Piloting a way forward
Good afternoon, and thank you for the invitation to speak today.
In the almost seven years I’ve been Chair of APRA, APRA’s operating environment has constantly evolved. What’s been asked of us has only expanded. The onset of COVID-19, however, saw our priorities sharply narrow. We paused a range of policy and supervision initiatives so our attention – and the finance industry’s – could prioritise dealing with the immediate, severe economic and financial impacts of the pandemic. Safety and stability were paramount, and the strength of the financial sector allowed it to play a critical role in supporting the Australian community through a very difficult period.
The eruption of a crisis, however, doesn’t mean other issues go away. Now the economic recovery is well underway, it’s important we start to look more broadly again.
With that in mind, APRA published its supervisory and policy priorities at the beginning of the year. They cover quite a wide range of issues and activities. I won’t attempt to run through them all here, as I couldn’t do them justice and if you are interested they’re available to read at your leisure.
Instead, I’m going to focus on three important issues that are relevant right across the financial sector, and are critical to its long-term strength and resilience. In doing so, I will highlight some new programs of supervisory activity that we are piloting. Just as the world we operate in is always evolving, so must the way APRA goes about its task.
The first is climate-related risks.
Since the Australian Government became a party to the Paris Agreement in 2016, APRA has been raising awareness of climate-related risks to the financial sector.
In many respects, this has been pushing on an open door. The industry as a whole has been increasingly alert to the potential risks of a changing climate. The general insurance sector, for example, which is at the forefront of many of the physical climate risks, needs no regulatory impetus to want to understand the issue better. And there are a number of industry-led initiatives underway, such as the Australian Sustainable Finance Initiative, that seek to build a more resilient and sustainable financial system.
However, given the long-term and unprecedented nature of climate risks, understanding and managing them is easier said than done.
Scientists and governments have been discussing how to respond to a changing climate for decades, and over time the relevance of climate risks to businesses and economies has been increasingly recognised. Even so, the processes, tools and data to measure, monitor and manage climate-related financial risks are still developing. There is a deficit of data on how these risks will unfold, in what areas, and over what timeframe. Added to that, the complexity of financial risks and global supply chains means that understanding where and how climate risks will impact on the finance sector is not easy.
Against that backdrop, last Thursday APRA released a draft prudential practice guide to help financial institutions to better understand and manage the financial risks flowing from climate change.
The draft guidance responds to climate-related risks that are growing in size and importance. Financial institutions need to understand where, how and to what extent those risks will impact their business, and consider how they should respond.
Importantly, the guidance doesn’t tell banks who to lend to, it doesn’t tell insurers what to insure, and it doesn’t tell superannuation funds where to invest. Those are decisions for financial institutions themselves.
The draft guide does, though, emphasise that climate considerations need to be part of any decision-making process if financial institutions want to make well-informed decisions. And an improved understanding of the impacts of climate change should equip the financial sector to grasp the business opportunities that a changing climate will generate, as new investment is needed, new technologies emerge, and economies and new businesses grow.
On the day we released the guidance, I was asked by a journalist what I thought the biggest risk was from a climate perspective. I said it was that financial institutions might be caught unawares by, and hence unprepared for, the changes occurring around them. Those changes are not just the physical risks from a changing climate itself but also from government policy changes occurring around the world, which are in turn changing the dynamics of economies and industries, as well as changing investor demands and community expectations.
The risks are increasingly very real, and immediate:
- The physical risks of a changing climate are manifesting in extreme weather events. After a year of not just COVID, but also devastating bushfires, storms and floods, the latest CSIRO-Bureau of Meteorology State of the Climate report presents a future of more extreme weather events – more heat extremes, more time in drought, more intense rainfall events.
- Transition risks are evident in the shifts occurring in the value of climate-affected assets.[1]
- And we saw an example of liability risks in the legal action launched against superannuation fund Rest; in November last year, the fund settled the suit by agreeing to set a net zero investment strategy and to implement climate risk considerations into its management processes.[2]
Thankfully, boards of financial institutions have the same interest in not being caught unawares, which explains why the impetus for the practice guide came from industry requests for clearer guidance on APRA’s expectations, and examples of better practice.
As the Prime Minister said recently, “the world’s response to climate change is simultaneously reshaping the global economy, global politics and the global energy system.”[3] Australia has developed the Technology Investment Roadmap to accelerate the development and commercialisation of low emission technologies. Last week’s virtual climate summit of world leaders saw a number of jurisdictions announce new plans to cut emissions.[4] The EU is examining a carbon border adjustment mechanism. New Zealand introduced into Parliament two weeks ago a law to require the financial sector to disclose the impact of climate change on businesses, and how they will manage the risks and opportunities. The UK is consulting on a similar proposal.
International regulatory bodies are also active. The Financial Stability Board, the Basel Committee on Banking Supervision, and the International Association of Insurance Supervisors all have task forces actively working on the issue.
All of these developments underline the importance of understanding the significant shifts that are not just underway, but gathering momentum. Financial institutions need to think about how these actions will impact on their businesses, as well as those of their customers.
One of the biggest challenges in doing so is to shift from subjective judgements to data-driven analysis. The scientific link between rising carbon emissions and warming temperatures is clear, but the tools and methods for risk analysis are still in their relative infancy. Not only are the direct impacts difficult to assess, but so are the potential technological and policy responses.
But that’s no excuse for not trying. Therefore, the second major plank of APRA’s current work program on climate-related financial risks is our pilot climate vulnerability assessment (CVA).
Starting with the five largest banks, the CVA will help to measure the potential financial exposure of institutions, the financial system and economy to climate-related risks; and boost understanding of how institutions might adjust their business models in response to different climate scenarios. Our goal is to better identify and measure the links between climate science and financial risk within the context of existing industry risk assessment frameworks. Without this linkage, climate-related financial risk cannot be effectively considered nor managed by the Australian financial sector.
Of course, APRA is not a scientific body, so we face many of the same data and modelling problems as financial institutions. Fortunately, Australia has some world-class scientific bodies, and APRA is working with the CSIRO to see whether it is possible to leverage their expertise in climate change and modelling as part of the CVA pilot. This would, when combined with the climate scenarios developed for international use by the Network for Greening the Financial System, provide a strong science-based foundation and a degree of international comparability to the analysis.
We are approaching the pilot CVA very much on a partnership basis, working with the participant banks on the principles, method, scope and timeline as we finalise the design of the assessments. Once we have the results – likely to be later this year – we will look to see what lessons learned about the overall outcomes can be published to aid other industry participants. We will also be able to give some thought to how the CVA exercise can best be expanded to other parts of the financial system. A better understanding of this complex issue can only help the financial system to manage the risks.
To sum up, our work on climate risks reflects our preventative, prudential role. Financial institutions exist to take risks, and our role is to make sure those risks – from whatever source – are identified, measured, monitored and (most importantly) managed. Climate risks pose some unique challenges, but the broad objectives for APRA are no different.
Governance, culture, remuneration and accountability
The second area I want to discuss today is the set of topics that we have come to short-hand as GCRA: that is, governance, culture, remuneration and accountability.
APRA’s work in this area started, in many respects, just after the GFC. Risk culture, or more correctly an absence of an adequate risk culture, lay at the heart of the sub-prime crisis that emanated from the US. Poorly structured incentives and an absence of accountability for poor outcomes created a recipe for excessive risk-taking that proved very costly for society.
The Hayne Royal Commission, and APRA’s own CBA Prudential Inquiry, showed that Australia was not immune to the failings that had been uncovered elsewhere, and that much more needed to be done when it came to culture, incentives and accountability in the financial system.
Public attention on GCRA issues has faded somewhat since the Royal Commission. I think this partly reflects the overwhelming nature of COVID-19, but also reflects that many banks, insurers and superannuation funds are working to lift their games. We also deliberately slowed down our work in 2020, and reallocated resources to more pressing issues.
Our GCRA initiatives, however, didn’t stop, and we remain of the view that systemic weaknesses in GCRA are often the root cause of problems that crystallise into significant, unexpected and damaging financial losses. With that in mind, I’d like to mention two important initiatives that evidence our continued commitment to lifting standards of governance, culture, remuneration and accountability across the financial system.
The most notable – and often the most emotive – is our ongoing work on remuneration. Late last year, we released for comment an updated prudential standard on remuneration. Later this week, we will release for consultation a draft prudential practice guide to aid in its implementation.
In releasing our updated prudential standard late last year, probably the most significant change was a shift from a more prescriptive approach to a more principles-based one. That was done in response to industry feedback that the level of prescription was unnecessary, created problems for the diversity of institutions to which it applied, and in some cases could even be counter-productive. We accepted that argument, but the principles-based approach has in turn led to requests for more guidance on how to turn the principles into practice. Our draft guidance being released this week is designed to help in that regard, particularly as many boards are not sitting and waiting for the final standard to be released, and want to get on and make changes to their arrangements now.
Just as our work on remuneration is challenging long-standing conventions, we are also trialling a new approach to examining risk culture.
Our traditional engagement with financial institutions occurs primarily through boards, senior executives, and risk and compliance personnel. We can form views about an organisation’s culture from those engagements, but it’s always going to be highly judgemental, less than comprehensive, and very difficult to benchmark against others.
To improve on that, we’ve recently commenced a pilot risk culture survey involving 10 general insurers. The survey is similar to the successful British Banking Standards Board Employee Survey, and involves staff in the pilot institutions completing an online survey of 40-odd questions that explore attitudes and behaviours in relation to risk, and willingness and capacity to speak up when things aren’t right.
The results have just come in, and it is too early to say much about them beyond that we got a good coverage of staff across each of the pilot entities. If the pilot proves successful, our ambition is to launch the survey to around 60 institutions across the banking, insurance and superannuation industries from the second half of this year.
All going well, we plan to use the survey to identify themes across the industry that are impacting risk culture, as well as particular institutions that we might want to look at more closely. For participants, the survey will help them assess their risk culture maturity over time and relative to peers, identify areas where action is needed, and fulfil their obligations under APRA’s standards.
Most importantly, we hope the survey will provide important evidence of whether all of the efforts to improve risk culture, within individual institutions as well as across the industry, are having a genuine impact.
Cyber security risks
The last, but definitely not least, of the topics I want to talk about is cyber risk. Of the three areas I’ve covered, cyber presents arguably the most difficult prudential threat: unlike GCRA or climate risk, it’s driven by malicious and adaptive adversaries who are intent on causing damage. Cyclones and bushfires can be devastating, but they’re not doing it on purpose.
There will be few organisations that don’t have cyber near the very top of their risk registers. It’s also high on ours. Our first prudential standard related to cyber, CPS 234 Information Security, came into effect in July 2019, and in November last year, we unveiled our new Cyber Security Strategy. The strategy has three primary focus areas: to establish a baseline of cyber controls; to enable boards and executives of financial institutions to oversee and direct correction of cyber exposures; and to rectify weak links within the broader financial ecosystem and supply chain.
The financial sector is a piece of core economic infrastructure for the country, and its cyber defences are therefore of great importance. However, the Australian financial system is an ecosystem of many thousands of interconnected financial entities, markets and infrastructure – not to mention all of the related service providers. The system is only as strong as its weakest link, but APRA only directly supervises around 680 of these.
Our new strategy therefore recognises the necessity to work closely with other arms of government, including our peers within the Council of Financial Regulators (CFR) as well as the national security agencies and the Department of Home Affairs, if we are to achieve our objectives. Working collectively to share intelligence, pool resources and respond quickly to plug gaps and fix weak links are essential tactics to keep adversaries at bay.
Given the nature of the issue, we all need to move with speed. Work is now well underway to finalise a process of independent cyber security reviews across all APRA-regulated industries. We are close to completing an initial assessment process with nine pilot entities. Based on learnings from the pilot, this will be followed by a 12-month period where all APRA entities will be asked to conduct independent assessments against CPS 234, providing an important baseline level of assurance across the system.
We also want better information on an ongoing basis, so are piloting a new data collection exercise on technology and cyber risks. And we are working on a more active cyber defence testing regime in conjunction with our colleagues in the CFR agencies. This involves enlisting specialist expertise to actively probe for gaps and weaknesses in an institution’s cyber defences, using tools and techniques employed by real life adversaries. We have a pilot exercise underway, which we hope will give us valuable insights into not just the cyber resilience of individual institutions that are part of the pilot program, but also any systemic weaknesses that may present a risk to the integrity of the Australian financial markets and financial system.
None of what I’ve said today should suggest APRA is being any less vigilant in areas that might be regarded as its more traditional areas of focus.
The Australian financial system has been resilient through the COVID period because of its underlying financial strength, and evidence from around the world is that strong financial systems have been a major advantage in responding to the crisis.[5] For those reasons, we remain focused on the system’s core financial health. It needs to be there when we need it most.
But the threats to that health are always evolving. So, APRA cannot stand still; we need to evolve our tools and methodologies in response. I’ve outlined today some issues which are not new, but where the risks have very much come to the fore in recent years. We are adapting our supervision in response, launching a number of pilot projects to trial new ways of doing things. We need the financial system to adapt and respond as well.
After all, it would be a cruel irony for a financial institution to come through the deepest economic crisis in a century only to be caught unprepared for risks they had ample warning about and should have seen coming.
[1] See, for example, Bluewaters coal-fired power station written off as worthless as renewables rise.
[2] See Rest reaches settlement.
[3] See Speech to AFR Business Summit, 9 March 2021.
[4] See, for example, the UK announcement to enshrine new emission targets in law.
[5] For example, see the recent speech by Basel Committee Chair, Pablo Hernández de Cos, which highlighted evidence that jurisdictions with banks that had the largest capital buffers experienced a less severe impact on their expected GDP growth; that better-capitalised banks increased their lending during the pandemic relative to their peers; and that the uptake of public support measures, such as loan guarantee programmes, was higher for better-capitalised banks.