Seeing the full picture on GCRA
Good morning, and thank you for inviting me to speak to you today.
A few weeks ago, APRA published an article on our pilot risk culture survey. It quickly became our most-read APRA Insight article ever. Two days ago, we ran an industry webinar providing more detail on our approach to supervising risk culture. We had almost 1000 registrations – more than double the number we’ve ever had for an industry webinar. This gives you a sense of the level of interest we are seeing in risk culture among APRA-regulated entities.
Yet, go back 10 or 15 years and “culture” was not a word you’d expect to hear from a financial regulator. It was in the aftermath of the Global Financial Crisis that risk culture, along with governance, remuneration and accountability – which we collectively call GCRA – started to be recognised as critical determinants of financial success or failure alongside the more traditional factors like capital and liquidity.
In the years that followed, two events in particular further focused industry and regulatory attention on what is often termed non-financial risk, and accelerated the response. The first was APRA’s independent prudential inquiry into the Commonwealth Bank of Australia (CBA) focusing on governance, culture and accountability. The second was the subsequent commencement – and more importantly, findings – of the financial services Royal Commission.
What both had in common was that the financial strength and stability of the institutions and industries in the spotlight were not in question. If anything, an excessive focus on (short-term) financial success was a large part of the problem. In the case of CBA, the Inquiry Panel concluded that "CBA’s continued financial success dulled the senses of the institution". Commissioner Hayne decried “greed – the pursuit of short-term profit at the expense of basic standards of honesty”.1 Excessive risk taking, with a short-term focus on profitability and without a longer-term perspective on the potential downsides, creates an environment in which GCRA weaknesses can lead to serious prudential problems.
Today I will paint you a picture of the work APRA has been doing to promote better GCRA practices through creating a stronger prudential framework, a sharper supervisory focus and sharing insights with industry. But this is not a transformation APRA can or should undertake on its own.
Ultimately, boards and management are responsible for how they assess and improve GCRA in their entities. On this front, there is more to do. The financial industry has come some way on GCRA since the damaging headlines of the Royal Commission. However, industry’s own analysis, through the risk governance self-assessments undertaken since that time, has identified a number of key areas where improvements still need to be made.
A key point I’d like to make up-front is that the various component parts of GCRA – governance, risk culture, remuneration and accountability – are mutually reinforcing. It is ultimately not possible to be highly effective in one area if there are material weaknesses in others. So, it is important that organisations understand whether the various streams of GCRA are aligned and working together. As internal auditors, with the ability to see all aspects of an organisation’s activities, you can play a key role in helping boards and management do just that.
Sketching the prudential framework background
A significant policy step that APRA took to establish new expectations for governance was to create an over-arching, cross-industry risk management prudential standard CPS 220. Released in January 2014 and coming into effect a year later, this standard included the new requirement that boards form a view of the risk culture in the institution, identify any desirable changes and ensure management takes actions to address those changes. Many directors found this new requirement – specifically adding the C to the G – rather challenging, but the intervening years have only strengthened our belief in the importance of a sound risk culture in supporting effective risk management.
We first explicitly identified “transforming governance, culture, remuneration and accountability across all regulated financial institutions” as a strategic goal in our 2019-2023 Corporate Plan. The breadth of our GCRA work has expanded accordingly.
When it comes to the R, in August this year APRA released a final version of its cross-industry prudential standard on remuneration, which comes into effect for the major banks from 1 January 2023, and will be progressively rolled out for other APRA-regulated industries. With its goal of introducing genuine consequences for financial executives when their decisions lead to poor risk management or conduct that is contrary to community expectations, it has certainly been the most controversial of the policy and regulatory steps to address GCRA to date. After a highly contested consultation process, in which we received some very strong views, we believe we have settled a position that takes account of feedback from stakeholders but nevertheless is robust and delivers on the objectives we set out to achieve. Industry is now preparing for its introduction in a little over a year, and I would emphasise the need for boards to be working now to develop non-financial metrics and other changes to remuneration arrangements that will be fit for their organisation. With the policy work complete, from here we will be shifting to ensuring that the new expectations are firmly embedded in the institutions we supervise.
The Bank Executive Accountability Regime, or BEAR, was an important step in ensuring that accountability – the A of GCRA – was clear at the most senior levels of banks. Now the Financial Accountability Regime, or FAR, is not far away. Building on BEAR, the Government plans that it come into effect for banks in 2022 and for insurers and superannuation trustees a year later. It will be a cross-industry regime, jointly regulated by APRA and the Australian Securities and Investments Commission (ASIC), and will increase standards of accountability across the banking, insurance and superannuation sectors.
Filling in the supervision canvas
APRA’s regulatory architecture and supervisory focus on non-financial risks have advanced considerably since 2014. But our mission to transform GCRA across regulated financial institutions is far from over. In fact, as recently as 2019, APRA Chair Wayne Byres referred to the regulatory and supervisory approach to GCRA as being “still very much in its infancy” relative to traditional prudential risks. So, that brings me to a picture of where the industry stands today.
Risk governance standards, remuneration standards and accountability regimes provide crucial policy foundations for industry across the G, the C, the R and the A. But APRA is first and foremost a prudential supervisor and regulation provides the foundation for supervision. So, APRA has also been evolving its approach to supervision of industry practice in GCRA to take advantage of the new regulatory framework.
APRA has elevated the profile of GCRA in its risk assessment model. Since 2020, all APRA supervisors have been required to explicitly assess GCRA-related risks when they determine the level of supervisory intensity APRA will apply to each regulated entity.
One step that will assist supervisors in completing the GCRA picture has been the development of our supervisory approach for assessing risk culture. In recent weeks, APRA has sent its risk culture survey to the employees of 18 banks, following the successful completion earlier this year of a pilot survey exercise covering 10 general insurers. The survey, which will be rolled out to up to 40 additional entities over the next year, provides an important new source of information for APRA. By giving a voice to employees from across all levels of an organisation rather than only hearing from a small number of senior executives or board members, we will be able to get a much better picture of how GCRA practices are, or are not, working in practice at an entity.
Another important step has been our review and response to risk governance self-assessments for a cross-industry selection of APRA-regulated entities.
When we released the final report from the CBA Inquiry in 2018, you may recall we asked 36 other APRA-regulated entities to conduct a self-assessment of their own risk governance practices with reference to the findings in that report. These self-assessments showed that many of the issues identified within CBA were not unique to that institution. As my fellow Deputy Chair John Lonsdale said at the time, the self-assessments “confirmed our observation that industry is grappling to manage non-financial risks, such as culture and accountability.”
In recent months we have followed up with the same 36 entities to see whether things had improved.
The first theme APRA identified in the initial risk governance self-assessments was that entities’ management of non-financial risk needed improvement. Our latest analysis reveals that entities have, pleasingly, raised the profile of non-financial risk management practices. Many have either established dedicated non-financial risk committees at the executive level, or include non-financial risk as a standing agenda item at their Board Risk Committee meetings. We have also found that entities have revised their risk appetite statements to incorporate metrics relating to non-financial risks, and are recognising various non-financial risks as material on their risk registers. Many boards now also spend time looking at customer complaints to better understand the underlying causes that generate them.
The second theme APRA identified in 2019 was that accountabilities within entities were not always clear, cascaded and effectively enforced. In response, we have seen increased clarity of ownership and accountability for both risk and compliance. For example, whereas in the past it was often left to employees within the Risk or Audit teams to identify risk-related issues, frontline business units are now identifying more risk issues than they did before. We found more progress has been made clarifying accountabilities in the banking industry, no doubt incentivised by the consequences of the BEAR. However, we know we cannot be complacent – there is still a long way to go to ensure clear end-to-end accountability for risk is embedded in all APRA-regulated entities.
The third theme APRA identified was that the concept of risk culture was not always well understood and that, as a result, boards and senior management sometimes struggled to reinforce the desired behaviours within their organisation. Since 2019, APRA has seen an increased awareness of and focus on risk culture by entities. Our GCRA team has reviewed a number of entities’ risk culture approaches, and they generally demonstrate a better understanding and appreciation of the entity’s obligations in relation to risk culture. However, the approach of many entities towards risk culture would still benefit from further maturity through the use of more consistent methodologies, frameworks and a range of different data sources. In some cases, there also remains a lack of expertise in how to meaningfully assess risk culture, impeding the organisation’s ability to move towards its desired risk culture state.
The fourth and final theme APRA identified from the self-assessments was that the weaknesses which entities acknowledged were well-known, and some had been long-standing. That was not necessarily because of neglect: in many cases, rather, efforts to address these weaknesses proved to be ineffective. Often, this was because the actions served only to address the symptom of the problem, without fully understanding the root cause. The risk governance self-assessments have encouraged entities to look beyond the ‘what’ of compliance and issue remediation and ask ‘why’ risk management frameworks and practices had not been working as intended.
Overall, the story of recent years has been one of progress. Of course, it has not all been smooth sailing – the number of capital add-ons and court-enforceable undertakings we have employed to fully incentivise action shows it has not always been easy. However, it is clear that the risk governance self-assessments have helped entities to better consider and work on more effective responses to issues and non-financial risks. What is important is that this has an enduring impact, and we will be following up in 2022 to ensure that is the case.
Providing additional colour
As we head into 2022, APRA’s focus will increasingly shift from working on policy and our own tools to how entities are responding to our enhanced focus on GCRA and whether they are taking steps to embed sound GCRA practices. We will be looking for evidence that work on risk management and compliance controls has shifted beyond design effectiveness to also ensure operating effectiveness and that boards and senior management are being vigilant to ensure the mistakes of the past are not repeated.
With just over a year to go until our new remuneration standard, CPS 511, takes effect, APRA expects banks, insurers and superannuation licensees to be preparing to comply with the new requirements. Our recently published supporting prudential practice guide CPG 511 should be essential reading for entities looking to make sure they understand their obligations under the new standard.
Over the next 18 months, APRA will have a strong supervisory focus on industry’s implementation of the new CPS 511 requirements. For a subset of entities, APRA will undertake a more detailed review of implementation progress, including benchmarking against peers. We will publish thematic findings from this review to help all entities with implementation of the new remuneration standard. In early 2022, we will also release new reporting and disclosure requirements on remuneration for consultation. Ultimately, we want to see risk outcomes having a meaningful impact on remuneration outcomes. In the event of adverse risk outcomes, we expect to see those responsible being held to account and their remuneration adjusted downwards. APRA will intensify its supervision of remuneration to confirm that this is happening.
In relation to the risk culture survey, APRA expects that entities will use insights from the survey results and compare them with their own internal indicators – such as employee survey results, non-financial risk metrics and internal risk culture reviews – as well as other qualitative and quantitative data to build a more comprehensive picture of their risk culture. Entities may also want to draw on the specific areas highlighted in the report they receive from APRA to develop a deeper understanding of the underlying causes of employee perceptions and mindsets, for example through discussions and focus groups with staff.
We will use the results of the risk culture survey to drive further discussions with participating entities, and will focus on the areas of their business where there are strengths as well as areas of opportunity for further improvement. Our aim is for the survey responses, over time, to provide evidence of the extent to which positive changes impacting risk culture are – or are not – occurring. APRA will publish further insights to provide additional transparency on risk culture across APRA-regulated industries, and continue to engage with entities to discuss how issues that are identified through the survey will be addressed. We will also be driving improvements in governance and risk culture practices by continuing to undertake risk culture deep dive reviews, and assessments of risk transformation programs, at a number of entities.
Seeing the big picture
Although it may surprise you to hear a regulator acknowledge this, APRA is well aware that running a major financial institution, often with multiple divisions, scores of products, thousands of employees, and hundreds of thousands of customers, is difficult. And so, what is often found is that the issues that trip up entities, and result in financial losses, reputational damage or large fines, are more likely to be the result of error, carelessness, inadequate attention, or poor systems and processes than ill-intent.
For this reason, internal audit teams have a crucial role to play in helping to enable sound GCRA practices across an organisation. With their independent reporting line to the board, internal audit is ideally placed to highlight issues of concern, including the behavioural and mindset issues, that underlie the more visible symptoms of GCRA weaknesses. Examples of these signs of a poor risk culture include inadequate risk management reporting, long-outstanding risk or compliance issues and poor oversight of, or response to, incidents. We recognise that being able to look through to the underlying GCRA weaknesses is not an easy job and may require different skills and tools in order to see the bigger picture. However the real skill – and value add that auditors can provide – is to look behind the metrics of poor responses to control weaknesses to understand what the fundamental drivers of such behaviours are, and to call those out.
Traditionally, auditors have looked at issues from a controls perspective: does the evidence suggest controls are effective? Now APRA is asking you to look at issues from a people or behavioural perspective. That means thinking differently. You need to look beyond the numbers, beyond the evidence available. It’s still important for you to look at systems, processes and controls, but you need to go deeper and ask why things might be happening from a behavioural perspective. Ask what the underlying drivers of the control failures are, particularly for repeat observations, so that you understand the behaviours and cultural drivers that may underpin them. Otherwise you could just be seeing a silhouette and not the full picture, and your organisation will respond to symptoms rather than addressing the root causes of the problem.
When it comes to financial institutions, we need internal auditors to ask themselves: how can I get the true picture of the risk culture of my organisation? How do I identify GCRA issues in my organisation before they manifest in a real problem? How do I ensure I’m looking at the right things, that I’m capturing the relevant issues and concerns and – perhaps most importantly – providing real insight back to the board? The recent release by the IIA of “A Practical Guide to Auditing Risk Culture”2 provides a useful reference to help you do this.
Your unique role gives you the opportunity to join the dots to different – and sometimes disparate – pieces of evidence and to provide a more complete picture of GCRA for your board. This will help ensure the board can assess GCRA across the breadth of your organisation: where the strengths and weaknesses lie, where the risks are, and where further work needs to be done in order to transform GCRA.
Over my years at APRA, as a frontline supervisor, as a manager and now as Deputy Chair, I have observed – time and again – that a board’s approach to governance, the tone it sets for the risk culture of the organisation, the signals it sends through its approach to remuneration and how it holds the executives – and itself – to account are all very strong determinants of the financial and operational resilience of the firm. Aggregated across each of the organisations we supervise, these factors in turn are critical for the stability of the financial system as a whole.
The GCRA policies, as well as the supervisory tools and practices we have developed, are not enough to create a sound risk culture on their own. Just as a frame marks out a space for an artist to create or display a painting, our risk management standard, the finalised remuneration prudential standard, the FAR, and our risk culture survey should together provide a frame within which boards and managers can build a stronger approach to GCRA. There is no doubt that many APRA-regulated entities have made good progress in this area over recent years, but there is more to do. And internal auditors – with their critical eye, unique perspective and ability to join the dots – can play a key role to help organisations see the big picture on GCRA.
1 Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry, Interim Report pxix.
2 Auditing risk culture - A practical guide (iia.org.au).