The Australian Prudential Regulation Authority (APRA) recently published its plans to significantly scale up its efforts to raise the standards of governance, culture, remuneration and accountability (GCRA) across financial institutions.

Following on from the Royal Commission, the Prudential Inquiry into the Commonwealth Bank of Australia (CBA), and the extension of CBA-style self-assessments to large financial institutions, APRA has released an information paper setting out considerations for its approach to supervising GCRA issues in financial institutions.

In doing so, APRA has signalled its commitment to using GCRA as a prudential supervision tool in a bid to strengthen the resilience of financial institutions – and in the same stroke, restore community trust and confidence in the financial system.

Financial institutions can expect the focus on governance, risk culture and now GCRA to take root and develop over the long term. It is vital that organisations stay on top of these regulatory trends to ‘future proof’ their businesses. GCRA issues are now a mainstream priority, and those who continue to relegate oversight of these issues – for example, culture being solely the remit of the HR or People and Culture team – will find themselves at a disadvantage.

As the regulator’s focus continues to sharpen on GCRA issues, we can expect to keep seeing incidents like the Westpac AUSTRAC scandal splashed across the media. In that instance, a raft of cultural and governance failings were uncovered, including a willingness to turn a blind eye to potential breaches and non-compliances, insufficient risk consideration being given to new systems and processes (e.g. overseas remittance systems), and a reluctance to report breaches until doing so became unavoidable.

While we hope not to see further failings on the scale of Westpac’s, the eyes of the regulator are certainly now on all financial institutions to prevent non-compliance or breaches on any scale.

APRA’s approach is set to place an unprecedented expectation on financial institutions’ treatment of GCRA

The actions your organisation could take are many and varied, but we recommend the following as a good place to start:

What should boards be considering now?

  • Consider your board’s approach to GCRA – what is the tone from the top and how is it holding management accountable? Think of five things to do differently from now on.
  • Review your board governance assessments for robustness and alignment to the organisation’s profile. If your organisation has had major non-compliances during the year, consider the impact of this on the board performance assessment.

Your next GCRA assessment

  • Consider doing an annual GCRA assessment – noting that this may evolve over time and be impacted by reporting on BEAR and CPS 511, which have differing effective timings.
  • APRA proposes biennial assessments, however this can be supplemented by annual risk culture assessments.
  • Ensure your GCRA assessments include input from external audit, internal audit, suppliers and customers.
  • Include input into your GCRA assessment and/or your risk culture assessment from past employees, past service providers, past customers and junior staff. These stakeholders are often omitted from assessment processes but may have valuable input – both negative and positive.

What can executive teams do?

  • Develop a GCRA dashboard to use internally – covering aspects such as GCRA assessments, incidents/breaches, customer complaints, Australian Financial Complaints Authority (AFCA) outcomes, overdue audit items, whistle-blower complaints, and bullying/harassment complaints – as well as positive aspects such as awards, positive media and social media coverage.
  • Review your processes for incident recording, assessment and breach reporting, including timeliness. A willingness to identify and resolve issues can be a hallmark of a positive GCRA environment.
  • Strengthen your processes to allow and encourage issues and risks to be identified, recorded and elevated. The matter that keeps your call centre manager awake at night could be your next Westpac moment. Helping them raise a concern may save you from being on the front page of The Australian Financial Review.
  • Implement CPS 511, APRA’s prudential standard on remuneration.

Go that extra mile

  • Consider self-reporting of GCRA to stay ahead of the curve – the style and content of the reporting may need careful consideration. Issues to consider may include GCRA assessment results, breaches reported to regulators, AFCA history, and other relevant content. For many small and mid-sized financial institutions, their profile will compare very favourably with those of the major banks – this represents an opportunity to build credibility and differentiate themselves.
  • Consider the impact of past breaches and other unfavourable issues on your GCRA assessment. APRA has levelled criticisms of complacency at many financial institutions. If you have had issues in the past, consider demonstrating how you have learned from these and established processes to prevent these issues from recurring.
  • Who is your institution’s Chief Culture Officer? While we do not recommend hiring a new person, our view of better practice is that the CEO is also your “CCO”!

Unsure of how this applies to your business?

Among other services, we have capability across Audit, Internal Audit, Risk Advisory, Risk Culture, Governance, and Culture & Remuneration (Human Capital). With in-depth knowledge on the current environment, plus a track record of working with clients in financial services – credit unions, mutual banks, super funds, private health insurers and insurers more broadly, and with APRA itself – we are here to assist you.