Risk management: Made to measure
Good morning and thank you for inviting me to be part of another RMA event.
As many of you know, I have long been a supporter of the RMA Australia. A strong risk management profession is essential for a stable, efficient, and competitive financial system. Your objectives are therefore well-aligned with APRA’s, and your vision – to support the professional development of risk managers through the enhancement of their risk management skills, knowledge and capabilities – is one we readily endorse.
So, I am pleased to be able to play my part in another RMA Australia event. Of course, this is the last one I will participate in with my APRA hat on. After eight years as APRA Chair, I am standing down at the end of next month. There’s a certain symmetry in giving one of my last speeches to an RMA Australia event because, back in 2014, my first speech as APRA Chair was to this same forum.
Seen through a 2022 lens, that speech is very much a product of its time. It was heavy with references to traditional prudential matters such as the global financial crisis, the Basel III capital reforms and the need to minimise the risk and impact of bank failure. There is no mention of some of the major contemporary risks APRA has spent more recent years working on. Nothing on climate change. Not a word on cyber or crypto. No warnings about the risk of a global pandemic. To the extent there was an element of foresight in my remarks, the speech did seek to raise awareness of the importance of culture and the need for the financial sector to address poor behaviour and misaligned incentives.
Today’s event is focused on the theme of disruption. These days, the term “disruption” is used as shorthand for the recent technological innovations that have suddenly up-ended long standing business models and practices. That’s a narrow perspective on the term. Certainly, my experience as Chair of APRA for eight years, and a prudential supervisor for 38, has taught me that disruption to the financial system in some shape or form is almost a permanent state of affairs. Economic disruption from events like the 1990s recession, Asian financial crisis and GFC; regulatory disruption flowing from the collapse of HIH Insurance, post-GFC reforms and Financial System Inquiry; disruption from the Royal Commission’s challenge to the behavioural standards and remuneration arrangements of the industry; pandemic-related disruption from COVID-19; climate-related disruption that is growing in impact and urgency; geopolitical disruption from the sudden outbreak of war in Ukraine. Technological disruption from digitisation, while undoubtedly far-reaching, is just one of many changes that continually challenge the fundamentals of financial businesses.
As this audience knows well, change inevitably involves risk. Identifying, assessing, preparing for and responding to these risks is your job as risk management professionals. Given it is also my job as a prudential supervisor, I can sympathise with you that it is not easy.
That is especially the case because many risks that need to be managed today do not readily lend themselves to quantification and measurement. In another speech to one of these events, this time in 2018, I asked whether the risk management profession had a blind spot to risks that couldn’t be measured in dollars and cents, percentages and basis points. If what gets measured gets managed, then it is not surprising that risks that are difficult to quantify (such as behaviour and reputation) or where good data is scarce (such as cyber and climate) have less well-developed risk management frameworks and techniques to deal with them.
Unfortunately, those risks are real and significant. Managing risk well in these important areas is not optional. So, I thought today might be a useful opportunity to reflect on progress in recent years, and some of the challenges that remain.
Let me start with a risk that is not new, but certainly wide-ranging and of increasing prominence: operational risk.
COVID-19 certainly drew sharp attention to the issue. At relatively short notice, the financial system was put through a significant stress test of its operational resilience. Financial institutions had to adjust to the challenge of having most, if not all, of their employees working from home, while still providing their normal services to their customers as well as quickly responding to emergency programs such as loan deferrals and superannuation early release.
While some corners were cut in the haste to adapt, the operational resilience of the system held up well, as evidenced by the lack of any notable disruption to essential financial services. However, as I noted a couple of years ago (again, to this forum), that reflected a trilogy of long-term planning and investment, on-the-spot ingenuity and judgement, and an element of luck. Our collective goal needs to always be to reduce our reliance on the latter.
The lessons from recent years – both in Australia and elsewhere – have been important inputs into the design of our new prudential standard on operational resilience. Given that disruptions to financial services – even temporarily – can have a major detrimental impact on the community, Prudential Standard CPS 230 Operational Resilience seeks to ensure that financial institutions have robust frameworks in place to protect and preserve the reliability of their critical operations – for the benefit of their customers and the broader financial system. In particular, CPS 230 establishes new requirements for each financial institution to:
- identify, assess and manage their operational risks, with effective internal controls, monitoring and remediation;
- be able to continue to deliver its critical operations within tolerance levels through severe disruptions; and
- effectively manage the risks associated with the increased usage of service providers, through a comprehensive service provider management policy, formal agreements and robust monitoring.
A key element of the new standard is an increased emphasis on data and analytics to inform risk management and decision-making. For example, the standard requires each institution to:
- undertake an assessment of its operational risk profile, with a defined risk appetite supported by indicators and limits;
- maintain appropriate and effective information systems to monitor operational risk, compile and analyse operational risk data and facilitate reporting to the board and senior management; and
- ensure that operational risk incidents and near misses are identified, escalated, recorded and addressed in a timely manner.
With this goal in mind, APRA has been spending some time lately examining the availability and quality of data at the largest institutions, including interrogating each institution’s own data from their governance, risk and compliance systems. What we have seen is that, unlike some other areas that I will come onto shortly, the challenge is less about a lack of data, and more about how to draw together a wide array of data – often produced at a quite granular level – to “join the dots” and produce information and insights that are useful for decision-makers. In promoting a stronger focus on data, metrics, limits and tolerances, we do not want to see executives and boards flooded with numbers. That would not be helpful. Rather, we need risk managers to use that information to provide meaningful insights. Doing so will aid the detection of genuine shortcomings and vulnerabilities, as well as improve the ability to take timely action to address the root cause of problems.
Governance, culture, remuneration and accountability
As I mentioned earlier, my speech in 2014 highlighted the need to lift standards of governance and culture.
Much has changed since then. Risk culture was once seen as at the periphery of (if not beyond) the mandate of a prudential supervisor. The advent of CPS 220 Risk Management with its requirement for boards to form a view on risk culture, the CBA Prudential Inquiry, and the Hayne Royal Commission, have collectively changed that. Getting risk culture right is now recognised as critical not just to good risk management, but also to broader organisational success and reputation; indeed, the right culture can be a meaningful competitive advantage.
Needless to say, however, assessing the behaviours, mindsets and motivations of people – both individually and collectively – is not easy. Behaviour and culture, and data and metrics, have not traditionally gone hand-in-hand. APRA is trying to do its bit to change that.
An important initiative that is providing empirical information to both institutions and APRA has been our risk culture surveys. The surveys provide insights from employees within financial institutions on perceived risk behaviours and the effectiveness of the risk management architecture they work within. Over time, the responses will help identify the extent to which positive changes are (or are not) taking place within individual institutions, as well as areas for improvement. It also provides APRA with the ability to benchmark results across institutions, facilitating peer analysis and comparison. At this stage, we are one of only a few supervisory bodies worldwide that directly collect such survey data, although a number of our peers are interested in following suit.
This was the first time many institutions could see how their employees’ perceptions of various risk culture elements compared directly against their peers. Institutions have been keen to understand the underlying factors that contributed towards their results, as well as the degree of variability amongst the individual business areas within their organisations. We have also seen institutions comparing the insights from the survey with their own internal indicators (such as employee survey results, risk culture metrics and internal risk culture reviews), and other data points (such as non-financial risk metrics) to build a more comprehensive picture of their risk culture.
Both the more empirical approach to culture assessment, and the improvements to analysing operational risk profiles that I mentioned earlier, should prove handy as CPS 511 Remuneration comes into force from the beginning of next year.
As you know, a critical goal of CPS 511 was to produce a better overall measure of executive performance by requiring a material weighting to be given to non-financial risk metrics within performance assessments. That was contentious – within the consultation process for the new standard, there were quite a few submissions expressing concern that non-financial metrics were subjective and/or lacked reliability.
But in response, the new standard has forced investment in meaningful measures of non-financial risk. There is still a way to go to embed robust non-financial risk measurement – we are not declaring victory yet. But pleasingly, we have seen improvement in remuneration practices underpinned by better analysis of data, facilitating a strengthening of the relationship between their remuneration and risk frameworks, improvements in the interaction and quality of reporting to Remuneration and Risk Committees, and providing the foundations to support more consistent and proportionate remuneration adjustments in light of risk events or risk assessments. This is an area we will be focusing on closely as the new standard comes into effect next year, especially as our new disclosure and reporting requirements will give better visibility of how remuneration is awarded and adjusted for risk.
Climate change is another disruptive issue, bringing with it the potential for wide-ranging changes to the financial system, the broader economy, and society more generally.
The complex interactions between climate risks and business activities present genuine challenges for risk management, as does the extended time horizon over which climate risks may materialise. The risks that could emerge are novel in nature, and hard to measure with precision. Moreover, the potential for climate risks to have a compounding effect on traditional risk types such as credit, market, liquidity and operational risks, adds to this complexity.
The good news is there is no lack of attention to the issue. Our recent climate risk self-assessment survey, which covered 64 of the larger banks, insurers and superannuation funds, confirmed that climate change is widely recognised across the financial sector as a risk to be managed like any other. This has been APRA’s goal since my former colleague Geoff Summerhayes first raised it in 2017.
But recognition only gets us so far. As APRA has noted many times, a changing climate provides both risks and opportunities for the financial sector. Key to managing those risks and grasping the opportunities is data.
Therein lies the rub, because the weakest area in our survey was “metrics and targets”. Almost a quarter of respondents reported they had no metrics to measure and monitor climate risks. Facing into new risks, there is a natural tendency to begin with qualitative aspects such as governance and risk principles, rather than quantitative measures. It is clear, however, that metrics (and their disclosure) are areas where investors, standard-setters, and regulators are demanding more sophisticated climate risk information. Empirical measurement, rather than a subjective judgement, is going to be needed fairly urgently.
A critical capability in this regard is to translate non-financial climate risk factors, such as physical climate events and longer-term scenarios, into financial impacts. This has been one of the biggest challenges for the climate vulnerability assessment (CVA) we are undertaking with the five largest banks, and why the exercise has taken longer than we originally hoped. Unlike the self-assessment, which aimed to gauge how well institutions are aligning with APRA’s guidance on climate risk, the CVA looks specifically at the potential financial exposure of entities to the physical and transition risks of climate change. Starting with global scenarios and translating them into what they will mean for regions, industries and large customers is difficult. The level of granularity is critical – broad averages will hide the real story.
Another common theme from the CVA was the need for input across multiple disciplines. When we first embarked on the CVA, our initial meetings were typically with stress testing and ESG teams within banks. It was quickly realised that, because of the wide-ranging nature of the potential impacts, a much broader involvement was needed from right across the business – from risk, from finance and from frontline business functions. An understanding of climate-related risks needs to be embedded right throughout the business if the impacts – positive and negative – are to be properly understood.
We are currently in the final stages of the CVA and working through the bank-by-bank results to build up an overall picture. At an aggregate level, the results – which I expect will be ready for release in a month or two – do not appear to be dissimilar to that produced by our overseas peers. But beyond that, the analysis provides valuable insights into how different parts of banks’ domestic loan books will be impacted by different climate scenarios, as well as showing how banks envisage responding in the face of increasing risks (for example, through changing the price, terms and/or availability of credit). They also highlight the extent to which issues like the availability of insurance – something that increasingly cannot be taken for granted – can influence the provision of finance.
Made to measure
So, to wrap up today I would like to leave you with two thoughts.
The first, which has been the main theme of my remarks today, is the importance of continuing to invest in reliable data to enable more informed risk management and decision-making. This is not simply about having more data, it is also about the need to store and manage data well – particularly data related to non-financial matters – and then to be able to use it to deliver actionable insights.
Our recent work in this area has shown a marked improvement in the discipline being brought to identifying critical data elements, mapping data lineage, and measuring ongoing enhancements in data quality. This is very important. But it is also essential to emphasise the linkage between data quality and the use of data to make key business and risk decisions. Particularly with respect to non-financial risk management, where judgement and interpretation necessarily plays a critical role, senior executives and boards must have confidence in knowing the information that is presented to them is complete and reliable. As risk managers, you are critical to providing that assurance (and highlighting when it is not the case).
But then, having emphasised how important the availability of good data is to risk management, the second and final thought I want to leave you with is that it would obviously be a mistake to think that good data will solve all our collective challenges. It is necessary, but not sufficient.
To go back to where I started today – RMA Australia’s vision – we also need risk managers with the requisite skills, knowledge and capability to make something of that data. If I could add to the list, they also need integrity to do what’s right, intuition to sense what’s wrong, and a heathy dose of courage to pursue both.
That package of attributes doesn’t come easily. It is therefore essential that we continue to invest in and develop the risk management profession in Australia. My parting observation is that we have not done that as well as we could in the financial system. If you think that understanding the business is a key prerequisite for a good CRO, then internal succession into senior risk roles is not that common – suggesting the talent pipeline is not as large as it could be.
I don’t need to tell this audience that being a risk manager is not easy. In a stable world, it is hard enough; in one that is continually being disrupted, it is many times harder. So, I am loathe to add to your already long “to do” list. I commend RMA Australia for the work that it does, but playing a part in developing a risk management profession with a deep pool of talent must absolutely be part of every risk manager’s agenda.
After all, being prepared for tomorrow – even if we have no idea what it will look like – is what being a good risk manager is all about.