The story behind the numbers: Combatting the high cost of non-financial risks
John Lonsdale, Deputy Chairman – 2019 Actuaries Summit, Sydney
Good morning, and thank you for the opportunity speak to the Actuaries Institute’s premier annual event.
APRA has good relationships with all the industry associations we engage with, but our connection with the Actuaries Institute is closer than most. I think that’s because APRA and actuaries have a great deal in common; we specialise in identifying and managing risks; we aim to rectify problems before they cause harm, rather than trying to fix them after the damage is done; and we have a commitment, not only to the soundness of individual companies, but to the interests of the community and the greater good. It should be no surprise, therefore, that APRA employs many actuaries, including my fellow Deputy Chair Helen Rowell, and that we highly value submissions from the Actuaries Institute to our various consultations.
As ex-ante risk managers, both APRA and actuaries face the challenge of evolving in response to changing circumstances in the Australian financial sector, including those driven by the Hayne Royal Commission. As I noted in a speech to the Insurance Council of Australia in February, too often the misconduct or poor industry practices highlighted by the Royal Commission were well-known, yet companies had failed to address them. In many cases, that was due to short-term financial gains from practices such as charging fees for no service, or relying on outdated medical definitions. As we have seen, the companies involved paid a high price in the long-run.
Financial sector trust is now tarnished, while banks, insurers and superannuation licensees face a lengthy period of heightened scrutiny, increasing the possibility of further reputational damage. Amid clear evidence that risk management remains weak in financial institutions, it is apparent that boards and senior managers need a stronger, louder and more insistent voice on their shoulder urging them to think again. Someone senior and trusted. Someone independent. Someone with expertise in identifying and assessing risks. You can probably see where this is heading.
In a matter of weeks, APRA’s new cross-industry standard, CPS 320 Actuarial and Related Matters, comes into effect. APRA is introducing this standard to strengthen the influence of the Appointed Actuary in general, life and private health insurers, especially on the most material matters. My message today is that this influence cannot be confined to traditional financial risks, given the substantial damage to prudential soundness that can arise from the poor management of non-financial risks. Actuaries must learn to find the story behind the raw numbers – and then have the courage to speak up – if they are truly to fulfil their role of assisting with the sound and prudent management of an insurer, and ensuring the protection of policyholder interests is adequately considered.
Non-financial risks – a misleading description
I don’t want to imply that actuaries’ traditional focus on financial risks has become less important. The financial environment remains a challenging one for many APRA-regulated entities, especially in the insurance space. Private health insurers, in particular, face challenges to their long-term viability reflecting declining affordability driving down membership, especially among the young and healthy. Life insurers have been adversely impacted by the surge in mental health-related claims, taking heavy losses in individual disability income insurance, and will need to adjust to important superannuation reforms aimed at consolidating inactive accounts. General insurers have paid out more than a billion dollars to policyholders due to the Townsville floods, while banks and superannuation funds face their own pressures to perform. But, on the whole, the issues that have caused industry the most grief over recent years stem from the failure to identify and mitigate against non-financial risks.
A little over a fortnight ago, APRA released a paper analysing the findings of 36 self-assessments by some of the country’s leading banks, insurers and super funds. We wrote to their boards last June asking them to conduct the self-assessments in the wake of the landmark Prudential Inquiry into Commonwealth Bank of Australia (CBA) to gauge whether similar weaknesses existed in their own institutions. Our analysis determined that they did, although not to the same extent or depth as CBA. Among the most consistent themes to emerge were that non-financial risk management was frequently weak; and many of the issues raised were known to entities and were often long-standing. As a result of the self-assessments, we have intensified and more precisely targeted our supervision of entities, and in some cases we are considering imposing additional capital requirements due to the materiality of the weaknesses identified.
That’s the thing about non-financial risks: left unaddressed, the consequences become distinctly financial in nature. In the wake of the Royal Commission, our major banks have seen their profits eroded by the cost of remediating aggrieved customers and upgrading or putting in place systems to stop it happening again. The four major banks have already collectively spent or set aside nearly $7 billion and that number is likely to rise further. Failing to adequately manage risks relating to anti-money laundering and counter-terrorism financing laws saw our largest bank fined $700 million by AUSTRAC. Overseas, successful cyber-attacks have caused major financial and reputational damage to some of the world’s largest companies, including Yahoo, Marriott and eBay. APRA has warned repeatedly that it’s only a matter of time before an Australian bank, insurer or super fund falls victim to a cyber-attack, and noted that – in a worst-case scenario – such an attack could threaten the entity’s viability.
The need to manage non-financial risks is not new – cyber-attacks have been a threat for decades – but the range of risks and the speed with which they can undermine the prudential soundness of a business have perhaps never been greater. Much of this relates to technology, and the proliferation of online news and social media. Former APRA Deputy Chair Ian Laughlin – and current Actuary of the Year – made this point last year in an article published by the Actuaries Institute
. He wrote that society’s tolerance for egregious practices is much lower than it once was, while society’s ability to see and to call out unacceptable practices, and to highlight poor outcomes, is much more powerful. With financial sector trust damaged, it only takes one media exposé or social media outcry to cause a company serious financial damage, often in the space of days or hours, rather than weeks or months.
In the aftermath of the Royal Commission, financial sector companies face the additional threat of regulators with a lower tolerance for misconduct or poor risk management, and a higher appetite for exercising their formal enforcement actions, including litigation where appropriate. Our colleagues at ASIC are now asking “Why not litigate?” when confronted by breaches of the law, and have demonstrated several times over the past year that they are not bluffing. APRA is also moving on unacceptable practices. Last month, we launched our new Enforcement Approach, including a commitment to adopt a “constructively tough” appetite towards enforcement action. As a prudential regulator, rather than a conduct regulator, APRA will still focus on preventing harm with the use of non-formal supervisory tools. However we will be less patient with the time taken by uncooperative entities to remediate issues, more forceful in expressing specific expectations, and prepared to set examples using public enforcement to achieve general deterrence.
Added to this, entities must also contend with the Banking Executive Accountability Regime (BEAR), which applies to all authorised deposit-taking institutions from 1 July, and will soon be expanded to cover insurance and superannuation. Not only does this regime make boards and executives (including – potentially – senior actuaries) more accountable for their individual performance, companies themselves face penalties for failing to meet their obligations under the BEAR, or whatever threatening-sounding acronym is created for the insurance and super sectors. In short, the consequences of failing to properly identify, assess and mitigate risks, especially non-financial risks, are higher and potentially more expensive than they have been for many years.
Time to act-uary
In such a high risk environment, the role of the Appointed Actuary becomes more crucial to protect both the interests of the institution and its customers. Unfortunately, APRA has held concerns over recent years that the influence of the Appointed Actuary has been downgraded in many financial institutions. Rather than acting as an independent voice of wisdom and challenge on the most material concerns facing institutions, we were receiving feedback that Appointed Actuaries were being worn down by compliance obligations. Turnover was increasing, tenure was declining, as was seniority, as the role got pushed ever further down the corporate hierarchy.
To address our concerns about the potential flow-on effects for risk management, APRA embarked on a consultation in 2016 to streamline and sharpen the role of the Appointed Actuary in general and life insurers. Midway through the consultation, we expanded the scope to include private health insurers, recognising that many of the issues existed in all three sectors, and that there were benefits in harmonising the prudential requirements in a new cross-industry standard.
The outcome was the new prudential standard CPS 320, which takes effect from 1 July. One of the most important parts of the new standard is its purpose statement which guides the role and its relationship with the Board and senior management. It states that the purpose of the Appointed Actuary is to ensure that the board and senior management have “unfettered access to expert and impartial actuarial advice and review”. With that in mind, APRA has designed the new standard to ensure the voice of the Appointed Actuary is appropriately prominent in institutions, and able to act as a trusted advisor to the board. Other provisions in CPS 320 are aimed at giving Appointed Actuaries the flexibility to work with insurers to design a framework for obtaining actuarial advice that suits their business. We want Appointed Actuaries to have the discretion to delegate so they can focus on the most relevant matters, and not be weighed down by a tick-box approach of considering a set list of matters specified in a prudential standard.
Although an important step in reinforcing the status of Appointed Actuaries, a prudential standard can only do so much. APRA has provided the platform and handed over the microphone; actuaries need to turn it on and speak up. To be truly effective, actuaries must be prepared to probe, test and challenge boards and management about the wisdom of their decisions, and potential risks they may not have fully considered. Vitally, actuaries need the ability to do this beyond the realm of traditional financial risks. We want them to broaden their thinking about what constitutes a financial risk into areas such as culture, governance, remuneration and consumer outcomes. This applies not only to Appointed Actuaries, but all actuaries, and across all APRA-regulated industries.
A reflexive reaction may be to argue that we’re asking actuaries to go beyond their training and expertise. That’s not the case. APRA doesn’t expect actuaries to be running their eye over marketing campaigns, signing off on board appointments or conducting staff surveys seeking signs of a poor culture. We understand that actuaries are focused on numbers, but numbers can tell a story beyond simply profit or loss. If a particular policy that your insurer sells pays out less than 20 cents in the dollar of premium raised in claims, what does that suggest to you about the value for money that policyholders are getting? If your life insurer is taking an average of eight months to pay death cover claims, or accepting only one in four total and permanent disability claims, does that raise alarm bells for you? We don’t expect actuaries to always know what the precise story behind the numbers is, but we do believe they need the nous to recognise there may be a problem, and the courage to push boards and senior executives to examine and address it.
I’ve personally seen this kind of actuarial influence in action. In my previous role at Treasury, I worked closely with the Australian Government Actuary, and saw first-hand the invaluable contributions they were able to add to discussions around some of most vexing and contentious policy questions the country faces: retirement incomes, the impact of an ageing population on welfare and health expenditure, defence and national security.
APRA’s evolving approach
Before concluding, I’d like to provide an update on some of the work that APRA is undertaking, especially on the management of non-financial risks. This is an area where APRA has stepped up its focus in recent years, especially in the wake of the global financial crisis as it became clear that poor culture and a lack of accountability were major drivers of the downturn. Last year we released a review of executive remuneration practices at large financial institutions
, and we will shortly follow that up by releasing draft changes to the prudential framework to strengthen the management of that issue. You can expect it to propose longer vesting periods, greater scope for malus or clawback, and less focus on short-term financial metrics in setting variable remuneration, as part of our efforts to ensure incentives are appropriately structured and there are meaningful consequences for individuals when poor outcomes arise.
Our new Information Security prudential standard, CPS 234, takes effect from 1 July to shore up entities’ resilience against the risk of cyber-attack, and we will shortly be releasing updated prudential guidance in this area. We’ve stepped up our supervisory focus on the management of climate risk, and we intend to review our cross industry governance and risk management standards this year to ensure they encourage a sharper focus on non-financial risks. We have also started looking at how to refresh our guidance to superannuation licensees around environmental, social and corporate governance.
On the Royal Commission, we continue to gather evidence on each of the 12 referrals to APRA, and expect to be able to make an assessment on the merits of further action in coming months. With respect to the 10 recommendations which fall within APRA’s responsibilities, we released the first proposed policy changes – in relation to land valuations, particularly for agricultural land – in March. Other actions remain on track against the action plan for each recommendation that we published in the week after the Final Report was released.
APRA’s heightened focus on the management of non-financial risks does not in any way diminish the responsibility that boards and management have for the performance of the companies they oversee. APRA will not be determining what executives get paid; we will not be dictating what companies’ corporate culture should be, or prescribing the composition of their board. Our role is to ensure the companies we supervise have effective systems and frameworks in place that optimise their ability to meet the financial commitments they make to their customers. And like a good actuary, we intend to continually challenge boards and executives to ensure the standards they aspire to are being met in practice, and unnecessary risks avoided.
A higher standard
In the course of preparing this speech, I went back and read the June 2016 discussion paper that accompanied APRA’s consultation into the role of the Appointed Actuary. The opening paragraph of the executive summary states: “The Appointed Actuary plays an important role by providing independent, expert advice to boards and senior management on the key financial risks facing an insurer”.
Three years on that statement might seem slightly antiquated, with no reference to the non-financial risks that have caused such damage to trust, reputation, profits and share values. But as I have said, the term “non-financial risk” is arguably misleading; a failure to quickly identify, assess and mitigate against these risks – be it misconduct, weak governance or just poor customer service – can become prohibitively expensive. Just as APRA has needed to evolve its approach and update the prudential framework to put greater emphasis on issues of culture, conduct, governance and accountability, so must the entities we regulate. Newly empowered by CPS 320, Appointed Actuaries can play a key role on taking a broader of view of what represents a financial risk, but all actuaries can benefit by adopting this mindset.
In an environment where financial entities face sharper scrutiny and steeper penalties for mistakes, actuaries must find the story behind the numbers, ask boards and management the difficult questions, and be prepared to challenge them if dissatisfied with the answers. Speaking out is not always easy, and a dissenting voice is not always welcome; actuaries’ may find their louder voice is occasionally jarring for those whose decisions they question. Where actuaries need the courage to speak up, the companies they work for need the wisdom to listen, and the foresight to act when new risks are presented. The numbers always tell a story, and it is far safer – and less costly – if it is uncovered by an Appointed Actuary than an investigative journalist or a regulator with an enhanced appetite for enforcement.