Management and boards are under pressure with the release of APRA's report on governance, accountability and culture of large financial companies.
The Australian Prudential Regulation Authority (APRA) has warned the boards of 36 banks, insurers and super funds they face penalties in the form of higher capital charges if they don’t lift their game on managing risk culture. This follows shortcomings revealed in its analysis of their self-assessments of governance, culture and accountability.
APRA wrote to the boards in mid-2018, after its prudential inquiry into the Commonwealth Bank of Australia (CBA) found continued financial success dulled the bank’s senses, especially with regard to the management of non-financial risks. It asked boards to examine whether the weaknesses uncovered by the CBA prudential inquiry existed in their own companies.
Releasing APRA’s information paper in late May, APRA deputy chair John Lonsdale said it was clear many of the issues identified within CBA are not unique to that institution. “Although the self-assessments raised no concerns about financial soundness, they confirmed our observation that industry is grappling to manage non-financial risks, such as culture and accountability,” he said.
While APRA noted most institutions recognised the opportunity to critically examine their own organisation, some took a “lighter touch approach” and viewed it as an “exercise for APRA rather than an opportunity to drive improvement”. While acknowledging the challenges of measuring and analysing risk culture, “there remains significant scope for improvement in this area”, the report said.
The self-assessments showed considerable variation in the number and severity of findings of the institutions, but four themes emerged across all industries:
- Non-financial risk management requires improvement. This was evidenced through a range of issues identified by institutions, including resource gaps (particularly in the compliance function), blurred roles and responsibilities for risk, and insufficient monitoring and oversight. Institutions acknowledged historical underinvestment in risk management systems and tools has also contributed to ineffective controls and processes.
- Accountabilities are not always clear, cascaded and effectively enforced. Institutions noted that while senior executive accountabilities are fairly well defined within frameworks, there is less clarity or common understanding of responsibilities at lower levels and points of handover where risks, controls and processes cut across divisions. “This is further undermined by weaknesses in remuneration frameworks and inconsistent application of consequence management.”
- Acknowledged weaknesses are well-known and some have been long-standing. “The majority of self-assessment findings were reported to be already known to boards and senior leadership. Nevertheless, some issues have been allowed to persist over time, with competing priorities, resource and funding constraints typically cited as the basis for acceptance of slower progress. These issues are often only prioritised when there is regulatory scrutiny or after adverse events.”
- Risk culture is not well understood and therefore may not be reinforcing desired behaviours. APRA noted institutions are putting considerable effort into assessing risk culture. “But many continue to face difficulties in measuring, analysing, and understanding culture (and subcultures across the institution). It is therefore unclear if these institutions can accurately determine whether their culture is effectively reinforcing desired behaviours (or identify how it would need to be changed to do so).”
APRA said many self-assessments noted the institution is generally well governed, with strong executive leadership teams and a good tone from the top, although at the same time acknowledging weaknesses spanning most or all chapters of the Final Report. The regulator poses the question: do boards and senior management have a blind spot when it comes to assessing their own effectiveness? It intends to test this further.
Further, APRA has signalled it may require organisations to hold additional capital as a risk buffer where it is not satisfied that issues identified in self-assessments are being resolved in a satisfactory and timely manner.