On 10 November 2022 APRA published the results of their December 2021 risk culture survey.

The voluntary survey covered employees of the five largest banks and a further 13 banking entities.

The employee assessment of risk culture follows the 2018 Culture, Governance and Accountability survey which caused some ripples among boards concerned and brought corporate culture (and who is accountable for it) into focus.

Unfortunately, the results were not directly compared to the prior survey, so it is not readily apparent if there has been any improvement. However, we provide links to both reports at the end of the article for those interested in comparisons.

While participation was voluntary, the risk culture landscape described by participating employees suggested a consistency with APRA’s prior supervision of individual entities.

APRA has flagged that the feedback from employees will feed into its supervisory action plan for each entity i.e.

APRA will review the risk culture survey results as part of a range of supervisory data collected from the entity (e.g. reporting on RGSA remediation progress, quarterly data returns, risk governance reporting, breach reporting, etc). These will be considered alongside entity engagements and activities to inform APRA’s view of the entity’s risk culture, contributing to the entity’s supervision action plan and the supervisor’s assessment of risk culture as part of the APRA’s Supervision Risk and Intensity (SRI) model (see HERE).

It is meaningful that APRA is not averse to increasing individual ADI capital requirements based on its assessment of risk survey results.

Across the 18 ADIs, the 5 highlights from the commentary are:

1) Executives are overconfident in their organisation’s risk management capabilities

• 76% of Executives considered sufficient resources had been committed to improving risk management, compared to only 58% of Legal, Risk and Compliance employees.

The critical “voice of risk” needs to continue to be heard and acted upon, particularly regarding the need for sustainable investment in risk management capability and architecture.

2) Risk management practices may not be effective and risk management is still under resourced.

Individual company responses ranged in their assessment of risk management practices with a low of:

• 70% affirming processes for overseeing risks are effective and strike the right balance between risk management and business outcomes;
• ~60% having reliable systems that help manage risks effectively; and
• ~50% having sufficient resources (budget, systems, skills, capacity) committed to improving the management of risk.

On average a third of respondents were unable to agree that they had adequate budget, systems, skills and capability to improve risk management.

3) Blind spots remain – you may think you encourage disclosure but 1/3^rd of participants say that employees do not admit mistakes in their organisation.

• While employees confirmed that they are encouraged to escalate risk issues promptly (97% to 95% across the survey cohorts);
• Whether an individual actually felt safe to speak up dropped to 87%; and
• Individual employees actually admitting to making mistakes fell to only 68%.

Declining levels of psychological safety among different levels within an organisation is a commonly observed trend. How can Executives encourage people across the organisation to speak up?

4) Risk management roles and responsibilities are clear – maybe!

In some organisations:

• The belief of executives that individuals in their business are clear on their risk management responsibilities or what was needed to improve risk management practices was as low as 2/3^rds and
• Understanding of the Three Lines of Defence and the roles shared between the business, risk function and internal audit fell even further to about 50% – employees in Technology being less confident than those in other areas.

It seems that while banks have Accountability Statements arising from BEAR regulation some employees, at least, are not aware of them. How are ADIs ensuring that risk management expectations are clearly communicated and implemented throughout the organisation? How are risk management responsibilities and accountabilities cascaded through the entity monitored and reported? 

5) If you think that your organisation’s decisions embrace constructive challenge and diverse viewpoints you are probably wrong.

• Only 76% of individuals agreed that leaders challenge decisions to ensure good risk management
• While only 71% of individuals agreed that risk management decisions reflect diverse viewpoints

How can an ADI promote an environment in which individual contributors feel able to constructively challenge decisions?

The APRA insights from the survey can be found HERE.

If you want to compare to prior, see our summary and links to the 2021 publications HERE and the article and links to their initial survey can be found HERE.

© Guerdon Associates 2024 Back to all articles