Read the key points of APRA Executive Director Superannuation Division, Suzanne Smith’s speech at the recent ASFA Spotlight on Risk and Compliance event.
“A single serious accusation of misconduct can cause immense damage to an organisation’s reputation, eroding public trust, deterring customers and investors, or attracting financial penalties such as fines. That in itself is a prudential risk. APRA’s chief concern when it comes to misconduct, however, is what it says about an institution’s culture, and whether that culture potentially enables or even encourages damaging behaviour”.
In a timely speech, Suzanne Smith provided an APRA perspective on conduct, culture and “what good looks like”. APRA has been stepping up its focus on transforming governance, culture, remuneration and accountability across its regulated entities with a view to rectifying sub-standard industry practices.
Risk culture refers in simple terms to an entity’s attitude to risk management. An inadequate risk culture and instances of misconduct often go hand-in-hand. Conversely, a sound risk culture encourages employees to speak up and voice concerns with their leaders. It produces better decisions by considering a broader range of views and allowing appropriate challenge of questionable ideas, and it incentivises boards and senior executives to prioritise what’s right over what’s simply profitable or expedient.
To reach conclusions on risk culture and to answer the question “what does good look like?”, APRA uses its Risk Culture 10 Dimensions. These 10 Dimensions of Risk Culture are:
- Leadership
- Risk appetite and strategy
- Decision-making and challenge
- Communication and escalation
- Risk capabilities
- Risk governance and controls
- Responsibility and accountability
- Performance management and incentives
- Shared values
- Risk culture assessment
A number of these 10 dimensions were covered in more detail, including what constitutes good practice and what may give APRA cause for concern, as summarised below.
It’s no coincidence that leadership is number one on APRA’s list as APRA considers that nothing influences an institution’s risk culture more than the ‘tone from the top’. Organisations with strong role models who champion risk culture and with leaders who regularly monitor risk culture and take effective actions to address identified weaknesses and deal proactively with poor risk outcomes do well in this leadership dimension. On the flip side, organisations that are poor on this front have leaders who don’t necessarily ‘walk the talk’.
Decision-making and challenge is another critical element, which refers to the willingness to give and receive constructive challenge across the entity. This includes whether decision-making is dominated by an individual or group of individuals, and whether risk is recognised as being critical to decisions or the voice of risk is silenced. It is expected that staff are encouraged to speak up and give constructive challenge on decisions. The dimension of communication and escalation speaks to how well risk issues are openly communicated and whether people feel safe to speak up. An organisation’s attitude to diversity and inclusion can be a key factor in creating a culture where everyone feels safe to speak up.
It is critical that responsibility and accountability for risk are clearly understood and discharged across the three lines of defence of the organisation to foster an effective risk culture. APRA would expect that individuals take personal ownership of risk and that accountabilities are clear. The introduction of the Financial Accountability Regime (FAR) will be an important lever in bringing greater transparency to the accountability of individuals for risks.
In terms of “what good looks like”, it is expected that values are well articulated, sound and are being lived throughout the entity and that time and effort is spent on refreshing and maintaining the set of shared values even in periods of significant growth or crises. Individual behaviours need to be aligned with the entity’s espoused values around risk management. APRA is looking to understand the ‘echo from the bottom’ demonstrated through the myriad of day-to-day decisions made within the business and whether this is consistent with the entity’s stated values.
The final risk culture dimension covered is performance management and incentives. APRA has recently issued draft prudential guidance related to its forthcoming cross-industry standard on remuneration. APRA’s new standard is intended to lead to stronger incentives for individuals to proactively manage non-financial risks and to have appropriate financial consequences where material risk incidents have occurred. At its core this dimension is about ensuring good risk management behaviour is rewarded and poor risk behaviour faces proportionate consequences i.e. that mature organisations will be rewarding ‘doing the right thing’ and penalising poor risk behaviours even when the poor behaviour has contributed to a good financial outcome.