Beyond the bottom line: The journey to better governance
Good morning. Thank you for inviting me to address you in what will be my final speech for APRA. As many of you no doubt know, I will end my term as Deputy Chair at the end of June after more than 21 years as a prudential regulator – a role I have enjoyed immensely. Today is an opportunity for me to provide reflections on key changes over that time, with a particular focus on governance and risk management practices across the financial sector.
The past two decades have been an extraordinary journey, where I’ve been fortunate to have a front row seat, and sometimes provide a guiding hand, as the financial system has evolved in the face of a variety of technological, health, financial and geopolitical challenges, each with unique and lasting impacts.
Most recently, the collapse of Silicon Valley Bank and Credit Suisse gave a stark reminder that we are in a new digital age in which social media significantly increases the speed with which bank runs may now occur. These events raised fears of contagion risk undermining stability here and signalled that an organisation’s distress may have systemic consequences, even if it is not extremely large, highly connected to other financial counterparties or involved in critical financial services. While this most recent test is still playing out, APRA and peer regulators have already begun examining what happened, learning lessons, and considering whether regulatory settings or supervisory responses need to be adjusted.
In my time at APRA, we’ve experienced several crises or stresses of varying nature. I arrived in the aftermath of what remains the biggest corporate collapse in Australian history – the failure of HIH Insurance. Entity failures in the years since have been blessedly rare, but the financial system has faced other major challenges: a global financial crisis (GFC), another Royal Commission, major anti-money laundering failures, a global pandemic and – more recently – material cyber breaches, including at APRA-regulated entities.
Each of these episodes was different but look closely and you will find things in common. Indeed, all can be traced in one way or another to failures in governance, risk culture, remuneration or accountability, which (because you know we love an acronym at APRA) we term GCRA. To quote ECB (European Central Bank) Supervisory Board Member Elizabeth McCaul: “Supervision comes down to the idea that all roads lead to governance. Indeed, throughout my career, I have seen that strong governance is the true north that guides a sound bank.”1
Looking ahead, there are gathering clouds that threaten the resilience of the financial sector – including growing cyber threats, digital disruption to business models, a challenging path through climate transition, and rising geopolitical risk. APRA has a role to play in making sure industry is positioning itself well to meet these challenges. However, ultimately it is entity boards that need to effectively manage their risks and always run their institutions prudently. When they do not, it only serves to emphasise the critical importance of learning lessons and continuing to adapt and evolve as risks emerge or accelerate – and boards and senior management must lead by example in how they learn and grow from setbacks.
The HIH Insurance collapse is a good case study in poor governance and risk management, for which the directors paid an extremely heavy price, including jail in some cases. The company no longer exists after being placed into liquidation in 2001, but far from being a footnote in Australian financial history, its demise is an entire chapter.
The final report of the subsequent Royal Commission headed by Justice Neville Owen found an insurance company that simply hadn’t put aside enough money to pay claims – its core business activity and a significant lapse in basic risk management. Cultural failings also contributed, evidenced by extravagant spending and a reluctance to question leadership decisions2. HIH’s failure saw thousands of employees lose their jobs, tens of thousands of shareholders lose their investments and had a devastating impact on policyholders and the community as insurance cover was suddenly withdrawn3.
The HIH collapse was a turning point for APRA’s supervision approach. Until then, APRA was largely expected to take a light touch, low intervention approach. In its aftermath, the Royal Commission recommended APRA develop a “sceptical, questioning and, where necessary, aggressive approach” to prudential supervision4. We tightened up our communication with entities, and more clearly recognised the importance of holding them to account and not allowing our desire for an open and constructive relationship to discourage us from acting when needed.
I was closely involved in implementing the reforms to the insurance prudential framework and changes to supervision practices necessary to strengthen regulation of the insurance industry and reduce the likelihood of similar collapses occurring in future. Ironically, the scale of the crisis worked in our favour, as it enabled regulatory changes resisted by industry to be pushed through, including significant changes to the capital framework and the requirement for an appointed actuary and financial condition report. In the case of the latter, pleasingly boards quickly came to see the value of an objective report that looked at financial performance in a more holistic way and provided a different perspective on issues and risks to that provided by other management reports.
The general insurance industry in 2023 is further advanced in its governance and risk management practices than it was at the time of HIH’s collapse. However, as we saw during the pandemic in relation to business interruption insurance, and the insurance risk management reviews that APRA subsequently required, there is no room for complacency when it comes to sound governance and risk management.
A key lesson for all boards – whether in the insurance industry or not – is the importance of embracing a culture of independent review and challenge, seeking different perspectives, and continuing to evolve and strengthen practices when it comes to managing core business risks. It is not a one-off, set and forget exercise but rather requires ongoing attention and enhancement.
Boards need to ask for, and be provided with, the information needed to support them in meeting their governance and risk management responsibilities, and to be able to show evidence of how they are satisfied that management is proactively overseeing the effective management of the risks to which their business is exposed.
A new paradigm
The changes underway to APRA’s regulatory approach in the aftermath of HIH went well beyond insurance. Until that point, APRA’s regulatory framework had little in the way of standards for so-called behavioural issues. We had a clear set of financial requirements, but gaps existed in areas that related to behaviours – such as governance, board composition and independence, fitness and propriety, remuneration and incentives.
That began to change post-HIH and in 2006 we introduced the first prudential standards on board governance and fitness and propriety. Two other events accelerated recognition of the role played by GCRA in financial soundness.
One was the collapse of Trio Capital in 2009. Once again poor governance and risk management were front and centre as contributing factors, with APRA’s investigation finding inadequate investment governance processes; failure to adequately manage conflicts of interest from dealings with related parties; and failure to have adequate controls to mitigate fraud-related investment risk. And again, the board paid a heavy price for its failings, with 13 former directors banned from the industry. More importantly, there were significant losses for many members of the Trio funds.
At the time of the Trio failure, compulsory superannuation had been in place for 17 years but the regulatory settings and industry practices hadn’t kept pace with the industry’s increasing size and importance. As a result, we faced an industry growing rapidly in both size and complexity, but without the governance and risk management capabilities to match.
It wasn’t until the Stronger Super reforms of 2013 that APRA gained the power to create prudential standards for superannuation. One of APRA’s key focuses in superannuation today is improving outcomes for members, but in the initial implementation of our prudential standards much of our focus was on lifting the practices of trustees in key areas of running their businesses. That included elevating their focus on robust governance and risk management practices, such as having directors with the right mix of skills and experience, and appropriately managing conflicts of interest.
The second, and perhaps more consequential, event that underlined the significance of GCRA was the GFC, where the financial sector’s dual Achilles heels were exposed as remuneration and accountability – too much of the first and not enough of the second!
As the international regulatory community began to understand the role that misaligned financial incentives played in encouraging dangerously risky behaviour, especially in the US, APRA responded by introducing the first prudential requirements on remuneration in 2010. Then, in 2015, we introduced new risk culture requirements for boards, with boards expected to form a view of the risk culture in their organisation, and the extent to which that culture supports the organisation operating consistently within its risk appetite. Further, boards were expected to identify any desirable changes to their organisation’s risk culture and ensure steps were taken to address those changes.
That the financial services industry was subject to a Royal Commission in 2018 following a series of scandals shows those reforms – and the industry response to them – probably didn’t go far enough. At the heart of almost every case study highlighted during the Royal Commission were failures in GCRA – in particular, remuneration models that incentivised poor behaviour and few consequences for those who did the wrong thing.
One key lesson for industry from the 2018 Royal Commission was the importance of identifying and addressing GCRA issues – or so-called non-financial risks – early rather than after the event. No entities faced financial failure as a result of the Royal Commission, but the impact on the entities, and the financial sector more broadly, in terms of loss of trust, reputation and confidence, was clear. Putting customers at the centre of your business strategy, and having business practices, accountabilities and incentives that align with that customer focus, are more likely to deliver sustainable outcomes for both the business and its customers over the long-term.
Embracing lessons learned
There were also lessons for APRA from this period, as we too felt the intense scrutiny of the 2018 Royal Commission. When I reflect on my career, taking the witness stand at the Royal Commission is certainly one of the more challenging experiences and one that I am unlikely to forget.
I had been called in relation to APRA’s supervision of superannuation in response to the Commission’s unearthing of damaging allegations about poor conduct by trustees, especially the charging of fees to members for no service. APRA Chair Wayne Byres also testified about APRA’s approach to supervision more broadly. The issues that had prompted the inquiry related primarily to poor conduct; and no-one was raising concerns about the financial soundness of these institutions, which is APRA’s key focus. The primary criticism we faced was failing to take sufficient action to hold those responsible accountable or deter future poor behaviour.
The Capability Review5 of APRA undertaken after the Royal Commission called for APRA to make changes, including to structure, our approach to public communication and enhancing our focus on GCRA – which we did. Collectively the reviews – uncomfortable though their findings may have been at the time – were catalysts for APRA taking steps to be a more effective and proactive regulator and respond to the lessons provided, just as we expect of the entities that we regulate.
We deliberately sought to become more “constructively tough”, being willing to use the full range of our formal powers to achieve prudential outcomes and deter unacceptable practices. And the transformation of GCRA across all regulated institutions became one of the four key focus areas underpinning our Corporate Plan, which led to significant investment in embedding GCRA in how we supervise.
Times had changed, so had community expectations, and we needed to evolve our approach accordingly.
Leadership culture is key
The critical importance of boards and senior management leading by example in how they learn and grow from setbacks cannot be under-estimated.
As a regulator for over 20 years, I have had plenty of experience providing feedback to boards. Sometimes, it’s sharing insights and pointing out where they could do better. At other times, it is a much sharper message about significant remediation steps required, or APRA’s plans to impose a penalty, such as licence conditions or a capital overlay.
Better boards embrace feedback and lean into dealing with issues, see them as an opportunity for reflection, and to take steps to remedy the root causes and make genuine and enduring changes throughout their organisation. Others are more begrudging or half-hearted in their response, and do not nurture a culture that facilitates embedding of better governance and risk management practices throughout their organisation. And that approach almost inevitably leads to lessons not genuinely being learned and mistakes of the past being repeated.
There are a few examples of both good, and not so good, board responses that I could talk to – some of which are in the public domain. The most prominent example of what I would call the more positive approach to change is CBA (Commonwealth Bank), which went through one of the most public processes of criticism, including APRA’s court enforceable undertaking. What led to the successful removal of the capital overlay late last year was APRA being satisfied that the bank had sustainably driven internal change in its risk governance. Crucial to this was the board and senior management not doing it only because APRA required it, but because they saw it as essential to being a successful business.
There is a range of reasons why some boards do better than others in leading their companies, but the composition of the board itself is paramount. Over my time at APRA, the breadth of risks and issues that boards need to be able to deal with has only expanded. In 2017 APRA began to speak about the financial risks of climate change; the following year we announced plans for our first prudential standard on information security; and last year we issued our first guidance to industry on digital assets such as cryptocurrencies. In other areas such as remuneration and accountability, we have also strengthened our expectations of boards.
These increased demands have elevated the importance of boards that are equipped to analyse and make strategic decisions relating to a far broader range of issues than was once the case. Further, we know that better outcomes – including financial ones – result from bringing in a broader range of perspectives6. As a result, we now see a much greater focus on building boards with the right mix of skills and experience for the challenges their organisation faces, now and into the future.
In addition, the intrinsic importance of boards comprising a diversity of backgrounds and perspectives is recognised, as well as the need for an orderly renewal process to refresh directors over time to maintain independent perspectives and constructive challenge. Despite progress on this since 2002, I still see much room for improvement in all sectors, with genuine diversity still lacking around too many board tables. The ability to bring in fresh perspectives is often stymied by long-standing directors not stepping down. As an example, consider this: there are 38 directors on the boards of APRA-regulated credit unions and mutual ADIs (authorised deposit taking institutions) that were there when I arrived at APRA in 2002!
The need for enhanced diversity and inclusion is rapidly becoming the next frontier in ensuring sound governance and risk culture practices. In February, APRA shared a report by the International Association of Insurance Supervisors (IAIS) that reviewed the breadth of diversity, equity and inclusion (DEI) initiatives being undertaken globally by insurers and insurance regulators. We believe the report contains important considerations for all industries. Effective DEI practices support a more resilient financial services sector by strengthening governance and risk management and providing better outcomes for customers.
At heart, this focus on DEI extends APRA’s long-standing view of the need for broad perspectives on boards. By bringing together people from different backgrounds, broader perspectives can be shared, leading to a wider view of potential risks and opportunities. Businesses can attract and keep skilled employees by creating an inclusive and welcoming work culture, while a wider range of perspectives can help companies better understand and meet the needs of their existing customer base or tap into new markets.
At the moment, APRA is content to raise awareness of DEI and start a conversation, but we are also considering how we can strengthen this aspect of governance and risk management as part of upcoming reviews of Prudential Standards CPS 510 Governance and CPS 220 Risk Management.
Keep on moving
APRA will always have a strong focus on bottom line financial metrics because of the importance of capital, liquidity, reserving and investment returns to the protection of depositors and insurance policyholders and outcomes for superannuation members. But, compared to when I joined APRA more than 20 years ago, there is far greater emphasis on how easily those numbers can be undermined by poor leadership, a weak risk culture, inappropriate financial incentives and a lack of accountability when things go wrong.
The best leaders are those that move with the times and anticipate trends and risks, always looking ahead to the next challenge and continuing to evolve their organisation’s practices – both financial and non-financial. In an environment where new risks are constantly emerging, standing still is going backwards.
In that spirit, I’m also moving on, recognising the need for APRA to renew its leadership in the same way we demand of the entities we supervise. After signing off at the end of June, I plan to spend some time at my property in the Hunter Valley, which my husband and I named the 100 Aker Wood. While I will enjoy having more time on my ride-on mower, I’m not yet ready for the pasture, and – like Winnie the Pooh himself – it won’t be long until I embark on a new adventure. In the meantime, I’m reminded of one of the bear’s most beloved quotes, as he observed: "How lucky I am to have something that makes saying goodbye so hard."
It has been a privilege to play a role in influencing practices and outcomes across the financial sector over the last 21 years. While it will be hard to say goodbye to APRA and a role that I have loved, I am very much looking forward to this next chapter of my career.
The Australian Prudential Regulation Authority (APRA) is the prudential regulator of the financial services industry. It oversees banks, credit unions, building societies, general insurance and reinsurance companies, life insurance, private health insurers, friendly societies, and most members of the superannuation industry. APRA currently supervises institutions holding $8.6 trillion in assets for Australian depositors, policyholders and superannuation fund members.