Following the release of its prudential inquiry into the CBA in May 2018, the Australian Prudential Regulation Authority (APRA) requested 36 financial institutions (9 Authorised Deposit Taking Institutions (ADIs), 9 General insurers, 4 Life insurers, 3 Private Health insurers and 11 superannuation funds) to undertake self-assessments against the findings in the CBA report.
APRA released an information paper on 22 May outlining some of the key themes to emerge from the self-assessments, as well as brief comments on some of the 'solutions' being implemented by some institutions. The paper also sets out the next steps in APRA's plans to strengthen prudential expectations and intensify supervision of governance, accountability and culture. APRA states that its purpose in releasing the paper is to 'assist institutions in understanding and addressing the challenges of embedding effective risk governance frameworks and practices'. In addition, the findings will be used to 'better target' the regulator's efforts to 'lift standards of non-financial risk management'.
APRA's expectations: What does a strong governance and risk management framework look like?
APRA states that strong governance and risk management frameworks would typically exhibit:
- accountability and remuneration frameworks that incentivise delivery of sound outcomes, in particular executive remuneration that is designed to better align rewards with a holistic view of performance;
- effective assurance and compliance mechanisms that drive proactive monitoring, early detection and escalation, and timely rectification of issues; and
- direct and proportionate rewards and consequences that are consistently applied to hold individuals to account for financial and non-financial outcomes.
APRA adds that to be effective, the elements identified above need to be supported by strong governance and risk oversight, and driven by a sound risk culture.
Lifting governance standards is the board's responsibility
APRA makes clear that it considers lifting governance standards to be a board responsibility, stating that 'boards and management are ultimately responsible for addressing weaknesses in their institution, and APRA will be holding them to account'.
APRA adds that boards must regularly challenge, and seek assurance and evidence of whether frameworks are operating as intended to deliver the targeted risk and customer outcomes. In addition, senior leadership should also, APRA says, pay attention to the institution’s risk culture, and the extent to which it aligns with risk appetite and is reinforcing the desired behaviours.
Quality of the assessments: remuneration and culture were weak points
Overall, APRA observed that the self-assessments were generally 'weaker' (less comprehensive) on culture and remuneration. Institutions were observed to struggle to articulate their assessment of culture or provide much evidence to support their assessment. APRA writes that though it 'acknowledges the challenges of measuring and analysing risk culture, it appears that there remains significant scope for improvement in this area'.
In addition, APRA observes that self-assessments contained less detail on remuneration frameworks with most self-assessments focussing on remuneration design rather than on the effectiveness of the framework as a whole. APRA said that there was 'a lack of coverage of implementation, the use of board discretion in the remuneration process, the link between risk, conduct and customer outcomes and whether remuneration outcomes reflect policy intent'.
Four common themes
APRA identified four common themes that emerged from the self-assessments across all industries, namely: 1) non-financial risk management requires improvement; 2) accountabilities are not always clear, cascaded and effectively enforced; 3) acknowledged weaknesses are well-known and some have been long-standing; and 4) risk culture is not well understood, and therefore may not be reinforcing the desired behaviours.
A summary of APRA's comments in relation to each theme is below.
1. Non-financial risk management requires improvement
Generally, institutions consider that their oversight of financial risks is strong, but that their oversight of non-financial risk is less so (because it has not traditionally been afforded the same importance). Institutions cited a range of issues in illustration of this, including: resource gaps (particularly in the compliance function), blurred roles and responsibilities for risk, and insufficient monitoring and oversight. Historical underinvestment was also acknowledged to have contributed to ineffective controls/processes.
Having said this, APRA observes that institutions generally rejected the idea that the cultural traits of 'complacency, insularity and collegiality underpinning the [CBA] Prudential Inquiry findings' are prevalent in their organisations.
Areas for improvement
- Blurred roles: APRA writes that many self-assessments identified challenges in consistently applying the three lines of defence model, noting that roles continue to be blurred in practice (particularly between the first and second line functions). For example, APRA says that most self-assessments identified a lack of risk ownership by the first line, leading to the second line stepping in and conducting first line risk activities. In addition, APRA observed that, particularly in the banking and insurance industries, the assessments identified that there is room to 'elevate' the organisational status and influence of risk/compliance functions. APRA notes that this view was not shared as strongly by superannuation funds.
- Control weaknesses (and an 'apparent acceptance' of untimely/reactive resolutions): Institutions recognised that risk management frameworks have not been implemented effectively. For example, institutions flagged inconsistent and reactive risk identification processes and weaknesses in control frameworks, including in data quality and control classification and assessment processes. APRA comments that there was 'also an apparent acceptance of untimely and reactive resolution, with a propensity for short-term tactical fixes rather than long-term strategic solutions.' For example, APRA notes that one institution said that there was an 'emphasis on creating more activity rather than understanding the root-cause, specifically when things have gone wrong'.
- Insufficient data leading to poor visibility of issues (and limited ability to challenge): APRA observed that many institutions recognised the need to improve data, measurement and reporting for non-financial risks on the basis that insufficient data and limited systems/processes have impaired their ability to identify, escalate and manage emerging or systemic risks. This was also identified as a limitation on their ability to analyse why sub-optimal outcomes were allowed to occur. Institutions also acknowledged that indicators and metrics for measuring and monitoring non-financial risks are fairly basic (eg there was a focus on use of the 'net promoter score' but often no analysis or reporting of complaints data), which APRA observes compromises the ability for 'robust internal challenge'.
- Poor board visibility: A number of self-assessments identified failure to identify key risks requiring closer board attention as an issue in 'voluminous' board and committee reports. In one case, APRA observes that an institution noted that reporting to executive committees and the board was primarily focussed on the technological aspects of the incident rather than the negative customer impact.
2. Accountabilities are not always clear, cascaded and effectively enforced
Institutions indicated that 'while senior executive accountabilities are fairly well defined within frameworks, there is less clarity or common understanding of responsibilities at lower levels, and points of handover where risks, controls and processes cut across divisions'. APRA observes that this is 'further undermined by weaknesses in remuneration frameworks and inconsistent application of consequence management'.
Areas for improvement
- Lack of clarity around accountability for non-financial risk: Self-assessments acknowledged that accountabilities for non-financial risks were not always clearly understood, particularly where risks, controls and processes span multiple business units/divisions. In larger institutions, self-assessments identified organisational and process complexity (eg multiple forums and committees) as contributing to confused accountabilities. In addition, the rate of internal and external change facing many institutions was cited as an added challenge in embedding clear accountabilities. Institutions also noted a reliance on informal networks for resolving incidents. For banks, implementation of the Banking Executive Accountability Regime (BEAR) was credited with clarifying accountabilities for the most senior executives. In addition, other industries referred to the regime as a means to sharpen executive accountability. A number of self-assessments also said that the institution plans to cascade and embed the principles of the BEAR throughout the organisation.
- Need to enhance consequence management: 'Self-assessments generally acknowledged the need to enhance consequence management', APRA states. This requires, APRA writes, 'the application of direct and proportionate consequences to hold individuals to account when issues emerge and are not promptly addressed'. Many self-assessments also recognised inconsistencies in the way consequences were applied across business units and at different levels of seniority, as well as variations in the frequency of non-remuneration consequences between divisions, back and front office functions, and staff levels.
- Remuneration and risk are misaligned: APRA found that self-assessments generally contained less detail on the effectiveness of remuneration frameworks and that 'further work is required to ensure risk and customer objectives are reflected in remuneration outcomes, with gaps evident between current remuneration frameworks and better practices as set out by APRA and international bodies'. More particularly, APRA states that most institutions are yet to address the findings from APRA’s 2018 information paper Remuneration Practices at Large Financial Institutions or incorporate the Financial Stability Board’s Principles and Standards on Sound Compensation Practices (including the Supplementary Guidance addressing misconduct risk). Where institutions have started to address these findings, progress 'appears slow and some material gaps remain'.
APRA made the following high level observations with respect to remuneration:
- some institutions recognised a need for stronger board oversight and challenge of remuneration outcomes
- risk information provided to the board remuneration committee for remuneration purposes appeared to be at a high level without a clear link to the institution’s broader approach to risk management
- while non-financial metrics were commonly included in scorecards, it appeared that a disproportionate focus was placed on the achievement of financial metrics
- the level of input by the risk function and the board risk committee (or equivalent) into the risk assessment component in scorecards remained limited for most institutions
- guidelines for the use of adjustment tools such as malus and clawback need development
APRA writes that this raises questions about the rigour applied in assessing the effectiveness of remuneration frameworks, including back-testing of outcomes, as required under Prudential Standard CPS 510 Governance (CPS 510) and Prudential Standard SPS 510 Governance (SPS 510). APRA suggests that these reviews will assist institutions in identifying weaknesses in their frameworks (including those above).
3. Acknowledged weaknesses are well-known and some have been long-standing
The majority of self-assessment findings were reported to be already known to boards and senior leadership and some issues had been allowed to persist over time. Competing priorities and resource and funding constraints were typically cited as the basis for acceptance of slower progress. Assessments also observed that these issues were often only prioritised when there was regulatory scrutiny or other adverse events.
4. Risk culture is not well understood, and therefore may not be reinforcing the desired behaviours
Institutions are putting considerable effort into assessing risk culture, but many institutions continue to face difficulties in measuring, analysing, and understanding culture (and sub-cultures across the institution). APRA observes that 'it is therefore unclear if these institutions can accurately determine whether their culture is effectively reinforcing desired behaviours'.
Areas for improvement
- Inadequate 'root cause' analysis: APRA comments that 'institutions may not have fully identified the root causes of findings resulting in the risk that actions to address weaknesses may not be effective or sustainable'. APRA observed that self-assessments generally focused on symptoms without adequate consideration of the underlying drivers. Consequently, while most institutions have developed and committed to a list of actions, or have initiatives in train, there is a risk, APRA cautions, that these activities may not address the issues effectively or sustainably.
- Weaknesses in program delivery: Larger institutions, in particular, identified weaknesses in program delivery, including for risk-related projects, as an issue. More particularly, institutions recognised tendencies for delays and changes in the scope of projects, and a lack of accountability for outcomes. Some of the largest institutions also 'acknowledged a propensity to cultivate complexity in what they do – systems, processes and policies – which hinders effective execution'. This suggests, APRA observes, further risks to the effective execution of plans to address weaknesses.
- Insufficiently self-critical of boards/leadership? Though most firms 'critically examined' their organisation, and committed to a 'considerable' list of actions, there were limited findings relating to the role of the board and senior leadership oversight and the assessments relating to the effectiveness of boards and senior leadership were 'notably less critical'. For example, APRA states that 'many self-assessments noted that the institution is generally well governed, with a respected and suitably challenging board, strong executive leadership teams and a good tone from the top, although at the same time acknowledging weaknesses spanning most or all chapters of the Final Report'. APRA questions whether this may indicate that the boards/senior management of these institutions 'have a potential blind spot when it comes to assessing their own effectiveness'.
- Case by case approach: APRA writes that it is meeting with participating institutions and will be writing to the boards of each to provide feedback on their self-assessments and outline APRA's intended targeted supervisory engagement. APRA states that the nature of the engagement will depend on the quality of the self-assessment and the risk profile of the institution.
- One area of focus for the regulator will be whether boards and senior leadership have been sufficiently self-critical given the wide range of weaknesses identified.
- Additional capital requirement? Where the issues identified in self-assessments are material and the changes required to address them are significant, APRA is considering applying an additional operational risk capital requirement to reflect the higher risk profile of these institutions. To incentivise effective and timely rectification by institutions, this requirement would likely remain in place until issues are fully addressed.
- APRA will also consider the extent to which further targeted thematic reviews may be required to continue to drive improvements in governance, accountability and culture across the financial services sector.
- APRA will also strengthen its prudential framework and increase the supervisory intensity of governance, accountability and culture to drive improvement across the sector. APRA states that it cannot 'regulate good culture into existence or design and implement strong frameworks for institutions' but does have a role in providing a 'sound foundation' and in 'reinforcing' effective practice. As such, APRA writes that it is directing additional resources to a multi-year effort involving interrelated streams of work to intensify supervision of governance, accountability and culture (in line with implementing the findings of the Financial Services Royal Commission). This involves: a) adopting a risk-based approach to conducting risk culture reviews across a wide range of institutions; b) scoping these reviews to include consideration of the influence of risk culture on non-financial risk management; and c) stronger and more direct engagement with boards and senior leadership to hold them to account for actions to address identified risks. APRA's immediate focus will be on those institutions that undertook a self-assessment.
- Time to conduct a self-assessment? 'APRA expects all regulated institutions to identify and address points of weakness and continues to encourage institutions that have not yet completed a thorough self-assessment to do so. Institutions should consider the observations in this paper when designing and implementing steps to enhance risk governance'.
APRA's policy agenda for the next 12 months
APRA states that the findings in the information paper will be used to assist the regulator in better targeting its efforts to lift standards of non-financial risk management, as outlined in its 2019 Policy Priorities document (see: Governance News 06/03/2019). APRA's policy agenda for the next 12 months includes strengthening prudential expectations for governance, accountability and culture. In particular:
- APRA will update its requirements for remuneration and plans to consult on a new prudential standard on remuneration in mid-2019.
- As recommended by the Royal Commission, APRA has, together with the Government, commenced planning for an extension of the BEAR to all APRA-regulated sectors, as well as a broadening of its scope to address product management and customer remediation. APRA will also align and integrate the legislative requirements under the BEAR with the broader prudential framework, and will consult on updates to the existing fit and proper requirements in Prudential Standard CPS 520 Fit and Proper.
- APRA will also review and clarify the governance and risk management provisions set out in CPS 510 and CPS 220 to ensure they remain fit for purpose. This includes more clearly articulating APRA’s expectations of boards and senior management.
[Sources: APRA media release 22/05/2019; Information paper: Self-assessment of governance, accountability and culture]