On 22 May 2019, APRA released its Information Paper which reports on the outcomes of the self-assessments of governance, accountability and culture that it required of 36 banks, insurers and superannuation trustees. These self-assessments followed APRA's seminal inquiry and report into CBA on the same issues (the CBA APRA Inquiry). APRA reports that the findings in the self-assessments demonstrate that the issues identified by the CBA APRA Inquiry are, by and large, also apparent in other institutions.
While APRA has committed to strengthening and clarifying its prudential framework, and concurrently broadening and deepening the scope and intensity of its supervision, it has signalled a clear expectation that institutions – and particularly Boards and the senior leadership of those institutions – will proactively seek to understand their risk culture and embed strong governance frameworks and risk management practices.
The Paper identified a number of common themes that have emerged from the self-assessments:
- non-financial risk management requires improvement;
- accountabilities are not always clear, cascaded and effectively enforced;
- acknowledged weaknesses are well-known and some have been long-standing; and
- risk culture is not well understood, and therefore may not be reinforcing desired behaviours.
Although APRA's expectations are directed to the financial institutions within its jurisdiction, the Paper offers useful insights for all industries.
Observations on self-assessments
APRA was intentionally non-prescriptive about how the self-assessments were to be conducted. While APRA was satisfied with the depth of analysis and level of challenge in the self-assessments, it observed that few institutions identified new insights – the issues identified were said to be already well known.
APRA also observed that many institutions have yet to develop a clear understanding of what factors have caused weaknesses to manifest and persist. This is consistent with a theme examined in the final round of the Financial Services Royal Commission – that in order to fix the problems that have been identified (and keep recurring), institutions need first to understand their root cause. APRA infers that the self-assessments that have been conducted confirm that the ability to identify root cause remains immature in many institutions.
Non-financial risk management requires improvement
As observed by the CBA APRA Inquiry and the Financial Services Royal Commission, one reason for the failures which have been observed in the financial services industry is the lack of focus on the management of non-financial risk. The Paper noted this is a strong theme through the self-assessments, evidenced through a range of issues identified by institutions, including resource gaps (particularly in the compliance function), blurred roles and responsibilities for risk, and insufficient monitoring and oversight. Institutions acknowledged that historical underinvestment in risk management systems and tools has also contributed to ineffective controls and processes.
There is no easy or fast answer to uplifting non-financial risk management frameworks, and the assessments that many entities have now conducted into their management of non-financial risk are a sobering, but necessary, exercise. Implementing a robust solution to plug those deficiencies has been confirmed by APRA as essential to the operation of APRA-regulated entities going forward.
Accountabilities – not clear, cascaded or enforced
APRA identifies another common theme across the self-assessments – a lack of clarity around accountabilities. This finding is also consistent with the findings of the Financial Services Royal Commission and the CBA APRA Inquiry.
APRA notes that:
- The self-assessments found that, while senior executive accountabilities are fairly well defined within frameworks, there is less clarity or common understanding of responsibilities at lower levels, and where activities cut across business divisions;
- This is further undermined by weaknesses in remuneration frameworks and inconsistent application of consequence management.
While the Banking Executive Accountability Regime (and its signalled expansion into other APRA-regulated institutions) assists to provide clarity at executive level, there is an identified need to ensure accountabilities cascade through all levels of an institution.
Acknowledged weaknesses – well-known and long standing
The majority of issues identified in the self-assessments were said to be well known to the Board and senior management of relevant institutions.
While that may be so, APRA observed that a number of (well known) issues have been allowed to persist for some time. The reasons cited in the self-assessments often focussed on the ineffectiveness of solutions and the application of tactical solutions, as well as insufficient information and challenge, particularly around non-financial risks.
APRA considers that these deficiencies may be creating a ‘boiling frog’ effect, where issues are tolerated and action is only prioritised when there is regulatory scrutiny or after the occurrence of adverse events.
Risk culture – not well understood and so not driving the right behaviours
APRA noted that while the focus on corporate culture has increased in recent years, the quality of self-assessments indicated that there is significant scope for improvement and further investment. Institutions are putting considerable effort into assessing risk culture, but many continue to face difficulties in measuring, analysing, and understanding culture (and sub-cultures across the institution). It is therefore unclear if these institutions can accurately determine whether their culture is effectively reinforcing desired behaviours (or identifying how the culture would need to be changed to do so).
The task of defining the culture of an institution has been of particular recent focus for ASX-listed companies with the publication in February 2019 of the fourth edition of the ASX Corporate Governance Principles and Recommendations. In particular, amendments to Principle 3 (Instil a culture of acting lawfully, ethically and responsibly) aim to sharpen the focus on embedding corporate social responsibility within company culture – Principle 3 recommends that a company have and disclose (i) the company's core values; (ii) a code of conduct; (iii) a whistle-blower policy; and (iv) an anti-bribery and corruption policy.
The Paper indicates that there is still a way to go before institutions are able to properly assess culture with a degree of rigour and confidence. We can expect more focus from APRA on this issue in the coming months and years.
A further issue – the effectiveness of governance structures
APRA reports that institutions' self-assessments largely rejected the notion that the cultural traits of complacency, insularity and collegiality underpinning the CBA APRA Inquiry findings were prevalent in their organisations.
Many self-assessments noted that the institution is generally well governed, with a respected and suitably challenging board, strong executive leadership teams and a good tone from the top, although at the same time acknowledging weaknesses spanning most or all chapters of the Royal Commission Final Report.
As APRA points out, the inconsistency between Commissioner Hayne's view of the prevalence of governance issues and the results of the self-assessments may be attributable to Board and senior management blind spots when it comes to assessing their own effectiveness.
Stepping back from that blind spot, for an institution reflecting on the adequacy of its governance structures, APRA has signposted that strong governance and risk management frameworks would typically exhibit:
- accountability and remuneration frameworks that incentivise delivery of sound outcomes, including executive remuneration that is designed to better align rewards with an holistic view of performance;
- effective assurance and compliance mechanisms that drive proactive monitoring, early detection and escalation, and timely rectification of issues;
- direct and proportionate rewards and consequences that are consistently applied to hold individuals to account for financial and non-financial outcomes.
Solving the problems: where to now?
By way of response to the self-assessments, the Paper suggests APRA expects that institutions will:
- conduct rigorous self-assessments, including of the effectiveness of remuneration frameworks and risk culture (which were generally not given sufficient focus in the self-assessments APRA has received to date), and in such a way that acknowledges the blind spot Boards and senior management may have when assessing their own effectiveness;
- invest in the significant uplift of the governance and management of non-financial risks, including improving the data, measurement and reporting of such risks and elevating the voice of risk within institutions;
- clearly define accountabilities beyond Board and executive level;
- ensure risk and customer objectives are reflected in remuneration outcomes, by reference to better practices set out by APRA and international bodies; and
- form a clear view of the risk culture in their organisation and articulate a target culture against which progress can be measured.
APRA has noted that many of the institutions' self-assessments were accompanied by lengthy lists of planned actions to respond to the issues identified. APRA cautions that until the underlying drivers of the issues are known they cannot be addressed effectively or sustainably. As well as taking time to understand the root cause, a planned, comprehensive approach to the lengthy lists is likely warranted. The Paper provides useful guidance for all organisations – not just APRA-regulated entities. It is prudent that organisations assess themselves against the guidance in the Paper to ensure that they are meeting best practice.