Insight

Insights from APRA's latest risk culture survey

By:
Jane Stanton,
George Sutton,
Isabella Quant
22 Nov 20227 min read
insight featured image
On 10 November, APRA released the results of their latest risk culture survey in an Insight, “No room for complacency on bank risk culture”. This survey was rolled out to 18 ADIs in late 2021 – including the five largest and 13 smaller ADIs, where all employees of the ADIs were invited to participate. This is the second such survey completed by APRA.
Contents

APRA’s analysis included matters for ADIs to consider, however in our experience these could equally be applied to insurers and Registerable Superannuation Entity Licences (RSELs). Below are points for consideration noted by APRA and guidance on potential root causes based on our experience working with regulated entities of all sizes across all financial services industries.

The survey indicated that Executives may be more confident than legal and Line 2 risk management regarding:

  • Sufficiency of risk resourcing
  • Effectiveness of risk governance and controls

How can Executives ensure that the voice of risk is sufficiently heard and acted upon?

This can be interpreted as not necessarily making the voice of Line 2 stronger, but the voice of risk being more consistent across the entity, facilitated by Line 2.

This disconnect between the Executive, the Board and Line 2 is not uncommon, and can be related both to the way that Line 2 engage with Line 1 risk owners and also the nature and depth of risk reporting that is presented to the Board and Executive.

Risk reporting to the Board should come from both Line 1 and Line 2. If there is a disconnect in messaging, the Board must explore why. We often observe Boards that are drowning in risk data, but receive very little insightful commentary or analysis. Trends in risk ratings can be as important as the risk rating itself because trends can be a leading indicator. Fewer, targeted KPIs may relay more insights than many data points. More operational data points should still be monitored by Line 1; however, these can be accumulated up to a more strategic KPI that is reported to the Board.

One other factor that is particularly prevalent in mutual or member-owned entities (although not solely), is appropriately balancing member or other stakeholder representation on the Board with Non-Executive and Executive Directors that bring industry experience. A Boards’ capacity to ask probing questions, provide suggestions about the type and detail of information they need to receive, and recognise when they are only receiving “good news” will be greater when have a range of experience and succession and tenure aligns with principles of good governance.

How will Executives ensure that risk management practices are appropriately supported (budget, systems, skills, capacity) to evolve and mature, thereby improving the way risks are managed?

In many respects, this insight is linked to the previous one. It is aligned to ensuring that Line 1 have the capability and capacity to own and manage their risks, and that Line 2 can facilitate and uplift this.

It is difficult for an entity to increase its risk maturity if risk management is undertaken solely by Line 2. Whilst it is necessary for Line 2 to build and maintain the risk infrastructure, it must be designed and embedded in such a way that Line 1 can own their risks and management of these. By doing this, Line 2 can transition to a facilitation, review and challenge role to support the consistent embedment of risk management across the entity, and to enable a move towards the target level of risk maturity. It is far more effective for non-financial risks such as operational risk to be managed at the point where the risk occurs.

In our recent article on managing operational risk, we noted some of the elements necessary for successfully managing operational risk including an easy-to-use risk MIS and a streamlined risk taxonomy. Many of these can be applied across all risk categories and at the enterprise risk framework level. These elements are necessary so that risk can be managed consistently and transparently across an entity and at the point  that they arise.

Effective Line 1 risk resource is as critical as a strong Line 2. If an entity is resource constrained, particularly once the risk infrastructure is developed, risk resources should be balanced across Line 1 and Line 2.

Employees need a psychologically safe environment and their willingness to speak up to be supported.

Declining levels of psychological safety among different levels within an organisation is a commonly observed trend. How can Executives encourage people across the organisation to speak up?

Employees should not be penalised for raising issues; they must feel safe to do so. Unrealistic key performance and risk indicators that specify the number of issues permitted to occur, or where that number is zero, may discourage employees from raising issues for fear of not meeting their KPIs. More appropriate KPIs refer to “not knowingly breaching” or set targets regarding the length of time taken to identify an issue.

In addition to training, messaging from leaders to employees must consistently communicate the advantage of reporting issues and the importance of treating the root causes.

Indicators such as the number of calls to the whistle-blower hotline or usage of EAP services are important indicators of risk culture.

How are Executives ensuring that risk management expectations are clearly communicated and implemented throughout the organisation? How are risk management responsibilities and accountabilities cascaded through the entity monitored and reported?

Risk management KPIs must form part of the broader performance management framework. These KPIs must be cascaded from the CEO throughout the entity and be adjusted as appropriate for each level within the entity. This supports a culture of “everyone is accountable.”

Consistency is critical. KPIs must be aligned to the Code of Conduct, risk appetite, delegations, and the overall culture. Information regarding the status of KPIs and any remediation necessary should not just be communicated to the Board but throughout the entity.

It is not necessary for employees at all levels to have a detailed knowledge of the risk appetite. They do however require knowledge of the policies and delegations that govern their day-to-day work, the importance of these and the consequences of non-compliance. These policies and delegations must align with the risk appetite.

How can an entity promote an environment in which individual contributors feel able to constructively challenge decisions?

Clearly defined and well understood delegated authorities are an important way to empower team members. They must however be aligned to the capacity and capability of an individual and their role description. Employees must also understand where to escalate decisions that fall outside their authority.

Constructive challenge requires cultivation. It isn’t something that regulatory frameworks, policies or procedures can build. There is a requirement for leaders to promote a culture of openness, debate and challenge and to facilitate diverse viewpoints from all parts of the organisation.

Where decision-making is too concentrated, or team members don’t believe that they are able to constructively challenge leaders decisions, team members will not feel empowered.

Grant Thornton is available to support you to review and refresh your risk culture and overall risk management framework.

TAGS  
Authors
  • Jane Stanton
    Jane Stanton Jane has over 20 years of financial services industry experience having worked in a variety of senior risk management, internal audit and finance roles for APRA regulated and listed entities. View Profile
  • George Sutton
    George Sutton George has over 20 years of professional experience serving clients in financial services and risk consulting. View Profile
  • Isabella Quant
    Isabella Quant Isabella is a senior manager in the Financial Services Risk Consulting team with experience leading internal audits, delivering culture and governance reviews for APRA regulated entities, designing, reviewing and implementing risk management frameworks, assisting regulated entities to implement prudential standards and developing programs and initiatives to improve risk and control environments.

Related content

View more

Operational Risk Management: APRA’s CPS 230 key areas of focus

Insight

One of the most common ways of managing operational risk is through a system of effective internal controls. Control failures however can lead to events as varied as mis-selling, data breaches and underpayments – as such in APRA's Prudential Standard CPS 230 they have strengthened the focus on operational risk management. In this second series of our CPS 230 technical guides we provide an overview of some necessary elements to achieve strong operational risk management and why it is the foundation of operational resilience.

George Sutton
Jane Stanton
Daniel Farthing
Matthew Green
| 8 min read | 10 Nov 2022

Operational Resilience: APRA’s CPS 230 key areas of focus

Insight

APRA has released draft Prudential Standard CPS 230 Operational Risk Management for comment. CPS 230 will replace CPS 231: Outsourcing and CPS 232: Business Continuity, and the sector specific standards HPS 231, SPS 231 and SPS 232. What is operational resilience? Operational risk management analyses and defines risks associated with people, processes, and systems. Operational resilience defines the approach to managing operational risks.

Jane Stanton
George Sutton
Matthew Green
Daniel Farthing
| 6 min read | 27 Sep 2022

Risk management

Service
19 Apr 2021
    View more