Helping regain the trust
Thank you for the opportunity to be part of this year’s RMA CRO Conference. As many of you will know, I’ve appeared at a number of these events over the years, and am a strong supporter of the RMA’s goals and objectives. Quite simply, a strong risk management profession is essential for a strong Australian financial system.
The theme of today’s event – ‘Regaining the trust’ – is both timely and important. The broader community has lost confidence that the financial sector understands and acknowledges the privileged position that it holds in society, and the obligations that come with it. While many issues being examined by the Royal Commission have long been public knowledge, they have not been at the front and centre of the public’s consciousness in such sharp detail as they are today. At the heart of many of these issues has been a miscalculation of the risk-return trade-off in the way business has been conducted. Reputation and trust have been undervalued in that calculation, and therefore squandered.
It is not the regulators’ job to regain that trust for you: the industry needs to earn and sustain the community’s trust through its own actions. There are, however, a range of regulatory and supervisory activities that APRA is pursuing that will support and reinforce your own efforts to restore the industry’s standing. I’d like to outline a few of these today. The message I want to leave you with is that, in each case, the risk management profession has an important role to play in making sure that change is not simply a regulatory compliance exercise, but rather a genuine transformation in the way business is conducted.
Our work on risk culture is an area that has attracted a lot of interest. In its early stages, some questioned whether APRA should even be playing a role in this space at all. Needless to say, I disagreed – indeed, my first public speech as APRA Chairman was to this forum four years ago, in which I highlighted culture as a critical but underappreciated component of the post-crisis regulatory response. Understanding attitudes to risk – the risk culture – are fundamental to gaining confidence that an institution has robust risk management and is likely to remain in a sound financial position. Traditional prudential requirements for adequate financial resources may not be sufficient if faced with poor governance, weak culture, or ineffective risk management. Documented frameworks, policies and procedures aren’t much value if the risk culture doesn’t reinforce them.
I do acknowledge, though, that our work on culture should be focused on those areas that are naturally of interest to a prudential regulator. That means we view it very much through a risk lens. Others, such as colleagues at ASIC, will have a different perspective. The most obvious example is in lending: APRA is primarily interested in the potential for a poor risk culture to produce bad outcomes for the bank (and hence depositors), whereas ASIC will place greater emphasis on looking for the potential for bad outcomes for the borrower. Nevertheless, these perspectives are quite complementary, and hence we work closely together as we go about our tasks.
The early goal in our risk culture work, coinciding with the commencement of CPS220 Risk Management in January 2015, was to raise awareness of the issue and make sure it was on everyone’s radar screen. On that score, we can largely say mission accomplished. But as you all know well, getting a good handle on the risk culture of an organisation – particularly a large and complex one – is no easy task. Moreover, in your organisations there will invariably be multiple variants, shaped not only by the core organisational culture but also by factors such as geography, business line and leadership style. Therefore, a challenge for the community of risk managers (and I include prudential supervisors within that community) is not only creating a sound infrastructure of limits and controls to guard against financial risks, but also to instil a culture of risk awareness and stewardship across the entire business, including for behavioural and reputational risks.
Following the publication of our October 2016 information paper on risk culture, we commenced a cross-sectoral pilot program of risk culture reviews. Our first attempts proved very informative, but also very resource intensive. Unfortunately, we concluded they were not going to be scalable. We then had to direct our resources to the CBA Prudential Inquiry, which is widely regarded as having produced a very comprehensive assessment but again is not something we could regularly replicate. So we are currently re-scoping our pilot risk culture assessment program – capturing the areas and techniques where we gained biggest ‘bang for our buck’ in our early work – to endeavour to make it more useable on a wider basis within our overall supervisory framework.
Importantly, though, in the same way that we don’t prescribe the business models and strategies that financial institutions must adopt, we don’t seek to prescribe the risk culture either. We expect executives and their Boards to establish and maintain the risk culture that they consider (and note, we do expect a conscious consideration) to be appropriate to their organisations, given their strategy and risk appetite. As set out in CPS220, we also make clear that it is the Board’s job – but inevitably supported by management – to form a view as to whether their risk culture is appropriate, and insist on changes when they consider it not to be the case.
In terms of this event’s theme – ‘Regaining the trust’ – it is clear there remains much to do. Not everything that the community regards as having gone wrong in the financial sector has been a product of poor culture or bad intent. In some cases it has been unwieldy infrastructure, cumbersome bureaucracy and blind adherence to process that has been at fault. But those factors can’t explain everything. As I alluded to earlier, risk – and hence risk culture – has too narrowly been looked at through a financial lens (‘what will it cost our bottom line?’), without regard to reputational impacts (‘what will it cost our good name and standing?’). The latter has been materially underestimated. This will need to change if the industry is to regain the trust, but it will challenge the risk (and regulatory) profession because it will require skills, expertise and insights that may not be in the domain of a traditional risk manager.
As you know, the Banking Executive Accountability Regime (BEAR) formally came into effect on 1 July 2018 for the largest banks. Other ADIs have until mid next year to get themselves ready, but our experience to date tells us that the earlier the preparation, the better.
For the largest ADIs now operating under the BEAR, our immediate goal was to have a credible implementation on Day 1. With a significant amount of work on both sides, we achieved that. The major banks have identified and registered their accountable persons, developed reasonably detailed accountability statements, and from these put together accountability maps for their organisations. All up, 85 individuals across the four banks have been registered – by and large, the directors and senior executive team, plus a few others.
Feedback has been that the set-up process did create some organisational challenges, including debate about where some accountabilities did actually lie. Clarifying that accountability has been valuable in itself. Having got the system operational, however, we do not regard the job as done. For a start, we will need to see how well the allocated responsibilities work in practice, and we are quite open to revisiting these as we learn from experience. Moreover, we will be looking to see how accountable persons understand and oversee their areas of accountability in practice – to repeat a point I have made already, having the paperwork in good shape is not enough.
With respect to those ADIs that will be subject to the regime from the middle of next year, my advice is it would be a good idea to start your preparations now if you haven’t already done so. The obligations of BEAR are significant, so it’s important that you take the time to get them right.
Returning to today’s theme, the BEAR will not necessarily aid the industry to regain the community’s trust, at least directly. The BEAR clearly has teeth, and use of the BEAR’s enforcement provisions will demonstrate to the community that there are going to be clear and material consequences for poor prudential outcomes. That will be welcomed. But it will only come after some event that has damaged the trust and standing of the industry in the first place, so at best the BEAR might help square the ledger ex post. Where I hope the BEAR will have a positive impact – albeit indirectly, and over time – is through forcing the industry to hold itself to account much more firmly and quickly than has been the case to date. This appears to have been the case in other jurisdictions that have introduced BEAR-style regimes, and I certainly hope that we will see a similar impact here.
One of the components within the BEAR that has attracted quite a bit of attention is the remuneration requirements, which come fully into effect during the course of 2019. The BEAR requires ADIs to defer a minimum proportion of an accountable person's variable remuneration – generally 40 per cent for executives, or 60 per cent for the CEO, of a large bank – for a minimum of four years. It also requires ADIs to have remuneration policies that provide for the reduction in variable remuneration should an accountable person fail to comply with their obligations, and – importantly – to exercise the provision should circumstances warrant it. I would like to remind everyone – because a perception still seems to persist to the contrary – that it does not involve APRA determining who gets paid what.
We are starting to meet with industry groups to ensure there is a clear understanding about how these provisions will work. They also provide an opportunity for us to get an update on the industry’s thinking as part of our broader work on remuneration. As you know, earlier this year we released the findings from the review of remuneration policies and practices across a sample of large APRA-regulated entities. The review found that remuneration frameworks and practices across the sample did not consistently and effectively meet our objective of sufficiently encouraging behaviour that supports risk management frameworks and long-term financial soundness. Though all institutions had remuneration structures that satisfied minimum requirements, implementation was often some way from better practice.
There are several areas for improvement highlighted in the remuneration information paper but today I would like to flag three key areas in which improvement is needed. All will aid your objective of ‘regaining the trust’.
The first is outcomes. Our review noted multiple examples where employees at lower levels received downward adjustments to their remuneration, but these were not always matched by corresponding adjustments at an executive level to recognise overall line or functional accountability. As I have said previously, that is not to imply there should be a one-for-one adjustment. However overall, senior executives seemed somewhat insulated from the consequences of poor risk outcomes. This must change.
The second aspect is metrics. Financial metrics should be part of any performance assessment. However, excessive weightings can drive behaviours that don’t support the long-term success of the company. One reason that there seemed to be a misalignment between outcomes and remuneration was that measures by which performance was judged are too focused on shareholder metrics such as return on equity (RoE) and total shareholder return (TSR). The current structure of long-term incentives in Australia is particularly problematic in this regard, and is out of step with how best practices in remuneration are evolving internationally. This will also have to change.
The third aspect is oversight. Our review also found shortcomings in the oversight by Board Remuneration Committees (BRCs) of remuneration practices and framework. From insufficient challenge to insufficient documentation, it was clear that stronger governance of executive remuneration is needed. For those of you in banking, the BEAR will oblige this. BRCs cannot do this without help, however. To provide a proper risk lens to any performance assessment, a more structured and systemic contribution from the risk functions within banks will be needed. Many of you in this audience have a critical role to play in making that happen.
We have signalled that we intend to strengthen our prudential requirements in these areas. But we have also made clear that boards and senior executives shouldn’t wait to take action themselves to improve the design and implementation of their remuneration frameworks. Pleasingly, a number of entities have already told us about changes they are making in response to the issues we have raised. As senior leaders in the risk profession, I’d encourage you all to take a leadership role in this area to drive change. That will do far more to demonstrate a genuine commitment to ‘regaining the trust’ than simply complying with new requirements imposed on you by regulators.
Many of you will have cut your teeth on concepts such as value at risk, probability of default and loss given default, Monte Carlo simulations and dynamic financial analysis. These quantitative risk management techniques remain critical to managing the day-to-day business risks of a financial institution: after all, taking financial risks is how financial institutions survive and (hopefully) prosper.
With hindsight, however, it’s open to question whether the ‘quantification’ of the risk management profession has created something of a blind spot for those types of risk that are difficult to quantify. The finance industry, and the risk profession that serves it, has a natural affinity for measuring things in dollars and cents, percentages and basis points. But that means the conventional risk management frameworks and processes find it difficult to grapple with difficult-to-quantify risks, such as those relating to behaviour and reputation. If what gets measured gets managed, then I suspect that has played some role in bringing the industry to where it is today.
As risk professionals, rectifying this is one of the key challenges before you, and events such as this indicate you understand the challenge very well. For our part, we see the industry’s efforts to strengthen risk culture, improve accountability and develop more balanced performance measurement and remuneration practices as highly aligned with good prudential outcomes. Our prudential agenda will be therefore be supportive of yours. But to borrow from the former President of the New York Fed, Bill Dudley, increased regulation is an insufficient substitute for trust. As much as we might help, you will have to do the heavy lifting. It will ultimately be the industry’s collective behaviour that determines the extent to which the trust and confidence of the community is regained.