APRA Executive Director, Superannuation Division, Suzanne Smith - Speech to the ASFA Spotlight on Risk & Compliance event

Building a culture for success
 

Good afternoon, and thank you for the opportunity to provide an APRA perspective on conduct, culture and “what good looks like”.

It’s a timely conversation to have. As the outline for this session makes clear, instances of workplace misconduct have rarely been more high profile in the media and general public discourse than the past few months. The financial sector has not been exempt from this debate, while the Royal Commission also aired plenty of examples of misconduct where APRA-regulated entities were squarely culpable for poor behaviour.

A single serious accusation of misconduct can cause immense damage to an organisation’s reputation, eroding public trust, deterring customers and investors, or attracting financial penalties such as fines. That in itself is a prudential risk. APRA’s chief concern when it comes to misconduct, however, is what it says about an institution’s culture, and whether that culture potentially enables or even encourages damaging behaviour. 

In recent years, APRA has stepped up its focus on transforming governance, culture, remuneration and accountability across our regulated entities with a view to rectifying sub-standard industry practices. While general organisational culture is of interest, our primary focus is risk culture, which refers, in simple terms, to an entity’s attitude to risk management. This stronger emphasis on risk culture has seen APRA take enforcement action against several of the country’s biggest banks and insurers, including capital and liquidity penalties and enforceable undertakings. 

As with banking and insurance, the superannuation sector also has more work to do. Building on the risk governance self-assessments of 2018/19 and the recent Supervisory Risk and Intensity (SRI) assessments undertaken by APRA supervisors, we have found superannuation funds present a number of concerns. These include instances of immature risk cultures, an approach to risk management that has not kept pace with the growth and maturity of the organisation, sub-optimal board compositions including the lack of specific trustee capabilities, and conflicts of interest.

Supervising risk culture

In reaching those conclusions about risk culture in superannuation, APRA doesn’t look at any one measure. Instead, we assess trustees against 10 different factors using a framework we refer to as the Risk Culture 10 Dimensions. In answering the question – “What does good look like?” – I will now take you through what APRA wants to see in terms of conduct and culture, using the Risk Culture 10 Dimensions as a backdrop. 

The 10 Dimensions of Risk Culture are:

1. Leadership
2. Risk appetite and strategy
3. Decision-making and challenge
4. Communication and escalation
5. Risk capabilities
6. Risk governance and controls
7. Responsibility and accountability
8. Performance management and incentives
9. Shared values
10. Risk culture assessment

In the short time we have today, I have selected a few of these to cover in more detail, and will walk through what constitutes good practice and what types of behaviour give us cause for concern. 

It’s no coincidence leadership is number one on the list; nothing influences an institution’s risk culture more than the words and actions of its board and senior executives – the tone from the top. Organisations that do this well have strong role models who champion the importance of risk culture and ensure good risk management is embedded across the business. They also have leaders who regularly monitor risk culture and take effective actions to address identified weaknesses, deal proactively with poor risk outcomes and aim to mitigate risks from manifesting. 

On the flip side, organisations that are poor on this front have leaders who are perceived as being cynical of good risk management practice, don’t genuinely portray the importance of risk management and who don’t “walk the talk” – that is, they might say the right thing in meetings but what happens in the day to day is a different matter.

Another critical element of risk culture is decision-making and challenge, which refers to the willingness to give and receive constructive challenge across the entity. Here we are looking to see whether decision-making is dominated by one individual or a small group of individuals. Our supervisors will be assessing if risk is recognised as a critical part of the decision, or whether the voice of risk is silenced. We also expect to see that staff are encouraged and feel comfortable giving constructive challenge on decisions, are given feedback and that decision-making shows respect for differing viewpoints.

Conversely, in organisations that are immature on decision-making, we are likely to see little evidence of challenge being encouraged or well-received, and where a lack of openness is apparent. On a related note: if someone in your entity contacts APRA or ASIC as a whistle-blower, it’s worth considering why they felt unable or unsafe to do so through your own internal complaints-handling processes.

An organisation’s attitude to inclusion and diversity can be a key factor in creating a culture where everyone feels safe to speak up. In a supervision context, APRA considers this through the dimension of communication and escalation, which speaks to how well risk issues are openly communicated across regulated entities, and whether people feel safe to speak up without fear of retribution.

It is critical that responsibility and accountability for risk are clearly understood and discharged across the three lines of defence to foster an effective risk culture. Core to this is individuals taking personal ownership of risk. APRA gets concerned when we see evidence of individuals who avoid taking responsibility for risk in case they are blamed if something goes wrong, where individuals are not held accountable when things do go wrong, where issues drag on with no attempt to identify underlying causes, and where accountabilities for risk are not defined across the entity. 

The introduction of the Financial Accountability Regime (FAR) will be an important lever in bringing greater transparency to those accountable in superannuation, and something trustees should be thinking about now in readiness for its implementation. APRA recently had a look at how the BEAR, the pre-cursor to FAR, had been implemented in three major Australian banks. It found that, in addition to greater clarity of individual accountabilities, it had sharpened challenge by boards on actions taken by accountable persons to meet their obligations. It also led to more targeted engagement between APRA and the entities to deliver prudential outcomes.

It is essential that an individual’s behaviours are aligned with the entity’s espoused values around risk management, which we assess through the dimension of shared values. Here we are looking to understand the “echo from the bottom” demonstrated through the myriad of day-to-day decisions made within the business. Our goal is to assess whether the values of the entity are well-articulated and sound, and if there is evidence of active consideration of these values when decisions are made.

In terms of what good looks like, we expect to see values being lived throughout the entity, where time and effort is spent by people to refresh and communicate shared values and that the values are maintained, even in periods of significant growth or crises. Simply posting a set of values somewhere on an intranet, or putting up a motivational poster on the wall, is some distance from best practice in this area.

The final dimension I will cover is performance management and incentives, which is also timely given the recent release of draft prudential guidance related to our forthcoming cross-industry standard on remuneration. This new standard should lead to stronger incentives for individuals to proactively manage non-financial risks, and appropriate financial consequences where material risk incidents have occurred. It should also lead to increased transparency to drive stronger board accountability for remuneration outcomes.

At its core, this dimension is about ensuring good risk management behaviour is rewarded and poor risk behaviour faces proportionate consequences. Organisations that are mature on this dimension will generally will be rewarding “doing the right thing”, including non-financial dimensions such as good risk management. They will also penalise poor risk behaviour, even when that behaviour has contributed to a good financial outcome. Signs of a weak risk culture in this area include performance objectives that don’t reference risk management or risk culture, or hiring and promotion decisions that fail to incentivise staff to demonstrate sound risk management behaviours. 

Bringing this altogether, APRA is piloting its own risk culture survey, with plans to roll it out to a number of superannuation entities in 2022. APRA will directly survey staff within entities with questions focusing on all 10 dimensions. We will discuss our findings with entities, including how they shape up against peers, so that we can help enhance and reinforce risk culture across the sector. 

Before I wrap up, I also want to note that we are working very closely with ASIC on these issues. An inadequate risk culture, and instances of misconduct, often go hand-in-hand. They are therefore of interest to both regulators. We have slightly different perspectives, and different tools to deal with issues we identify, but both of us are ultimately working to the same objective: making sure trustees have an unwavering focus on protecting and enhancing the interests of superannuation fund members. 

Setting the standard

As we have been reminded too often in 2021, people sometimes make poor decisions, motivated by a wide range of factors. While boards and trustees are ultimately responsible for creating and maintaining a culture that minimises these risks, it is not their responsibility alone.

Responding to a serious scandal in 2013, then Chief of Army, Lieutenant-General David Morrison, famously observed that “the standard you walk past is the standard you accept”. His powerful message of intolerance for bad behaviour wasn’t simply aimed at senior officers, but at every rank and file soldier, recognising that everyone has a role to play in preventing and calling out misconduct. That maxim applies in every organisation and industry, including superannuation.

A sound risk culture emboldens employees to speak up and voice concerns with their leaders. It produces better decisions by ensuring a broader range of views is considered and questionable ideas are appropriately challenged. It incentivises trustee boards and senior executives to prioritise what’s right over what’s simply profitable or expedient. In doing so, it helps to deliver better outcomes for superannuation members. In short, a sound risk culture is a recipe for success. APRA is determined to accept nothing less, and neither should you.