No room for complacency on bank risk culture
Key Points:
- Results from APRA’s risk culture survey serve as a reminder for boards and senior management that continual vigilance is needed
- Banks have undertaken a lot of work to transform governance, risk culture, remuneration and accountability practices, but now is not the time to slow momentum
- A continued and sustained focus on improving risk management practices and behaviours is required
Having a strong risk culture is recognised as critical for effective risk management, and broader organisational success and reputation. It is for this reason that APRA has focused on transforming governance, risk culture, remuneration and accountability (GCRA) in recent years. APRA’s risk culture survey represents internationally leading regulatory practice, expanding its supervisory toolkit and enabling APRA to better assess the perceived risk behaviours and effectiveness of risk management practices within participating entities and across industries.
Following the successful risk culture survey pilot in early 2021, APRA rolled out its survey to 18 authorised deposit-taking institutions (ADIs) between October and December 2021, inviting all employees in these ADIs to share their views on their organisation’s risk management practices.
Since the release of the Final Report of the Prudential Inquiry into the Commonwealth Bank of Australia (CBA) (Prudential Inquiry) in 2018, and the subsequent outcomes of the Risk Governance Self-Assessments (RGSAs), ADIs have undertaken a lot of work to transform GCRA practices, with many having implemented enterprise-wide risk transformation projects. However, the ADI risk culture survey results emphasise that regulated entities must continue to focus on lifting their risk management capabilities.
On a positive note, the survey results highlight the work undertaken to improve the communication and escalation of risk issues, as well as establishing and monitoring of desired risk cultures, as reflected in the high levels of agreement by ADI employees in those risk culture dimensions.
However, the survey results also indicate that employees think some of the tell-tale markers that contributed to the mismanagement of non-financial risks, identified by the Prudential Inquiry and visible in the RGSAs, are still prevalent today. These include instances of lack of clarity regarding risk management roles and responsibilities, and less-than-effective risk management frameworks and practices.
ADI Risk Culture Survey Results
The risk culture survey results, while an important new source of data for both entities and APRA, reflect the responses of entities’ employees and do not represent APRA’s assessment of an entity’s risk culture.
Nonetheless, for most entities, there was a clear correlation between the risk culture survey results and APRA’s supervision experience of that entity. That is, areas where employees had lower levels of agreement, for example, in a particular risk culture dimension, or a specific business unit/functional area, were often areas for improvement that had been previously identified through APRA’s ongoing supervision activities.
In total, the five largest banks (in this paper, referred to as Major ADIs) took part in the risk culture survey, along with 13 entities consisting of a mix of regional banks, foreign bank subsidiaries/branches, mutual banks, credit unions and building societies (collectively referred to as Other ADIs).
APRA sent a survey invitation to every employee at each participating ADI, amounting to approximately 165,500 invitations.
The fairly high response rates and low “attention check” failure (i.e. where respondents selected an incorrect response to an attention check question designed to assess data quality) indicate that ADI employees were highly engaged in the risk culture survey.
Figure 1 below shows that Major ADIs tended to have a lower response rate than Other ADIs. It is often the case that organisations with larger number of employees tend to have a lower response rate.
Figure 1: Average % Agreeable Results vs Entity Response Rate
Overall, Major ADIs and foreign subsidiaries/branches tended to have similar levels of agreement, while regional ADIs, credit unions, building societies and mutual banks had lower (and similar) levels of agreement across all APRA Risk Culture Dimensions. These results are likely to reflect the level of business complexity of the respective ADIs, and subsequently the maturity of risk management practices.
Figure 2: Average % Agreeable by APRA Risk Culture Dimension – ADI Type
Key risk culture survey insights
1. Executives are overconfident regarding their entity’s risk management capabilities
Effective oversight of risk, and risk management, is necessary to support appropriate risk frameworks, policies, controls and reporting.
APRA’s survey found that the perspectives of Executives about the effectiveness of their risk governance and controls were more optimistic than the views of their Legal, Risk and Compliance areas.
Figure 3: Risk management effectiveness – Executives vs Legal, Risk and Compliance
Three-quarters of Executives believed that sufficient resources had been committed to improving risk management, while Legal, Risk and Compliance employees were far less positive. This observation serves as a reminder that the critical “voice of risk” needs to continue to be heard and acted upon, particularly regarding the need for sustainable investment in risk management capability and architecture.
Matters for ADIs to consider
Lower levels of agreement from Legal, Risk and Compliance employees is a commonly observed trend. These employees have an intimate understanding of the improvements in risk management that are needed. How can ADI Executives ensure that the voice of risk is sufficiently heard and acted upon?
2. Risk management practices vary widely
The effective operation of frameworks and processes helps the board and management evaluate the risks to business strategy, the appetite for these risks, and how they are governed, monitored and managed.
Figure 4: Risk management practices across the cohort
The risk management practices across the ADI cohort varied in their perceived effectiveness and, by extension, their likely maturity. Responses to questions 1 to 3 in Figure 4 varied by 22 per cent to 26 per cent from the highest level of agreement to the lowest level of agreement. As identified by the Prudential Inquiry, effective risk management frameworks rely on adequately resourced functions. The risk culture survey results highlight a need to continue to ensure that sufficient resources are committed to improving risk management within ADIs. Question 4 in Figure 4 shows a variance of 28 per cent in levels of agreement. In addition, on average a third of respondents were unable to agree that they had adequate budget, systems, skills and capability to improve risk management.
Matters for ADIs to consider
How will ADIs ensure that risk management practices are appropriately supported (budget, system, skills, capacity) to evolve and mature, thereby improving the way risks are managed?
3. Executives are prone to blind spots
For employees to be willing to raise difficult matters, they need a psychologically safe environment and their willingness to speak up to be supported.
Executives and senior management held similar views to those of the rest of the organisation about being encouraged to escalate risk issues promptly, suggesting high levels of psychological safety. However, there was an 8% difference between executives and individual contributors (i.e. employees with no people management responsibility), both in response to questions about feeling safe to speak up, and in relation to people admitting mistakes. This highlights potential blind spots by executives and a missed opportunity for ensuring that people continue to feel safe to speak up.
Figure 5: Psychological safety – Management vs Individual Contributors
Matters for ADIs to consider
Declining levels of psychological safety among different levels within an organisation is a commonly observed trend. How can Executives encourage people across the organisation to speak up?
4. Risk management roles and responsibilities require further clarity
Being clear on risk management responsibilities in one’s role, as well as across the organisation, ensures there is end-to-end coverage and effective management of risk.
The wide variation in Executive responses regarding whether individuals in their business are clear on their risk management accountabilities (24 per cent response range between the highest and lowest level of agreement) and whether the risk management roles and responsibilities across the organisation (i.e. three lines of defence model) were well understood (42 per cent response range between the highest and lowest level of agreement), indicate this is an area where capability and practices could be improved. As noted in the Prudential Inquiry, clearly delineated responsibilities across the organisation would promote effective accountability, encouraging the prompt identification and escalation of new and emerging risk issues.
Figure 6: Risk management roles and responsibilities – Executives vs Individual Contributors
From a business unit/functional area perspective, employees in Technology had the lowest level of agreement and weren’t as confident as other parts of the ADI, such as Institutional Banking, Financial Control and Retail Banking, regarding whether there was clarity on their risk management accountabilities, or whether there was a clear understanding of what needed to be done to improve risk management practices.
Figure 7: Risk management roles and responsibilities – Business Units/Functional Areas
Matters for ADIs to consider
How are ADIs ensuring that risk management expectations are clearly communicated and implemented throughout the organisation? How are risk management responsibilities and accountabilities cascaded through the entity monitored and reported?
5. Executives and individual contributors experience decision-making and constructive challenge differently
Effective decision-making means that there is a demonstrated willingness to proactively consider diverse viewpoints and to give and receive constructive challenge across an organisation.
Figure 8: Decision-making effectiveness – Executives vs Individual Contributors
Executives and individual contributors agreed that risk management was regularly considered in decision-making. Executives also believed that leaders were appropriately challenging decisions, and that constructive challenge was encouraged in their organisation. Individual contributors experienced this differently, indicating more could be done to facilitate an environment that supports constructive challenge and diverse viewpoints within and across all levels of the organisation.
Matters for ADIs to consider
How can an ADI promote an environment in which individual contributors feel able to constructively challenge decisions?
How to use the risk culture survey results
The risk culture survey insights represent only one set of data points, at a single point in time. Using the risk culture survey results alone is insufficient for determining an entity’s risk culture – by the entity, or by APRA in its supervision of that entity.
Building a comprehensive view of an entity’s risk culture is a continual and evolving process that should consider multiple qualitative and quantitative measures and observations over time.
Many entities have reviewed their risk culture survey results alongside other relevant data points (e.g. internal risk culture reviews/assessments, risk management metrics, etc.) to build a more holistic view of their risk culture. The above insights and matters identified should be considered by entities, including those that didn’t participate in the ADI risk culture survey, as part of their ongoing work on risk culture.
Similarly, APRA will review the risk culture survey results as part of a range of supervisory data collected from the entity (e.g. reporting on RGSA remediation progress, quarterly data returns, risk governance reporting, breach reporting, etc). These will be considered alongside entity engagements and activities to inform APRA’s view of the entity’s risk culture, contributing to the entity’s supervision action plan and the supervisor’s assessment of risk culture as part of the APRA’s Supervision Risk and Intensity (SRI) model.
Where to from here?
APRA has now rolled out the risk culture survey to 18 ADIs and a further 33 insurers and superannuation funds, in addition to the 10 pilot entities. As a result, the risk culture survey has enabled APRA to undertake analysis across industries to help identify similarities and systemic differences in risk management practices and behaviours.
APRA will continue to share risk culture survey insights to help uplift risk management practices in a meaningful and targeted way, while reinforcing APRA’s prudential expectations with respect to risk culture. APRA expects to provide insights on the risk culture survey results for insurers and superannuation entities in the coming months.
APRA believes there is value in undertaking the risk culture industry-wide survey on a periodic basis and developing time series data. At this time, a decision on the appropriate frequency and timing of any future risk culture survey is yet to be made.
The Australian Prudential Regulation Authority (APRA) is the prudential regulator of the financial services industry. It oversees banks, mutuals, general insurance and reinsurance companies, life insurance, private health insurers, friendly societies, and most members of the superannuation industry. APRA currently supervises institutions holding around $9 trillion in assets for Australian depositors, policyholders and superannuation fund members.