It’s a pleasure to be here today and to have this opportunity to share my perspectives on the challenges of strong risk governance.
Managing risks in the financial sector is like mountain climbing …
The path is often treacherous, and conditions can change without warning.
You need to identify and manage potential risks in a timely way, or the consequences can be devastating.
And just when you think you’re at the summit the next peak is there waiting for you.
As today’s conference agenda bears out, there is no shortage of risk-related challenges confronting Australia’s financial services sector.
Australia’s financial institutions are not only grappling with traditional financial risks; they are facing unanticipated risks, such as COVID-19 in its many iterations, and rapidly evolving risks, including cyber and climate. The environment in which they are operating is complex, changing and often unpredictable.
Fortunately, the banks, superannuation funds and insurers of today are generally better prepared to tackle risks than they were in the not-too-distant past.
They are more sophisticated in their approach to risk, have well-established risk frameworks and a sharper focus on risk by senior management and boards.
But that’s not to say there haven’t been a few slips and stumbles along the way. Or that directors and senior executives have done enough to fully safeguard their organisations against the next rock fall.
When it comes to scaling the challenges of strong risk governance and risk management, there will always be mountains to climb.
The steep slope of insurance risk management
I’d like to focus my comments today on the insurance industry for three simple reasons:
insurers, just like mountaineers, are in the business of risk;
insurers may be in the business of risk, but they are not immune to poor risk management; and
many of the risk governance challenges facing the insurance industry are echoed across the financial services sector.
As the Member responsible for APRA’s oversight of the insurance industry, I have a particular interest in how well insurers identify and manage risk.
The insurance industry, by its very nature, helps Australians to financially manage the risks of everyday life. Historically, it’s done a good job of this, as we’ve seen in the aftermath of the recent bushfires and floods and through the pandemic.
However, the industry faces significant risks of its own. It must maintain a firm footing between remaining commercially viable and keeping insurance accessible and affordable for consumers. And it needs to do this in the face of intensifying competition, evolving customer demand, and an uncertain economic outlook.
It’s a time of challenge and uncertainty for the industry. A time when strong risk governance is critical. And yet, as I alluded to before, some of the most recent high-profile examples of poor risk management have been in insurance.
Disability Income Insurance
A case in point is the life insurance industry and, specifically, individual disability income insurance, or IDII, which provides replacement income to policy holders when they are unable to work due to illness or injury.
The IDII market is complex and highly competitive. Over time, the features of IDII products have become more generous - but at increasingly unsustainable prices.
Generous insurance benefits at competitively low prices might sound like a good outcome for consumers. But it couldn’t last. The reality is that this unsustainable approach has led to substantial losses for the industry and, ultimately, significant premium increases for policyholders. Left unaddressed, the viability of the IDII product – and the protection it offers Australians – would be at risk. It’s what you might call a lose-lose scenario.
Three years ago, APRA called on the life insurance industry to urgently address concerns about the sustainability of IDII. To put it bluntly, however, the call to action went largely unheeded, with each industry participant reluctant to make the first move.
IDII performance continued to deteriorate and by late 2019 the industry had reported a collective loss of $3.4 billion for the preceding 5-year period. That is a significant loss relative to total insurance product profits of $5.8 billion over that period – which were around 37% lower due to the heavy losses incurred on IDII business.
The lack of action by insurers left APRA with no choice but to intervene, putting in place a series of measures, including capital charges, which required life insurers to address flaws in product design and pricing, and to strengthen capabilities in risk governance.
Things started to look more promising and, by the end of 2021, a swathe of new and more sustainable IDII products had hit the market.
Sadly, however, it appears the positive momentum may have been short-lived. Some of the past poor market practices, such as having more generous product features in pursuit of sales rather than ensuring product sustainability, may be resurfacing in the IDII market, potentially putting the viability of this important product in jeopardy once again.
We are also seeing worrying signs of similar trends and practices in other classes of life insurance, such as the group insurance market.
It would appear that risk functions are not having the desired impact in many life insurers, resulting in a lack of long-term management of the end-to-end risk cycle of life insurance products. And boards may not be taking a sufficiently holistic and long-term view when assessing risks and outcomes.
APRA is committed to promoting the sustainability of life insurance products, including IDII, for the long-term benefit of policyholders. We will not shy away from taking decisive and strong actions if required, including potential increases to supervisory capital adjustments when we see imprudent or reckless practice.
However, our firm expectation is that boards will take the lead on driving real and sustainable change in this market. It is also important that insurers take steps to influence other market participants, such as advisers and rating houses, to also focus more on long-term product sustainability.
Business Interruption insurance
Risk management has been a rocky path for general insurers too, as we saw over the last few years with business interruption insurance.
Following the COVID-19 related lockdowns and disruptions, general insurers were inundated with business interruption insurance claims. Unfortunately, it soon became apparent that many insurers had failed to keep the wording of their policies up to date with changes in legislation.
This was a significant lapse in risk management which created uncertainty for policyholders, at their time of greatest need, over pandemic coverage under BI policies. It also put insurers at risk of legal disputes and significant financial exposure.
Frankly, this event was a “near miss” for the insurance industry and, with court proceedings still to fully play out, the ultimate impact on insurer reputations and potential balance sheet implications is yet to be finally determined.
It has certainly been a poor outcome for many policyholders, who rightly expect more clarity and certainty over what is and is not covered under their policies, so that they can better assess the extent and value of their cover in advance. Insurers need to provide this clarity in their communication with policyholders and respond quickly to address any complaints or disputes as and when they arise.
APRA has sought to ensure the industry learns the lessons from what occurred, understands the root causes, and takes action to avoid a repeat in future. To that end, we launched a review process in which relevant general insurers were required to self-assess the robustness of their risk management frameworks and identify areas of weakness and the steps needed to ensure the frameworks were robust across all their products.
The objective of the review is to ensure that insurers are effectively managing the end-to-end insurance product lifecycle - including product design, pricing, distribution, compliance, and claims management – for the benefit of both policyholders and the insurer.
APRA will soon publish the key insights stemming from this review, which we hope other insurers will heed as they consider their own risk management practices.
All participating insurers identified significant weaknesses in how they managed their insurance risk exposures which point to risk culture inadequacies. Common themes included failure to accurately quantify pandemic risk, misalignment of expectations with reinsurers, insufficient regard for strong risk assessment and escalation, product and system complexity and poor oversight of third-party arrangements, for example with brokers and underwriting agents.
All insurers who undertook the BI exercise are executing plans to address the identified weaknesses and APRA will ensure those programs are successfully completed over the coming year. It is imperative that insurers get such basics right if they are to continue providing sustainable insurance cover which policyholders understand and value.
APRA is not the only regulator to have identified risk governance weaknesses in the insurance sector. ASIC’s review of general insurance pricing practices revealed similar concerns, albeit through a different lens, leading in some cases to poor policyholder outcomes and costly remediation. ASIC has also been dealing with some life insurers in relation to poor disclosure practices for level premium products, that have at their heart risk and control weaknesses and have also contributed to poor outcomes for policyholders.
So, looking broadly across the governance and risk management practices of the insurance industry, three themes stand out, namely the need to:
strengthen board oversight and accountability,
embed risk more deeply into every aspect of the business and everyday decision-making, and
cultivate a stronger risk culture.
Strengthening board oversight and accountability
The recent examples of poor risk governance in insurance highlight the need for strengthened board oversight of risk. APRA expects boards to step up and address risk issues and to be accountable for ensuring that needed change occurs.
APRA’s prudential standards make it clear that the board must oversee, and is ultimately responsible for, the establishment and maintenance of an effective risk management framework. The board is expected to provide clear direction and leadership on the approach to risk management.
Directors must lead the way in challenging the status quo and consider the longer-term consequences for decisions made today. Product life cycles in insurance may stretch out 10 years or more. Having an end-to-end view of the product life cycle, and effective risk frameworks that enable ongoing assessment and management of risk across that timeframe, will help insurers design, distribute, and manage products that meet their customers’ needs in a sustainable way.
Sound risk governance is more than ticking boxes or implementing regulatory requirements. It’s an attitude… and needs to start in the boardroom and cascade down through the organisation.
Embedding risk more deeply into every aspect of the business and everyday decision-making
In climbing the risk management hill, it’s the risk function that needs to lead the way and show the rest of the business the path over the mountain.
Yet, too often, the risk team is brought in late to the decision process. Where this occurs, it is a missed opportunity to embed risk conversations more deeply into the day to day running of the organisation. Risk professionals must be an influential voice at decision-making tables.
Of course, risk specialists cannot carry the burden alone. Effective risk management requires robust consideration of risks in everyday decision- making, with risks reviewed and challenged on a continuous basis.
Front line employees need to be risk capable, understand the risks they undertake in their day-to-day activities and promptly escalate risk issues. Their decisions and actions will be constructively challenged by the risk team and other internal control functions.
Then, in the third line of defence, the internal auditor and external professionals will provide further, independent challenge to the assumptions and assurances on which risk judgements are based.
But for the three lines of defence to be truly effective, you need to have a strong risk culture.
Cultivating stronger risk culture
No control framework will be truly effective if an institution’s culture is not appropriately aligned to it. The board has a very important task in this respect:
it needs understand the risk culture in the institution and the extent to which that culture supports the ability of the institution to operate consistently within its risk appetite; and
identify when any changes to the risk culture are needed and ensure the institution takes steps to address those changes
Most organisations have more work to do to better understand, assess and strengthen their risk culture. While boards and senior executives may genuinely believe that a sound risk culture is firmly in place, employees may think otherwise.
Over the past 18 months, APRA has conducted risk culture surveys across 61 regulated entities in banking, superannuation, and insurance. The survey has now been sent to over 230,000 employees.
We plan to share more specific insights from the risk culture surveys in due course. The good news is that a high proportion of employees surveyed said they were encouraged to escalate risk issues promptly and many felt safe to speak up.
However, approximately one third of employees did not believe that sufficient resources, including budget, systems, skills, and capacity, had been committed to improving how risks were managed.
In the life insurance risk culture survey, one in five employees indicated that the roles and responsibilities between the business, the risk function and internal audit were not well understood.
This lack of understanding was also highlighted in a cross-industry Risk Governance self-assessment review conducted by APRA. It found that risk accountabilities are not always clear, cascaded or effectively enforced. It also found that risk culture is generally not well understood, and therefore may not be reinforcing desired behaviours.
As a leader, I know this is hard to get right, but it is important that we all continue to work to improve the risk culture within our respective organisations.
Setting a path for better governance
It is pleasing to see that many of Australia’s financial institutions, including insurers, are keenly focused on scaling the challenges of strong risk governance. However, the recent examples of poor risk governance that I have highlighted show that there is further to go to crest the current risk governance mountain.
APRA will continue to work closely with insurers, banks, and superannuation trustees to improve risk management practices and strengthen risk frameworks across the financial sector. This work will include, for example, further risk culture surveys, thematic reviews, and implementation of the recently published Prudential Standard for Remuneration.
However, better risk governance should start in the boardroom, with stronger board oversight and accountability for risk at every level of the organisation.
Risk professionals should be actively involved in risk conversations across day-to-day business operations and be enabled to have a strong voice on key decisions.
And the very best resource for managing risk is your people. Invest in your risk culture and promote ownership of risk right through the business.
Finally, don’t lose focus – particularly if you think you have conquered your mountain. As any mountaineer preparing to climb back down the mountain will tell you, risk management is never ‘done’ and there will always be more mountains to climb.
The Australian Prudential Regulation Authority (APRA) is the prudential regulator of the financial services industry. It oversees banks, mutuals, general insurance and reinsurance companies, life insurance, private health insurers, friendly societies, and most members of the superannuation industry. APRA currently supervises institutions holding around $9 trillion in assets for Australian depositors, policyholders and superannuation fund members.
Subscribe for updates
To receive media releases, publications, speeches and other industry-related information by email