APRA’s evolving approach to supervising risk culture
"... there has not been a case of a major prudential or conduct failing in a firm which did not have among its root causes a failure of culture..."
Andrew Bailey, Deputy Governor of Prudential Regulation and Chief Executive Officer of the Prudential Regulation Authority at the Bank of England, May 20161
What is risk culture?
Risk culture is complex. It is shaped and influenced by all the features of an entity but is intangible because it is based on perceptions and behaviours, and is constantly changing. It should be no surprise therefore that APRA’s 2019 review of risk governance in 36 of the country’s largest banks, insurers and superannuation licensees found the concept wasn’t well understood.
So what is it?
When APRA talks about risk culture, it is referring to an entity’s behaviours and attitudes towards risk taking and risk management. It is the “norms of behaviour for individuals and groups that shape the ability to identify, understand, openly discuss, escalate and act on an entity’s current and future challenges and risks”. Risk culture is not separate to organisational culture but reflects the influence of organisational culture on how risks are managed.
Risk culture therefore presents challenges to the traditional model of prudential regulation which has focused on assessing financial risks. APRA is unable to supervise risk culture using traditional models. In recognition of this, APRA is employing a broader range of supervisory tools and continues to incorporate a range of new practices within its own supervision philosophy, including surveys, interviews and focus groups, case studies and self-assessments.
Before and after the Royal Commission
APRA’s focus on risk culture predates the 2018-19 Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Royal Commission). Beginning in 2013, APRA reviewed how the prudential framework established the roles and responsibilities for risk management within financial institutions. The result was Prudential Standard CPS 220 Risk Management, which came into force in January 2015. Among other things, it introduced a new requirement for boards of APRA-regulated entities to form a view of risk culture within their entities2.
Supporting this new requirement, APRA established a small specialist risk team focused on issues of governance, culture, remuneration and accountability3 (GCRA), followed by the publication of an information paper4 in 2016 which outlined APRA’s increased focus on risk culture and observations around current risk culture practices.
In August 2017, APRA established a Prudential Inquiry into governance, culture and accountability frameworks and practices at the Commonwealth Bank of Australia. Its findings highlighted cultural issues at CBA including a widespread sense of complacency, a reactive stance in dealing with risks, being insular and not learning from experiences and mistakes. The findings were widely shared across the industry and it led to an enforceable undertaking by CBA to rectify identified weakness, and an additional $1 billion capital requirement4.
APRA subsequently wrote to the boards of 36 of the country’s largest banks, insurers and superannuation licensees asking them to conduct a self-assessment against the findings of the CBA prudential inquiry, and provide that assessment to APRA. APRA published a report on the findings of those self-assessments in May 2019, and imposed additional capital requirements on a number of entities.
The Royal Commission highlighted that the prudential soundness and reputation of a regulated entity can be seriously damaged by poor governance, misaligned remuneration structures and accountability mechanisms, leading to and reinforcing a poor risk culture5.
Royal Commission recommendation 5.7 - Supervision of culture and governance
In conducting its prudential supervision of APRA regulated institutions and in revising its prudential standards and guidance, APRA should build a supervisory program focused on building culture that will mitigate the risk of misconduct; use a risk based approach to its reviews; assess the cultural drivers of misconduct in entities; and encourage entities to give proper attention to sound management of conduct risk and improving entity governance.
Accordingly, APRA is intensifying its approach to the supervision of governance, culture, remuneration and accountability within regulated entities by further developing the tools available to assess them.
These issues have been further emphasised in APRA’s 2019-2023 Corporate Plan where transforming governance, culture, remuneration and accountability across all APRA-regulated financial institutions was identified as a key community outcome.
In November 2019 APRA published an information paper outlining an ambitious and comprehensive agenda for transforming GCRA across the industries it regulates. This approach represents a significant enhancement – in the resourcing, capability and intensity – of APRA’s supervisory focus on GCRA issues, and responds to the recommendations from the Royal Commission and the 2019 APRA Capability Review.
As described in the information paper, APRA’s approach to risk culture works on three strategic levels:
- Firstly, by strengthening CPS 220 to ensure it remains fit for purpose, APRA will set the foundation for clearer and firmer minimum expectations, and lifted minimum GCRA standards.
- Secondly, by sharpening supervisory practices, APRA has refreshed existing practices and adopted innovative techniques in supervision. To support this, internal resources and the size of the specialist risk culture team have increased6. The risk culture team has developed a framework for assessing risk culture across APRA-regulated entities and will have trained 155 supervisors in how to use the framework by the end of March 2020. A scalable and effective approach for conducting risk culture deep dive reviews has also been developed, and this has been used to undertake two risk reviews in recent months. The approach will be further refined and enhanced as more reviews are completed. An industry-wide tool to benchmark risk culture across industry sectors and cohorts of entities is also in scope.
- Finally, APRA will be more transparent in its approach by sharing its supervisory approach and findings7, promoting better practice, conveying key messages that can help to deter poor behaviour, and driving individual and entity accountability.
The intended outcome of this intensified approach to risk culture is to drive genuine change across the financial services industry. Its success will be measured by organisations that, while continuing to deliver sound prudential outcomes, understand and enable a risk culture that supports effective risk management practices.
1 Andrew Bailey: Culture in financial services – a regulator’s perspective: https://www.bis.org/review/r160519d.pdf
2 As set out in CPS 220, APRA expects boards to establish and maintain the risk culture that they consider to be appropriate for their institutions, given their strategy and risk appetite. APRA also makes clear that the board – supported by management – forms a view of the risk culture in the institution, and the extent to which that culture supports the ability of the institution to operate consistently within its risk appetite, identify any desirable changes to the risk culture and ensures the institution takes steps to address those changes.
3 The team was initially established to focus on governance, culture and remuneration issues. The Accountability stream was added following the implementation of the Banking Executive Accountability Regime.
4Information Paper: Risk Culture - PDF 756.36KB, October 2016.
5For an overview of APRA’s response to the Royal Commission, see 'Twelve months on: APRA’s progress on the Royal Commission recommendations' article, March 2020.
6 The GCRA team has grown significantly over the recent year to over 20 FTE, with 10 specifically dedicated to risk culture.
7 For an update on APRA and ASIC initiatives, including closer collaboration and information sharing, see ‘APRA and ASIC: a new era in cooperation’ article, March 2020.
The Australian Prudential Regulation Authority (APRA) is the prudential regulator of the financial services industry. It oversees banks, credit unions, building societies, general insurance and reinsurance companies, life insurance, private health insurers, friendly societies, and most members of the superannuation industry. APRA currently supervises institutions holding $8.6 trillion in assets for Australian depositors, policyholders and superannuation fund members.