The story behind the numbers: Combatting the high cost of non-financial risks
APRA has good relationships with all the industry associations we engage with, but our connection with the Actuaries Institute is closer than most. I think that’s because APRA and actuaries have a great deal in common; we specialise in identifying and managing risks; we aim to rectify problems before they cause harm, rather than trying to fix them after the damage is done; and we have a commitment, not only to the soundness of individual companies, but to the interests of the community and the greater good. It should be no surprise, therefore, that APRA employs many actuaries, including my fellow Deputy Chair Helen Rowell, and that we highly value submissions from the Actuaries Institute to our various consultations.
As ex-ante risk managers, both APRA and actuaries face the challenge of evolving in response to changing circumstances in the Australian financial sector, including those driven by the Hayne Royal Commission. As I noted in a speech to the Insurance Council of Australia in February, too often the misconduct or poor industry practices highlighted by the Royal Commission were well-known, yet companies had failed to address them. In many cases, that was due to short-term financial gains from practices such as charging fees for no service, or relying on outdated medical definitions. As we have seen, the companies involved paid a high price in the long run.
Financial sector trust is now tarnished, while banks, insurers and superannuation licensees face a lengthy period of heightened scrutiny, increasing the possibility of further reputational damage. Amid clear evidence that risk management remains weak in financial institutions, it is apparent that boards and senior managers need a stronger, louder and more insistent voice on their shoulder urging them to think again. Someone senior and trusted. Someone independent. Someone with expertise in identifying and assessing risks. You can probably see where this is heading.
In a matter of weeks, APRA’s new cross-industry standard, CPS 320 Actuarial and Related Matters, comes into effect. APRA is introducing this standard to strengthen the influence of the Appointed Actuary in general, life and private health insurers, especially on the most material matters. My message today is that this influence cannot be confined to traditional financial risks, given the substantial damage to prudential soundness that can arise from the poor management of non-financial risks. Actuaries must learn to find the story behind the raw numbers – and then have the courage to speak up – if they are truly to fulfil their role of assisting with the sound and prudent management of an insurer, and ensuring the protection of policyholder interests is adequately considered.
Non-financial risks – a misleading description
A little over a fortnight ago, APRA released a paper analysing the findings of 36 self-assessments by some of the country’s leading banks, insurers and super funds. We wrote to their boards last June asking them to conduct the self-assessments in the wake of the landmark Prudential Inquiry into Commonwealth Bank of Australia (CBA) to gauge whether similar weaknesses existed in their own institutions. Our analysis determined that they did, although not to the same extent or depth as CBA. Among the most consistent themes to emerge were that non-financial risk management was frequently weak; and many of the issues raised were known to entities and were often long-standing. As a result of the self-assessments, we have intensified and more precisely targeted our supervision of entities, and in some cases we are considering imposing additional capital requirements due to the materiality of the weaknesses identified.
That’s the thing about non-financial risks: left unaddressed, the consequences become distinctly financial in nature. In the wake of the Royal Commission, our major banks have seen their profits eroded by the cost of remediating aggrieved customers and upgrading or putting in place systems to stop it happening again. The four major banks have already collectively spent or set aside nearly $7 billion and that number is likely to rise further. Failing to adequately manage risks relating to anti-money laundering and counter-terrorism financing laws saw our largest bank fined $700 million by AUSTRAC. Overseas, successful cyber-attacks have caused major financial and reputational damage to some of the world’s largest companies, including Yahoo, Marriott and eBay. APRA has warned repeatedly that it’s only a matter of time before an Australian bank, insurer or super fund falls victim to a cyber-attack, and noted that – in a worst-case scenario – such an attack could threaten the entity’s viability.
In the aftermath of the Royal Commission, financial sector companies face the additional threat of regulators with a lower tolerance for misconduct or poor risk management, and a higher appetite for exercising their formal enforcement actions, including litigation where appropriate. Our colleagues at ASIC are now asking “Why not litigate?” when confronted by breaches of the law, and have demonstrated several times over the past year that they are not bluffing. APRA is also moving on unacceptable practices. Last month, we launched our new Enforcement Approach, including a commitment to adopt a “constructively tough” appetite towards enforcement action. As a prudential regulator, rather than a conduct regulator, APRA will still focus on preventing harm with the use of non-formal supervisory tools. However, we will be less patient with the time taken by uncooperative entities to remediate issues, more forceful in expressing specific expectations, and prepared to set examples using public enforcement to achieve general deterrence.
Added to this, entities must also contend with the Banking Executive Accountability Regime (BEAR), which applies to all authorised deposit-taking institutions from 1 July, and will soon be expanded to cover insurance and superannuation. Not only does this regime make boards and executives (including – potentially – senior actuaries) more accountable for their individual performance, companies themselves face penalties for failing to meet their obligations under the BEAR, or whatever threatening-sounding acronym is created for the insurance and super sectors. In short, the consequences of failing to properly identify, assess and mitigate risks, especially non-financial risks, are higher and potentially more expensive than they have been for many years.
Time to act-uary
To address our concerns about the potential flow-on effects for risk management, APRA embarked on a consultation in 2016 to streamline and sharpen the role of the Appointed Actuary in general and life insurers. Midway through the consultation, we expanded the scope to include private health insurers, recognising that many of the issues existed in all three sectors, and that there were benefits in harmonising the prudential requirements in a new cross-industry standard.
The outcome was the new prudential standard CPS 320, which takes effect from 1 July. One of the most important parts of the new standard is its purpose statement which guides the role and its relationship with the Board and senior management. It states that the purpose of the Appointed Actuary is to ensure that the board and senior management have “unfettered access to expert and impartial actuarial advice and review”. With that in mind, APRA has designed the new standard to ensure the voice of the Appointed Actuary is appropriately prominent in institutions, and able to act as a trusted advisor to the board. Other provisions in CPS 320 are aimed at giving Appointed Actuaries the flexibility to work with insurers to design a framework for obtaining actuarial advice that suits their business. We want Appointed Actuaries to have the discretion to delegate so they can focus on the most relevant matters, and not be weighed down by a tick-box approach of considering a set list of matters specified in a prudential standard.
Although an important step in reinforcing the status of Appointed Actuaries, a prudential standard can only do so much. APRA has provided the platform and handed over the microphone; actuaries need to turn it on and speak up. To be truly effective, actuaries must be prepared to probe, test and challenge boards and management about the wisdom of their decisions, and potential risks they may not have fully considered. Vitally, actuaries need the ability to do this beyond the realm of traditional financial risks. We want them to broaden their thinking about what constitutes a financial risk into areas such as culture, governance, remuneration and consumer outcomes. This applies not only to Appointed Actuaries, but all actuaries, and across all APRA-regulated industries.
A reflexive reaction may be to argue that we’re asking actuaries to go beyond their training and expertise. That’s not the case. APRA doesn’t expect actuaries to be running their eye over marketing campaigns, signing off on board appointments or conducting staff surveys seeking signs of a poor culture. We understand that actuaries are focused on numbers, but numbers can tell a story beyond simply profit or loss. If a particular policy that your insurer sells pays out less than 20 cents in the dollar of premium raised in claims, what does that suggest to you about the value for money that policyholders are getting? If your life insurer is taking an average of eight months to pay death cover claims, or accepting only one in four total and permanent disability claims, does that raise alarm bells for you? We don’t expect actuaries to always know what the precise story behind the numbers is, but we do believe they need the nous to recognise there may be a problem, and the courage to push boards and senior executives to examine and address it.
I’ve personally seen this kind of actuarial influence in action. In my previous role at Treasury, I worked closely with the Australian Government Actuary, and saw first-hand the invaluable contributions they were able to add to discussions around some of the most vexing and contentious policy questions the country faces: retirement incomes, the impact of an ageing population on welfare and health expenditure, defence and national security.
APRA’s evolving approach
Our new Information Security prudential standard, CPS 234, takes effect from 1 July to shore up entities’ resilience against the risk of cyber-attack, and we will shortly be releasing updated prudential guidance in this area. We’ve stepped up our supervisory focus on the management of climate risk, and we intend to review our cross industry governance and risk management standards this year to ensure they encourage a sharper focus on non-financial risks. We have also started looking at how to refresh our guidance to superannuation licensees around environmental, social and corporate governance.
On the Royal Commission, we continue to gather evidence on each of the 12 referrals to APRA, and expect to be able to make an assessment on the merits of further action in coming months. With respect to the 10 recommendations which fall within APRA’s responsibilities, we released the first proposed policy changes – in relation to land valuations, particularly for agricultural land – in March. Other actions remain on track against the action plan for each recommendation that we published in the week after the Final Report was released.
APRA’s heightened focus on the management of non-financial risks does not in any way diminish the responsibility that boards and management have for the performance of the companies they oversee. APRA will not be determining what executives get paid; we will not be dictating what companies’ corporate culture should be, or prescribing the composition of their board. Our role is to ensure the companies we supervise have effective systems and frameworks in place that optimise their ability to meet the financial commitments they make to their customers. And like a good actuary, we intend to continually challenge boards and executives to ensure the standards they aspire to are being met in practice, and unnecessary risks avoided.
A higher standard
Three years on, that statement might seem slightly antiquated, with no reference to the non-financial risks that have caused such damage to trust, reputation, profits and share values. But as I have said, the term “non-financial risk” is arguably misleading; a failure to quickly identify, assess and mitigate against these risks – be it misconduct, weak governance or just poor customer service – can become prohibitively expensive. Just as APRA has needed to evolve its approach and update the prudential framework to put greater emphasis on issues of culture, conduct, governance and accountability, so must the entities we regulate. Newly empowered by CPS 320, Appointed Actuaries can play a key role in taking a broader view of what represents a financial risk, but all actuaries can benefit by adopting this mindset.
In an environment where financial entities face sharper scrutiny and steeper penalties for mistakes, actuaries must find the story behind the numbers, ask boards and management the difficult questions, and be prepared to challenge them if dissatisfied with the answers. Speaking out is not always easy, and a dissenting voice is not always welcome; actuaries may find their louder voice is occasionally jarring for those whose decisions they question. Where actuaries need the courage to speak up, the companies they work for need the wisdom to listen, and the foresight to act when new risks are presented. The numbers always tell a story, and it is far safer – and less costly – if it is uncovered by an Appointed Actuary than an investigative journalist or a regulator with an enhanced appetite for enforcement.
 Social Risks for a financial services business - Ian Laughlin
The Australian Prudential Regulation Authority (APRA) is the prudential regulator of the financial services industry. It oversees banks, credit unions, building societies, general insurance and reinsurance companies, life insurance, private health insurers, friendly societies, and most members of the superannuation industry. APRA currently supervises institutions holding $6 trillion in assets for Australian depositors, policyholders and superannuation fund members.