When APRA’s report on the CBA was released (see HERE), APRA called on 36 significant APRA-regulated institutions to reflect on the findings and consider whether similar issues exist in their own organisations. APRA asked and has reviewed these self-assessments.
APRA released its report on these self-assessments on 22 May 2019.
It is clear from the report that 6 to 8 of the 36 institutions were just going through the motions and ticking boxes. Hence, APRA is considering a higher capital holding requirement to reflect the higher operational risk profiles of institutions with inadequate self-assessments.
APRA also had some more general findings on what was weak across the 36 institutions and presumably, by extension, to all APRA-regulated institutions. These relate to remuneration and culture.
Remuneration and risk management continues to disappoint
APRA observed that self-assessments generally contained less detail on remuneration frameworks than expected.
While most self-assessments focused on remuneration design, few commented on the effectiveness of the framework as a whole. There were inadequate or lacking reviews of :
- The use of board discretion in the remuneration process; and
- The link between risk, conduct and customer outcomes, and whether remuneration outcomes reflect policy intent.
Guerdon Associates’ experience is that effectiveness reviews should not be difficult in terms of methodology. It requires each institution to frame a series of hypotheses relating to the objectives of its remuneration, and then to go about testing these. Most would have comprehensive data already to allow for valid testing. An absence of data also is a telling sign for the board on the effectiveness of the institution’s remuneration management.
As a guide, remuneration governance and risk management frameworks that will meet APRA expectations would exhibit:
1 . Incentivised delivery of sound outcomes;
2 . effective assurance and compliance mechanisms; and
3 . direct and proportionate rewards and consequences that are consistently applied.
It seems from APRA’s report of its findings that the first of these has been an institutional focus among the 36, while the second and third aspects need further attention.
Based on information in the self-assessments, most institutions are yet to address fully the findings from APRA’s 2018 information paper Remuneration Practices at Large Financial Institutions (see HERE) or incorporate the Financial Stability Board’s Principles and Standards on Sound Compensation Practices (including the Supplementary Guidance addressing misconduct risk) (see HERE) .
While some institutions have started to address these findings, progress appears slow and some material gaps remain.
In particular, APRA’s observations from the self-assessments revealed that:
- some institutions recognised a need for stronger board oversight and challenge of remuneration outcomes;
- risk information provided to the board remuneration committee for remuneration purposes appeared to be at a high level without a clear link to the institution’s broader approach to risk management;
- while non-financial metrics were commonly included in scorecards, it appeared that a disproportionate focus was placed on the achievement of financial metrics;
- the level of input by the risk function and the board risk committee (or equivalent) into the risk assessment component in scorecards remained limited for most institutions; and
- guidelines for the use of adjustment tools such as malus and clawback need development.
APRA observations from the self-assessments raise questions about the rigour applied in assessing the effectiveness of remuneration frameworks.
Culture assessment and management remains unnecessarily immature
Institutions’ assessments of culture were also less comprehensive than other components in the self-assessments.
Many institutions either struggled to articulate their assessment of culture or provided little evidence to support their assessment. APRA indicated significant scope for improvement in this area remains. Despite this, it would appear that institutions are putting considerable effort into assessing risk culture, but many continue to face difficulties in measuring, analysing, and understanding culture (and sub-cultures across the institution).
At a recent Guerdon Associates’ director briefing it was evident that boards are struggling with the concept of organisation culture. This is probably indicative of the struggle also at management level.
It should not be a struggle to:
1 . Replace the word “culture” with “behaviour”. Now the concept is observable, measurable, useful for identifying what is required, desirable versus what is unacceptable and undesirable.
2 . Broaden application from risk management to organisation purpose and strategy. Risky behaviours can then be managed within this more useful context for organisational performance and sustainability.
3 . Define organisation-wide behaviours necessary for purpose and strategy, including those associated with risk.
4 . Measure the frequency, direction and strength of these behaviours. Forget doing this with site visits (sampling error), employee engagement surveys (inaccurate given a significant proportion of employees do not trust the confidentiality of the process). Instead, utilise the existing huge data pools from emails, employee collaboration platforms, call centre transcripts, phone records, social media platforms etc. Behavioural scientists using highly sophisticated content analysis tools can comb through terabytes of data to provide most organisations highly nuanced and valid pictures of employee behaviour (aka “culture”), and map changes over time. Boards many need to turn up the heat on management that have not yet grasped the power of data and behavioural science technologies to master these issues.
See APRA finding of the review of 36 entities’ self-assessments HERE .© Guerdon Associates 2019 Back to all articles