APRA’s information paper on industry practice in risk culture preludes another look at remuneration

On 18 October 2016, APRA released an information paper that provides a snapshot of current practice in risk culture in a range of banking, insurance and superannuation businesses.

The paper serves as a marker before APRA’s review of remuneration policies and practices among regulated institutions and examination of how they interact with risk culture. Guerdon Associates is participating in the review.

The review is intended to gauge how well the existing requirements in Prudential Standard CPS 510 Governance (see HERE) are being implemented, and how they are interacting with the risk cultures of regulated institutions. This will include an examination of the remuneration arrangements and outcomes for some senior executives, risk and control staff, and material risk takers at a sample of institutions.

‘Risk culture’ is the influence of organisational culture on how risks are managed in an organisation. What was interesting was how APRA defined risk culture in its paper. While it still makes unfortunate references to “tone at the top” and “attitudes”, its primary definition is behavioural:

“the norms and traditions of behaviour of individuals and of groups within an organisation that determine the way in which they identify, understand, discuss, and act on the risks the organisation confronts and the risks it takes”

This is, at least, measurable. And what can be measured can be controlled. It also recognises that it is behaviours, not attitudes, that count. It is well known from more than 50 years of research that attitudes are outcomes of behaviour, and not the other way around.

All organisations have a risk culture regardless of whether it is actively considered or managed. And there is nothing wrong with an institution or an industry pursuing a higher risk strategy, provided it does so consciously, and with appropriate risk management capabilities and financial capacity.

It was interesting that the paper highlights that regulated companies believe that they have appropriate risk management relative to peers. APRA more or less says that this means if one goes down, all go down. By implication, the relative TSR measures they use for executive remuneration may not be entirely appropriate. APRA, like Guerdon Associates, is not entirely fond of relative TSR (see para 52 of its guidelines HERE).

The APRA paper notes that, while there has clearly been a stronger focus on risk culture in recent years among APRA-regulated institutions, continued effort and ongoing attention are required by these institutions to better understand and manage their risk cultures.

APRA began an information-gathering exercise in relation to industry practices on risk culture in late 2015. The paper indicates this exercise found that approaches to understanding and managing risk culture are at a relatively early stage of development. In addition, many institutions are grappling with how best to:

  • clearly articulate what type of risk culture they aspire to;
  • identify any specific weaknesses in their current risk culture; and
  • effectively address those weaknesses.

Underpinning much of this work has been APRA’s Prudential Standard CPS 220 Risk Management, which came into effect on 1 January 2015 (see HERE).

CPS 220 requires, among other things, each Board of an authorised deposit-taking institution (ADI) or insurer to form a view of the risk culture in their institution, identify any desirable changes to that risk culture, and ensure the institution takes steps to address those changes.

What is helpful in APRA’s press release is a Q&A guide that indicates an APRA point of view. However, some of the answers do, in themselves, raise more questions. Here are some examples.

Q: Who is responsible for the risk culture of an organisation?

A: It is ultimately the responsibility of each APRA-regulated institution’s CEO and senior executives to establish a sound risk culture, supported and overseen by their Board of Directors.

Q: What are the other findings from APRA’s information gathering exercise on risk culture?

A: In addition to the findings listed above, other findings from APRA’s information gathering exercise on risk culture are:

  • most APRA-regulated institutions’ efforts have focussed on understanding and assessing the current state of risk culture;
  • less progress has been made to define a target state of risk culture;
  • approaches to understand and manage risk culture varied by institutional size, business mix and complexity;
  • larger institutions noted that their size and complexity introduced additional challenges, particularly regarding the greater prevalence of sub-cultures — as a result, their efforts were often segmented, typically by geography or business unit; and
  • all institutions were in agreement on the central role of leadership in shaping and driving both organisational and risk culture.

See the APRA paper HERE.

