APRA has published an information paper, “Self-assessments of governance, accountability and culture”, examining the responses of APRA-regulated institutions to the Final Report of APRA’s Prudential Inquiry into the Commonwealth Bank of Australia, which highlighted weaknesses by financial institutions in the management of non-financial risks – in particular, operational, compliance and conduct risks.
The CBA Report listed 35 recommendations focussing on five key levers of change:
- more rigorous board and executive committee governance of non-financial risks;
- exacting accountability standards reinforced by remuneration practices;
- substantial upgrading of the authority and capability of the operational risk management and compliance functions;
- injection of the “should we” question in relation to all dealings with and decisions on customers; and
- cultural change that moves the dial from reactive and complacent to empowered, challenging and striving for best practice in risk identification and remediation.
APRA wrote to the boards of 36 authorised deposit-taking institutions (ADIs), insurers and superannuation licensees asking them to conduct a self-assessment against the findings and consider whether similar issues might exist in their own organisations.
The 36 are identified but their individual responses are not.
They comprise 9 ADIs, 9 general insurers, 4 life insurers, 3 private health insurers and 11 superannuation fund trustees.
The paper discusses the outcomes of the self-assessment process, key findings and common themes, and some of the solutions being implemented by institutions.
With respect to remuneration, APRA observed that while most self-assessments focused on remuneration design, few commented on the effectiveness of the framework as a whole. This included a lack of coverage of implementation, the use of board discretion in the remuneration process, the link between risk, conduct and customer outcomes and whether remuneration outcomes reflect policy intent.
APRA says institutions’ assessments of culture were also generally less comprehensive than other components in the self-assessments. It says many institutions either struggled to articulate their assessment of culture or provided little evidence to support their assessment. While APRA acknowledges the challenges of measuring and analysing risk culture, it says there remains significant scope for improvement in this area.
APRA observed that:
- the weaknesses identified in the CBA Prudential Inquiry are not unique to CBA;
- there are consistent findings relating to non-financial risk management, accountabilities, and risk culture; and
- institutions may not have fully identified the root causes of findings, resulting in the risk that actions to address weaknesses may not be effective or sustainable.
A number of common themes have emerged from the self-assessments, including:
- non-financial risk management requires improvement;
- accountabilities are not always clear, cascaded and effectively enforced;
- acknowledged weaknesses are well-known and some have been long-standing; and
- risk culture is not well understood, and therefore may not be reinforcing the desired behaviours.
APRA says most institutions critically examined their organisation, and have committed to a considerable list of actions. They have, however, generally rejected the notion that the cultural traits of complacency, insularity, and collegiality underpinning the Prudential Inquiry findings are prevalent.
Next steps by APRA
The paper outlines the next phase of APRA’s streams of work to strengthen prudential expectations and intensify supervision of governance, accountability and culture.
APRA is meeting with participating institutions and, as a next step, will be writing to the boards of each of the 36 institutions to provide feedback on their self-assessments, and outline APRA’s intended targeted supervisory engagement. The nature of this engagement will depend on the quality and findings of the self-assessment, and the risk profile of the institution. One area of focus will be whether boards and senior leadership have been sufficiently self-critical given the wide range of weaknesses identified.
For some institutions, the issues identified in the self-assessment are material, and the changes required to address them are significant. APRA is, therefore, considering applying an additional operational risk capital requirement to reflect the higher risk profile of these institutions.
APRA’s policy agenda
APRA’s policy agenda for the next 12 months includes strengthening prudential expectations for governance, accountability, and culture.
In particular:
- APRA will update its requirements for remuneration to focus on better alignment of remuneration, prudent risk management outcomes, and long-term financial soundness, recognising the need to ensure incentives within financial institutions promote high standards of conduct and management of non-financial risks. APRA will consult on a new prudential standard on remuneration in mid-2019.
- As recommended by the Royal Commission, APRA has commenced planning with the Government for an extension of the BEAR to all APRA-regulated sectors, as well as a broadening of the scope to address product management and customer remediation. APRA will also align and integrate the legislative requirements under BEAR with the broader prudential framework and will consult on updates to the existing fit and proper requirements in Prudential Standard CPS 520 Fit and Proper.
- APRA will also review and clarify the governance and risk management provisions set out in CPS 510 and CPS 220 to ensure they remain fit for purpose. This includes more clearly articulating APRA’s expectations of boards and senior management.