Building resilience in three dimensions
Wayne Byres, Chairman – Australian Financial Review Banking and Wealth Summit, Sydney
One consequence of being a prudential supervisor is that I have a large and growing collection of Swiss passport stamps. Sadly, that doesn’t mean I have much opportunity to enjoy the country’s snow-capped peaks or rolling green hills. Most of those stamps are associated with days spent inside the BIS Tower in Basel, discussing regulatory policy, supervisory practices and emerging risks to the financial system.
When I was in Switzerland a few weeks ago for the most recent Basel Committee meeting, it was apparent from the conversations that there are still quite a number of countries that are dealing with legacies of the financial crisis 10 years ago: weak financial systems, high levels of non-performing loans and unprofitable banks. For a number of my peers at the table, financial system repair is still not complete, national fiscal positions remain challenging, and conditions are still dependent on accommodative monetary policy and central bank support. And this is a decade after the crisis, at a time when economic headwinds are starting to blow more strongly, and the outlook is less rosy.
In Australia, the global financial crisis is increasingly a distant memory, particularly as a combination of factors – including a healthy dose of good luck – meant its impact here was much less severe. Our financial conversation over the past few years has been increasingly directed towards conduct risk, amplified greatly over the past 18 months by the Royal Commission. This is entirely appropriate: treating customers fairly is a vital part of maintaining broader trust and confidence in the financial system in general, as well as in individual institutions. The industry, its regulators and government all need to do more to deliver on community expectations.
However, at a time when downside risks to the global economy are increasing and domestic conditions are moderating, it’s important that we don’t take the relative stability and soundness in the Australia financial system that we have enjoyed for some time for granted. A safe and stable financial system doesn’t happen by accident, and the economic and social costs of getting it wrong can be huge. There is a lot that goes on behind the scenes to constantly test the safety and soundness of the system, and strengthen its resilience. That needs to continue.
Today, I want to talk about resilience in the Australian banking system in three dimensions: financial resilience, operational resilience, and organisational and cultural resilience. My simple message is that we have made good strides on the first, need to continue to invest in the second, and have more to do on the third.
As I think most people in this room know, APRA has spent much of the past decade working to improve banking system resilience, primarily by lifting bank financial strength and improving lending standards to address emerging systemic risks. As a result, the risk-based capital ratios of the banking system are higher than they have ever been, the funding profile is more stable, liquidity levels are improved, and lending standards, particularly in relation to mortgages, have been materially strengthened.
We have recently had this work assessed by the IMF, who last year undertook an extensive review of the Australian financial system, and its regulatory framework. Pleasingly, the IMF concluded our actions had lowered financial stability risks and increased financial system resilience. They endorsed our policy efforts, and validated our stress test results, which showed that the large Australian banks are resilient to significant economic and financial shocks.
We can be comforted from this conclusion, especially at a time when the global outlook is becoming more uncertain. However, the IMF also made the point that, notwithstanding the good work done, there is more to do. Now is certainly not the time to take safety and stability for granted.
As we outlined in our recently published Policy Agenda for 2019, APRA will this year work to finalise the details of a new capital adequacy framework that encompasses Basel III and the ‘unquestionably strong’ objective set by the FSI. While the banking system by and large already has the requisite levels of capital, the allocation of that capital in a risk-based manner is also important for preserving resilience over the longer term.
But no matter how well we calibrate the capital framework, the threat of a financial institution failing can never be entirely removed. (Nor, I might add, is that our goal – we have not been tasked, and do not seek, to achieve a zero failure regime.) Therefore another of APRA’s important tasks is to plan for and, if required, execute the orderly resolution of a failing financial institution it regulates.
Planning for orderly resolution is critical for preserving the resilience of the financial system as a whole. There are two main legs to our work. The first is to improve loss absorbing capacity, particularly for large, systemically important banks where resolution is most difficult. We have been consulting on proposals to build greater loss absorbing capacity into bank liability structures. We’ve received feedback that our proposals need some revision. We will look at this carefully, but we do not wish to jeopardise two key objectives: developing a framework that is relatively simple to implement and understand, and that does not jeopardise the access to funding that high credit ratings provide. This will be an important area of work in the months ahead.
The second leg is to build on the important legislative reforms that were passed last year to give us an enhanced toolkit to deal with crises. We will be developing a prudential standard for recovery and resolution planning, which will set out the minimum preparations that are needed to ensure that, should the worst happen, the necessary pre-positioning is in place.
None of this is to suggest that we have immediate concerns about the safety and stability of the financial system. As I’ve noted on many occasions elsewhere, the Australian financial system is fundamentally sound. But I do want to emphasise that this should never be taken for granted. After a long period of benign conditions, it would be easy to do so. That would be a mistake.
Having a robust balance sheet alone won’t protect institutions from other dangers that can pose significant threats to their ongoing viability. Operational resilience is equally important. Financial institutions must have not just the financial capacity, but also the operational wherewithal, to prevent, absorb and respond to shocks in such a manner that critical economic functions are not materially disrupted. Regulators around the world are increasingly making this a priority issue. Our namesake in the UK, the Prudential Regulation Authority, is probably leading in this regard.
Establishing and maintaining operational service standards, and undertaking business continuity planning in anticipation of problems, have been staples of risk management for some time. But in an increasingly technology-enabled world, with a great deal of data and process management being performed by third parties, and many day-to-day services provided online without much in the way of human intervention, this risk is undoubtedly growing more complex to manage.
One of the most recent examples of our work in this area is on information security management. In late 2018, APRA released a new prudential standard: CPS 234 Information Security, and on Monday we released additional guidance to support it. The new standard seeks to strengthen APRA-regulated institutions’ resilience against information security incidents (including cyber-attacks), and their ability to respond swiftly and effectively in the event of a breach.
The standard requires institutions to, among other things, clearly define information-security related roles and responsibilities, maintain an information security capability commensurate with the size and the extent of threats to their information assets, implement controls to protect information assets, and undertake regular testing and assurance of the effectiveness of those controls. None of this can be regarded as optional, or a ‘nice to have’.
We have also developed additional industry guidance on the use of shared computing services, such as the cloud, and we have pressed institutions to invest further in the back end of their technology systems to deal with legacy products and obsolescence issues.
Operational resilience is another area that we should never take for granted. Given the evolving nature of potential vulnerabilities, it’s an area where continued investment by banks, and continued attention by supervisors, will be essential. Unlike the build-up of capital, it is a task that has no end. Making sure critical systems are protected, continue to operate reliably, and can be quickly restored when disrupted is just as critical to the ongoing trust and confidence in the financial system as bank capital and culture.
Building organisational and cultural resilience
That brings me to my third theme.
When I first started speaking about issues of culture in 2014, it didn’t attract much attention. Financial resilience – mainly in the form of the Basel III capital requirements – was dominating the discussion at that time. Increasingly, however, the concept of culture, and its link to long-run business success (and reputational damage), came to the fore. It has certainly dominated the discussion over the past year.
Unfortunately, talking about the topic is easy. As a leader of an organisation myself, I know that defining, building, measuring and sustaining the right culture is much more difficult. Many words have been written and spoken on the topic, but it largely remains an area of obvious risk without concrete new tools or frameworks that provide clear solutions.
Our own experience in Australia with the CBA Prudential Inquiry has been highly informative in thinking about how to tackle the issue. The Inquiry identified a number of significant organisational and cultural deficiencies in our largest and most financially successful institution. It was an expensive and resource intensive exercise, but the results were highly valuable, not just for CBA, but for all institutions. Indeed, its impact has stretched well beyond the financial sector, and well beyond Australian shores. Importantly, it illustrated how individual areas of weakness – each of which may not be particularly problematic on its own – can combine and compound one-another to create a broader structural weakness in organisational and cultural resilience. A key insight is that the multi-faceted nature of the problem requires a multi-faceted solution – there is no ‘silver bullet’.
After the CBA Inquiry, we asked all institutions to reflect upon the report and consider whether similar issues could exist within their own organisation. We also asked 36 of Australia’s largest institutions to conduct formal self-assessments against the report’s key findings, and submit those assessments to us at the end of last year. We will soon be publishing a paper on the overall findings. Today, I’ll just highlight a few high level themes that are evident.
First on process. We deliberately didn’t prescribe a process or give a template for the self-assessments. We thought there would be information value in seeing how seriously institutions chose to take the exercise, and the methods they elected to use. On the whole, the banking sector took the exercise very seriously – in some cases seeking to replicate the entire process followed by the CBA Inquiry. Insurers were also fairly diligent in most cases. Superannuation trustees tended to utilise a ‘lighter touch’ process, often justified on the basis that the problems in CBA couldn’t apply to them. Given one of the core CBA findings that success ‘dulls the senses’, and my earlier comment about small individual problems compounding into something more serious, I’d urge some caution against that conclusion.
As for outcomes, most organisations acknowledged a number of the issues outlined in the CBA report were present in their own organisations, albeit not to the same extent or depth. As a result, many reports produced a fairly lengthy list of action items that Boards have committed to address. Flushing out and addressing these issues is a positive, although it will be important that Boards and executives make sure they have truly identified the root cause of the issues – they need to treat the cause and not the symptoms.
A great example is complexity, which has been called-out in many self-assessments. Complexity seems akin to a noxious weed that has spread across the industry. There are many simplification programs currently underway, but unless the root cause of the complexity is tackled – the circumstances that allowed it to take hold in the first place – then what comfort do we have that it will not grow back to strangle businesses again?
To that end, an interesting observation is that while there was a fair degree of self-reflection and acknowledgement of issues under most of the themes in the CBA Report, in two areas the picture was notably more positive: the self-assessments of Board and executive performance. This, of course, begs the obvious question: how can boards and management give themselves a pass mark when they have identified a wide range of weaknesses in a number of key areas? Do Boards and management have a blind spot – that blind spot being themselves? It’s a difficult but important question to ask.
In the issues they have identified, the self-assessments, the Royal Commission and the CBA Inquiry have largely crystallised a number of mutually reinforcing pieces of work into a program of activity for APRA that will help strengthen organisational and cultural resilience:
- Incentives – in particular, work on executive remuneration designed to better align potential rewards with a holistic view of performance (capturing the ‘how’ as well as the ‘how much’). I will say more about this shortly.
- Assurance and compliance mechanisms – many problems have gone undetected too long, or been detected but not escalated quickly enough. Stronger and more effective compliance and assurance mechanisms are clearly needed.
- Accountability and consequences – clear and sharp accountabilities lay at the heart of good governance, and ensure there can be appropriate consequences for poor outcomes.
- Governance and risk oversight – overseeing all of this needs to be a stronger system of governance and risk oversight.
Together, these components of our work program will ideally help to reinforce a sound foundation of organisational and cultural resilience. But as I have said previously, regulators can’t regulate good culture into existence. We can help lay the platform, but ultimately it will be Boards and executives that do the heavy lifting.
I now want to come back to incentives and remuneration.
Last year at this event, I gave a speech titled ‘The incentive to fly safely’. My thesis was that, although flying is a risky activity, pilots and their passengers were highly aligned in their incentives: in that case, to take off and land safely. The incentives of bankers and their customers lack the same alignment. Our challenge was to make bankers more like pilots.
In that speech, I also outlined the results of an in-depth review APRA had done of remuneration practices. To return to my aviation analogy, we found it ‘too easy for financial pilots, unlike those who actually take to the sky, to walk away from the scene of an accident unscathed’. I concluded by saying ‘we are keen for industry participants to take up the challenge of improving themselves …. rather than waiting to be told what to do.’
I think it fair to say that attempts to move away from the conventional model of executive remuneration have not been wholly welcomed. Boards have struggled to gain acceptance that new approaches are needed. So it seems inevitable that regulatory intervention, and a greater degree of prescription, will be required to shift practices. That was also the conclusion of the Royal Commission, which tasked APRA to develop a much stronger framework of regulation and supervision of remuneration.
We will have more to say about this in the coming months – we have committed to commence consultation on revisions to current prudential standards by the middle of the year. But in the context of executive remuneration, I think there are a few aspects where the direction is pretty clear.
The first is metrics. The current system of executive remuneration based largely on the achievement of financial targets, including long-term incentives based primarily if not entirely on relative TSR, will have to change (indeed, the Royal Commission specifically recommended APRA impose a cap on the use of financial metrics for long-term incentives (LTIs)). From APRA’s perspective, we want to see remuneration based on a genuine and even balance of financial and non-financial considerations. We have yet to reach a view as to the right mix, but an obvious question for Boards is to ask themselves why 50:50 wouldn’t be a good starting point. And within whatever financial metrics are used, I’d argue there should be more than a single, share-price based metric. That would mean TSR would go from the primary, if not sole, determinant of LTIs to something less than 25 per cent.
The second aspect is discretion. Boards have a responsibility to ensure executive remuneration is appropriate. Given the complexity and nuance involved in performance assessment, that means more Board discretion, not less. That is, both more discretion in rewarding, and more discretion in judging whether rewards should ultimately vest. Totally formulaic approaches with high leverage that some investors seem to favour are not going to cut it in the future. That will also probably also require more transparency about decision-making, which is no bad thing.
The third aspect is malus and clawback. At this event last year, I noted that it would be disappointing if the industry viewed the minimum deferral requirements of the BEAR as the default. Disappointingly, that is what seems to have largely happened. We will be examining the case for longer deferrals, at least in some instances, to better align vesting with the emergence of risks. In addition, the Royal Commission recommended APRA require additional clawback arrangements. Many Boards argue that it is very difficult to make clawback work in practice. That may well be, but if so it won’t be the case of simply going without – longer deferral and malus periods, possibly combined with post-vesting holding locks, might be needed to compensate.
APRA’s wider focus
Before I conclude, I would just like to say a few words on the evolution of APRA.
As you have heard, the Government announced over the weekend a substantial increase in our funding. It won’t surprise you to hear me say that is very welcome. In the decade since the GFC, our role and activities have expanded notably, yet we still operate with roughly the same headcount we have had for the past 15 years. With the Royal Commission tasking us to increase the intensity of our work in many areas – in governance, culture and remuneration, in superannuation, and in enforcement to name a few – as well as needing to tackle a range of new areas of risk such as cyber, fintech and climate, a material change is needed.
So we very much welcome the announcement of new resourcing for APRA, and we will be utilising the Capability Review currently underway to make sure that resourcing is deployed most effectively. We will also be using some of it to implement the outcome of our soon-to-be-complete Enforcement Review, which we commissioned last year. While the Review is not yet final, APRA will remain a supervision-led agency with prevention as our primary goal. But we will be shifting from our past ‘enforcement as a last resort’ approach to one in which we are, in particular, less patient with uncooperative institutions, especially as we will now have both stronger powers and more capacity to use them.
To return to my core theme of not taking financial safety and stability for granted, the additional resourcing will allow us to have a wider focus, rather than a different focus. We will be able to broaden and deepen the scope of our supervision, while not taking our eye off the core financial strength that we have spent the past decade building.
Financial system resilience has been strengthened considerably over the past decade. Without the bitter experience of failure, it is easy to take the safety and stability that we have experienced in Australia in recent times for granted. But that would not be wise – disaster myopia is to be avoided at all costs. Financial systems are inherently risky, and we must continue to work hard – industry and regulators – to protect and preserve the resilience of our financial system into the future.
A key point I have sought to make this morning is that resilience is multi-dimensional. Financial ratios are not enough to provide the requisite level of organisational resilience that is critical to a sound and stable financial system. Moreover, the non-financial dimensions of resilience, unlike the achievement of a capital target, require continual investment. And experience tells us this level of investment will need to be greater than it has been in the past.
For Boards and executive leadership teams – and, I should add, for APRA’s supervision as well – it is important to make this extra investment in operational and cultural resilience without jeopardising the hard won gains in financial resilience that have been made over the past decade. As the broader economic outlook becomes cloudier, we need to make sure we are operating from a position of strength. Now is not a time to take anything for granted.
 See IMF (2019) available at https://www.imf.org/en/Publications/CR/Issues/2019/02/13/Australia-Financial-System-Stability-Assessment-46611
 See APRA’s Policy Priorities
(February 2019) available at https://www.apra.gov.au/information-papers-released-apra
 See, for example, the joint UK PRA/BoE/FCA discussion paper, Building the UK financial sector’s operational resilience
, available at https://www.bankofengland.co.uk/prudential-regulation/publication/2018/building-the-uk-financial-sectors-operational-resilience-discussion-paper
 See, for example, Peering into a cloudy future
, available at https://www.apra.gov.au/media-centre/speeches/peering-cloudy-future
 My first speech as APRA Chair noted ‘improving culture is … critical to long-run stability’. See Perspectives of the global regulatory agenda
, available on the APRA website at https://www.apra.gov.au/media-centre/speeches/perspectives-global-regulatory-agenda
 See The Incentive to fly safely
, available at https://www.apra.gov.au/media-centre/speeches/incentive-fly-safely
 Recommendation 5.3 of the Final Report of the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry.
 Total Shareholder Return (TSR). TSR is a measure of share price appreciation and dividends paid to show the total return to shareholders. A measure of Relative TSR is typically used to determine the vesting of long-term incentives. Relative TSR compares and ranks the company’s TSR with those of a selected group of peer companies.
 APRA’s budgeted headcount since 2005 has fluctuated in a fairly narrow range of 600 ± 30.