The Australian Prudential Regulation Authority (APRA) today released an information paper that provides a snapshot of current practice in risk culture in a range of banking, insurance and superannuation businesses.
Risk culture is the influence of organisational culture on how risks are managed in an organisation. It is how staff identify, understand, discuss and act on the risks an organisation confronts and takes. All organisations have a risk culture regardless of whether it is actively considered or managed.
The paper released by APRA today notes that while there has clearly been a stronger focus on risk culture in recent years amongst APRA-regulated institutions, continued effort and ongoing attention are required by institutions to better understand and manage their risk cultures.
APRA began an information gathering exercise in relation to industry practices on risk culture in late 2015, and in the paper released today finds that:
- approaches to understand and manage risk culture are at a relatively early stage of development; and
- many institutions are grappling with how best to:
  - clearly articulate what type of risk culture they aspire to;
  - identify any specific weaknesses in their current risk culture; and
  - effectively address those weaknesses.
Underpinning much of this work has been APRA’s Prudential Standard CPS 220 Risk Management, which came into effect on 1 January 2015. Amongst other things, CPS 220 requires each Board of an authorised deposit-taking institution (ADI) or insurer to form a view of the risk culture in their institution, identify any desirable changes to that risk culture, and ensure the institution takes steps to address those changes.
APRA Chairman Wayne Byres said that although the findings released today show there’s been a welcome focus on improving risk culture in recent years, it’s critical that industry sustain its focus on strengthening risk culture.
‘It’s the responsibility of each institution’s leadership – led by their CEO and supported by their Board of Directors – to ensure they have a sound risk culture that supports its ability to operate in accordance with its strategy and risk appetite. This is not an easy task, but nonetheless it is critically important for an institution’s long-run health,’ Mr Byres said.
‘APRA cannot regulate sound risk culture into existence. However, APRA will apply greater supervisory intensity to institutions that are either unwilling or unable to address behaviours that are inconsistent with prudent risk management practices.’
APRA will also continue to work to identify practices that are associated with sound, and less sound, risk cultures, and share these observations with regulated institutions and other stakeholders. As part of its increased focus in this area, APRA will also commence a review of remuneration policies and practices among its regulated institutions and examine how these interact with risk culture.
The Information Paper Risk culture is available on APRA’s website.
Q: What is risk culture?
A: Risk culture is the influence of organisational culture on how risks are managed in an organisation. It is how staff identify, understand, discuss and act on the risks an organisation confronts and takes. All organisations have a risk culture regardless of whether it is actively considered or managed.
Q: Who is responsible for the risk culture of an organisation?
A: It is ultimately the responsibility of each APRA-regulated institution’s CEO and senior executives to establish a sound risk culture, supported and overseen by their Board of Directors.
Q: What are the other findings from APRA’s information gathering exercise on risk culture?
A: In addition to the findings listed above, other findings from APRA’s information gathering exercise on risk culture are:
- most APRA-regulated institutions’ efforts have focussed on understanding and assessing the current state of risk culture;
- less progress has been made to define a target state of risk culture;
- approaches to understand and manage risk culture varied by institutional size, business mix and complexity;
- larger institutions noted that their size and complexity introduced additional challenges, particularly regarding the greater prevalence of sub-cultures — as a result, their efforts were often segmented, typically by geography or business unit; and
- all institutions were in agreement on the central role of leadership in shaping and driving both organisational and risk culture.
Q: What action will APRA take against its regulated institutions with poor risk cultures?
A: APRA’s existing requirements on risk management (Prudential Standard CPS 220 Risk Management) require Boards of ADIs and insurers to form a view of the risk culture in the institution, identify any desirable changes to risk culture, and ensure the institution takes steps to address those changes. APRA will apply greater supervisory intensity to institutions that are either unwilling or unable to address behaviours that are inconsistent with prudent risk management practices.
Q: Why has APRA decided to review remuneration practices?
A: Remuneration frameworks, and the outcomes they produce, are important barometers and influencers of risk culture. APRA intends to review current industry remuneration policies and practices to gauge how well existing requirements in Prudential Standard CPS 510 Governance are being implemented, and how they are interacting with the risk cultures of regulated institutions. This will include reviewing the remuneration arrangements and outcomes for some senior executives, risk and control staff, and material risk takers at a sample of institutions.