Risk Management and Governance – A Prudential Regulator Perspective

Deputy Chairman

Macquarie University Financial Risk Day, Sydney 

13 March 2015 



Risk and governance: two topics that go to the heart of what APRA does, so I am very pleased to be here to talk about them today.

I’m going to comment today on the following:

  • APRA’s expectations of boards
  • Why risk management and governance are so important
  • How we approach risk management and governance
    o Prudential standards
    o Supervision
  • Some observations on APRA meetings with boards

For clarity, my comments primarily relate to ADIs (Authorised Deposit-taking Institutions) and insurers, though in principle much of it will be relevant for superannuation trustees also. 

First, it is worth asking what is different about an ADI or an insurer? Why are they subject to prudential regulation and why might requirements for risk and governance be any different for them?

The simple answer is that they make financial promises to their customers which the community expects will be honoured.

And so as prudential regulator, APRA imposes requirements on these institutions, and on their boards in particular, that go beyond what might be required of, say, an industrial company.

Having said that, much of what APRA requires is just fundamentally good practice, but we have specific requirements that provide a framework and discipline for prudent management and strong governance.

[Diagram: Directors' responsibilities]
Sometimes our requirements for boards are misconstrued. In particular, APRA is occasionally accused of expecting too much of boards, and there is sometimes a belief that we expect boards to take responsibility for certain tasks that would normally belong to management.

It is unambiguously the case that we have significant requirements for boards of regulated institutions. However, there is no intent that any of those additional responsibilities would in the normal course of events lie with management. So let me be clear: APRA does not expect that the board takes on responsibilities that fall within the province of management under generally accepted practice.  The APRA requirements for boards are about strong governance.

We recently produced a reference document: An Aid for directors of ADIs and insurers. This gives some background and insights into this issue, and I would encourage those of you with an interest in prudential regulation to read it.

I will draw on some of the points the Aid makes today, but will also give you insights into a number of other matters.

While on the topic of the scope of directors’ duties, let me make a few comments about regulated subsidiaries within a conglomerate - for example, an insurance company within a banking group.  These sorts of structures can present particular challenges for the board of the subsidiary.  It is entirely appropriate that the group sets certain aspects of strategy and various policies that cover the subsidiary.  However, the board of the subsidiary cannot abrogate its responsibilities.  It still needs to meet the standards of good governance, including APRA’s requirements.  For example, before adopting a group remuneration policy, the subsidiary board would need to satisfy itself that the group policy was appropriate and effective in meeting regulatory requirements for the subsidiary’s business. It also would need to ensure that it is applied to senior staff of the subsidiary, not just to group senior management.  As another example, it would be inappropriate for a subsidiary board to simply defer to the group board in the oversight of a major issue emanating from within the subsidiary without due consideration of the implications for the subsidiary by its board.


Let me give you a bit of context for the rest of my presentation.

Those of you from the financial services industry will be familiar with some of what I am about to say, but it will help with the main points later in my talk today and I will be brief.

You may have a general understanding that we have a role in protecting the interests of beneficiaries of various financial institutions.  Our Mission expresses it as helping ensure promises made by institutions to beneficiaries are met in all reasonable circumstances.

[Graphic: APRA's core mission statement]
Of course, promises made by an institution are much more likely to be kept if it is prudentially sound.

[Graphic: a prudentially sound institution built on foundations of capital management, risk management and governance]
And a prudentially sound institution must have very solid foundations.

Those foundations have three key elements:

  • Capital management 
  • Risk management 
  • Governance 

Adequate financial strength and sound financial management are fundamental to the ongoing health of an ADI or insurance company. In particular, it is vital that adequate capital is maintained against the risks associated with its activities and that the minimum requirements in this respect as set down in the prudential standards are met.

I won’t dwell further on capital management today, but note that it is a critical complement to risk management, and governance plays a fundamental role in effective capital management.

All three elements of the foundation – capital management, risk management and governance must be strong. 

If any one of them is weak, then the foundations will be unstable, prudential soundness will be in doubt, and the promises to beneficiaries at risk.  

Our aim is to ensure each of the elements of the foundation is strong - but at the same time not over-engineered, so that efficiency and competition are not unduly compromised. 

Prudential Standards

We address risk management and governance in Prudential Standards (basically rules issued by APRA, which have the force of law).

There are specific requirements with respect to risk and governance in our prudential standards – in these ones in particular:

     Risk Management (CPS 220)
     Governance (CPS 510)
     Fit and Proper (CPS 520)

I will now touch on some key aspects covered by these prudential standards, starting with risk management.

Risk management

Significant financial and other risks are inherent in the business models of financial institutions. Robust risk management therefore lies at the heart of the prudent management of ADIs and insurers.

The prudential standards make it clear that the board must oversee, and is ultimately responsible for, the establishment and maintenance of an effective risk management framework.  The risk management framework is defined in quite a broad way, and so this is a significant aspect of the prudential requirements and a major responsibility for the board.

I want to focus on two key aspects of risk management – risk appetite and risk culture.

First the board must set the risk appetite within which it expects management to operate.  A well-considered, clearly-articulated risk appetite is the very foundation of sound risk management. Without this, risk management throughout the business will be carried out with unclear boundaries and expectations, subject to the interpretation of the various individuals involved and driven by their personal inclinations and incentives.  On the other hand, a tight, well-crafted risk appetite statement will ensure clarity for management, consistency across business lines, avoidance of over-exposure to a particular risk across the business, sensible allocation and use of capital, and few surprises for the board.

So setting a well-defined risk appetite should be top of the risk management list for the board.  This should be supported by a formal risk management strategy which describes the institution’s strategy for managing risk and the key elements of the risk management framework that give effect to this strategy.

Culture is a more nebulous concept. It is about what is truly important in an organisation. It is about the way people actually behave (rather than what they should do, or even would like to do).

It is generally accepted that inappropriate culture was at the root of many of the problems that emerged in the GFC (such as the packaging of poor quality mortgages into AAA securities and the way they were sold). And in the problems that came to the surface since then (such as the LIBOR scandal and the attitudes that allowed it to evolve). And indeed in many of the problems that emerged before the GFC.

And so an understanding of risk culture and its importance to prudent management is core to good supervision. What is risk culture? A reasonably simple way to look at it is like this: those aspects of the organisation’s culture that influence its management of risk.

APRA is significantly increasing the attention it gives to risk culture – which I sometimes refer to as the “soft stuff”, because it is so different to other aspects of prudential management and, rather contrarily, is actually quite hard to manage.

So what is needed for a sound risk culture? Here are a few thoughts:

[Graphic: drivers of an effective risk culture]
The risk appetite must be clear and unambiguous; the espoused values must be clear and consistent with the risk appetite and the business strategy; those values must be embraced across the organisation; and decision-making must be consistent with the values, risk appetite and business strategy.

All of those nice words will be just that – nice words – if remuneration and incentives are not aligned with the desired behaviour and culture, or if senior management or the board are seen to act inconsistently with the words.  I can’t stress this enough.   Reward staff to behave as you would want them to. Act as you would want them to act.

Under prudential standard CPS 220, the board must ensure that “it forms a view of the risk culture in the institution, and the extent to which that culture supports the ability of the institution to operate consistently within its risk appetite, identifies any desirable changes to the risk culture and ensures the institution takes steps to address those changes.”

So how does the board form such a view? Well, we are seeing a range of practices emerging - surveys, focus groups, views sought from the risk function and auditors, input from organisational psychologists, one-off exercises by consultants and more.


Let me now turn to governance.

Good governance is critical to the long-term viability of any company. APRA’s prudential standards require that regulated institutions have a rigorous governance framework, founded on the premise that a well-governed institution is critical to the protection of the interests of depositors and policyholders.

The ultimate responsibility for the sound and prudent management of an APRA-regulated institution rests with its board.

Key requirements of the prudential standards concern board size and composition, independence of the chair, and board renewal and board performance assessment.

There are requirements for specific board committees for each of remuneration, audit and risk.

Finally, persons who are responsible for the management and oversight of an institution need to have appropriate skills, experience and knowledge, and act with honesty and integrity. These skills and qualities strengthen the protection afforded to depositors and policyholders.  Accordingly there are minimum requirements in determining the fitness and propriety of individuals in positions of responsibility.

Ratings and quality assessments

That’s all very well and good, but how do we assess risk and governance matters?

APRA has a formal system for rating the institutions which we regulate.  We call it PAIRS – Probability and Impact Rating System. This system helps us to identify risk priorities, and is also used for organisational planning and resource allocation.

To build up the overall rating, we do a quality assessment of various aspects of the institution’s operations.  I thought it might be helpful if I gave an overview of how we build up the rating in the two areas in APRA’s methodology which are particularly relevant to today’s discussion:

  • risk governance; and
  • the board. 

In doing these quality assessments, we take a proportionate approach. That is, we take into account the size and complexity of the entity’s operations.  Small, simpler businesses may have relatively basic risk governance arrangements, for example, which are quite adequate for prudential purposes.  Larger and more complex entities will generally have far more comprehensive risk governance arrangements that provide, for example, more frequent reporting, tighter monitoring of complex activities and the aggregation of risks across all business lines and activities.

Practical aspects of quality assessments

In a practical sense, there is a guide for APRA supervisors as to how each of these factors should be considered and rated. 

The guide includes suggestions for documents and other sources which would help in the quality assessment, and these are used to compile the assessment.  They include board papers and minutes, prudential consultations, risk reviews, and discussions with management and board.

The area under consideration for the institution (i.e. risk governance or the board in our particular case today) is then assigned to one of six rating bands, from strong down to extremely weak.


We want to be consistent in our quality assessments of each area and in the ratings of institutions. It is important therefore that we tackle this systematically, given the wide variety of institutions and the many different APRA staff involved.

We produce written guidance and training for staff to help in this process. But we also carry out various benchmarking exercises. These are done on a regular basis, typically with institutions with a broadly similar profile e.g. large general insurers. This process includes peer comparisons which are reviewed by senior management.

All of this is complemented by occasional one-off thematic benchmarking exercises – typically when a new requirement is introduced, for example, the remuneration arrangements a few years ago, and more recently with respect to capital targets set by each company in the insurance industries.

Risk Governance

APRA’s quality assessment of risk governance addresses various aspects, including the following:

  • The role, responsibilities and effectiveness of the board in relation to risk governance.
  • The board committee structure and its effectiveness, as well as the role, composition and functioning of the three main committees - Audit, Risk and Remuneration.
  • The risk management framework.  This includes risk appetite, risk management strategy, policies, procedures and reporting, the risk management function, the capital adequacy assessment process, the review of the framework and so on.
  • Remuneration policy and work of the Remuneration Committee.
  • Compliance.
  • Internal and external audit.

Not surprisingly, this is all quite consistent with the prudential standards.

We don’t formally assess risk culture at present. Rather, our intention is to rely heavily on the board’s assessment of the institution’s risk culture and the process followed for this assessment.  Of course we do form opinions of risk culture through our various interactions with the institution, and I will talk more on this shortly.

The board

The quality assessment of the board considers the following broad areas:

  • Board charter and self-assessment.
  • The quality, skills and experience of all directors.
  • The board composition and independence.
  • Fitness and propriety matters.
  • Conflicts of interest.
  • Dominance of individuals.
  • Key person risk for the board.

Again, this is quite consistent with the prudential standards.


You might find this overview of the results of our quality assessments of risk governance and the board of interest.  You can see that there is scope for improvement for most institutions.  This partly reflects the increased focus APRA has given to these areas in recent years.

[Graphic: results of APRA quality assessments of risk governance]
[Graphic: results of APRA quality assessments of the board]

Some views based on experience

To finish up today, I thought it might be helpful if I were to pass on some views formed from my discussions with boards and directors over the five or so years of my time at APRA. I have participated in many such meetings and so inevitably have formed some thoughts on boards, how they carry out their role, and how they interact with APRA. And it is worth noting that my APRA experience has given me quite different insights to those gathered over many years in the industry serving on boards and reporting to them.

Before making further observations about our interaction with boards, I should say that by and large the boards that I have dealt with (mostly insurers, mostly the larger companies) are competent, have a diversity of skills, take their responsibilities seriously, and generally carry out their duties well. But I now want to delve a little deeper.

I mentioned earlier that we meet with boards of our regulated institutions at least once a year, and that for the larger institutions in particular we also have meetings with the chairs of the board and the main committees.

We meet with the board for a few different reasons.  First, it is an opportunity for the board to hear first-hand APRA’s views on the particular business and what is important to us as prudential supervisor.  At the same time, these meetings give APRA insights into the board’s thinking about the business – strategy, operations, people and so on.

It is also an opportunity to exchange views on the industry, which again is of benefit to both parties.

We form a view about the board itself based on experience at these meetings. This might be anything from a feeling of unease to quite strong positive or negative opinions based on objective criteria. These views are obviously important in a subjective sense in that they consciously or otherwise influence our attitude to the institution.  Also, they feed into the formal assessment of the board under the PAIRS process mentioned earlier. 

The starting point for interactions with the board could easily be misconstrued as a meeting of two parties with quite differing interests. However, the interests of the board and APRA are actually quite closely aligned. The board will generally have a keen interest in the institution being prudently managed, and it will be quite intent on promises to beneficiaries being met.  Yes, directors will often have the interests of shareholders foremost in their minds, but this need not be at the expense of beneficiaries.  It is all about balance.  Indeed, APRA has an interest in shareholders getting a fair return on their capital, because that helps maintain a viable and sustainable business, which is in the interests of both beneficiaries and the community.

One can argue that not only is there alignment of interests, but that we can, and do, provide strong support for each other.  For example, APRA’s requirements result in information and insights which might not otherwise be produced for the board.  A good example of this is the Financial Condition Report required for insurers, which over time has become a well-regarded resource for boards. At the same time, an effective board will make APRA’s job that much easier, and result in less intensive supervision.

And so these meetings are not inquisitions or examinations by APRA. They are about an exchange of views and opinions, and an opportunity to gain deeper insights for both parties. In the great majority of cases, the meetings reflect this broad intent. However there are occasions when the discussion is stilted or not as open as it might be.  This immediately causes our antennae to vibrate, and will therefore influence the way the meeting then plays out. On other occasions, we may need to convey clear and direct messages about concerns we have, and of course this too influences the tone of the meeting.

As is the case more generally, the Chair of the board has a strong influence on proceedings at these meetings, and that can manifest itself in both positive and negative ways.

Sometimes the Chair will dominate the contribution by the board to the discussion. They might tend to answer each question from APRA, without seeking views from their colleagues.  While it is important that we hear the views of the Chair, it is every bit as important that we hear from the other directors. 

Sometimes, individual directors appear reluctant to comment.  We then wonder why that is so.  Was there agreement beforehand that the Chair would do the running, and other directors would stay quiet unless they really have to make a comment? Or is the Chair unduly dominant, and what we are seeing is just normal behaviour for that particular board?

In other situations, we sometimes see too much deference to the views of the CEO, and that is always a concern.  We can and do meet with the CEO separately from the board, and so we don’t come to a meeting with the board to hear opinions from management. When this happens, we will try to redirect the discussion so that we hear the views of individual non-executive directors.

Sometimes, the meetings appear a little orchestrated. It looks like each director has been assigned a task or a topic on which they will comment. Now this may not be a bad thing - it’s to be expected that the board will discuss how to best approach a meeting with APRA and so it is not surprising that some boards will choose a disciplined and structured approach. In a similar vein, we sometimes will be invited to meet over lunch, which is not necessarily conducive to a robust conversation. In any of these sorts of circumstances, the challenge for us is to elicit the real views of the individual directors, and to convey the messages we think are important - even if they cause indigestion!

We sometimes have to change the dynamic of the meeting to do this. We invite views from other board members and see what response we then get; or we direct questions to individual directors, even when the Chair has already given views on the matter at hand.  We particularly expect the Chairs of the main board committees to participate in the discussion about the area of responsibility of their committee.

As with any board, a good mix of skills and backgrounds is very desirable, so that there is diversity of thought and a variety of experiences to draw on.  We don’t expect every director to be an expert in the industry, nor to have a deep understanding of the business.  However, we do look for the board as a whole to demonstrate these capabilities.  In particular, we hope to engage the board in a meaningful conversation about the business’s strategy.

We also don’t expect the board to have a detailed understanding of APRA’s prudential standards, but we do look for a working knowledge.  As an aside, management has an important role here to support the board.  A systematic way of informing the board of requirements – particularly at the point when they are relevant - can make it much easier for the board to stay abreast of its responsibilities.

As mentioned earlier, it is fundamentally important for the board to set clear bounds and expectations for management about acceptable levels of risk. So we look to see if the board has a good understanding of the importance of the clear articulation of its risk appetite, and is able to talk sensibly and with purpose about it. We also look to see that the risk appetite statement is used in a meaningful way in the management and governance of the business. Much progress has been made in recent years in this area, though it would be fair to say that most boards are still developing their thinking and understanding, and so we look for signs of ongoing improvement.

It is always good to see directors that are highly engaged in their board work.   This comes through with the way individual directors contribute to the discussion - the quality of their comments, the knowledge and understanding they demonstrate, their enthusiasm for the business and their role, their willingness to stand up for their position when challenged, and so on.  More than anything, this is what influences my own view of the board.  It is what most strongly contributes to the “gut feel” when I walk out of the meeting.

Let me touch briefly on the separate meeting with the Chairs (of the board and main committees) that I mentioned earlier.  The dynamics here are quite different to the meeting with the full board.  This is for a few reasons I think.  First, the meetings have only a few participants from both parties.  Secondly, we deliberately pitch the meetings as being relatively informal, and we often don’t have a structured agenda.  Thirdly, management are not present.  The conversation therefore tends to be much more open and free-wheeling, and in that sense can complement the board discussion quite well.  It is a great opportunity for us to understand the issues most exercising the minds of the Chairs, and for them to gain a better perspective on our views of the business and industry.  We certainly get real benefit from the meetings and, from feedback, so too do the Chairs.


I hope you have found these thoughts interesting, and that they have provided some insight into our views on risk management and governance, and how that influences our approach to supervision.

If there is one message for you to take away it would be this:  risk appetite and risk culture underpin risk management; and strong risk management and governance are crucial for the prudent management of an institution.


