APRA cautions banks against 'complacency' on risk 

5 minute read  15.11.2022 Kate Hilder, Siobhan Doherty

We summarise the key takeaways from APRA's bank risk culture survey 

Key Takeouts

  • APRA has released insights from the risk culture survey conducted with the employees of 18 ADIs at the end of 2021.  The survey provides a point in time employee perspective on risk behaviours and the effectiveness of the risk management structures within the participating organisations.
  • The survey is part of APRA's broader focus on lifting standards of governance, culture, risk and accountability (GCRA) practices across APRA-regulated entities
  • The headline message from APRA is that despite the work ADIs have put in to improve their risk management practices since the release of the Final Report of the Prudential Inquiry into the CBA (summarised) in 2018, and the subsequent outcomes of the Risk Governance Self-Assessments (RGSAs), ADIs need to maintain, and continue to prioritise, lifting their risk management capabilities.   
  • Importantly, APRA considers that the findings from the survey are an indicator that employees consider that 'some of the tell-tale markers that contributed to the mismanagement of non-financial risks, identified by the Prudential Inquiry and visible in the RGSAs, are still prevalent today. These include instances of lack of clarity regarding risk management roles and responsibilities, and less-than-effective risk management frameworks and practices.'

Overview 

The Australian Prudential Regulation Authority (APRA) has released insights from the risk culture survey conducted with the employees of 18 ADIs – the five largest banks and a mix of 13 other regional banks, foreign bank subsidiaries/branches, mutual banks, credit unions and building societies – between October and December 2021.

The survey involved APRA collecting responses from the employees at participating entities – the survey was sent to every employee and completed on a voluntary basis.  Questions were designed to measure employee perceptions of the entities' risk culture.  The survey sought employee views on a range of issues including, for example: leadership – whether/the extent to which leaders 'appropriately challenge decisions to ensure good risk management'; risk appetite and strategy – whether/the extent to which employees have a clear understanding of the emerging risks in their part of the business; and communication and escalation – whether/the extent to which employees feel safe to 'speak up'.

Read the full list of questions: APRA Risk Culture - Survey Questions

This follows the release of the findings of what APRA considers to be a successful pilot exercise conducted with ten insurers earlier in 2021 (summarised).  

APRA states that insights gained from the survey will be used, together with 'a range of supervisory data' collected from entities, to contribute to the regulator's view of individual entities' risk culture.   

APRA has encouraged ADIs, including those who did not participate in the exercise, to consider the insights highlighted as part of their ongoing efforts to improve their own risk culture.

Five key insights for ADIs

Below is a brief overview of the five key messages APRA considers emerged from the exercise.  

1.  Executives are 'overconfident' about their organisation's risk capabilities

APRA found that: 

'the perspectives of executives about the effectiveness of their risk governance and controls were more optimistic than the views of their Legal, Risk and Compliance areas.'

In support of this, APRA points to the gap in the level of confidence between executives and Legal, Risk and Compliance employees.  For example, according to APRA:

  • 76% of executives indicated that sufficient resources had been dedicated to improving how risk is managed within their part of the business vs just 58% of Legal, Risk and Compliance employees
  • 82% of executives considered that their organisation's risk oversight processes are effective vs 75% of Legal, Risk and Compliance employees
  • 82% of executives consider their organisation has effective risk control processes in place vs 76% of Legal, Risk and Compliance employees.

APRA also considers these findings are:

'a reminder that the critical "voice of risk" needs to continue to be heard and acted upon, particularly regarding the need for sustainable investment in risk management capability and architecture'.  

APRA encourages ADIs to consider how executives can ensure that the 'voice of risk' is sufficiently heard and acted upon.  

2.  Wide variation in the perceived effectiveness of risk management practices

APRA highlights that employees across the ADI cohort had differing perceptions of the effectiveness of risk practices within their organisations. For example, while 67% of employees on average agreed that sufficient resources had been committed within their own part of the business to improving risk management, there was a 28% variation from the highest level of agreement to the lowest level on this question.

APRA suggests that this wide variation in perceived effectiveness may be a reflection of risk maturity within individual entities.  

APRA also highlights that on average a third of respondents were unable to agree that they had adequate budget, systems, skills and capability to improve risk management.  

APRA suggests that entities give some thought to how they will ensure risk management practices are 'appropriately supported to evolve and mature, thereby improving the way risks are managed'.

3.  Executives are 'prone to blind spots' when it comes to ensuring people feel safe to speak up and/or admit mistakes

APRA highlights a gap in the level of confidence between senior executives and those lower in the hierarchy when it comes to perceived safety in speaking up and admitting mistakes.  For example:

  • While 76% of CEOs agreed that people within their organisation admit when they make mistakes, Managers were less confident of this (71% of managers of a single team agreed this was the case) and 'individual contributors' were less confident still (68%).  
  • While 95% of CEOs agreed that it was safe to speak up in their part of the business, again Managers and individuals were less confident - 89% of managers of a single team and 87% of individual contributors agreed that this was the case.  

More positively, the gap in perception between CEOs and individual contributors was much narrower on the extent to which people within the organisation are encouraged to escalate issues promptly – 97% of CEOs agreed this was the case vs 95% for individual contributors.

In light of these findings ASIC suggests ADIs consider how executives can encourage people across the organisation (and especially those at lower levels in the hierarchy) to feel safe in speaking up.  

4.  Risk management roles and responsibilities 'require further clarity'

The survey identified wide variation among executives, individual contributors and business units within organisations on the issue of the delineation of risk management roles and responsibilities.  
For example:

  • Though 88% of CEOs surveyed/Executive Level 1 executives considered that individuals within their own part of the business were clear on their risk management accountabilities, there was a 24% variation from the highest level of agreement to the lowest level on the question.
  • Looking at individual contributors' level of agreement with the same question, 86% on average agreed with a 15% variation from the highest level of agreement to the lowest level on the question.  
  • Perceptions of the extent to which the 'three lines of defence' is understood within the organisation varied even more widely.  Though 87% of CEOs agreed on average, there was a 42% variation from the highest level of agreement to the lowest level on the question.  Looking at individual contributors' level of agreement with the same question, 83% agreed on average, with a 29% variation from the highest to the lowest level of agreement.
  • Looking at it from a business unit perspective, Technology employees had the lowest level of agreement and weren’t as confident as other parts of the ADI when it comes to both:     
    • the perceived level of clarity on their risk management accountabilities - 90% of Banking, Finance Control and Retail Banking employees agreed they were clear vs 81% of technology unit employees; or
    • the perceived level of clarity around what needed to be done to improve risk management practices - 86% agreement among retail banking employees vs 79% among technology employees.

APRA suggests that these findings indicate that ADIs should consider both:

  • how they are ensuring that risk management expectations are clearly communicated and implemented throughout their organisation; and 
  • how risk management responsibilities/accountabilities throughout the organisation are monitored and reported.  

5. Differing perceptions when it comes to constructive challenge 

On the issue of constructive challenge – the extent to which individuals perceive that leaders appropriately and constructively challenge decisions and the extent to which constructive challenge is encouraged within individual organisations – the views of executives and individual contributors were found to differ.

To illustrate, 85% of executives considered that constructive challenge was encouraged within their organisation, but only 76% of individual contributors agreed that this was the case. 

In light of this, APRA suggests that ADIs consider what steps they can take to 'promote an environment in which individual contributors feel able to constructively challenge decisions'.  

Insurer and superfund risk culture survey planned to be released soon 

The risk culture survey has also been rolled out to 33 insurers and superfunds and APRA intends to share insights to emerge from the exercise 'in the coming months'.  

Looking ahead APRA comments that: 

'there is value in undertaking the risk culture industry-wide survey on a periodic basis and developing time series data.  At this time, a decision on the appropriate frequency and timing of any future risk culture survey is yet to be made'.

[Source: APRA insight:  No room for complacency on bank risk culture 10/11/2022]
