Risk-based supervision: How can we do better? An Australian supervisory perspective

Wednesday 19 June 2013

David Lewis, General Manager - Toronto Centre Program on Supervisory Experiences in Implementing Global Banking Reforms, Toronto

I’ve been asked to talk to you today about risk-based supervision.

There are two reasons why the Toronto Centre might have asked someone from Australia to talk to you on this topic:

  1. at APRA, we have always been strong proponents of risk-based supervision. It’s inherent in our mission and values, and it’s ingrained in our supervisory approach. It’s in our DNA. For us, risk-based supervision is religion; and
  2. compared to most other countries, Australia came through the global financial crisis (GFC) relatively unscathed.

So, of course, the million dollar question is: ‘Is there a causal relationship between these two points?’

With that mandate in mind, I thought that I would focus my remarks to you today around the following:

  1. what lessons should supervisors draw from the GFC?
  2. do risk-based approaches equip us with a more robust supervisory framework?
  3. what issues need to be addressed in implementing a risk-based supervisory framework?

What lessons should supervisors draw from the global financial crisis?

As you would expect, in the aftermath of a collapse of the magnitude of the GFC, there has been an abundance of publications going over the entrails of the corpse. Of course, there have been many populist works focusing on the excesses of the Wall Street banks. These make for entertaining reading.

There have also been more sober inquiries commissioned by governments and international regulatory agencies. Two of the best are the report of the Financial Crisis Inquiry Commission in the United States and the Turner Report in the United Kingdom. Both of these reports are excellent studies into the causes of the crisis. If you haven’t already read them, I can highly recommend that you do. They contain a wealth of useful analysis of the underlying economic and structural factors that precipitated the GFC.

My time with you today does not permit a comprehensive review of the causes of the GFC. Instead, I want to focus on what prudential supervisors could learn from the crisis in terms of how best to implement their oversight programs and what they might do differently in order to avert these sorts of financial meltdowns in the future.

‘The fault lies not in the stars, but in us’

This quote – paraphrasing Shakespeare – comes from the conclusions of the US Financial Crisis Inquiry Commission Report. I like it because it makes clear, right from the outset, that this crisis was one of our own making. It wasn’t an accident. It can’t just be dismissed as one of those things that nobody could have foreseen.

And, having made that clear, the Commission goes on to find that there is no shortage of mortal souls on which to lay the blame. No one gets off lightly: not Wall Street bankers; not mortgage originators; not home loan borrowers; not ratings agencies; not prudential regulators; not governments; and especially not governance and risk management practices across the financial services industry as a whole.

In the United Kingdom, the Turner Report takes a harder look at the economic imbalances that preceded the crisis but, in the ultimate, identifies a similar set of suspects.

If we zero in on what the reports had to say about prudential supervision, again there are some common themes.

In the United States, regulators are criticised for their:

  • failure to read the warning signs;
  • failure to stop the ‘runaway mortgage securitisation train’;
  • failure to make adequate use of the regulatory powers at their disposal to stop the build up of risk in the system; and
  • failure to halt the risky practices that had become prevalent in the big investment banks.

The Commission found that these failures were due, in no small part, to a ‘widely accepted faith in the self-correcting power of markets’.

Similarly, the Turner Report in the United Kingdom criticised the Financial Services Authority’s light touch approach to prudential supervision in the lead up to the crisis. The report highlights how principles that were once articles of faith in the UK, such as:

  • (again) the self-correcting power of markets;
  • that it is not the role of a regulator to interfere with the risk judgements of the board and management of a regulated institution; and
  • that disclosure offers the best means of protecting consumers;

have been discredited by the crisis.

Turner also noted that, in hindsight, too much time had been devoted to putting in place the policy changes needed to support the Basel II capital reforms and not enough attention had been paid to addressing the substantive risks that these reforms sought to avert.

Nevertheless, despite their thoroughness, both these reports still beg the question: ‘Why – after nearly 30 years of regulatory convergence under the Basel framework – were some countries better able to withstand the GFC than others?’

And, importantly, were the different outcomes experienced by different countries during the crisis due to differences in approaches taken to prudential supervision?

Coming from Australia, I am often asked: ‘Why did Australia come through the global financial crisis relatively unscathed?’ And, believe me, we at APRA have asked ourselves the same question many times over.

The answers vary. To some, Australia’s resilience was due to our strong economy. Others put it down to the traditional structure of our banking sector. Others still attribute our relative success to the quality of prudential supervision exercised by APRA over the financial sector. Many say we were just lucky.

Well, there might have been an element of luck to it. But I’m reluctant to attribute anything purely to chance. In my opinion, each of the other three factors – the economy, the structure of the market, and good supervision – played a role in Australia’s success. Where the luck came in was that we were fortunate enough to have all three occur at the same time; should any one of these factors have been absent, Australia’s crisis outcome might have been much more serious.

Looking at each in turn...

A strong economy

There is no doubt that, going into the GFC, the economic fundamentals in Australia were favourable. Sound monetary and fiscal policy settings, combined with a resource-hungry Chinese economy, laid a firm foundation for Australia’s resilience through the crisis.

A traditional banking market structure

On top of that, the domestic financial market structure also had a big impact on the outcome.

The Australian financial sector is dominated by four large full service banks. Their balance sheet assets are made up predominantly of residential mortgages. The vast bulk of their books consist of assets that they originate themselves and hold to maturity. Originate-to-distribute is not the norm. Mortgages in Australia are typically floating rate with full recourse to the borrower. So, when compared to many overseas banks, the risks to a bank from a long-term mortgage portfolio are relatively small.

There have been, of course, active mortgage securitisation markets in Australia. But these serve mainly to adjust the mix of assets on lenders’ books or to manage their liquidity.

There were other structural factors that also proved to be influential in shielding our banks from the crisis:

  • there was the Government’s ‘four pillars’ policy, which effectively prohibits mergers between the big four banks; and
  • the ability of Australian banks to offer fully-franked dividend payments to shareholders;

both of which served to dampen the pressure on our banks to engage in the sort of excessive risk-taking that comes of having surplus unutilised capital. No bank likes lazy capital; they will always find a way to use it – and not always productively.

Prudential supervision by APRA

What about APRA’s prudential supervision? Did that make a difference?

Now, I’m not going to tempt fate and stand here and say that the system of prudential supervision in Australia is better than that of any other country. For one thing, it wouldn’t be true. I can identify aspects of supervisory practice in some overseas jurisdictions that are superior to those in APRA. As in everything, we know that there are always areas in which we can make further improvements to our supervision framework. And I will talk about some of the things we are focussing on later in this presentation.

That said, there are a number of features that distinguish APRA’s supervisory approach from the approaches adopted in many other countries. What we do well in Australia is implementation. We take a very active, ‘hands-on’ approach to supervision, with all of our supervisory activities and interventions guided by an overarching risk-based framework – a framework which has drawn considerable praise from the IMF in its FSAP assessments of Australia.[1]

Distinguishing features of prudential supervision in Australia

1. Active supervision

Many countries define ‘supervision’ to be the enforcement of prudential rules (capital adequacy, liquidity, large exposures and so forth). We do not. To us, ‘regulation’ can be defined as the application of rules and ‘supervision’ as the oversight of the effectiveness of a firm’s risk management. The difference is more than merely one of nomenclature; it is one of regulatory mission. At APRA, we do both regulation and supervision.

At APRA, we do not see our supervisory mandate as being constrained by the rules. To us, a prudential supervisor’s mandate extends beyond the rules to ensuring the effective management of risks by regulated institutions – wherever those risks might arise, and regardless of whether or not those risks are described by prudential rules or standards.

A compliance-based regulator stays in the blue circle; a risk-based regulator operates in the pink one. While the rule-set can help set a baseline, it can never totally deal with the universe of potential risks. Some regulated institutions may label this ‘mission-creep’. But we say that understanding and responding to the risks faced by regulated financial institutions is precisely what a prudential regulator’s mission should be.

2. A risk-based approach to supervision

We are strong believers in risk-based supervision and have tools in place to help our supervisors to direct their prudential interventions at those areas which present the greatest potential risk to an entity’s financial soundness. I’ll elaborate a little more on this in the latter part of this presentation. That said, these tools are still in their infancy; we are constantly working to improve them.

3. A questioning mindset

APRA learnt early on in its history that it doesn’t pay to be timid. Since then, we frequently engage with entities on their risk management strategies and policies – taking a ‘devil’s advocate’ style of questioning.

As a point of supervisory philosophy, we believe in constant mild intervention, rather than ‘light touch’ regulation with the risk of having to take more drastic action further down the track.

4. A conservative approach to capital adequacy

When it comes to exercising national discretions under the Basel capital standards, we have a track record for erring on the conservative side – whether this be in terms of the capital instruments we are prepared to accept; the regulatory adjustments we are prepared to allow; the internal models we approve; or the risk weights we apply.

5. Meta-regulation

We are strong believers in ‘meta-regulation’. By this, we mean encouraging regulated institutions to ‘internalise’ regulatory goals by having in place sound internal risk management and governance processes. To this end, APRA has been devoting considerable attention to the corporate governance framework, risk appetite statements and management strategies adopted by the firms that we regulate. Assessing the effectiveness of these processes is a particular focus for most of our on-site review work.

6. An absence of political interference

APRA is established as an independent statutory authority at arm’s length from government. It has a statutory charter and is funded from levies on industry. In Australia, you never hear political figures saying things like: ‘APRA, you need to adjust your regulatory settings in order to promote Sydney as a regional financial centre’. A sound operating environment is the attraction, never dilution of prudential requirements.

So, even though, by and large, most supervisory agencies around the world now work under the one global prudential framework, there remain marked differences in implementation. Some of these differences are due to differences in methodology and approach. Others are due to differences in underlying market structures, dynamics and behaviours.

I recently saw a PBS documentary on the crisis called ‘The Untouchables’. Among other things, the documentary told the story of the rise and fall of mortgage originators, Countrywide Financial. The story of Countrywide is a perfect case study to draw out just how significant differences in supervisory approach and market structure can be – and serves to reinforce how challenging it can be for a supervisor to stem the tide of risk-taking when the prevailing market paradigm is pushing in the other direction.

The centrepiece of the story can be summed up by just six letters embossed on a personalised numberplate:

"FUND EM" was written on the number plate of a car belonging to Angelo Mozilo, the CEO of Countrywide Financial. Prior to the GFC, Countrywide Financial was the biggest mortgage originator in the United States.

It’s an unusual numberplate. What do you suppose it means?

Well, for all intents and purposes, it was a mission statement. It is saying that Countrywide is in the business of providing funds to home borrowers. Mozilo would proudly state that: at Countrywide, we have a loan for every customer.[2]

And that said volumes about Countrywide’s approach to mortgage origination:

  • Borrower hasn’t got a job? - No problem: fund ‘em!
  • No income? - Fund ‘em!
  • No assets? - Fund ‘em!
  • Pensioner? – No problem! (Some pensioners even received approval for loans where the monthly repayments exceeded the amount of their monthly pension payments.)

Now, aside from sheer stupidity, what’s going wrong here?

To a large degree, the problem is embedded in the lending structure itself.

Figure 2 shows a simplified depiction of an ‘originate-to-distribute’ lending structure. I’m sure that you will all be familiar with it. Mortgage originators, like Countrywide, deal with borrowers to arrange loans. These loans are funded - via a series of interposed special purpose vehicles – by an issue of collateralised securities, all organised by a Wall Street bank.

In many countries, this form of lending is the norm. But it is a flawed structure. There is a misalignment of incentives.

Note that the point at which the lending decision is made is far removed from the point at which the decision to accept the risk is taken.

Contrast this with a traditional lending structure, where the funding bank holds the asset to maturity and, therefore, the risk and lending decisions are aligned. The originating bank has a clear incentive to assess the risks and underwrite carefully because it is on the hook for the credit outcome.

Not so for Countrywide. They were commission sellers. They didn’t hold any ownership interest in the assets that they were originating. If the loan defaulted, none of the losses came back to them. What did they care about asset quality?

And the investment banks in the middle didn’t care too much about it either. They didn’t exercise any credit discipline over the mortgages that they were buying. Volume was also their driver. All they cared about was the income to be made from structuring a parcel of mortgages for securitisation.

You might say – as Alan Greenspan did say – that the credit discipline comes from the market; that the investors – as the ultimate holders of the risk on the mortgages – would price the credit risk when purchasing securities. They should, but did they? Investors were too far removed from the point of lending to do this, and often also had the same ‘pass-the-parcel’ approach to risk that the Wall Street banks had. This is a classic case of market failure.

The experience at Countrywide was repeated over and over, and exemplifies all that went wrong in the lead-up to the crisis. The risks involved weren’t overly opaque or complex. They did not require a PhD in mathematics to comprehend. On the contrary, they went to the basics of prudent underwriting and should have been obvious to any risk manager, and any prudential supervisor, who looked at them. This was a house of cards waiting for an inevitable collapse.

But, despite all the international policy reform that has taken place since the GFC (including all the work that has been done to align performance incentives to prudent risk-taking and ‘skin-in-the-game’ requirements for issuers), this structural misalignment still exists. So, my concern is that, next time we have a credit bubble, the same thing could happen again.

There are a lot of lessons to be gleaned from what happened in the lead-up to the GFC. But, to me, the one over-arching takeaway for supervisors is that effective prudential supervision of financial institutions is about risks, rather than rules. It goes without saying that a financial institution can never have enough capital or liquidity if there are material flaws in its risk management practices. Only by understanding the risks that financial institutions take on can prudential supervisors begin to take action to protect financial stability.

Can risk-based supervision make a difference?

The challenge for supervisors is how to go about this in an objective, thorough and systematic fashion. This is where risk-based supervision comes in.

But first, what do we mean by ‘risk-based supervision’?

The Basel Committee on Banking Supervision defined risk-based supervision to be:

‘a forward-looking approach where the supervisor assesses the various business areas of the [financial institution], and the associated quality of management and internal controls to identify the areas of greatest risk and concern…[and] directs supervisory focus to these areas.’[3]

And a working group for the 14th International Conference of Banking Supervisors described it as follows:

‘The essence of risk-based supervision, and its key distinguishing feature, is that supervisory resources are allocated where they are needed most, based on the supervisor’s explicit assessment of risk.’[4]

But it’s hard to go past the elegant simplicity of Harvard Professor Malcolm Sparrow’s definition: "Pick important problems and fix them".[5]

At its heart then, risk-based supervision is about the efficient allocation of supervisory resources to their most effective use.

I haven’t met a supervisor yet who can tell me that their organisation has all the resources – both the quantity and the quality – it needs to do the job to the standard expected of it. Every supervisor must make choices about how to best deploy its limited supervisory resources. Naturally, other things being equal, supervisory agencies will choose to direct their resources toward those areas that they perceive to represent the greatest risk to the financial stability of their institutions.

This is self-evident. But it can be difficult to do in practice, mainly because the environment in which we work is so uncertain. Faced with this uncertainty about the risk horizon, it is hard for supervisors to come up with a reliable and structured process that enables them to target their actions at key emerging risks. It is all too easy to fall back on the comfort of routine (but all too often unproductive) processes.

In recent years, academics have started to devote their attention to the study of regulatory effectiveness and efficiency. There is a lot of support for risk-based approaches.

Two of the leading exponents in the field are Professor Malcolm Sparrow at Harvard and Professor Julia Black at the LSE, both of whom have done highly relevant work in the area of financial sector regulation. Malcolm Sparrow comes at the problem from an economic perspective, whereas Julia Black takes a legal viewpoint. However, their findings are similar. If you are not familiar with their work, I can commend it to you.

In his book, The Character of Harms,[6] Malcolm Sparrow utilises a simple model to illustrate the different ways in which regulators design operational processes to achieve their regulatory goals.

Figure 3 is an adaptation of Sparrow’s model. The model consists of four quadrants. The top two quadrants represent the domain of the regulator, while the bottom two quadrants represent the external world that the regulator is seeking to influence. Starting from the regulatory goal (ie the bottom right hand corner), Sparrow finds that regulatory agencies typically move around the quadrants in a counter-clockwise direction when it comes to the design of their regulatory operations. Namely, there is normally a pre-existing view about the correct regulatory approach, which is usually based on past practices, habits and cultural norms, and this, in turn, determines the nature of regulatory activities that are undertaken.

The alternative approach, advocated by Sparrow, is for regulators to design their regulatory interventions by moving in a clockwise direction. Thus, rather than automatically following a standard supervisory process, first identify and define the key risk issues and then target regulatory interventions around those issues.

This approach is more ‘surgical’ and requires a different way of thinking, more in line with that seen in the consulting arm of a professional services firm. It necessitates more of a problem-solving mindset:

  • How do we assess the risk environment?
  • How many risks do supervisors take on?
  • How do we find them?
  • How do we assess their significance?
  • How do we propose to respond to them?

This is quite a different way of thinking to simply working our way through a set of pre-defined processes which may or may not bear fruit, and which will inevitably only partially cover off the set of potential risks that are out there.

Of course, we can never do away with routine process all together. The environment in which we work is too uncertain, and too changeable, for that. So, a certain amount of ‘baseline monitoring’ will always be needed as part of the risk identification process. In reality, a mix of both approaches will always be required. Nevertheless, even allowing for that, risk-based approaches offer regulators a better way of directing their supervisory resources toward those areas requiring greatest attention.

But how do we know which risks to target?

In order to be effective, risk-based supervision first requires that we have techniques in place to reliably detect potential risk issues and assess their significance. And, in this, we run up against risk-based supervision’s biggest challenge. The universe of potential risks is vast: how do we find them and which ones do we focus on?

There is no simple answer to this. But help is at hand – and from the most unlikely of sources.

You might recall that former US Secretary of Defence, Donald Rumsfeld, famously provided this piece of ‘home-spun’ philosophy at a Washington press conference in 2002 when answering a question about Iraq and its possible links to weapons of mass destruction.[7] When a journalist put to him that there didn’t seem to be any evidence of such a link, Rumsfeld replied:

  • there are Known Knowns – these are facts. They are things that we know that we know;
  • there are Known Unknowns – these are gaps in our knowledge, but gaps that we know exist. If we want to close these gaps, we know where to look and we can investigate further;
  • but there are also Unknown Unknowns – these are also gaps in our knowledge, and they are gaps of which we are unaware. These are potentially the most dangerous because of their ability to catch us unprepared.

Rumsfeld’s answer was widely lampooned at the time. But many scholars have since rallied to Rumsfeld’s defence, saying that this statement is actually a pretty good explanation of the limits of human knowledge.

For me, Donald Rumsfeld has clearly missed his true calling: he should have been a prudential supervisor. As a statement of the challenges faced by prudential supervisors, this is a very astute observation.

We can use this schema to shape the way we go about identifying potential risks:

  1. if we think about Known Knowns, these are revealed risks. For example, risks revealed from the analysis of statistical data submitted to the regulator. It might be high levels of non-performing loans, or rapid asset growth, or liquidity mismatches;
  2. looking at Known Unknowns, these are potential risks that we know from past experience could be out there but which require further investigation to uncover. These are the kinds of risks that are typically the subject of an on-site review program. (They include, for example, inherent risk areas such as credit underwriting standards or looking for weaknesses in risk control functions); and
  3. not surprisingly, it is the Unknown Unknowns that are the most difficult to discover. These risks are ‘black swans’. By definition, we will not discover these risks by looking in the usual places. But that doesn’t mean that they are beyond detection. They just require more imaginative thinking in order to find them. (Examples include stress testing, looking at macroprudential indicators, and undertaking ‘what if’ analysis.)

So, if we only ever respond to known risks, then this is Reactive Supervision. It is a foundation level of work that all prudential supervisors must do. Most enforcement action is inherently reactive. But, if this is all we do, we will be forever fighting fires and failing to take preventative action.

If we are also able to devote resources to investigating areas that we know from prior experience could be potential sources of future problems, then this is Proactive Supervision. We have a work program of ‘potential suspects’ and we actively go looking for them. Typically, a risk-based regulator operates mainly in this space. The potential pitfall here is that we might end up just ‘ploughing the same furrow’ and will be exposed to previously unseen risks.

But, if a proactive supervisor can also manage to use the tools at its disposal to seek out and analyse new and emerging risks, then this is Forward-Looking Supervision.

Putting it all into practice

Putting all this into place requires a structured process to:

  • identify risks;
  • assess their significance;
  • develop a remediation strategy; and
  • prioritise the allocation of resources.

The approach we take in APRA is depicted in Figure 4:

Our approach moves from risk identification to their assessment and rating. Once risks are rated, we can then identify appropriate responses and prioritise the resources we are able to devote to them.

To this end, we engage in a wide range of supervisory activities:

  • Risk identification and risk assessment - Our main vehicles for the identification and assessment of potential risks are the quarterly off-site analysis of prudential data and our program of on-site prudential reviews to assess a firm’s risk profile and the adequacy of its risk management systems and controls. These are supplemented by our regular meetings with the firm’s senior management and board to understand the strategic direction of the business and assess the appropriateness of risk governance processes.
  • Risk rating - The results of our risk assessment work are collated in our risk rating tool which we call PAIRS. PAIRS stands for Probability and Impact Rating System. As the name suggests, it models the likelihood and potential impact of institutional failure. By rating risks in this way, we get a view of the portfolio by entity and by risk type. This provides a ‘heat map’ that identifies risk priorities and helps us to direct our resources to where they are most needed.
  • Risk response - The outcome is a Supervisory Action Plan (SAP) for each and every entity that we supervise. These set out the supervisor’s response to each risk and issue identified in the PAIRS rating. SAPs are ‘living documents’. At a minimum, they have to be updated annually but, if needs be, they can be updated as often as is needed to keep them in line with changing risk priorities.
  • Prioritisation of risk responses - Figure 5 gives you a view of how we seek to balance the allocation of our resources. Note that, even though we are committed to a risk-based approach, there is still a substantial commitment of resources to ‘baseline’ supervision. This is because we do not believe that it is possible to be ‘risk-based’ without first having some reliable view of what the risks are.
  • Reassessment and re-evaluation – This is a ‘feedback loop’ which takes us back to risk analysis where we benchmark the effectiveness of our regulatory interventions.

Of course, the effectiveness of any risk-based approach owes a lot to the supervisor’s ability to get an early line of sight of new and emerging risks. This is an area where we are constantly seeking to make improvements. To this end, APRA is continuing to expand its industry analysis resources and stress testing capabilities.

There is also a growing interest in macroprudential supervision as a risk identification tool. As you know, enhancing regulators’ capacity for macroprudential oversight has become a major focus of reform initiatives coming out of the global financial crisis. This is to be welcomed. It is apparent that too little attention has been paid to system-wide imbalances in the past and this needs to be addressed. It is an area in which APRA is looking to make improvements as well.

Of course, it is also apparent that macroprudential supervision means different things to different people. To some, macroprudential supervision means adding another layer to the prudential framework to install system-wide ‘shock-absorbers’ to dampen excessive swings in the economic cycle. If this is what is intended, then we still have some way to go.

But, to others, macroprudential supervision is nothing new. It is what prudential supervisors have always done - or should have done. (Wasn’t it always the job of prudential supervisors to take a system-wide view?) It should not be overlooked that, when done well, the timely interventions of supervisors to counteract excessive risk-taking by firms is inherently counter-cyclical.

APRA is currently developing a range of systemic risk indicators across each of the industry sectors that we supervise to help us to map and track potential industry risks. In each case, we examine a number of potential risk indicators and then look at their impact on individual firms. This highlights those firms which might be vulnerable to the particular risk and focuses attention on the outliers. Having done that, we also take into account indicators of how that risk is tending.

In conclusion

Let me leave you with one final observation.

Risk isn’t always tangible. It can’t always be precisely calculated and, even when it can be calculated, it can change. Supervisors can devote a lot of time and effort toward trying to prevent or mitigate this or that risk incident. If that was the goal, we could expend a lot of resources and likely get nowhere. Rather, a good supervisor targets patterns of behaviour that give rise to excessive risk-taking in the first place.

When it comes to supervising for risk, behaviours matter. Things like:

  • risk appetite;
  • risk management;
  • corporate governance;
  • alignment of incentives; and
  • organisational culture;

are important. Firms that have these things – and which live and breathe them – are likely to be well-run firms with a good grasp of their risk environment. Firms that have them but merely pay lip service to them are inviting trouble.

It is sometimes said that these are matters that are properly left to the board and management of the regulated institution. And that’s true; these are very important functions for the board and management to turn their minds to. But that doesn’t mean that it should not be within the domain of prudential supervisors to review these aspects of the business and ascertain that they are working effectively.

Supervisors can, and do, make rules about these things. We have rules in relation to:

  • board composition;
  • independence of directors;
  • risk management strategies and risk appetite statements;
  • executive remuneration; and
  • engagement with internal and external auditors.

But, in this area, rules can only take us so far. It is here that risk-based supervision comes into its own.

Getting to grips with matters of risk management and corporate governance requires a more interventionist approach from supervisors. It takes:

  • a deep understanding of the institution’s business model and appetite for risk for each of its main business lines;
  • frequent interaction with regulated firms at both board and management levels (firms need to know that the regulator is looking over their shoulders);
  • a capacity to assess the effectiveness of risk management and control functions, including how the firm is governed and its prevailing risk culture; and
  • a capacity and willingness to act when deficiencies are identified.

None of this is easy to implement. Risk-based approaches are resource-intensive. They require a hands-on, active approach to prudential supervision to put into effect. They require experienced supervisors with deep industry knowledge. And, even after all that, there is no guarantee that supervisors will always make the right calls on risk.

But, in spite of that, by targeting specific risk outcomes, risk-based approaches to prudential supervision are better placed to enable us to make a material difference to the prudential health of the firms we supervise for any given level of resources.

Thank you.



  1. Refer IMF Country Report No. 12/313 Australia: Basel Core Principles for Effective Banking Supervision - Detailed Assessment of Observance. The Financial Sector Assessment Program (FSAP), established in 1999, is a comprehensive and in-depth analysis conducted by the IMF of a country’s financial sector.
  2. From PBS documentary ‘The Untouchables: Are Wall Street’s Leaders Too Big To Jail?’ (April 2013).
  3. Basel Committee on Banking Supervision – Supervisory guidance on dealing with weak banks (March 2002).
  4. 14th International Conference of Banking Supervisors (Merida, Mexico), Working paper on risk-based supervision (2006).
  5. M. Sparrow The Character of Harms Cambridge University Press (2008) p 5.
  6. Sparrow ibid Chapter 2.
  7. Rumsfeld didn’t invent this axiom but he is the person who has become most associated with it. His autobiography is even titled ‘Donald Rumsfeld - Known and Unknown’ Penguin Books (2011).

For images and figures mentioned in this speech please refer to the file attachment below.

The Australian Prudential Regulation Authority (APRA) is the prudential regulator of the financial services industry. It oversees banks, credit unions, building societies, general insurance and reinsurance companies, life insurance, private health insurers, friendly societies, and most members of the superannuation industry. APRA currently supervises institutions holding $6 trillion in assets for Australian depositors, policyholders and superannuation fund members.