governance practices could have been strengthened
with further independent review and challenge prior to issues arising. For example, key Markets policies
and control testing have not been consistently reviewed for operating effectiveness, despite these risks
presenting ‘extreme’ inherent risk ratings.47F
b
While these areas may undergo first line assurance, any such
review does not constitute independent review and challenge. During the BBSW and FX CEUs, Institutional
Risk’s control testing review scope was significantly reduced towards the end, with many controls no
longer subject to review. This was despite the Independent Expert consistently identifying a materially
greater number of deficiencies than ANZ and, in some instances, reopening deficiencies that had previously
marked as closed.48F
c,
143F
18
We also observed instances where Institutional Risk take on first line design or coordination activities,
compromising their ability to provide independent review and challenge. For example, Institutional Risk
was accountable for coordinating the Institutional Culture Plan program of work, measuring and
monitoring progress towards the aspirational culture, and identifying actions to progress.49F
d
Given the scope
a
The team’s responsibilities included testing controls, managing and maintaining the Control Inventory, and re-assessing controls
following the remediation of deficiencies.
b
As observed in Case B, control testing for ‘Extreme’ inherent risks was not reviewed. The Front Office Supervisor Manual is not
assessed by Institutional Risk to ensure front office supervisors are performing their responsibilities.
c
In Phase 4 Year 1, second line reviewed and challenged all first line testing outcomes. In Phase 4 Years 2 and 3, second line
prioritised their testing reviews based on the level of risk associated with controls, recurring areas of deficiencies, newly added
controls, and recently remediated controls. Groups of controls that were no longer subject to second line review and challenge
included: all existing Low EU Risk Scenario controls, all existing Medium and High EU Risk Scenario controls with no deficiencies
identified in the previous year, some existing Medium EU Risk Scenario controls with deficiencies identified in the previous year,
and any controls subject to third line validation.
d
Under the Institutional Culture Plan (ICP), Institutional Risk was part of the ICP Project Management Office, which defined the ICP
priorities.
Governance
27
of its role, Institutional Risk was unable to challenge the design of the program to meet its intended
objectives.50F
a
Institutional Risk takes a risk-based approach to conducting review and challenge, control testing, and
reviewing activities for Institutional material risks.51F
b
The approach aims to ensure that significant risk areas
are thoroughly reviewed, ensuring appropriate management of a subset of material risks. The focus of
Institutional Risk’s independent review and challenge has been largely related to implementation of the
NFR Framework and the high-level design of remediation activities for the past two years.
The NFR
Framework does not specify consistent guardrails for risk-based review and challenge, providing limited
guidance to Risk Officers and the business on where it is required.52F
c
As such, there may be instances where certain activities may not be prioritised for review for an extended
period of time. Supplementary guidance documents to support Risk Officers to execute these activities are
currently under development. ANZ may also benefit from establishing minimum standards or periodic
reviews to ensure appropriate coverage for specific activities, for example relating to controls associated
with ‘extreme’ or ‘high’ risks. Implementing minimum requirements alongside a risk-based approach would
ensure first line assurance is supplemented by strong independent review and challenge and allow the
Divisional Risk teams and business areas flexibility in identifying areas requiring more robust review.
6. Internal Audit’s approach is generally sound, with some areas for refinement in approach and
coverage
Internal Audit plays an important role in providing independent assurance of Markets activities. We
observed evidence of Internal Audit reviewing key Markets activities, providing independent reporting with
clear deficiencies noted.53F
d
Internal Audit employs a process to identify root causes for audit issues and
applies a risk-based approach to ensure that these issues are remediated effectively; refer to Section 3.4.
Tools and Processes, for further details. Oliver Wyman also observed evidence of continuous improvement
through the integration of behavioural root causes into these assessments.
We observed instances where Internal Audit assumed a second line role where Institutional Risk was
unable to do so based on their involvement in the design of risk and culture activities, for example during
the Institutional Culture Plan as mentioned above. This limited their ability to effectively act as an
independent assurance function.
We also observed aspects of the Markets risk governance infrastructure that have not been subject to
Independent Audit review in recent years. This includes the approach to supervision, effectiveness of the
3LOD model (including the DRM model) and material culture change programs (as noted above). We
acknowledge that in any given year there is fixed capacity for audit reviews and prioritisation is required.
Notwithstanding this, given the importance of the areas above, we would have expected greater focus on
their effectiveness.
a
The “Institutional Culture Plan: and the role of Risk, T&C and Internal Audit” includes an Accountability Matrix defining the roles
under the plan (October 2019).
b
Institutional Risk prioritises thematic reviews based on a comprehensive set of internal and external risk data points, including
residual risk ratings, risk events, audit issues, and key risk themes identified by external agencies, to reflect known areas of
concern. It is also responsible for developing the Group Judgemental Credit Policy.
c
Under the NFR Framework, Risk Officers are responsible and accountable for reviewing and challenging Divisional NFR
management. Specifically, this includes review and challenge of the Division’s: NFR profile, including activities and decisions that
may affect it, to ensure risks and controls are being managed within Group and Division’s risk appetite and risk theme guardrails;
implementation of NFR Framework and NFR management maturity; and compliance with CPS 220 requirements relating to NFR.
d
Oliver Wyman reviewed a sample of 23 Markets reviews performed by Internal Audit.
Governance
28
7. Markets’ risk governance oversight is appropriate; however, reporting could be improved to enhance
management decision making and support the Board in executing their responsibilities
The ANZ Board plays an active role in overseeing risk management, supported by committees that serve as
a link between operational management and the Board, enabling timely escalation of issues, risks, and
strategic initiatives to inform Board decisions.
The Board Risk Committee (BRC) assists the Board in discharging certain risk management obligations by
overseeing the implementation and operation of the ANZ Group’s Risk Management Framework.54F
a
Oliver
Wyman did not observe the Board or BRC during routine meetings; however, interviews and engagement
with Board members indicated their active involvement in overseeing non-financial risk management. They
demonstrated a clear understanding of the need for sustained and embedded change. Additionally, a
review of BRC papers and minutes confirms that they consider both financial and non-financial risk.55F
b
The Markets Business Management Forum (MBMF) acts as the central body for managing risk within the
Markets business, and is tasked with reviewing and addressing significant operational risk and compliance
issues, misconduct mitigation activities and enhancing conduct risk maturity.56F
c
The MBMF has appropriate
representation from the Markets Leadership Team and across the 3LOD; this diversity enables them to
effectively oversee the Markets risk profile and encourages meaningful review and challenge. The MBMF is
supplemented by risk-specific forums, country-specific forums and additional forums for high-risk or critical
remediation work to ensures that there is appropriate focus on material risks and related remediation
programs.57F
d
The MBMF is an effective governance forum, with appropriate membership and relevant
matters tabled for discussion and decision.
Regular reporting is provided to the Board and management committees, but the effectiveness of this
reporting could be improved to enhance oversight. The BRC receives routine, concise updates on
Institutional and Markets-related programs, which include information on a core set of recurring financial
and non-financial risk topics. Markets management committees, including the MBMF, receive extensive
reporting that covers a wide range of risk information, such as risk indicators, events, complaints, incidents,
audit issues, and the overall risk profile. However, while the reports provide an array of data and facts,
they often lack the sort of comprehensive and actionable insights or relevant trends which are critical to
bringing meaningful changes to the fore and enable effective oversight.58F
e
The absence of long-term trends,
thematic presentations, and insightful analysis hinders members’ ability to analyse patterns and identify
specific risk management issues. This limitation makes it more challenging for committees to detect
persistent concerns that may show temporary or periodic improvements but are not sustained or
embedded, ultimately limiting the effectiveness of their oversight.59F
f
a
The Board charter also includes responsibilities relating to workplace health and safety and customers. The BRC charter identifies
specific roles and responsibilities relating to areas such as: risk appetite, risk management strategy, risk reports from management,
challenge of management, oversight of the Chief Risk Officer, and compliance with regulatory obligations and internal policies.
b
Oliver Wyman reviewed a sample of approximately 30 BRC papers and minutes over a five-year time frame. These related to risk,
risk culture, and culture uplift programs as well as specific risk events.
c
Other purposes include oversight of the Markets investment portfolio and approving Markets-owned policies.
d
For example, the Unauthorised Trading Forum, the Electronic Governance Forum, the Non-Financial Risk Transformation Steering
Committee and the Markets BBSW/FX Steering Committee.
e
Oliver Wyman reviewed a sample of BRC and MBMF papers and minutes. Only one MBMF paper from November 2024 included
consideration of themes across near misses and rapid recoveries ‘for noting’.
As an example, the BRC was presented with multiple updates relating to the Markets Culture Plan and the CEUs, describing
progress towards culture and risk culture aspirations. However, the updates did not provide insight or rationale on how they had
determined progress was being made towards improving risk culture or risk outcomes, limiting the BRC’s ability to understand
decisions made by Markets management or to determine appropriate actions.
f
As observed in Case B, the pattern of control failure was not identified by the Global Surveillance Governance Forum as the
reporting only covered a three-month period.
Governance
29
Regular and insight-driven reporting enhances the Board and management committees’ ability to make
informed decisions based on a comprehensive understanding of the organisation’s risk landscape. It allows
them to identify emerging risks, recognise patterns, and anticipate future challenges more effectively.
While the Board and committees can, and do, perform their roles based on the information provided, the
current approach to reporting presents a missed opportunity to focus on key insights and enrich their
discussion of the data. Refining the existing reporting with valuable insights, trend analysis, and contextual
information will facilitate more effective oversight and meaningful challenge rather than data
interpretation.
Recommendations for improvement
• Clarify Markets 3LOD model and provide communication and training to embed the changes, ensuring
teams have appropriate capacity and capability. This includes:
– Roles and responsibilities and the boundaries of the Front Office, DRM, FOSG, and BG&C roles
– Scope of Institutional Risk review, including guidance on the risk-based approach, minimum
standards, and any required changes to the Non-Financial Risk Framework RACI
– Consider refining Internal Audit root cause approach, and coverage across Markets business
activities
• Consider refining the approach for Markets non-financial risk and culture change program governance
with front office representation engagement in oversight and delivery roles
• Refine the front office supervision framework, including refreshing the manual, enhancing supervision
data and metrics, supervisor training, refining the supervisor effectiveness assessment, completing a
post-implementation review post changes to assess its operating effectiveness
• Refine governance forum reporting to consistently include thematic insights and trend analysis, root
cause remediation tracking, and other metrics and thematics related to workplace behaviour including
ER issues
Policies and frameworks
30
3.3. Policies and frameworks
Markets has a comprehensive suite of risk policies and frameworks effectively designed to guide risk
management and operations. We believe these are appropriate for an organisation of ANZ’s size, business
mix, and complexity, covering all required policies and material risk types.
While thorough, some of the current policy documentation suffers from inconsistency and complexity,
making it challenging for employees to navigate and apply these policies as intended. This can result in
inconsistent application. Simplifying and clarifying current policies will enable Markets staff to
independently and confidently operate within established guardrails, without the need to rely on support
functions in a way that diminishes their own risk ownership. Similarly, Markets’ approach to setting and
managing to its risk appetite is appropriate and within the Group’s limits, although there are opportunities
to make incremental improvements to the framework’s usefulness.
Key observations
1. Policies and frameworks are for the most part designed effectively, with clear roles and responsibilities
defined across the Three Lines of Defence
2. Some policies are inconsistent and difficult to navigate, leading to varying application and the business
not consistently operating within the intended bounds
3. Markets sets its risk appetite within the Group’s limits, but could enhance the design with clear metric
thresholds and actions pathways as these thresholds are approached
1. Policies and frameworks are for the most part designed effectively, with clear roles and
responsibilities defined across the Three Lines of Defence
The key risk governance policies and frameworks are appropriate for an organisation of ANZ’s size,
business mix, and complexity, covering all required policies and material risk types. The Risk Management
Strategy clearly sets out the organisational and risk governance structure, detailing roles and
responsibilities under the Three Lines of Defence (3LOD) model.24F60F
a
It also outlines the approach to managing
material risks, the relevant policies, and the methods used to assess and embed risk culture.
The Non-Financial Risk Framework (NFR Framework) outlines the Group’s non-financial risk (NFR)
management lifecycle, including appropriate detail on the context, defining key terms, summarising
procedure steps with examples, and establishing minimum standards for execution.25F61F
b
It sets out the roles of
the first and second line functions throughout the risk management lifecycle, providing step-by-step
information on accountabilities and responsibilities.26F62F
c
Group-wide policies are in place for all material risks, clearly defining roles and responsibilities across the
3LOD, in line with the Risk Management Strategy. These are supplemented by additional policies and
guidelines specific to Markets activities, such as the Derivative Credit Policy and the Material Size
Transaction Management Guidelines. Markets policies, such as the Capital Markets Issuance and Bond
a
See Section 3.2. Governance for further information on the 3LOD roles and responsibilities.
b
The NFR Framework is governed by the Non-Financial Risk Policy and covers the end-to-end risk management lifecycle from
setting risk management guardrails to identifying, managing, and monitoring risks to governing and overseeing risk management.
c
The NFR Framework also specifies which roles are Responsible, Accountable, Consulted, and Informed for each activity.
Policies and frameworks
31
Underwriting Procedure, appropriately outline the roles involved in different transactions and identify the
required approvers in Markets and Markets Risk for various transaction types in each region.
Despite the clarity of the 3LOD roles in formal policies and frameworks, their execution is inconsistent,
reducing the overall effectiveness of the risk governance infrastructure. See Section 3.2. Governance for
further information on this topic.
2. Some policies are inconsistent and difficult to navigate, leading to varying application and the
business not consistently operating within the intended bounds
While policies are designed effectively, it is important that they can be used consistently for them to
operate as intended. Certain policies do not clearly define relevant details, resulting in varying
interpretations of applicable requirements.63F
a
Oliver Wyman observed instances where pertinent terms were
not defined, or the process steps required were not fully explained. This was also seen in relation to the
NFR Framework, which is not by itself clear on when Risk needs to be engaged in certain Markets activities,
requiring users to navigate a hierarchy of additional documents. This distribution of expectations across
documents creates a risk that the policies are not executed as intended. See Section 3.2. Governance for
more details on the role of Risk under the NFR Framework. In some cases, conflicts arise between Group-
wide policies and Division- or Function-specific policies for the same process. For example, Markets policies
define different escalation processes for cases of unacceptable behaviour to those defined in Group-wide
policies.64F
b
See Section 3.1. People and culture for more details on the application of employee-related
processes in Markets.
As such, front office staff place a heavy reliance on support functions to interpret policies. Most Markets
interviewees indicated they rely on support functions such as Desk Risk Managers (DRMs) to interpret
policies or verify their own interpretations. See Section 3.2. Governance for more details on the role of the
Markets DRMs. In some instances, the ambiguities in Group and Markets policies resulted in staff not
applying policies as intended, reducing the overall effectiveness of an otherwise well-designed framework.65F
c
3. Markets sets its risk appetite within the Group’s limits, but could enhance the design with clear
metric thresholds and actions pathways as these thresholds are approached
The Group Risk Appetite Statement is cascaded to Markets through the Institutional Risk Appetite
Statement, ensuring that risk-taking in Markets aligns with the Board’s defined appetite. Markets defines
its appetite through the Markets Risk Appetite Statement. There is clear traceability between the different
hierarchies of risk appetite statement.66F
d
a
As referred to in Section 3.1. People and culture, there are variations in how official communications convey cultural and
behavioural expectations. Until recently, product management policies did not clearly define changes in product presentation,
reducing clarity on when formal product variation processes apply. In Case A, policies and processes did not provide sufficient
clarity to: confirm that delegation of operational authority does not override escalation requirements, define funds and trusts, and
set out work flows for performing pre-deal checks, determining pricing and settlement structures, and escalating settlement
issues. This contributed to the failure of the transaction. In another example, the Risk Culture Assessment framework does not
provide explicit guidance on weighting the different Risk Culture Principles, leading to ambiguity in aggregating these principles to
determine a Divisional risk culture maturity rating. See Section 3.3. Tools and processes for further detail.
b
Group-wide Employee Relations (ER) policies mandate that all cases of unacceptable behaviour be escalated to T&C, regardless of
perceived seriousness, whereas the Markets Incident Management Framework only requires escalation for certain cases. See
Section 3.1. People and culture for further information on the Markets Incident Management Framework.
c
For example, in Case A, there was a failure to follow the required process, including obtaining the necessary approvals.
d
The Group RAS articulates the Board-approved risk appetite, including quantitative tolerances for material risks and specific risk
indicators. It also outlines the processes for setting, monitoring, and reviewing the risk appetite. The Institutional RAS specifies the
Policies and frameworks
32
The Markets Risk Appetite Statement defines specific metrics and thresholds for Markets risks at the
business unit level. Some metrics, such as those relating to Market Risk, are cascaded directly from the
Institutional RAS. Others are unique to Markets, such as credit concentration and credit portfolio quality.67F
a
The Markets RAS clearly defines appetite statements with corresponding quantitative metrics and
thresholds.
Regular risk metric monitoring is critical to ensure the business consistently operates within risk appetite,
allowing management to take timely action if metrics approach thresholds. The RAS Dashboard, presented
monthly in the Markets Business Management Forum (MBMF), provides the Markets Leadership Team
with regular visibility of Markets’ risk exposure using red, amber, and green indicators for each metric.
However, the Markets Risk Appetite Statement lacks defined thresholds for each colour status and does
not provide clear guidance on the necessary escalation or actions when metrics near thresholds. While
some policies, such as the Limit Setting, Delegation, and Controls procedure for traded market risk metrics,
outline notification and escalation protocols as metrics approach certain thresholds, not all risk types have
a form of early warning.
As a result, Markets leadership do not have consistent visibility of how closely the business’s risk profile
aligns with appetite, or a common view on the appropriate level of action required to address potential
issues. This could be addressed by including thresholds for each metric status and what action is required
as they are approached.
Recommendations for improvement
• Review policies for consistency across the Group and Institutional or Markets-specific documentation,
including cultural aspirations, Employee Relations policies, and the Markets Incident Management
Framework
• Review Group and Markets policies to ensure all pertinent details are defined, including product
management requirements, the Markets Customer Suitability Framework and the Capital Markets
Issuance and Underwriting Procedure
• Consider implementing metric thresholds for each metric status and escalation and action planning
requirements for the Markets Risk Appetite Statement, with accountable owners
Division-specific risk appetite, cascading relevant metrics from the Group RAS with Divisional thresholds, such as customer
concentration metrics for wholesale credit risk. It also includes metrics developed for the Division, including business unit limit
breaches.
a
Markets risks include capital usage and performance, liquidity and funding, earnings volatility, business mix, credit concentrations,
credit portfolio quality, market risk, and operational risks.
Tools and processes
33
3.4. Tools and processes
The Markets business has made significant progress in evolving its risk infrastructure, particularly since the
FX and BBSW CEUs. However, while the risk tools and processes in place are appropriate, there is more
work to be done to ensure they are used consistently and effectively.
The control framework is well-designed to mitigate key risks; however, the highly manual control
landscape is not sufficiently supported by key processes to prevent control failings. Limitations in the
quality of control testing and independent oversight may contribute to an overly optimistic perception of
how effectively risks are managed. Similarly, ANZ’s tools for measuring risk culture are soundly designed
but there are opportunities for refinement to ensure they are producing accurate results.
Markets has a strong track record of rapid response to operational risk events; however, this does not
always translate into effective monitoring and remediation of issues. The absence of an end-to-end view of
key processes exacerbates these gaps, limiting the business’s ability to identify or remediate interrelated
risks. Greater emphasis on controls verification processes and systematically embedding lessons learnt
across the business will enhance the overall effectiveness of Markets’ risk management framework.
While this report identifies a number of shortcomings, we also acknowledge that Markets has made
significant improvements in recent years to improve culture, conduct, and risk governance. Initiatives such
as I.AM Amplified, the Markets Culture Uplift Program, and the FX and BBSW CEU Programs illustrate that
significant change is achievable when there is a strong focus and commitment.
Key observations
1. ANZ’s risk identification and assessment processes are designed appropriately, and the Non-Financial
Risk Framework has supported the identification of a material number of new risks
2. The business does not take an end-to-end view of operations, limiting the identification of related risks
3. The control framework is well-designed to mitigate key risks; however, the highly manual environment,
coupled with insufficient testing rigour and second line oversight, increases the risk of control failures
4. Operational incidents and issues are appropriately escalated and well managed, with material risk
events addressed swiftly
5. There is insufficient investigation and remediation of root causes to prevent recurrence of issues
6. Systematic reviews for broader issues and application of both internal and external ‘lessons learnt’
across the business areas are not consistently performed, limiting continuous risk management
improvements
7. ANZ’s risk culture assessment framework is soundly designed and evaluates employee perceptions and
objective outcomes, but it can be refined to better identify underlying weaknesses
Tools and processes
34
1. ANZ’s risk identification and assessment processes are designed appropriately, and the Non-
Financial Risk Framework has supported the identification of a material number of new risks
Non-financial risk management
ANZ’s Non-Financial Risk Framework (NFR Framework) outlines the process for managing non-financial risk,
including identifying non-financial risks that may impact the business, developing suitable controls,
assessing residual risk, and monitoring the overall risk profile.68F
a
The approach is designed effectively,
enabling the identification of a breadth of risks, while ensuring they are appropriately managed with
robust controls on an ongoing basis.
The risk identification step includes thorough consideration of risks relating to both internal and external
factors that influence the business environment, ensuring a diverse range of sources are considered.69F
b
The
control step focuses on identifying relevant controls and testing their effectiveness against identified risks.
The assessment step considers the impact of the controls on the risks and determines whether this aligns
with risk appetite or if further mitigation is required. The monitoring step develops metrics to track risk
exposure, providing a continuous understanding of the risk profile and allowing for timely action when
necessary.
These processes are designed effectively, including all relevant steps and clearly outlining specific
expectations. Mapping obligations, risks and controls through the NFR Framework implementation has
improved Markets’ visibility of its non-financial risk profile and supported the identification of new risks
and control gaps; the scoping and delivery of remediation activities is underway.70F
c
Effectively addressing
the identified gaps will significantly strengthen Markets’ non-financial risk management efforts.
Financial risk management
Markets actively manages financial risks, including market risk, credit risk, and counterparty credit risk,
through well-defined policies and limit frameworks.
Markets sets limits for traded market risk using the risk limit framework, ensuring that risk-taking activities
align with risk appetite. The framework delegates limits to staff, ensuring that more material activities are
undertaken by more senior staff. The Limit Setting, Delegation and Controls procedure establishes clear
guidelines on how limits should be assigned at appropriate levels.71F
d
Each desk maintains its own limit
schedule, which outlines specific Value at Risk, loss, and detailed control limits.72F
e
As such, senior staff are
appropriately empowered with greater accountability for financial risk-taking, whilst ensuring that risks
remain within acceptable thresholds.
The Derivative Credit Policy outlines the principles for managing derivative counterparty credit risk. The
Markets XVA desk actively monitors credit concentration and the quality of the credit portfolio within
defined limits, providing strong oversight of credit-related risks.
The financial risk management processes provide Markets with a strong understanding of its risk profile
and there are appropriate structures in place to ensure the business operates within risk appetite and in
line with its strategic objectives.
a
See Section 3.3. Policies and Frameworks for further detail on the NFR Framework.
b
This step involves identifying applicable risks, determining the factors that could lead to risk occurrences, and articulating their
potential impacts.
c
To date, Markets has identified 61 areas for further improvement in the control environment across 17 unique Level 2 Risks.
d
The Limit Setting, Delegation and Controls procedure governs limit setting and the delegation of authority.
e
Oliver Wyman reviewed the Limit Schedule for the G10 Currency business.
Tools and processes
35
2. The business does not take an end-to-end view of operations, limiting the identification of related
risks
A business with the risk profile, operational complexity and global footprint of the Markets business should
ensure appropriate visibility of key processes from start to finish, minimising the potential for gaps in its
risk identification process. Markets activities depend on effective collaboration among various teams
across different geographies and functions. Appropriate oversight of the end-to-end process helps prevent
control gaps and process failures during handoffs between distributed teams. Individuals involved in these
cross-team or business processes must understand the interdependencies to recognise the implications of
their decisions on other parts of the business and identify potential risks that may arise.
Oliver Wyman observed multiple instances in which the implications of certain decisions or issues were not
adequately considered, resulting in poor risk outcomes. In one example, during a control remediation,
there was no escalation to other teams who may have been affected by the control failure type. This
limited the ability of the business or Group to consider whether similar issues were present more broadly.73F
a
In another case, the distribution of a Markets product had implications for credit risk exposure and product
terms in other areas of the Group; this resulted in different credit terms being offered to customers than
originally intended.74F
b
In another example, insufficient communication among teams during the investor
onboarding for a transaction led to the acceptance of a customer outside the organisation’s risk appetite.75F
c
Additionally, Markets and staff in enablement functions shared that they observe elements of siloed
operations within Markets, highlighting the ongoing need to reinforce this capability and mindset shift
within the business.76F
d
Institutional’s inflight CPS 230 high-impact process mapping will support building this capability in Markets.
Markets leaders can encourage the required mindset shift through sharing lessons learnt and role
modelling this broader perspective with their teams.
3. The control framework is well-designed to mitigate key risks; however, the highly manual
environment, coupled with insufficient testing rigour and second line oversight, increases the risk of
control failures
Control environment
The Group’s control management framework effectively defines processes for designing, operating,
testing, and monitoring controls.77F
e
Our review of the design of key control processes and critical Markets-
specific controls, including surveillance controls and material-sized transaction controls, found no material
design weaknesses. Although we have not conducted a detailed mapping of the Markets’ obligations, risks,
and controls landscape, the existing Control Library shows adequate coverage of key Markets non-financial
risks.
a
As observed in Case B. A control was rendered ineffective on multiple occasions due to changes to the upstream data feed,
resulting in a gap in trade surveillance for several months. Although the issue was remediated, the team who identified it failed to
escalate the control failure to other teams that may have relied on the control or where data ingestion may have been used in a
similar way.
b
As observed in Case D. A Markets product was distributed to certain clients, resulting in favourable credit assessment for
products in other areas of the Group. The downstream impact of the assessment lead to the Group offering different credit terms
to customers than originally intended. Following escalation of the issue, the distribution of the product was discontinued for
certain customer segments.
c
As observed in Case A. In a past transaction, multiple teams were involved in onboarding a new investor. However, despite
potential risks being indicated during the onboarding, there was limited communication between teams to ensure that these risks
were fully factored into the decision-making process.
d
Oliver Wyman interviews.
e
The Control Management Procedures define the processes to design, operate, test and monitor controls.
Tools and processes
36
However, Markets has a significant reliance on manual controls. Only about 8% of its control environment
is partly or fully automated, compared to approximately 12% across the Group.78F
a,
144F
19
This level of automation
is lower than we would have expected for an organisation of ANZ’s size, business mix, and complexity.
Multiple reviews have recommended greater automation and ANZ have stated it as their preference.79F
b
Given this focus, we would expect a mechanism to provide more rigorous challenge for new controls such
that automated solutions are prioritised over more manual alternatives. However, limited automation
persists, and we did not observe any structural or design processes to systemically encourage its
adoption.80F
c,
145F
20
While manual controls can be effective, they require robust monitoring and oversight to
ensure their consistent and reliable operation.
Control design and testing
Markets is an operationally intensive business where the current reliance on manual controls requires
robust design and testing. This rigour is critical for Markets management to confidently assess the
business’s residual risk profile; any gaps in control design and monitoring processes undermine the
accuracy of that profile. However, consistent with multiple internal and external reviews, we observed
insufficient rigour in Markets’ control design and testing, which has led to control failures and unintended
risk outcomes.
ANZ has noted several instances of ineffective Markets control design, highlighting that controls often lack
the necessary robustness.81F
d
Oliver Wyman observed an example where a control failed due to data gaps,
and was then remediated without measures to ensure data completeness. After further remediation, the
controls were deemed ‘effective’, despite acknowledged weaknesses in the reconciliation processes which
ensure data completeness and accuracy.82F
e
Markets controls have not been tested with an appropriate level of rigour to identify control weaknesses;
for example, the CEU Independent Expert identified nearly double the number of deficiencies compared to
ANZ’s internal control testing.83F
f,
146F
21
The CEU Independent Expert also identified multiple instances where
controls testing lacked the requisite depth and precision to be effective.84F
g,
147F
22
Oliver Wyman identified
limitations in the control sample testing approach; in one instance, the procedure overlooked a control
that failed over multiple months by relying on only three samples from a single month. This narrow
sampling hindered the timely identification of the control failure, highlighting the need for a more robust
testing methodology that considers what period would need to be tested to identify control failures.85F
h
a
Non-financial risk controls. Partly or fully automated refers to the Automated, Semi-automated, and Automated/IT Control
classifications.
b
The NFR Framework states that automation is ANZ’s control design preference and should be considered when identifying
controls that could be optimised. ‘Largely manual controls’ identified as an I.AM problem statement in the NFR Transformation
Outcomes Framework (August 2023).
c
During the control uplift exercise for the FX and BBSW CEU programmes, the Independent Expert recommended an increase in
the automation of controls across both Programs in all three reviews in Phase 4. Despite these recommendations, only five out of
over 100 developed controls were automated.
d
ANZ’s 2023 Internal Review Report for the FX CEU program acknowledged that “while further steps have been taken during the
year to increase the sustainability of some controls, observations were made about gaps in those automation processes”.
e
As observed in Case B.
f
The number of deficiencies identified by the Independent Expert across both Programs was approximately 20% greater than the
number identified by ANZ in Phase 3. In Phase 4, the Independent Expert consistently identified more than double the number of
deficiencies ANZ had self-identified.
g
The Independent Expert noted “A need for greater level of understanding of the automated elements and corresponding depth
and precision of testing of these elements before concluding on the effectiveness of the controls”.
h
As observed in Case B.
Tools and processes
37
Independent oversight
Risk is responsible for review and challenge of the control environment; however, the level of challenge
provided does not consistently ensure the effectiveness of the Markets control environment.86F
a
Refer to
Section 3.2. Governance for further detail on Risk’s review and challenge of controls.
As a result, failures of manual controls have contributed to material risk events in some instances. For
example, Oliver Wyman observed an incident where the control to ensure customer suitability
assessments are performed was rendered ineffective, potentially allowing a transaction with an
unassessed investor to proceed to settlement.87F
b
Multiple audit reviews have identified audit issues related
to manual controls, which could lead to further risk events.88F
c,
148F
23
Refining the approach to control design and testing and providing greater guidance specific to automated
controls would enhance the robustness of the control environment and minimise the risk of control failures
and any associated risk events.
4. Operational incidents and issues are appropriately escalated and well managed, with material risk
events addressed swiftly
ANZ’s event and issue management procedures are designed appropriately, providing structured processes
for monitoring, communicating, and reporting risk events and issues.89F
d
Interviews with Markets staff and
aligned enablement functions indicated that the prompt escalation and remediation of operational
incidents is a distinct strength within the Markets business. This agility reflects a key advantage of the
collaborative culture within Markets, even in high-pressure situations.
Risk events are reported to the Markets Business Management Forum (MBMF), with more significant
events escalated to the Group Operational Risk Executive Committee (OREC) and, in some cases, the Board
Risk Committee (BRC).90F
e
These processes require investigation of drivers and root causes following an
event, as well as consideration of impacts on other business units.
We observed appropriate escalation and timely remediation for material Markets risk events. For example,
in an instance when Markets encountered substantial and unintended credit risk from a transaction, senior
stakeholders were quickly engaged. The transaction was promptly reversed to mitigate potential loss, and
reported to relevant forums. To ensure the appropriateness of these actions, stakeholders from various
Group functions were engaged.91F
f
In another instance, when concerns arose regarding a potentially
inappropriate product strategy, the issue was recorded in the NFR Hub on the same day. This issue was
escalated to senior Risk stakeholders, and swift action was taken to cease sales of the product to certain
a
The NFR Framework defines responsibility and accountability. Specifically, the Risk Officer is responsible and accountable for
reviewing and challenging their Division’s NFR management. The Risk Theme Officer is responsible and accountable for monitoring
the Risk Theme profile.
b
As observed in Case A. The ‘Customer Suitability Exception Identification & Management’ control generated an exception report
for transactions lacking a Customer Suitability Assessment. If counterparty IDs were not entered into the system when the
counterparty record was created, they were excluded from the report.
c
Oliver Wyman reviewed a sample of audit reviews performed by Internal Audit. Issues identified included manual processes for
limit monitoring and report production; omission of pricing curves from the Observability Matrix to monitor the observability of
Rates, FX and Commodity prices; and the highly manual communication monitoring for Markets participation in certain chatrooms.
d
The Event Management Procedures define roles and responsibilities for key activities including event identification, escalation,
impact and compliance assessment, remediation, monitoring, and reporting. The Issue Management Procedure then outlines the
process for addressing issues that require remediation, including developing, implementing, and monitoring the remediation plan.
Breaches and behavioural issues are managed through the Markets Incident Management Framework.
e
Events that have a financial, reputational, compliance, or customer impact classified as ‘High’ or ‘Extreme’ are reported to OREC.
Where events result in an actual financial net loss exceeding $15 million, they will be reported to the BRC.
f
As observed in Case A.
Tools and processes
38
customer groups while the matter was under investigation.92F
a
The Markets approach to event and issue
management is designed and operating effectively, with evidence the business responds appropriately to
operational issues and events.
5. There is insufficient investigation and remediation of root causes to prevent recurrence of issues
Root cause analysis is a vital part of an organisation’s event management process which, when performed
effectively, enables the business to identify and address underlying issues, prevent recurrence of similar
issues, improve processes, and strengthen overall resilience.
Oliver Wyman observed that detailed post-event reviews were conducted for each incident to understand
the context and drivers of the issues.93F
b
However, there was limited evidence that involved teams and
governance forums thoroughly examined or effectively addressed root causes.94F
c,
149F
24
A more thorough
examination of the root causes could have driven improvements in control testing capabilities and
heightened risk awareness within Markets. Oliver Wyman noted multiple instances following risk events
where meetings presented lessons learned without accompanying root cause investigations or outlining
necessary follow-up actions.95F
d,
150F
25
Additionally, a second line review found that “50% of the events sampled
illustrated a lack of evidence captured in NFR Hub to evidence the Root Cause Analysis was complete or
performed to sufficient depth”.96F
e
Remediation activities are not also consistently addressed or tracked to closure. Root causes are addressed
through issue remediation tasks. However, issues can be closed either once all remediation tasks are
completed, or once sufficient progress has been made to bring the risk or impact within appetite.97F
f
As a
result, root cause remediation activities may be closed off without the underlying issue being addressed.
Where remediation plans to address root causes are discussed at the MBMF, progress in addressing them
is not explicitly tracked to ensure that tasks are completed such that no further issues will arise.
Group Internal Audit’s review process captures root cause categories for all audit issues, including high-
level causes like “ineffective roles and responsibilities” and “governance failure”.98F
g
While this approach
provides consistency, it lacks the necessary detail to identify similar trends or generate actionable insights
and introduces the risk that specific root causes are not remediated effectively through a lack of tailored
remediation. Audit issue remediation plans are designed to tackle any identified root causes, and Internal
Audit conducts validation on a risk-based sample of these; however, by nature, this does not cover the full
a
As observed in Case D.
b
These covered different risks such as credit risk, conduct risk, and customer risk across Cases A, B, and D.
c
For example, the Independent Expert consistently identified a significantly higher number of deficiencies compared to ANZ’s
internal processes. The underlying causes were not explored, and only minimal action was taken to resolve the issues. Although
the Steering Committee and the Credit and Markets Risk Committee were made aware of these discrepancies, there is no evidence
that the drivers of these differences were discussed or why the disparity persisted for multiple years. The Steering Committee was
informed on at least two occasions, in November 2021 and December 2022. The CMRC was informed on at least one occasion in
June 2022.
d
As observed in Case D. The MBMF paper only commented on control weaknesses rather than root causes. The MPC paper
outlined key observations as part of the remediation action overview but did not reflect on any root causes. The ‘What are the
learnings’ section of the IRMC paper refers to inflight actions to address learnings from the event but does not discuss these
learnings in depth or link them to root causes.
e
Institutional Risk performed a post adoption review of Events Management under the NFR Framework.
f
If the issue is closed but there are outstanding remediation activities, it will be marked as ‘closed incomplete’.
g
Group Internal Audit’s review process captures root causes, outlines actions to address them, and validates the completion of
audit actions. The root cause categories are selected from the Cause Taxonomy, which is part of the Non-Financial Risk Taxonomy,
and sets out five L1 causes (employees, process failure, external, systems and data) and about 34 applicable L2 causes. Detailed
root cause analysis is also performed for repeat issues, issues rated ‘3’ or ‘ ’, and control weaknesses that may result in high or
extreme levels of residual risk respectively.
Tools and processes
39
suite of root causes identified. This review process is well-structured and ensures the completion of audit
actions, yet it does not explicitly validate whether the root causes have been adequately addressed.99F
a
Group Internal Audit launched a Test and Learn initiative to integrate behavioural root causes into their
existing root cause analysis; this has been part of their methodology since October 2024.151F
26
However, we
did not observe consistent reporting and discussion of audit-identified root causes, whether behavioural or
otherwise, within Markets governance forums.
Ineffective execution of root cause analysis makes it harder for the Markets business to identify the
underlying drivers of incidents, leading to superficial remediation and increasing the risk of recurring
issues. Without adequate remediation, governance forums will not have certainty the issues are truly
remediated and will not re-emerge. Greater discipline in interrogating and tracking root causes will ensure
they are appropriately addressed.
6. Systematic reviews for broader issues and application of both internal and external ‘lessons learnt’
across the business areas are not consistently performed, limiting continuous risk management
improvements
Lessons learnt refer to the insights gained from past experiences that help improve future practices.
Analysing lessons learnt after risk events allows the business to learn from mistakes, ultimately reducing
the likelihood of similar incidents occurring again. Markets’ current approach to retrospective reviews is
typically confined to specific events, with minimal consideration of potential thematic issues across the
business or wider Division. This narrow focus misses opportunities to identify related risk governance and
cultural weaknesses and hinders proactive risk management practices.
Oliver Wyman did not observe this broader review in the case studies examined. For example, when a
control dependent on external data feeds failed, the investigation was limited to similar controls and did
not consider data completeness and accuracy checks across the wider control environment, contributing to
a subsequent control failure.100F
b
Remediation conducted under the CEU programs was largely treated in
isolation, with repeated deficiencies not framed as systemic issues.101F
c,
152F
27
For example, controls needing
further automation were treated as isolated weaknesses, with minimal recognition of the need for a
systematic approach to automate all applicable controls. In another instance, reporting on a material risk
event to multiple forums included limited analysis of lessons learnt and their application to the broader
business context.102F
d,
153F
28
Employee Relations, T&C and Markets lack a structured process to identify systemic concerns, with data
only considered on an ad-hoc basis, hindering proactive management of behaviour.103F
e
Despite data on
a
Internal Audit validate all audit issues rated 3 and 4, and a minimum of 25% of 2-rated issues. Oliver Wyman reviewed a sample of
three validations performed by Internal Audit on Markets audit issues.
b
As observed in Case B. Once the Global Surveillance Governance Forum (GSGF) identified the control issue, they reviewed the
trade surveillance control environment to uncover other dependencies on external data feeds that had not produced alerts for
extended periods. However, they did not conduct a comprehensive review of data completeness and accuracy checks.
c
In Phase 4 Year 1, the Independent Expert recommended that ANZ pursue continued automation of the Control Inventory across
both the FX and BBSW Programs, with specific key controls identified for automation. In Phase 4 Year 2, ANZ automated two key
FX controls but no key BBSW controls. Again, the Independent Expert recommended further automation across both Programs. In
Phase 4 Year 3, ANZ automated two key BBSW controls but no key FX controls (despite the Independent Expert identifying a
candidate FX control for automation the previous year).
d
As observed in Case D. Based on reporting to the Markets Business Management Forum, Markets Product Committee, and the
Institutional Risk Management Committee.
e
Data on behavioural incidents is collected from three key sources: the Markets IMF, ER, and the Whistleblower channels. Under
the Markets IMF, trend analysis is performed in the IMF Forum but “informal” concerns are not reported elsewhere. As such, ER
does not have visibility of these cases. Further, the ER function does not routinely conduct analysis on cases across the ER and
Whistleblower channels; while this analysis may be conducted on an ad-hoc basis, it is not regularly reported to management.
Tools and processes
40
behavioural incidents being recorded by the functions, there is no cross-channel aggregation of this data
within Markets to enable identification of common trends or drivers. Together, this limits ER, T&C, and the
business’s ability to recognise behavioural patterns or identify employees involved in multiple lower-
severity issues. It also limits the business’s ability to identify recurring challenges, or to support managers
in responding to emerging issues more effectively.
Governance forums play an important role in ensuring insights are synthesised, shared more widely and
action taken. Whilst we observed evidence that management forums discuss lessons learnt after
implementing post event remediation action, there is limited evidence to suggest that these discussions
consistently lead to actionable outcomes with defined owners. Oliver Wyman observed several instances
where Markets governance forums failed to translate the lessons learnt into actionable steps that could
improve risk management in other relevant areas of the business.104F
a
The narrow focus of retrospective reviews hinders the business from identifying thematic challenges that
may reveal broader areas for improvement. When lessons learnt are identified, action is not consistently
pursued to completion, resulting in missed opportunities for meaningful improvement and risk mitigation.
These reviews also play a critical role to illustrate to front office staff the importance of effective risk
management, enhancing risk awareness and capability across a population not typically engaged in
remediation activities.105F
b
A refined approach that brings together thematically aligned but discrete data
would allow the business to recognise similar issues, or identify the extent to which the challenge is
localised or present more broadly. This could include enhancing the approach to sharing lessons learnt
within the MBMF to include tracking of subsequent actions to drive accountability with Markets to apply
these across the business.
7. ANZ’s risk culture assessment framework is soundly designed and evaluates employee perceptions
and objective outcomes, but it can be refined to better identify underlying weaknesses
An effective risk culture assessment framework enables the Board and management to form an accurate
view on the Group’s risk culture. The Group’s framework is generally well designed, considering both
employee sentiment and objective risk outcomes, but it can be refined to better identify underlying
weaknesses.
The Group uses its Risk Culture Survey to contribute to its view on the risk culture. However, the Markets
results from the most recent ANZ Risk Culture Survey presented a more favourable outlook to
management and the Board than the perspectives shared with Oliver Wyman. For example, Markets staff
responses to Oliver Wyman’s survey questions related to risk management resourcing, appropriate
consequences for inappropriate behaviour, and fear of reprisals for speaking up were 17 to 20 percentage
points lower.106F
c
Moreover, some staff expressed scepticism about the accuracy of the internal survey. The
discrepancy between survey responses may stem from a perception among Markets staff that more
favourable survey outcomes could positively influence individual remuneration outcomes, due to a
a
In Case B, the GSGF reviewed the trade surveillance control environment to ensure that other controls could not run without first
receiving external data feeds. They also investigated trade surveillance controls with no alerts for extended periods of time.
However, they did not trigger an assessment of the presence and effectiveness of data completeness and accuracy checks more
broadly across the control environment.
In Case D, papers were submitted to the MBMF, the Markets Product Committee (MPC), and the Institutional Risk Management
Committee (IRMC). However, there was limited analysis of root causes and lessons learned. The MBMF paper only commented on
control weaknesses rather than root causes (12 September 2024). The MPC paper outlined key observations as part of the
remediation action overview but did not reflect on any root causes (October 2024). The ‘What are the learnings’ section of the
IRMC paper refers to inflight actions to address learnings from the event but does not discuss these learnings in depth or link them
to root causes (19 November 2024).
b
See Section 3.2. Governance for details on the approach to risk remediation activities within Markets.
c
Refer to the Appendix for an analysis of differences in results for questions used in both surveys.
Tools and processes
41
perceived link between these results and the Group Performance Dividend (GPD).107F
a,
154F
29
Other potential
drivers may include question wording changes, survey timing, sampling, data cleaning, and perceptions of
confidentiality of results.
ANZ’s risk culture assessment framework is intended to provide an accurate evaluation of the enterprise
risk culture. ANZ’s approach incorporates a degree of subjectivity at various stages of the assessment
process. This subjectivity allows for data to be aggregated in multiple ways, such that poor results for a
given indicator may or may not end up having a material impact on the overall assessment, which could
obscure inconsistencies within the risk culture.108F
b
Whilst some degree of subjectivity is anticipated during
the review and challenge process, the use of subjectivity at various stages of the assessment may indicate
that the risk culture metrics are not properly calibrated to indicate the underlying risk culture of the
business. If the metrics do not present a picture consistent with the perspectives of management, they
may need to be refined or recalibrated to produce more useful signals.
Recommendations for improvement:
• Refine approach to control design and testing, including providing greater guidance for automated
controls, ensuring teams have appropriate skills and capability, and providing refresher training
• Consider implementing a Markets controls Design Authority to provide advice and challenge for the
planned controls change exercises
• Progress and finalise high impact process mapping across Markets to provide an end-to-end view of
operations across product lines (inflight under CPS 230 program)
• Refine approach to root cause remediation including reviewing the requirements to close remediation,
considering review and challenge processes and performing a look-back across certain closed issues
• Enhance processes for applying and communicating lessons learnt across Markets, with a mechanism
to record and track actions
• Consider providing greater guidance on the aggregation of information for the risk culture assessment
a
The GPD is a component of variable remuneration for eligible staff and considers performance against the Group Scorecard. The
FY25 Group Scorecard included an objective to “maintain sound risk culture”.
b
There is no defined process to aggregate different Risk Culture Principles and Divisions/functions.
Root causes
42
4. Root causes
Oliver Wyman has identified five root causes that we believe contributed to both the emergence and
persistence of the shortcomings discussed in this report. Addressing these issues is essential to prevent the
re-emergence of similar problems in future. The root causes identified are:
1. Markets leadership shortcomings with regard to the importance and ownership of non-financial risk
management (including conduct risk) that has resulted in a lack of effective embedding of these
responsibilities across the business
2. Inconsistent execution of first and second line non-financial risk management activities by the
appropriate functions, leading to unclear risk ownership and insufficient independent review and
challenge
3. A tendency to view issues as isolated and overlook dependencies or systemic concerns, impacting
Market’s ability to identify broader risks requiring holistic remediation
4. A focus on execution that drives action, but centres on implementing activities rather than driving
towards outcomes to embed change and reduce risk
5. A variable Markets culture that was not always strong enough to constrain inappropriate behaviour
Previous independent reviews and ANZ’s Risk Governance Self-Assessments have highlighted themes
similar to several of those identified here, underscoring their persistence and the importance of
comprehensively addressing them.109F
a
Addressing each of these root causes will require a shift in mindset, behaviours, and, in some instances, the
supporting infrastructure.
Root cause 1. Markets leadership shortcomings with regard to the importance and ownership of non-
financial risk management (including conduct risk) that has resulted in a lack of effective embedding of
these responsibilities across the business
Although Markets leaders have stressed the need for effective non-financial risk management, they have
not consistently taken action to embed the expected behaviours into their teams. This is evident from the
widespread perception that they have not ‘walked the talk’ in relation to conduct risk management. We
believe that this has contributed to a slower adoption of the required non-financial risk management
mindsets and behaviours in Markets than should have been the case.
As highlighted in Section 3.1. People and Culture, staff believe that Markets leadership did not take timely
action to address the reported issues of poor conduct. As a result, only 65% of Markets staff say they
believe that senior leaders’ actions align with their statements.
30
When leaders do not consistently act to
address behaviour out of line with the Group’s stated conduct expectations or role model appropriate and
effective oversight, they undermine their credibility and communicate to employees that the organisation’s
conduct expectations are open to interpretation rather than being absolute requirements.
Based on our discussion with Markets leaders and feedback from colleagues, we do not believe they have
consistently demonstrated a high level of understanding and ownership of non-financial risk management.
For example, some Markets leaders indicated they do not use the remuneration framework as intended.
This framework is meant to hold staff accountable for non-financial risk issues, in addition to other matters
a
These reports include the RGSA, as well as reports by Internal Audit, Promontory and APRA.
Root causes
43
unrelated to financial outcomes. Additionally, some leaders indicated a belief that risk ownership in
Markets sat with Desk Risk Managers.111F
a
As a consequence of these factors, many staff members believe there is not a strong incentive to promote
risk management. This makes it less likely that staff will develop and adopt Institutional’s desired non-
financial risk management capabilities and behaviours, and embed these into their day-to-day work.112F
b,
156F
31
Unless addressed, this dynamic will likely obstruct ANZ’s efforts to improve non-financial risk management
in Markets.
This creates an imperative for leaders in Markets to change their behaviours, mindset, and capabilities in
relation to non-financial risk and integrate it more tightly and effectively into the way they lead. Equipping
leaders with the right tools and training is essential. This capability enhancement can be achieved through
better use of existing ANZ training and development resources, along with specific and tailored support for
leaders in key roles. Such support will ensure that leaders possess the necessary skills to effectively lead,
inspire, and drive change across the organisation, including risk management awareness, interpersonal
skills and cultural context.
Root cause 2. Inconsistent execution of first and second line non-financial risk management activities by
the appropriate functions, leading to unclear risk ownership and insufficient independent review and
challenge
First and second line activities related to risk management are not consistently executed by the
appropriate functions, leading to unclear risk ownership and insufficient independent review and
challenge.113F
c
This inconsistency has sometimes resulted in critical non-financial risk management activities
not being performed by those closest to the risks (the business) or with sufficient and consistent
independent oversight from the second line. As discussed in 3.2. Governance we believe the challenge here
lies in the way the Three Lines of Defence model is executed, not in its design.
In many cases, front office risk-takers were not recognised as the ultimate risk owners, relying heavily on
first line risk teams for essential tasks such as supervision, intervention in inappropriate workplace
behaviour, and risk change initiatives. There was also a lack of clarity regarding the role of first line risk
support teams; some employees viewed Desk Risk Managers (DRMs) as risk owners, while others saw them
as responsible for independent review and challenge.
There are opportunities for Risk to play a greater role in independent review and challenge. Oliver Wyman
identified several instances where risk governance practices could have been strengthened prior to issues
arising with further independent review and challenge.114F
d
Additionally, when Risk engages in first line design
or coordination activities, it compromises their ability to provide independent oversight.
115F
e
When the distinctions between first line and second line are not where they should be in practice, the
effectiveness of both execution and the review and challenge processes is significantly diminished.
Effective risk management is predicated on clear accountability and ownership within the business,
complemented by appropriate and timely challenge from Risk to promote continuous improvement.
a
Refer to Section 3.1. People and culture for further detail on operating effectiveness of remuneration and performance
management policies in Markets. Refer to Section 3.2. Governance for an explanation of staff perceptions of the DRM role.
b
Only 63% of Institutional staff and 64% of Markets staff believe that people are incentivised to manage risk and are recognised
and rewarded for good risk behaviours.
c
Refer to Section 3.2. Governance for further detail on the imbalance in roles and responsibilities across the first and second line.
d
Refer to Section 3.2. Governance for further detail on instances of insufficient independent review and challenge.
e
Given their scope of role, Institutional Risk were unable to challenge the design of the Markets Culture Plan to meet its intended
objectives.
Root causes
44
Although the design of the Markets Three Lines of Defence model is sound, there is a pressing need for
greater clarity and consistent execution of roles and responsibilities across these functions.
Root cause 3. A tendency to view issues as isolated and overlook dependencies or systemic concerns,
impacting Market’s ability to identify broader risks requiring holistic remediation
Issues within Markets are often viewed as isolated rather than as symptoms of deeper issues; as such,
there can be insufficient probing for underlying issues when things go wrong. As a result, potentially similar
or consistent weaknesses go undetected and unresolved. On a day-to-day basis, some staff show a limited
wider consideration of how their individual role fits into the broader business processes.
While Markets has an established practice of investigating operational incident root causes, there is no
consistent thematic review of root causes across all incidents and issues. This means that the same
underlying issues, such as limitations in control testing, have contributed to multiple risk events.116F
a
Risk
management tools and processes are designed to capture lessons learnt, and some instances show
Markets lessons learnt being applied locally. However, we did not observe evidence to suggest these
processes are being used to their full potential within Markets.117F
b
The case studies and interviews we conducted indicated that some Markets staff take a narrow view of
their role and accountabilities, which can allow risks to go unidentified or persist.118F
c
Multiple instances
indicate staff are highly focused on their own remit in business operations, and do not consistently
contemplate the dependencies of their actions and decisions. Several operational incidents have been
observed where staff did not sufficiently consider the impact of their decisions and actions, leading to
knock-on impacts such as control failures and operating beyond tolerance. As a result, the business is
exposed to greater risk than appreciated.119F
d
Consequently, opportunities to identify risks are missed, and subsequent remediation activities do not
consistently address the underlying drivers. A fundamental shift in mindset is needed within Markets,
transitioning from a perspective that is willing to views issues as isolated, to one that always questions
what general lessons need to be learned from risk events. This could mean including mindsets and
behaviour shifts into Markets culture narratives to support leaders and staff in communicating the target
state aspiration. This new approach should encourage curiosity into whether issues are applicable in other
areas or have the potential to be relevant elsewhere before deciding on a course of action. An end-to-end
view of operations can support this shift, as will oversight and direction from leaders and governance
forums to drive the necessary change.
Root cause 4. A focus on execution that drives action, but centres on implementing activities rather than
driving towards outcomes to embed change and reduce risk
As observed in Section 3.1. People and culture, the Markets culture’s emphasis on productivity drives
action. However, it does not consistently ensure that initiatives are designed to achieve their intended
objectives or that their impacts are monitored effectively.120F
e
When reporting primarily focuses on delivery of
tasks as opposed to impact, it sends a signal to staff and management about what is considered important.
a
Refer to Section 3.4. Tools and processes for details on control testing limitations.
b
Refer to Section 3.2. Governance and Section 3.4. Tools and processes for details on the effectiveness of Markets lessons learnt
and root cause remediation.
c
Refer to Section 3.4. Tools and processes for further detail on instances where staff demonstrated a narrow view of their roles.
d
Refer to Section 3.4. Tools and processes for details on a lack of end-end view of operations.
e
Refer to Section 3.1. People and culture for further detail on the focus on execution and results in the Markets culture.
Root causes
45
This approach can lead to an emphasis on the fastest path to compliance, rather than the goal being to
sustainably embed changes that reduce the risk the program is intended to address.
Markets’ reporting on interventions and change programs places greater emphasis on delivery status
rather than progress against established outcome measures. Multiple material change programs were
deemed successful based on execution metrics or when future work has been identified and scoped, rather
than when the intended risk governance uplift or cultural change had been achieved.121F
a
Under the Group’s
Cause Taxonomy, root causes can be considered closed when risk has been reduced but are only partially
remediated.122F
b
This approach can contribute to a culture characterised by a prolonged backlog of work that
remains partially complete or partially remediated, rather than fully resolved. Under the I.AM Amplified
implementation guidelines, control gaps do not need to be remediated and controls do not need to be
operating effectively before the central program is considered ‘done’.123F
c,
157F
32
This was also observed in the
execution of consequence management processes, where the intervention is deemed complete when the
consequence is delivered, but fails to include follow up to ensure the intervention has achieved the
intended behavioural change. This approach limits management’s ability to assess effectiveness of the
change intervention and course-correct if required.
For any future remediation work to be impactful, success measures should be tied to the outcomes the
business is seeking. For example, when considering the ‘Day 2’ backlog, this could include metrics like
changes to the residual risk profile through enhanced controls or relative proportion of the control
landscape that is automated. Measuring progress through impact will allow Markets to assess whether
initiatives are effective and course correct as required. This would also drive more effective change
management and non-financial risk ownership within Markets.
Root cause 5. A variable Markets culture that was not always strong enough to constrain inappropriate
behaviour
The cultural experience within Markets is largely positive but also variable. Staff do not have a consistent
and aligned definition of the Markets culture, and experience the culture in a highly localised manner,
strongly influenced by local leadership and peers. Given the geographical footprint and structure of the
Markets business, this often manifests as sub-cultures specific to the individual’s desk.124F
d
As discussed in
Section 3.1. People and culture, the intensity of Institutional’s culture is mixed. This means it is not always
strong enough to compel staff to operate in line with its norms, which was one of the drivers of the
conduct issues observed within Markets.
A strong organisational culture serves to align and constrain behaviours, effectively reinforcing
expectations that limit deviations from the norm. To strengthen the culture, Institutional needs to
communicate standards clearly and consistently and establish a strong set of leadership expectations,
ensuring leaders actively model the desired cultural attributes. Additionally, implementing effective
reinforcement mechanisms, such as acknowledgement, incentives, and consequences for behaviours,
along with appropriate communication materials, is crucial for embedding these cultural standards. Given
the diversity and breadth of Markets’ operations, the business should intentionally drive consistency using
such tools to avoid perpetuating cultural variability which would significantly limit the effectiveness of any
future culture program.
a
For example, the primary metric used to manage and monitor the CEU programs was the number of deficiencies. In the I.AM
Amplified program, measures referenced in the Executive Summary of Steering Committee papers and Quarterly Targets related to
delivery status, such as scheduling, budget, resourcing, delivery risk, and completed tasks.
b
If the issue is closed but there are outstanding remediation activities, it will be marked as ‘closed incomplete’ under the NFR
Framework.
c
Refer to Section 5. I.AM Amplified for further detail on the program’s “Definition of Done”.
d
Given the global nature of the Markets business, most teams in each location have under 10 employees. This number is far
smaller in branch locations.
I.AM Amplified
46
5. I.AM Amplified
I.AM Amplified is a Group-wide non-financial risk uplift program that has been ongoing since 2020. In 2022,
ANZ placed a renewed focus on the program with additional Executive sponsorship and a revised delivery
approach. Through this review, we considered the extent to which the I.AM Amplified program (the
Program) is likely to remediate the issues identified in Markets, and if not, why not. This included analysis
of the original I.AM Amplified problem statements, objectives, project charter, and recent documents
related to the Program’s delivery and governance in Markets.
The Program’s objective is to implement a Group-wide non-financial risk (NFR) management system to
improve obligations and control management. This was to address problem statements including
inconsistent NFR management practices, reliance on manual controls, a lack of guidance in areas of risk
management, poor data quality, lack of clarity on roles and responsibilities across the Three Lines of
Defence (3LOD), and risk management capability gaps across the first and second lines of defence.158F
33
The
initiatives in scope for the current phase of the Program relate to implementing an improved NFR
framework, operating model and governance, and associated risk and compliance system. While some of
these problem statements will be resolved through the Program, many will rely on the Group’s next phase
of NFR work, planned to commence in mid-2025 (further details below).
Group Risk is responsible for delivering the NFR Framework through 16 “Risk Themes”. Institutional is
responsible for leading the adoption and overseeing progress across the Division, and Markets is then
responsible for adopting these within the business unit. The adoption process includes identification of
risks, applying controls, and assessing residual risk. As part of this process, risk remediation activities have
been identified for the Markets business, including addressing control weaknesses and control gaps. The
Definition of Done for the program is met when each Risk Theme is live and has been adopted for each
Division, as well as ongoing capability being in place.159F
34
This does not require the NFR framework to be
embedded and operating effectively, or for any remediation activities identified through the adoption to
be completed.
Markets has developed a “Day 2” backlog of activities, including developing and implementing new
controls, to address areas for improvement. This backlog largely consists of technical solutions to specific
issues, including: the development of new controls and changes to existing controls to meet enhanced
Control Objectives; automation of specific manual controls and processes; updates to specific policies and
procedures; improvements to data governance for certain data; and targeted training. To date, Markets
has identified 61 areas for further improvement in the control environment. However, this work is not
governed by the Program and will be completed by the first line risk support teams.
While there are similarities between the challenges and gaps identified through this review and the
Program’s initial problem statements, most issues identified through our review are unique to Markets and
will not be directly addressed as they fall outside the Program’s scope. Some are anticipated to be
addressed through the Group’s Enterprise Non-Financial Risk Program (see below); others will need to be
addressed through additional programs of work.
Some of our observations on Markets relate to culture and conduct outcomes including perceived
tolerance of inappropriate workplace behaviour, leadership effectiveness, and operating effectiveness of
existing frameworks and controls. However, we would not typically expect such a non-financial risk
program (focused on framework implementation and reporting) to address the longer-term outcomes of
embedding cultural and risk principles, such as fostering a speak-up culture, promoting appropriate
workplace behaviour, or monitoring leadership behaviours. These should be considered outcome
measures in the subsequent Markets and Enterprise NFR program of work.
Other shortcomings we observed relate to how Markets has applied and embedded Group standards. The
Program was not designed to directly address improvements related to Markets’ risk governance
I.AM Amplified
47
infrastructure. For instance, while the Program establishes standards for the 3LOD, Markets observations
relate to the distribution and execution of roles between Markets front office staff and first line risk
support teams. Addressing these specific observations will require a more tailored approach, that goes
beyond the current mandate of the Program to improve NFR management consistently across the Group.
The Group is designing a comprehensive Enterprise NFR Program to build on the foundations established
by the Program and CPS 230 uplift. The goal of this work is to consistently embed non-financial risk
management practices, address underlying root causes and achieve a sustainable target state across all
Divisions and Functions.160F
35
The draft plan covers frameworks and governance, Three Line of Defence, risk
culture, systems and data, operational resilience including process value chains, and a focus on culture,
capability and consequence management processes.125F
a
Although we have not reviewed the detailed
program plans or the underlying initiatives, the draft program demonstrates comprehensive coverage of
the essential components expected in a program aimed at embedding non-financial risk management.
Defining clear outcome measures in terms of effective and embedded NFR management, aligned to the
impact the Group and Markets is seeking to achieve, will be critical to addressing some of the underlying
Markets shortcomings.
a
Other requirements identified include: leaders role modelling behaviours; ongoing learning to sustain and improve capability; risk
built into reward, recognition and performance; and, risk built into decision-making via advanced analytics and insights.
Group-wide applicability
48
6. Group-wide applicability
Oliver Wyman’s review focused specifically on culture and risk governance within the Markets and
Institutional Division and covered Group-wide policies and procedures only where these were relevant to
our focus area in Markets. All findings in this report are therefore specific to the Markets business, or the
Institutional Division where specified. However, our scope of work also required us to form an assessment
on the potential for any identified gaps or weaknesses in risk governance identified in Markets to be
present across other parts of the Group, with reference to data and documents from other parts of the
Group.
To this end, we conducted a high-level assessment of data and documents from ANZ’s Retail Division to
determine if there were any indicators suggesting that the themes identified within the Markets could also
be relevant outside Markets. The Retail Division was selected as the next largest Division after Institutional.
Documents reviewed included risk events, incidents, breaches, CPS 220 attestations, risk culture self-
assessments, Internal Audit reports, Employee Relations data and My Voice and Risk Culture survey results.
We observed many indicators, both positive and negative, of the operating effectiveness of the risk
governance infrastructure in the Retail Division that were similar to those observed in Markets. As such, we
anticipate a reasonable degree of likelihood that some of the root causes and risk governance
shortcomings identified in the Markets may also be found elsewhere within the Group. However, it is
important to note that the nature of our review, which was driven by summary documents and data
without the inclusion of interviews, tools and process assessments, or independent surveys, does not
provide definitive evidence of specific gaps or their nature.
While we have not specifically assessed ANZ’s risk remediation plans for areas outside of Institutional, we
understand that management is considering how such shortcomings and root causes could be addressed
across the Group through the Enterprise NFR Program.
Given the findings, we recommend that ANZ either conduct a further detailed assessment of whether the
gaps identified in Markets are present elsewhere and/or operate on the assumption they are and apply
appropriate remediation on a Group-wide basis, tailored to the specific businesses within each Division or
Function.
Recommendations
49
7. Recommendations
This section contains the recommendations to address the Markets issues identified throughout the report,
with additional guidance for consideration. However, we suggest prioritising the following initiatives to
significantly enhance risk management in Markets:
• Leadership: Clarify and reinforce Markets leadership standards to align leaders’ actions with the
desired culture and conduct to drive improved outcomes. Support leaders to effectively communicate
and embed risk, culture, and behavioural expectations through practices such as storytelling and role
modelling.
• First and Second Line of Defence: Refresh Markets’ articulation of how its governance model should
work in practice to create distinct and differentiated roles for Markets front office, Markets first line
risk (especially the Desk Risk Managers), and Risk to improve consistency in risk governance execution
and independent challenge.
• Front office supervision: Ensure that expectations for supervisors are clearly articulated, reinforced,
and monitored. Enhancing the tools and data available to supervisors will empower them to fulfil these
responsibilities more effectively.
Throughout our engagement, we observed strong focus and attention from Markets leaders looking to
improve the business’s non-financial risk practices. As Markets commits to addressing the issues identified
in this report, the primary challenge will be to embed these changes in a sustainable and consistent
manner throughout the business. Markets must ensure that the approach to culture and risk governance
remediation is one that drives accountability for outcomes and demonstrates incremental risk and culture
improvement. This will ensure that the improvements in culture and risk governance become the standard
way of working.
Table 1: Full list of recommendations and guidance for consideration
Recommendations Additional guidance for consideration
3.1. People and culture
1. Refine existing Institutional and
Markets cultural (including risk
culture) collateral to support
consistent articulation of the culture
for storytelling and engagement across
the business; this should include clarity
on the mindset shifts and behaviour
change required to embed effective
non-financial risk management
A. Refresh the Institutional and Markets aspirational cultures with a clear
articulation of how they align to ANZ’s aspirational culture, values,
purpose and expected behaviours
B. Refresh the Institutional and Markets risk culture narratives with a
clear articulation of how they align to ANZ’s aspirational risk culture and
Risk Principles, and the required mindsets and behaviour shifts to achieve
the target state
C. Cascade refreshed culture and risk culture aspirations to all staff
through training, communications
2. Refine existing Institutional and
Markets leadership standards,
including explicit references to their
role in effective non-financial risk
management (including conduct
matters) and provide additional
training and skills development
support to Markets leaders
A. Update Markets culture and risk culture artefacts to support
leadership narrative and storytelling, this should include the required
mindsets, and behaviour shifts that will need to occur. These artefacts
should be specific and clear allowing the business and leaders to know
what good looks like
B. Refine Markets leadership standards, including the Front Office
Supervision Manual
C. Consider performing leadership capability diagnostics for Markets
senior leaders to inform the design and delivery of personalised
leadership development plans
Recommendations
50
Recommendations Additional guidance for consideration
D. Consider making leadership capability training and feedback tools
mandatory for Markets leaders to increase participation in line with the
Group
E. Integrate formal upward and downward feedback into leaders’
performance assessments, leveraging existing tools such as Leadership
180, Leader 360, and Team Health Check
3. Embed leadership standards, culture
and risk culture aspirations in
employee processes including
recruitment, onboarding, promotion,
remuneration and enhance
assessment processes to inform
selection and development
A. Embed and explicitly reference leadership standards, culture and risk
culture expectations in talent management policies and procedures
B. Enhance recruitment processes for senior Markets roles to support
assessment against leadership culture and standards; this may include
developing interview guides and specific assessment criteria
4. Improve the volume and quality of
staff communication and engagement
mechanism including leadership visits,
emails and town hall communications
A. Provide timely leadership communication to reinforce culture and risk
culture priorities; for example, leader updates should also highlight
positive examples of non-financial performance
5. Review Markets’ adoption of Group
behaviour investigation and
remuneration processes, including the
requirement to escalate all
behavioural issues to ER
A. Increase the level of centralisation and review and challenge by Talent
and Culture in the Markets remuneration process to align policy
expectations with execution
B. Consider mandating formal ER investigations for cases with allegations
of confidentiality breaches, recrimination or retribution; this process
should be managed independently of Markets business leaders
6. Consider refinements to the Group
consequence management processes,
including a lookback within a defined
period after consequences have been
applied to ensure they have had the
desired impact
A. Align the Markets Incident Management Framework with Group policy
by mandating that all cases of misconduct and inappropriate behaviour in
Markets are escalated to T&C and ER to create Group-level visibility of
inappropriate workplace behaviour matters irrespective of severity
B. Consider expanding the Markets IMF members to include additional
representatives from the Markets front office
C. Consider an indicative determination of variable compensation
impacts at the time of consequences are determined to mitigate recency
bias in process
D. Aggregate and analyse data from across Incident Management
Framework, ER, and Whistleblower channels to create visibility of trends
and drivers of unacceptable behaviour
E. Use trends and drivers to inform proactive management of potential or
actual hotspots, such as: notifications and training for managers and
proactive training to larger audiences on cultural drivers of misconduct
F. Consider incorporating retrospective reviews into ER case
management processes to ensure that cases are not closed until the
behaviour change has been achieved
3.2. Governance
1. Clarify Markets 3LOD model and
provide communication and training to
embed the changes, ensuring teams
have appropriate capacity and
capability
A. Clarify roles and responsibilities, and the boundaries of the Front
Office, DRM, FOSG, and BG&C roles
B. Finalise the detailed design of the Institutional second line “risk-based
review and challenge” approach under the NFR Framework guidance and
process documents (currently inflight)
Recommendations
51
Recommendations Additional guidance for consideration
C. Consider implementing minimum standards for periodic independent
second line review and challenge of critical controls that may fall outside
of “risk-based thematic reviews”
D. Consider whether changes to the NFR Framework RACI model across
the risk management lifecycle is required to include explicit guidance on
where second line engagement is required as well as the nature of the
engagement (for example, thematic, all critical controls, etc.)
E. Following the above recommendations, consider capability and
capacity requirements across Markets first line (including DRM, FOSG,
BG&C teams) and Institutional Risk teams to execute risk management
responsibilities
F. Deliver communication and training across Markets first line and
Institutional Risk to implement and embed these changes, this should
include boundaries and minimum expectations of each role, expected
escalation pathways for operational and conduct related matters, and
enablement function engagement
G. Consider refining Internal Audit root cause approach, and coverage
across Markets business activities
2. Consider refining the approach for
Markets non-financial risk and culture
change program governance with front
office representation engagement in
oversight and delivery roles
A. Consider Markets front office staff, not front office support functions,
as accountable owners for relevant workstreams
B. Include Markets business representation in program steering or
governance committees to drive ownership and accountability with first
line teams
C. This approach should also be considered for the Institutional and/or
Markets delivery of the Enterprise NFR Transformation program
3. Refine the front office supervision
framework, including refreshing the
manual, enhancing supervision data
and metrics, supervisor training,
refining the supervisor effectiveness
assessment, completing a post-
implementation review post changes
to assess its operating effectiveness
A. Refresh the Front Office Supervision Manual to align with FMSB best
practice (currently in flight)
B. Consider enhancements to the current approach to front office
supervision data and metrics; this could include aligning with FMSB best
practice and increasing the frequency of data provided to supervisors
C. Consider refining the current approach to assess Markets supervisors’
effectiveness beyond the approach in the Markets Incident Management
Framework; this could include periodic assessment of supervisors against
Front Office Supervision Manual principles
D. Complete a post-implementation review, conducted by Institutional
Risk or Internal Audit, once changes to the Front Office Supervision
Manual are implemented
4. Refine governance forum reporting
to consistently include thematic
insights and trend analysis, root cause
remediation tracking, and other
metrics and thematics related to
workplace behaviour including ER
issues
A. Refine Board reporting to consistently include thematic insights and
trend analysis to support enriched discussion and challenge of the risk
profile
B. Refine MBMF reporting to include:
i. Thematic insights and trend analysis to support improved
challenge of the risk profile
ii. Markets root cause remediation tracking of issues identified
Internal Audit and other and independent reviews
iii. Other metrics and thematics related to workplace behaviour
including Employee Relations issues
Recommendations
52
Recommendations Additional guidance for consideration
3.3. Policies and frameworks
1. Review policies for consistency
across the Group and Institutional or
Markets-specific documentation,
including cultural aspirations,
Employee Relations policies, and the
Markets Incident Management
Framework
A. Review the following policies for consistency in the definition,
structure, and interrelation of cultural and behavioural expectations
across Group-, Institutional-, and Markets-specific documents:
i. ANZ ICARE Values
ii. ANZ Behaviours
iii. Risk Principles
iv. Institutional Culture Plan
v. Institutional Aspirational Culture
vi. Markets Culture Plan
vii. Markets Aspirational Culture
viii. Markets Culture Plan
ix. Group-wide Employee Relations policies
x. Markets Incident Management Framework
B. Consider Artificial Intelligence and Machine Learning based tooling to:
i. Support policy management including simplification,
consolidation, and consistency
ii. Support employees to navigate policies efficiently
2. Review Group and Markets policies
to ensure all pertinent details are
defined, including product
management requirements, the
Markets Customer Suitability
Framework and the Capital Markets
Issuance and Underwriting Procedure
A. ANZ Product Management Requirements: Provide clearer explanations
of the criteria that constitute a change in product presentation (currently
in flight)
B. Markets Customer Suitability Framework: Clarify definitions of funds
and trusts and relevant exemptions for customer suitability assessments
C. Capital Markets Issuance and Underwriting Procedure: Consider a
more explicit reference that delegation of operational authority does not
supersede escalation requirements, and formally document existing
Markets processes for pre-deal checks, the determination of pricing and
settlement structures, and the escalation of settlement issues
3. Consider implementing metric
thresholds for each metric status and
escalation and action planning
requirements for the Markets Risk
Appetite Statement, with accountable
owners
A. Consider defining red, amber, and green thresholds in the Markets
Risk Appetite Statement along with clear requirements for escalation and
action planning, with accountable owners
3.4. Tools and processes
1. Refine approach to control design
and testing, including providing
greater guidance for automated
controls, ensuring teams have
appropriate skills and capability, and
providing refresher training
A. Consider refining existing control design and testing documents to
include specific guidance on effective automated control design and
testing methodology to align with best practice approaches
B. Review Markets BG&C control design and testing experience and
capacity to ensure appropriate coverage and skills within Markets
C. Deliver refresher training to BG&C and Institutional Risk on control
design and testing best practice approaches, and consider including
content specific to automated controls
2. Consider implementing a Markets
controls Design Authority to provide
advice and challenge for the planned
controls change exercises
A. Consider implementing a Markets Control Design Authority to support
risk reduction programs like I.AM Amplified, the Enterprise NFR
Transformation program, and Markets-specific risk uplift work.
This forum could be chaired by the Divisional Controls Officer and include
representation from relevant and qualified support functions, such as
Recommendations
53
Recommendations Additional guidance for consideration
Control Owners, Institutional Risk, and other relevant Enablement
functions like Technology.
The intention of the forum would not be to provide assurance, but to
advise on and challenge control designs prior to implementation, acting
as a mechanism to support strategic remediation, including increases in
the level of control automation.
3. Progress and finalise high impact
process mapping across Markets to
provide an end-to-end view of
operations across product lines
(inflight under CPS 230 program)
A. Progress and finalise high impact process mapping across Markets
across product lines to create an end-to-end view of operations
(currently inflight under CPS 230 program)
4. Refine approach to root cause
remediation including reviewing the
requirements to close remediation,
considering review and challenge
processes and performing a look-back
across certain closed issues
A. Consider redefining the Group-wide criteria for root cause remediation
in the Risk, Control, and Issue Management Procedures to require that all
remediation is completed prior to issue closure
B. Consider implementing Institutional Risk “risk-based review and
challenge” of root cause remediation for extreme or high-risk issues prior
to closure
C. Review all current Markets root causes that have been closed as
“closed but incomplete” and provide closure tracking of these at the
MBMF
5. Enhance processes for applying and
communicating lessons learnt across
Markets, with a mechanism to record
and track actions
A. Enhance the Markets Incident Management Framework to include
comprehensive guidance for applying lessons learnt across all Markets
functions
B. Establish a formal process within the MBMF to ensure that post-
incident lessons are communicated effectively, with explicit expectations
for attendees to disseminate insights throughout their business units and
identify necessary actions; this should be formally recorded and tracked
in the Markets Business Management Forum
C. Embed sharing lessons learned in Markets all-staff communication and
Town Halls to showcase opportunities for continuous improvement
6. Consider providing greater guidance
on the aggregation of information for
the risk culture assessment
A. Consider enhancements to the risk culture self-assessment framework,
this could include:
i. Adding metrics for the Reward and Recognition Risk Principle, which
currently does not have metrics
ii. Refining existing metrics or adding new ones for Proactive Risk
Management Risk Principle, as current metrics do not effectively
measure proactiveness
iii. Ensure all metrics have defined thresholds, as metrics are less
informative of risk culture when there is no aspiration or tolerance
for comparison
iv. Ensure all thresholds are set based on absolute tolerance or target
state rather than historical averages
v. Establishing Principle weightings and defining minimum standards
for the number of Risk Principles that must be rated as “Sound” to
achieve an overall “Sound” rating
Appendix
54
Appendix A. Oliver Wyman Culture Diagnostic
Survey
The following provides further detail on Oliver Wyman’s Culture Diagnostic Survey and the results.
A.1. Overview
The survey was issued to approximately 7,500 Institutional and Markets-aligned staff in enablement
functions. Each respondent was asked 57 quantitative and qualitative questions, based on a blend of prior
ANZ employee engagement and risk culture surveys, APRA’s risk culture survey, and Oliver Wyman
research. In total, 3,495 responses were received, including 2,016 free-text responses.
Staff were asked to provide certain personal details including their location, business unit and seniority. To
maintain respondents’ anonymity, responses were aggregated where this introduced the potential to
identify respondents.
Survey responses were subject to a standardised data cleaning process, removing respondents who
responded too quickly to each question to have considered them carefully or those with unchanged results
throughout.
A.2. Data cleaning process
Oliver Wyman applied a data cleaning process to survey responses to improve the accuracy and reliability
of the results. This involved removing responses where staff either completed the survey in under five
minutes or did not modify their answers throughout the survey at least four times.
We removed 362 of 3,495 responses through the data cleaning process, leaving 3,133 responses in the
cleaned dataset. The data cleaning process reduced the favourability results by less than one percentage
point on average.
A.3. Survey question scores
The table summarises the question scores for the survey questions related to conduct. Respondents
answered the questions using a five-point scale from ‘Strongly Disagree’ to ‘Strongly Agree’. ‘Strongly
Agree’ and ‘Agree’ responses are considered as ‘favourable’ and are used to calculate the percentages
below.
The Institutional results are inclusive of Markets staff, and the Markets results are inclusive of Markets
Australia staff.
Table A1: Survey question scores for Institutional, Markets, Markets-aligned enablement functions and
Markets Australia
# Question Percent favourable
Institutional Markets
Enablement
functions
Markets
Australia
Sample size 2,850 968 283 253
29
The values and standards of conduct at ANZ are
clearly communicated and well understood
91% 90% 88% 82%
Appendix
55
# Question Percent favourable
Institutional Markets
Enablement
functions
Markets
Australia
30
Senior leadership’s actions are consistent with
what they say (they ‘walk the talk’)
69% 65% 63% 43%
31
People in my part of the business understand
the level of risk they can take in their roles
88% 90% 84% 86%
32
People in my part of the business are neither
defensive nor aggressive when their views are
challenged
65% 65% 59% 57%
33
People in my part of the business raise
dissenting views
60% 62% 59% 54%
34
People in my part of the business can raise
issues without fear of reprisals or negative
consequences
75% 74% 72% 64%
35
I believe the input I provide here will be acted
on to improve our organisation
70% 70% 72% 50%
36
Risk management roles and responsibilities are
well understood
85% 85% 76% 74%
37
People are incentivised to manage risk and are
recognised or rewarded for good risk
behaviours
63% 64% 54% 44%
38
At ANZ there are appropriate consequences
when people behave in a way that does not
align with our policies and values
73% 73% 70% 54%
39
People in my part of the business raise issues
when they think something is not right
86% 86% 83% 80%
40
Leadership in my part of the business
demonstrate personal accountability for
managing risk and sound risk behaviours
84% 81% 78% 71%
41
If someone acts in a way that is inconsistent
with our values, people in my part of the
business will strongly disapprove
77% 79% 72% 73%
42
I believe ANZ’s investments in non-financial risk
management has added value to my part of the
business
66% 64% 63% 42%
43
In my part of the business, sufficient resources
(budget, systems, skills, capacity) are
committed to improve how we manage risk
59% 57% 45% 39%
44
Leaders in my part of the business effectively
manage our most critical business risks
86% 83% 83% 72%
45
People in my part of the business have the skills
required to identify, act on, and monitor risks in
their role
86% 86% 80% 82%
46
Managers and leaders here promote and
discuss the management of risks day-to-day
81% 79% 72% 65%
47 Risk is actively considered in decision-making 92% 91% 88% 83%
Appendix
56
# Question Percent favourable
Institutional Markets
Enablement
functions
Markets
Australia
48
In my part of the business, Risk and Compliance
are both respected functions
90% 90% 87% 81%
49
ANZ’s risk frameworks and policies strike the
right balance between risk management and
business outcomes
70% 69% 71% 52%
50
People I work with tend to exploit
inconsistencies or grey areas in policies and
procedures to their advantage
64% 66% 57% 76%
51 In my team, we manage risks well 92% 92% 90% 87%
52
In the past 12 months I have observed
improved risk management behaviours
67% 68% 65% 51%
53
In my team when things go wrong, we make
changes to ensure it does not happen again
91% 90% 87% 86%
54
My part of the business puts customers at the
center of business decisions
81% 80% 75% 69%
55 I am proud to work at ANZ 82% 76% 77% 61%
56 I like the culture here at ANZ 80% 77% 73% 58%
A.4. Comparison of Oliver Wyman and ANZ survey results
Oliver Wyman’s Culture Diagnostic Survey included some questions that were the same as, or similar to,
ANZ’s Risk Culture Survey. The table compares the results of the two surveys for the Global Markets
business unit. Where there are differences in the question wording, the ANZ Risk Culture Survey questions
have been included below. ‘Strongly Agree’ and ‘Agree’ responses are considered as ‘favourable’ and are
used to calculate the percentages below.
Table A2: Comparison of Oliver Wyman and ANZ’s 2024 Risk Culture Survey scores
#
Oliver Wyman Culture Diagnostic Survey questions
ANZ Risk Culture Survey questions (where different)
Percent favourable
ANZ Oliver Wyman Difference
Sample size 817 968 +151
31
People in my part of the business understand the level of risk they can
take in their roles
ANZ: I know the level of risk I can take in my role
95% 90% -5%
34
People in my part of the business can raise issues without fear of
reprisals or negative consequences
ANZ: In my team I can raise issues about risk management without fear
of reprisals or negative consequences
91% 74% -17%
36 Risk management roles and responsibilities are well understood
ANZ: The risk management roles and responsibilities shared between
the business, the risk function and internal audit are well understood
88% 85% -3%
38
At ANZ there are appropriate consequences when people behave in a
way that does not align with our policies and values
91% 73% -18%
Appendix
57
#
Oliver Wyman Culture Diagnostic Survey questions
ANZ Risk Culture Survey questions (where different)
Percent favourable
ANZ Oliver Wyman Difference
ANZ: At ANZ there are appropriate consequences when risk
management processes and behaviours are not followed
39
People in my part of the business raise issues when they think
something is not right
ANZ: I escalate risk issues when I see something is not right
97% 86% -11%
40
Leadership in my part of the business demonstrate personal
accountability for managing risk and sound risk behaviours
ANZ: My manager (the person I report to) demonstrates personal
accountability for managing risk and sound risk behaviours
92% 81% -11%
43
In my part of the business, sufficient resources (budget, systems, skills,
capacity) are committed to improve how we manage risk
77% 57% -20%
45
People in my part of the business have the skills required to identify,
act on, and monitor risks in their role
ANZ: I have the skills required to identify, act, and monitor risks in my
role
96% 86% -10%
47 Risk is actively considered in decision-making 97% 91% -6%
49
ANZ’s risk frameworks and policies strike the right balance between risk
management and business outcomes
79% 69% -10%
51 In my team, we manage risks well 96% 92% -4%
52
In the past 12 months I have observed improved risk management
behaviours
77% 68% -9%
53
In my team when things go wrong, we make changes to ensure it does
not happen again
95% 90% -5%
Appendix B. Case study selection
Oliver Wyman selected five case studies to test ANZ’s risk governance management framework.
Oliver Wyman prepared a long list of potential case studies based on input from ANZ stakeholders, a
review of risk event and employee relation data over the past five years, and any regulator determinations.
To refine the shortlist, Oliver Wyman sought examples that covered different elements of the risk
governance framework and considered the following criteria to ensure the cases tested an appropriate
breadth of the infrastructure. The final shortlist of cases was shared with APRA and ANZ for approval.
• Business units: whether multiple teams were involved in the event
• ANZ locations: number of teams involved in the event
• Time period: when the event took place
• Financial impact: whether there was an actual or potential financial impact to ANZ
• Number of customers affected: number of customers impacted, where applicable
• Regulator involvement: whether the event was escalated to regulators
• Frequency: whether the event was isolated or part of a broader pattern of similar repeated events
• Board engagement: the level of Board involvement in event and remediation processes
Appendix
58
Appendix C. Documents reviewed
The table below provides a summary of the documents Oliver Wyman reviewed.
Table C1: Summary of documents reviewed
Category Sub-category # of documents
Policies and
frameworks
Group policies and frameworks 104
Markets-specific policies and frameworks 18
Risk appetite documents 7
Risk culture documents 44
Policies and frameworks 173
People and
culture
Culture standards and expectations 74
Talent management processes, procedures, and tools 74
External culture reviews 3
People and culture 151
Governance Governance structure 31
Board, BRC, IRMC, MBMF papers and minutes 388
Governance 419
Risk and Internal
Audit reviews
Group-wide audit papers 60
Markets-specific audit papers 49
Risk Governance Self-Assessment 17
Risk and Internal Audit reviews 138
Case studies Case A 41
Case B 35
Case C 57
Case D 60
Case E 84
Case studies 277
I.AM Amplified Design and delivery 55
Governance and reporting 46
External interactions 23
I.AM Amplified 124
Other Staff lists and organisation charts 4
Risk data including operational issues, breaches and employee cases 76
Employee engagement surveys 22
Control design and testing papers 68
Other 14
Other 184
Total 1,454
Appendix
59
Appendix D. Glossary of terms and abbreviations
The terms and abbreviations used in this report are explained below.
D.1. Glossary of terms
Term Definition
ANZ Australia and New Zealand Banking Group
ANZ Board
Both the ANZGHL Board and the ANZBGL Board (and their Board Risk Committees)
unless otherwise indicated
Concerns
Observations that have the potential to give rise to unintended outcomes, or
employees’ beliefs about potential issues
FX/BBSW CEU Program
ANZ entered into two Court Enforceable Undertakings (CEUs) in 2017 and stood up
two remediation programs as a result: the FX and BBSW Court Enforceable
Undertaking (CEU) programs (referred to as the Programs)
First line
The first line in the Three Lines of Defence model, typically referring to front office
staff and Divisional support functions
Group
The Group refers to the ANZ Banking Group, which houses ANZ’s business activities
and material risks
I.AM Amplified ANZ’s non-financial risk program
Independent Expert
ASIC engaged PwC to complete Independent Expert activities as per the
requirements of the CEUs. PwC reviewed ANZ’s Internal Review Reports and other
artefacts relating to the CEU Programs against the requirements laid out by ASIC,
and provided findings and recommendations relating to the Programs’ effectiveness
Institutional ANZ Division which services global institutional and corporate customers
Institutional Culture Plan A program of work that aimed to uplift Institutional culture, launched in 2019
Issues Actual risk events or identified gaps
Markets ANZ’s Global Markets business
Markets leaders Members of the Markets Leadership Team (MLT)
Markets Culture Plan
A program of work within the Global Markets business that aimed to improve
culture and risk culture
Risk Governance Self-
Assessment
A written self-assessment of the effectiveness of risk governance, accountability,
and culture practice endorsed by the Board of Directors.
Second line The second line in the Three Lines of Defence model, primarily the Risk function
Sub-culture
A smaller subset of a larger group that shares distinct values, beliefs, and
behaviours that differ to those that prevail across the larger group.
Third line Internal Audit
D.2. Glossary of abbreviations
Abbreviation Definition
3LOD Three Lines of Defence
ANZBGL Australia and New Zealand Banking Group Limited
ANZGHL ANZ Group Holdings Limited
Appendix
60
Abbreviation Definition
APRA Australian Prudential Regulation Authority
ASIC Australian Securities and Investments Commission
BBSW Bank Bill Swap Rate
BG&C Business Governance & Controls
BRC Board Risk Committee
CEU Court Enforceable Undertaking
CMRC Credit and Market Risk Committee
CPS 220 Prudential Standard CPS 220 Risk Management
CPS 230 Prudential Standard CPS 230 Operational Risk Management
DRM Desk Risk Managers
ER Employee Relations
FOSG Front Office Supervision & Governance
FX Foreign Exchange
GPD Group Performance Dividend
GSGF Global Surveillance Governance Forum
ICARE Integrity, Collaboration, Accountability, Respect, and Excellence
ICP Institutional Culture Plan
IMF Incident Management Framework
IRMC Institutional Risk Management Committee
MBMF Markets Business Management Forum
MLT Markets Leadership Team
MPC Markets Product Committee
NFR Non-Financial Risk
OREC Operational Risk Executive Committee
RACI Responsible, Accountable, Consulted, Informed
RAS Risk Appetite Statement
RGSA Risk Governance Self-Assessment
T&C Talent & Culture
Qualifications, assumptions, and limiting conditions
This report sets forth the information required by the terms of Oliver Wyman’s engagement by ANZ and is
prepared in the form expressly required thereby. This report is intended to be read and used as a whole
and not in parts. Separation or alteration of any section or page from the main body of this report is
expressly forbidden and invalidates this report.
This report is not intended for general circulation or publication, nor is it to be used, reproduced, quoted or
distributed for any purpose other than those that may be set forth herein without the prior written
permission of Oliver Wyman. Neither all nor any part of the contents of this report, any opinions expressed
herein, or the firm with which this report is connected, shall be disseminated to the public through
advertising media, public relations, news media, sales media, mail, direct transmittal, or any other public
means of communications, without the prior written consent of Oliver Wyman.
Information furnished by others, upon which all or portions of this report are based, is believed to be true,
complete and not misleading. Oliver Wyman will not be responsible for the consequences of any information
provided in the course of preparing this report not being complete, accurate or current. Other than as set
out in the engagement contract between Oliver Wyman and ANZ (the "Agreement") Oliver Wyman did not
audit or otherwise test or verify the information provided in the course of preparing this report. No warranty
is given as to the accuracy of such information. Public information and industry and statistical data, where
applicable are from sources we deem to be reliable; however, we make no representation as to the accuracy
or completeness of such information and have accepted the information without further verification.
The findings contained in this report may contain predictions based on current data and historical trends.
Any such predictions are subject to inherent risks and uncertainties. In particular, actual results could be
impacted by future events which cannot be predicted or controlled, including, without limitation, changes
in business strategies, the development of future products and services, changes in market and industry
conditions, the outcome of contingencies, changes in management, changes in law or regulations. Oliver
Wyman accepts no responsibility for actual results or future events.
The opinions expressed in this report are valid only for the purpose stated herein and as of the date of this
report. No obligation is assumed to revise this report to reflect changes, events or conditions, which occur
subsequent to the date hereof.
This report has been prepared solely for ANZ for the purposes set out in the Agreement and cannot be relied
upon for any other purpose. All decisions in connection with the implementation or use of advice or
recommendations contained in this report are the sole responsibility of ANZ. This report does not represent
investment advice nor does it provide an opinion regarding the fairness of any transaction to any and all
parties.
This report is for the exclusive use of ANZ. Other than as set out in the Agreement, there are no third party
beneficiaries with respect to this report, and Oliver Wyman does not accept any liability to any persons other
than as stated in the Agreement. In particular, Oliver Wyman's liability in respect of the contents of this report
or any actions taken or decisions made as a consequence of the results, advice or recommendations set forth
herein shall be as stated in the Agreement.
Sources
1
APRA Information Paper: Self-Assessments of Governance, Accountability, and Culture (22 May 2019).
2
Australia and New Zealand Banking Group Limited – Report to APRA on Self-Assessment (30 November 2018).
3
Promontory Review of ANZ’s Risk Governance Self-Assessment Implementation (18 October 2021); Internal Audit
Report – Risk Governance Self-Assessment (February 2022); APRA RGSA Engagement: Feedback (August 2023).
4
APRA media release titled “APRA increases ANZ’s capital add-on to $750 million over non-financial risk management
concerns” (23 August 2024).
5
Ibid.
6
Oliver Wyman Culture Diagnostic Survey:
Q 7 “Risk is actively considered in decision-making” – Institutional 92%;
Q 8 “In my part of the business, Risk and Compliance are both respected functions” – Institutional 90%;
Q51 “In my team, we manage risks well” – Institutional 92%;
Q53 “In my team when things go wrong, we make changes to ensure it does not happen again” – Institutional 91%;
ANZ Institutional FY24 Risk Culture Survey:
“In my team, we manage risks well” – All respondents 95%
“Risk is actively considered in decision-making” – All respondents 97%
“In my team when things go wrong, we make changes to ensure it does not happen again” – All respondents 95%.
7
Oliver Wyman Culture Diagnostic Survey: Q39 “People in my part of the business raise issues when they think
something is not right” – Global Markets 86%.
8
Oliver Wyman Culture Diagnostic Survey: Q3 “People in my part of the business can raise issues without fear of
reprisals or negative consequences” – Global Markets 74%.
9
Oliver Wyman Culture Diagnostic Survey: Q38 “At ANZ there are appropriate consequences when people behave in
a way that does not align with our policies and values” – Markets Sydney 52%.
10
Oliver Wyman Culture Diagnostic Survey: Q35 “I believe the input I provide here will be acted on to improve our
organisation” – Global Markets 70%.
11
Oliver Wyman Culture Diagnostic Survey: Q30 “Senior leadership’s actions are consistent with what they say (they
‘walk the talk’)” – Global Markets 65%.
12
Oliver Wyman Culture Diagnostic Survey: Q30 “Senior leadership’s actions are consistent with what they say (they
‘walk the talk’)” – Markets Australia 43%.
13
Oliver Wyman Culture Diagnostic Survey:
Q 0 “Leadership in my part of the business demonstrate personal accountability for managing risk and sound risk
behaviours” – Global Markets 81%, Markets Australia 71%;
Q “Leaders in my part of the business effectively manage our most critical business risks” – Global Markets 83%,
Markets Australia 72%.
14
Oliver Wyman Culture Diagnostic Survey: Q37 “People are incentivised to manage risk and are recognised or
rewarded for good risk behaviours” – Global Markets 64%.
15
FMSB Statement of Good Practice titled “Front Office Supervision of Wholesale Traded Markets”.
16
Papers presented on inclusion of the FX/BBSW CEU Control Inventory within COR to SteerCo on 5 April 2023.
17
I.AM Amplified Organisation Chart (16 October 2024) and discussions with ANZ stakeholders.
18
FX CEU Phase 4 Year 2 ANZ Internal Review Report (September 2021 – August 2022).
19
Markets control library; ANZ NFR Dashboard (December 2024).
20
FX CEU Phase 4 Year 1 – 3 Independent Expert Reports (12 November 2021, 28 October 2022, 27 October 2023);
BBSW CEU Phase 4 Year 1 – 3 Independent Expert Reports (16 December 2021, 15 December 2022, 15 December
2023).
21
Ibid.
22
BBSW CEU Phase 4 Year 3 Independent Expert Report (15 December 2023).
23
Markets Internal Audit Reports: APS117 Accreditation Phase 1 Checkpoint (March 2024); Commodities (May 2024);
Targeted Review of Rogue Trading / Conduct Risk (January 2024).
24
Email replacing cancelled FX & BBSW CEU Steering Committee meeting scheduled for 1 December 2021 (30
November 2021); Email relating to a FX & BBSW CEU Steering Committee meeting scheduled for the same day (7
December 2022); FX and BBSW Enforceable Undertakings Update presented to the CMRC (21 June 2022).
25
Markets Business Management Forum papers (12 September 2024); Markets Product Committee papers (17
October 2024); Institutional Risk Management Committee papers (19 November 2024).
26
Discussions with ANZ Internal Audit stakeholders; Internal Audit Final Report – CPS 220 Risk Management
(December 2024).
27
FX CEU Phase 4 Year 1 – 3 Independent Expert Reports (12 November 2021, 28 October 2022, 27 October 2023);
BBSW CEU Phase 4 Year 1 – 3 Independent Expert Reports (16 December 2021, 15 December 2022, 15 December
2023).
28
Markets Business Management Forum papers (12 September 2024); Markets Product Committee papers (17
October 2024); Institutional Risk Management Committee papers (19 November 2024).
29
ANZBGL Performance and Remuneration Policy.
30
Oliver Wyman Culture Diagnostic Survey: Q30 “Senior leadership’s actions are consistent with what they say (they
‘walk the talk’)” – Global Markets 65%.
31
Oliver Wyman Culture Diagnostic Survey: Q37 “People are incentivised to manage risk and are recognised or
rewarded for good risk behaviours” – Institutional 63%, Global Markets 64%.
32
Operational Risk and Compliance Management Remediation Plan (31 August 2022).
33
NFR Transformation Outcomes Framework (August 2023).
34
Operational Risk and Compliance Management Remediation Plan (31 August 2022).
35
ANZ Enterprise NFR Management Program – Draft (February 2025).
Data sourced from publicly available filings. Our datasets may not be complete. Automated analysis can produce errors. If you believe any data on this page is incorrect, please contact us at hello@nzxplorer.co.nz. For informational purposes only. Not investment advice.