APRA Insights on Risk Culture

Sean McGing reports on the March 7 Insights Session which saw Fahmi Hosain, Head of Governance, Culture & Remuneration at APRA discuss how the regulator is engaging with industry on risk culture across banking, insurance and superannuation.

What better example of APRA’s engagement with industry than to have its Head of Governance, Culture & Remuneration, Fahmi Hosain, present to an Institute Insights Session and take part in a wide-ranging question and answer session afterwards. Fahmi was ideally placed to inform the large live and webinar audience on this topic, having established this specialist unit within APRA and having previously headed the team which developed CPS 220 Risk Management, the cross-industry prudential standard.

The presentation largely reflected APRA’s Information Paper on Risk Culture published in October last year. It covered the context for that paper, APRA’s observations on industry across banking, insurance and superannuation, and what’s next on APRA’s agenda.

Investigations of the global financial crisis (GFC) in 2008 have highlighted that poor risk culture was a major factor in risk taking and resultant losses globally. Prior to this in Australia, the failure of HIH Insurance was at its heart a result of its poor culture. The G20’s response to the GFC included the emergence of the Financial Stability Board (FSB) in 2009, which has investigated the importance of risk culture in the stability of financial institutions. It issued a Compensation (Remuneration) Paper in 2009 and, in 2014, a Guidance Paper on Risk Culture.

APRA’s response as regulator was to develop and introduce CPS 510 Governance and CPS 220 Risk Management. It focused on the linked elements of governance, remuneration and culture, with culture getting the biggest focus in the last couple of years, reflecting its importance.

Observations on industry

Europe has had a much more open response to the importance of having a sound risk culture than Australia. They’ve been through the tough times. Australian entities need to be well prepared, with a sound risk culture in place, to avoid the recession whenever it comes.

More of Australia’s financial institution leadership needs to have Board discussions centred on values and purpose which help drive a sound risk culture.

As it matures, risk culture needs to be driven by CEOs, their senior management and the board, a change from the current predominantly CRO and HR leaders.

Superannuation as an industry has a degree of understanding which generally lags banking and insurance.

The first line of defence must own the risk and take responsibility for risk culture. In a more mature state the second line should be identifying, collecting, monitoring and acting on data, including quantitative information. Examples might be the number of breaches or the number of days of sick leave.

There is increasing use of organisational psychologists and behavioural economists. Diagnostic reviews by consultants are used. Currently tools are focussed on identification and assessment, that is, still on understanding risk culture at their organisation. The next stage is using this self-awareness information to challenge behaviour, for example to identify the root causes of “bad apples” and what in the organisation is supporting that. Consider what behaviour data can be collected by your company. Use methodologies and science to understand why the culture is the way it is, and make sustainable change to improve it.

What’s next from APRA

APRA’s plan across culture, remuneration and governance is best summarised in Fahmi’s final slide:

Of these, culture and remuneration are the current priority items.

Q&A – Topics and insights shared

These included:

  • There is a considerable crossover between APRA and ASIC in the risk culture space. ASIC has its own culture team, but the two regulators work very closely together on these matters. At the same time they have different specific objectives: ASIC’s responsibility is to protect consumers, while APRA’s is to ensure prudential management. APRA considers poor treatment of consumers as a potential signal of poor prudential management.
  • The preparation of the Risk Culture paper was a journey internally for APRA itself with a heightened understanding of the risks from, and elements of, organisational culture.
  • Whistle-blowing protection mechanisms are important but if the issues are around whistle-blowing, then APRA and companies involved have already failed from a culture perspective.
  • Remuneration is an important element linked to the risk culture of an organisation. APRA are working on a more detailed paper on remuneration, which may be ready by the end of this year.
  • Some Boards still think that culture is gut feel. It’s not. It’s more than that.
  • Complacency is the industry’s biggest danger. Australia’s 25 year recession free environment has dulled our sensitivity to risk.
  • Culture and risk culture can be considered the same thing. Risk culture is simply how organisational culture relates to risk management. Risk culture is looking at organisational culture through a risk lens.
  • There is a wide range of practices across industries on funding risk culture assessments and investigations. Some superannuation funds appear to have less of an understanding of their risk culture and its importance than those in insurance and banking.
  • Risk culture needs to be understood and implemented in the first line of defence to ultimately reflect a mature state.

Thank you Fahmi for a very informative session. Please come again!

CPD: Actuaries Institute Members can claim two CPD points for every hour of reading articles on Actuaries Digital.