Skip to main content

The importance of good governance

Wednesday 27 February 2013

John Laker, Chairman - Australian British Chamber of Commerce, Melbourne

I am pleased to make a return appearance before the Australian British Chamber of Commerce, my third since the global financial crisis erupted.

My two earlier appearances, both in 2009, came in the wake of the global market turmoil triggered by the failure of Lehman Brothers. Though the deepest gloom was lifting, the tone of my remarks at that time was cautious and cautionary. That tone was right, since the crisis had further episodes in store. Indeed, bouts of severe market volatility have continued up to the latter part of 2012, when eurozone tensions, concerns about the US fiscal outlook and faltering growth in the US and Chinese economies weighed heavily on sentiment.

At this moment, we seem to be in somewhat calmer waters. Sentiment in global financial markets has improved and the sense of relief that the global economy negotiated 2012 without major mishaps — when many threatened — is almost palpable. APRA’s caution remains, nonetheless. Global markets have been buoyed by the assertive stance of monetary policy in major economies and by some positive policy commitments. Ultimately, however, outcomes matter most. Until there is firm progress in repairing public finances and banking systems in Europe and putting the US fiscal accounts onto a sustainable footing, market setbacks cannot be ruled out.

In my earlier appearances, I could not help but contrast the performance of the Australian and United Kingdom economies and banking systems during the crisis. I wish I could say that the gap in performance has since closed. Not so! The UK economy is facing the spectre of a ‘triple-dip’ recession, significant parts of the UK banking system remain in public ownership, and community confidence in UK banks has been further dented by the unfolding LIBOR scandal and more revelations about the mis-selling of financial products.

The global regulatory response to the crisis has, as we all know, been comprehensive and aggressive. In the areas of particular interest to APRA — bank capital and liquidity standards and executive remuneration — global reforms have now largely moved into the implementation phase. Indeed, I believe we are over the hump of reforms to the prudential regime in Australia. That is not to say that our policy team will not be very busy for some time to come. Of the global reforms, APRA still needs to conclude its consultations on the new Basel III liquidity and funding standards and develop a framework for domestic systemically important banks and, possibly, insurers. But beyond these and some domestic initiatives, APRA has no major prudential reforms up its collective sleeve.

Even so, the topic of regulation continues to fill the column inches in media and industry commentary. Recent revisions to the Basel III liquidity standard by the Basel Committee, for example, attracted a double-page spread in our financial press. We welcome this scrutiny, but it can reinforce the impression that regulation is still the ‘main game in town’. It is not.

Yes, global regulatory frameworks before the crisis were inadequate and were not applied consistently in major economies. And some supervisory agencies were not as effective as they would have wanted to be. But a focus on regulation and supervision alone cannot answer one fundamental question. Why within many individual jurisdictions, where the regulatory framework was uniform and the supervisory approach common, did some financial institutions fail or need public rescue, some come close to the brink but many others weather the storm and continue to operate profitably?

Part of the answer is differences in business models. But a significant part, surely, must be differences between institutions in the quality of their corporate governance.

A board of a financial institution has the ultimate responsibility for setting the institution’s overall strategy, determining its risk appetite and overseeing the management and control of risk within that appetite, and ensuring there is a robust decision-making process with appropriate executive talent in place. When a board does not exercise that responsibility astutely, the consequences for the institution can be severe —poor strategic decisions, excessive risk-taking, substantial losses, and financial failure. Ineffective governance is as much, if not more, the story of the crisis as are inadequate regulation or supervision. As the UK Financial Services Authority noted:

‘The crisis exposed significant shortcomings in the governance and risk management of firms and the culture and ethics which underpin them. This is not principally a structural issue. It is a failure in behaviour, attitude and in some cases, competence.’[1]

Not surprisingly, much of the energies of supervisory agencies are now being devoted to promoting more effective governance in financial institutions. Around the globe, supervisors are:

  • increasing their level of engagement with boards;
  • developing a better understanding of board dynamics and the effectiveness on governance arrangements; and
  • heightening their expectations of boards, particularly in the governance of risk.

This work is being carried on largely behind the scenes, as part of supervisors’ more intensive interactions with institutions, and with little attendant publicity. It has been given impetus lately by bodies such as the Financial Stability Board, the Group of Thirty and, in banking, the Basel Committee on Banking Supervision. Unlike bank capital and liquidity, there is no single set of global principles and standards for governance arrangements and there is wariness about trying to capture desirable behaviours in formal regulations. That said, the Financial Stability Board has just released a list of sound risk governance practices that are intended to serve as guidance on the journey towards more effective governance.[2]

This journey is the subject of my address today.

Corporate governance failings in the crisis

Let me start with a brief overview of the key governance failings identified in some major global financial institutions during the crisis. These failings have naturally shaped the lines of response by supervisors.

A number of reviews and studies have now been published on this topic. Official bodies, supervisory agencies and government enquiries have probed the failings in general and in specific cases, often with a view to strengthening domestic governance standards or guidance. The Group of 30 and some industry associations have drawn on their members’ experience in their valuable contributions. And the boards of some major international banks have themselves released frank post mortems, including one by a major US bank into its recent trading losses.

A number of themes emerge from these various reports.

The first theme is the professionalism of the board. Many boards simply lacked the financial industry experience and understanding of market complexities needed to ensure they could perform their fundamental role of independent and objective oversight. In some cases, non-executive directors were not sufficiently empowered — due to inadequate skills, technical expertise or confidence — to challenge a dominant or ‘imperial’ chief executive officer (CEO) pursuing aggressive growth strategies. That dominance may have been reinforced by the longer tenure of some CEOs compared to that of board members. And some non-executive directors were not able to dedicate the time necessary for good governance of a large, complex financial institution.

A second theme relates to risk governance. The inability of many boards to accurately identify and understand the risks inherent in their businesses — particularly in new, highly complex financial products — and ensure there were robust structures for managing and reporting on these risks, is seen as the main governance failure leading to the crisis. In some cases, boards did not clearly define, or define at all, the degree of risks they were prepared to assume in pursuing their strategic and business objectives. Their risk appetite was vague. In other cases, the risk management function lacked the stature, authority and independence to challenge the business areas; the function’s accountability and lines of reporting to the board were not clear; and risk committees — where they did exist — did not have adequate experience or independence from management. An unhappy litany of shortcomings!

A third theme, and integral to the effectiveness of risk governance, concerns the flow of information to the board. The lack of timely, relevant and comprehensive risk information was often a critical weakness. There might have been too much information — voluminous and detailed reports that could not be easily digested by the board — or too little, with reports out of business silos without an enterprise-wide perspective. In some cases, information was heavily filtered through the management hierarchy and reached the board late and/or distorted. Whatever the reasons, some boards did not have a holistic view of the risk exposures of their institution and, hence, were unable to recognise the warning signs. A potentially fatal ‘wood for the trees’ problem.

A fourth theme relates to values and risk culture. These are more amorphous concepts but, as the Group of 30 has noted, they are a fundamental aspect of a governance framework:

‘Values and culture drive people to do the right thing even when no one is looking … Although value and culture cannot always be measured quantitatively, they impact governance in powerful ways.’[3]

In some high-profile cases, the risk culture was not consistent with the risk appetite of the board or with the personal values they expected of their staff. A poor risk culture can manifest itself in a number of ways. It can be seen in a lack of understanding of or respect for risk and for the risk management function, in a lack of candour in the relationship between board and management, particularly when bad news needs to be shared, in headstrong front-office leaders always looking to push the risk control boundaries, or in a risk mentality in business areas that passes the ownership of risk to the risk management function or internal audit. Business areas must be the owners of risk. Some well-intentioned boards may have thought they had set an appropriate ‘tone at the top’ for their institution only to learn too late that the ‘tone at the bottom’ was poor.

For completeness, I would add that poorly designed executive remuneration arrangements have also been identified as a key governance failing in the crisis. That is a large subject in itself and not one for my remarks today.

The promotion of more effective governance

These various governance failings have obviously been a ‘call to action’ for supervisory agencies around the globe. Some of their responses will, if not already, reflect in enhancements to prudential requirements or guidance on governance. However, this is an area where more intensive supervision, rather than regulation, will deliver better outcomes. Supervisors have raised the bar, in particular, for the risk management function and the overall risk governance framework and are pressing boards for progress.

Let me give you a flavour of the broad lines of supervisory response, drawing on the valuable peer review report just released by the Financial Stability Board[4] and commenting as I go on the implications for APRA’s approach to governance.
To be fair, it is important to note that many major global financial institutions have not been waiting to be prodded by supervisors. Spurred by the crisis, they have taken substantial steps to improve their risk governance practices that go well beyond national prudential guidance. That is the discipline of shareholders, investors, and industry associations at work.[5] Directors’ institutes have also been active in promoting the education and training of directors. Here, I am pleased to acknowledge the extensive and world-leading programs of the Australian Institute of Company Directors and its recently expanded compulsory professional development requirements.

The first area of supervisory focus is the structure and membership of boards and their committees.

General requirements or guidance on board structures — with an emphasis on independence — are quite common. So too are specific skills requirements for directors. Requirements for a permanent audit committee are also longstanding. However, only a few supervisory agencies have had formal requirements for a stand-alone board risk committee and a tightening of requirements in this area is underway globally.

Beyond structures, however, supervisory agencies want to better understand the actual workings of the board. They want to see the collective skills and experience of the board in action, the independence of mind and spirit — not just form — contributed by directors, and the quality of board deliberations. They are particularly interested in the balance of authority between the board and management — that is, the strength of the board’s ‘constructive challenge’. Gaining this understanding will involve more frequent meetings with boards, chairs of board committees and other key directors; analysis of board papers and minutes; and reviews of board self-assessments of performance. For a few agencies, it has involved supervisor attendance at regular board meetings.

APRA already has requirements on board composition, board renewal and board performance assessment in its prudential standard on governance. These requirements were the source of lively debate when first proposed and we do not intend to revisit them; they have served Australia well before and during the crisis. However, we will consider the need to add requirements for an independent board risk committee. Our major regulated institutions have such committees and a prudential requirement would underpin this good practice. As I will discuss later, APRA too has stepped up its engagement with boards, but short of attending regular board meetings as an observer. Not our normal style!

Some supervisory agencies have also become more deeply involved in assessing the quality of individual board directors and key executives. Some require prior supervisory approval of appointments and the UK Financial Services Authority now interviews candidates for significant influence functions in major financial institutions, including the chairs of the board and of its risk and audit committee. From what we hear, these interviews are robust and not all candidates make the cut. We understand the motivations of our UK counterparts, who are seeking to address what they saw as a lack of technical competence in some key board positions. However, APRA will not be going down this same path. Such appointments are the prerogative of the board and shareholders. Nonetheless, under our ‘fit and proper’ standard, we retain a right to intrude on that prerogative if we have concerns about a particular appointment, and powers to act if our concerns fall on deaf ears.

The second area where supervisory focus has become more intense is the risk management function. Here, supervisory agencies have clearly raised their expectations. They want a strong, independent risk management function that covers risks across the entire institution and has the stature, skills and authority to ensure risk-taking remains within the board’s risk appetite.

Let me start with the risk appetite framework. A well-considered risk appetite statement approved by the board is at the core of risk governance. It sets the tone for the risk culture of the institution. This key tool is still under development globally, hampered somewhat by a lack of common terminology. Supervisory agencies expect a comprehensive risk appetite statement that is fully consistent with the institution’s strategy and capital planning, that establishes risk limits that can be understood, measured and managed, and that links risks to rewards. The risk appetite framework needs to be cascaded through the institution and embedded in its risk culture. This requires timely and open communications, clarity about how actions will be assessed, risk education programs and manuals, and performance and compensation incentives that are risk-based. Nominating risk ‘leaders’ throughout the institutions can also be useful. All in all, though, it can be a challenging task for institutions.

APRA itself has been active on the issue of risk appetite. We had earlier identified a need for significant improvement in industry practice in this area; some institutions lacked a clear board risk appetite statement or even an understanding of the concept. Boards are now getting more involved and the quality of risk appetite statements is improving. However, much work remains to be done, particularly in ensuring there is a clear linkage between an institution’s risk appetite and its risk, capital and operational management.

Globally, improvements are also being sought, and achieved, in the governance of the risk management function. Supervisory agencies expect that function to be independent of business lines, to report and have direct access to the board risk committee or board, and to have the ability to clearly influence risk-taking within the institution. The function must be an effective counterweight against overheated ambitions but not a dead weight on sensible business decisions. Adequate resourcing and skills are required to get this right. APRA does not have prudential requirements covering all aspects of risk governance but it has the same set of expectations. And, as I discuss later, assessing the independence and effectiveness of the risk management function is central to our supervisory reviews of institutions.

The authority of the risk management function, these days, often reflects the stamp of the chief risk officer (CRO). One welcome improvement spurred by the crisis has been the much more general establishment of a CRO role with group-wide responsibility for risk management. That role should be distinct from other executive functions (no ‘dual hatting’), should have a direct reporting line to the CEO rather than another business unit, and should also have unfettered access to the board. The board would be expected to approve the appointment, remuneration and dismissal of the CRO. Personal attributes are likely to contribute most to elevating the stature of the CRO within the institution — the appointee’s business acumen, visibility in the institution, power to persuade and, when necessary, the courage and conviction to confront excessive risk-taking. Again, APRA has no specific prudential requirements for a CRO position though this issue is on our agenda.

The third area of supervisory focus is the independent assessment of the risk governance framework.

Boards need assurance that the risk governance framework they have endorsed, and the internal controls and oversight processes that support it, are working as intended. That assurance must be independent of business units and the risk management function. Supervisory agencies have well-established expectations for the independent assessment of internal control systems by internal audit or by third parties. However, such assessments tend to be compliance-focussed. Supervisors to date have not generally expected internal audit (or a third party) to periodically provide an overall opinion on the adequacy and effectiveness of the risk governance framework. Yet, such an opinion is now being viewed as better practice by some supervisory agencies and financial institutions. Nor do supervisors generally expect internal audit to opine on whether an institution’s risk governance processes are keeping pace with trends and/or align with best practices.

This is an area where supervisors may need to bring their expectations into line with emerging industry practice. APRA itself has explicit expectations in this area in the case of insurers, and will be looking more generally at ways to strengthen the independent assessment process.

A final — but most elusive — area of supervisory focus is values and risk culture. This is obviously a challenging area for supervisors, taking them from the familiar territory of the so-called ‘hardware’ of governance (structure and processes) to the ‘software’. However, it is territory of vital important to boards. If the crisis and subsequent scandals have demonstrated one thing, it is that society expects the highest ethical values from institutions that deal with others’ money and enjoy the benefits of prudential supervision. To rebuild public confidence, some major international banks have been revisiting and restating their values and purpose. One can only imagine how different the destiny of some institutions might have been if their statement of values had required them to set, and pass, two simple tests:

  • Do the financial products they provide meet a genuine customer need?
  • Would the customer buy the products if they had the same knowledge as the institution?

There are some metrics available to boards, and supervisory agencies, to give a reading on risk culture. These include the number and frequency of limit breaches, the number of risk issues that are self-reported, the number of problems identified by internal audit and the number that are not being closed, and the results of employee surveys. The views of external auditors can also be sought. However, there is really no substitute for getting to know how the risk culture of the institution plays out in its day-to-day operations. For supervisors, that will inevitably mean spending more time in institutions at the working level. And supervisors will need to be imaginative. One of our European counterparts has hired a small team of psychologists to assist in assessments of board dynamics and risk culture and the team, we are told, is earning its keep!

APRA’s assessment of risk governance

APRA is part of global efforts to promote more effective governance in financial institutions. One of our senior executives participates in a Financial Stability Board working group on the topic. APRA can contribute from a solid base. Broadly speaking, the institutions we supervise have sound boards and risk management systems. Obviously, Australia’s crisis experience supports this judgment: good governance has been one of the silent strengths contributing to the enviable performance of the Australian financial system. Not every strategic decision or commercial foray has proved right, but boards of our larger institutions in particular have generally provided clear and effective leadership on risk.

More persuasive for APRA are the findings of our own detailed assessments of boards and risk governance, which are essential inputs into our risk-rating of individual institutions. As some of you may know, some years ago now APRA developed two key supervisory tools — our Probability and Impact Rating System (PAIRS) and our Supervisory Oversight and Response System (SOARS) — to ensure that risks are being assessed rigorously and consistently across APRA and that our supervisory response is targeted and consistent. The risk-ratings from the PAIRS system act as an early warning of emerging distress and feed directly into our SOARS system, which provides for a measured series of supervisory responses stepping up in intensity.

The starting point in our rating process is an assessment of the quality of the board and of risk governance. The first focuses mainly on structural matters, the second on behavioural matters. To be rated ‘low risk’ on board quality, a board would need to go well beyond minimum prudential requirements to demonstrate, inter alia, that:

  • directors are of high quality and, as a group, have an appropriate skill set for that institution;
  • its ‘fit and proper’ policy is robust, properly applied and regularly reviewed;
  • the right balance of authority is struck between independent directors and
  • executives to ensure that board decision-making is well-informed and objective; and
  • any conflicts of interest at the board level are appropriately managed and no one person, or group, dominates board discussion.

Our ratings are based on supervisory reviews of a board’s appointments process, any self-developed skill matrix (which many boards maintain), its fit and proper policy and its own performance assessments. Reviews of board minutes can confirm the proper functioning of conflict of interest procedures and can provide a clue about dominant directors, who might be prevalent in the minutes as key decision-makers. Face-to-face discussions with boards also give valuable insight into board dynamics and whether the CEO clearly works to the board, not the reverse.

The distribution of our supervisors’ ratings for boards across all APRA-regulated industries is shown in the first graph. The PAIRS ratings scores range from zero to four. A rating below one would be deemed low risk; between one and two is medium risk; between two and three is high risk and three to four is extreme risk. Since no two financial institutions have the same risk profile, we would expect a spread of risk ratings, and there is. There are a number of institutions with very effective board structures. The median rating is 1.2, at the lower end of what we call an ‘adequate’ range of 1.1 to 1.5. The term ‘adequate’ means that this aspect of the business is meeting our minimum expectations and, I would add, our supervisors are conservative in their ratings. The outliers at the extreme risk end of the graph are a small number of institutions undergoing restructuring.


Graph 1: APRA’s rating of boards (31 December 2012)

To be rated ‘low risk’ on risk governance, a board would need to demonstrate, inter alia, that:

  • it is providing clear direction and leadership for the institution, evidenced in a clearly articulated risk appetite statement, risk management strategy and overall business strategy;
  • effective reporting, with metrics showing performance against board policies, flows up to it regularly;
  • the risk appetite framework is clearly embedded in the institution;
  • the board promotes, through both actions and words, an organisational culture that expects integrity and a prudent approach to risk; and
  • there is a strong and independent compliance framework and internal audit function.

In this area, our ratings are based very importantly on our on-site reviews, as well as on reviews of board papers and minutes. This ‘tyre-kicking’ gives insights into the quality and effectiveness of reporting to the board, including from board committees; the level of management oversight and follow-through of issues raised by the board; the escalation of issues from internal audit; and whether compliance issues — bad news and good — are raised in a timely fashion.

Our supervisors also review relevant documentation on the risk management framework. Here, a degree of healthy scepticism is necessary. One of my senior supervisors commented that he had yet to read a risk management strategy that failed to give a warm inner glow. What counts is how that strategy is put into effect. What marks out a good board is its activism in embedding a strong risk culture throughout the institution. Behaviours, not structure.

The distribution of ratings on risk governance is shown in the second graph. The ratings are not quite as strong as those for the board. The median score is 1.5, at the more risky of the ‘adequate’ rating, and there are more institutions with a rating above 2. This is confirmation that APRA has indeed raised its expectations for risk governance and there is more work to be done.


Graph 2: APRA’s rating of risk governance (31 December 2012)

Concluding comments

Those last words echo the global view. In its November 2012 report to the G-20, the Financial Stability Board noted that ‘… weak risk controls at financial institutions are still being witnessed and there remains room for improvement in supervision to ensure that it is effective, proactive and outcomes-focussed’.[6]

To sum up, APRA’s commitment to promoting good governance is likely to mean some enhancements to our prudential requirements, mainly to make our expectations for the risk management function more explicit. Beyond that, we will be getting more ‘up close and personal’ with boards and key risk management personnel. APRA already has extensive engagement with its institutions and that would typically include, in the case of our largest institutions, one to three meetings a year with the board and its risk, audit or remuneration committees. In its list of sound risk governance practices, the Financial Stability Board has recommended that the board meet with the supervisor, either individually or as a group, at least quarterly.

Like a good guest intending to visit more often, we will be bringing something to the table. We are conscious of industry concerns that APRA’s requirements for boards may be too detailed and onerous, and require board involvement in areas that many would see as the preserve of management. We will be responding to those concerns where we see them as valid. We intend to develop an ‘information pamphlet’ for distribution to new (and current) board members. It will give a concise and plain-English view of what APRA expects of board members in their oversight of prudential matters. We also intend to undertake a stock-take of our existing requirements for boards and assess whether they are consistent across industries and whether there are any that are unreasonable, cumbersome or unduly onerous. In short, are boards being asked by APRA to do too much, too often? Conversely, as the bastions of risk culture, are they being asked to do the right things, often enough?

We will, in the usual way, consult with interested parties on any changes that may follow from this stock-take. Our motives will be clear: reinforce good governance but minimise any ‘box ticking’ so that boards and supervisors can direct their focus where it is most appropriate — on desirable values and behaviours implemented by strong management teams.



  1. Sants, H, Delivering effective corporate governance: the financial regulators role, Speech at Merchant Taylors’ Hall, April 2012.
  2. Financial Stability Board, Thematic Peer Review Report on Risk Governance, February 2013.
  3. Group of Thirty, Toward Effective Governance of Financial Institutions, Washington, 2012.
  4. See footnote 2.
  5. See, for example, the Institute of International Finance, Governance for Strengthened Risk Management, October 2012.
  6. Financial Stability Board, Increasing the Intensity and Effectiveness of SIFI Supervision, Progress Report to the G-20 Ministers and Governors.

The Australian Prudential Regulation Authority (APRA) is the prudential regulator of the financial services industry. It oversees banks, credit unions, building societies, general insurance and reinsurance companies, life insurance, private health insurers, friendly societies, and most members of the superannuation industry. APRA currently supervises institutions holding $6 trillion in assets for Australian depositors, policyholders and superannuation fund members.