Risk culture is the engine to drive the entire enterprise risk management (ERM) program in any organization and, therefore, is of paramount importance to be a focus point.
Australian Prudential Regulation Authority (APRA) has greatly focused on the development of risk culture in banks and insurance companies over the last couple of years. However, it is difficult to measure risk culture, and thus a comparison with peer organisations is even more challenging. This article discusses the importance of risk culture and what steps APRA takes to enhance the risk culture in Australian financial institutions.
Importance of Risk Culture
Culture is a way of life, including the arts, beliefs, and institutions of a population, that is passed down from generation to generation. Culture breeds itself from one individual to another without physically transmitting it. Therefore, culture is not always documented because the transmission can have different sizes and shapes.
The same is valid with risk culture. The spread of risk culture is based on the internal behaviour of senior management, existing employees, to new employees. So, it is worth implementing a good risk culture into the DNA of the organisation.
Over the last two decades, enterprise risk management (ERM) has been positioned against silo risk management, which was prevalent for hundreds of years and was not so successful in addressing various global crises in recent times. Contemporary examples include the dot com bubble, Enron and the 2008 crisis.
On the other hand, ERM is holistic and can be applied across the organization. This approach involves the Board, senior management, the appointment of the Chief Risk Officer, and any employees who are part of the first-line defence in managing risk. The ERM considers correlations of risks that relatively reduce the cost of managing risk; further, in the aggregation of risk, correlation allows a diversification effect reducing overall capital requirement. It is established in many academic pieces of literature that ERM enhances firm value.
Given the importance of ERM for the organisation, risk culture is the engine of the ERM.
The determinants of ERM are:
- Board of Directors (size of Board, composition of Board, gender mix)
- Three lines of defence
- Risk appetite
- Risk culture
Apart from risk culture, all other determinants are architecture related. Whereas risk culture is functional-related because this is associated with human behaviour and their resulting actions. This means any changes in the risk culture will impact how ERM is implemented and its effectiveness. Therefore, it is essential to focus on the risk culture that APRA has been doing in recent years.
According to the Institute of Risk Management, London, the Risk Culture Executive Summary document  mentions four critical levers of good risk culture as shown in the figure below.
These key levers have further sub-components that need to be improved within the organization to improve the risk culture.
APRA  has created ten dimensions for developing a sound risk culture. These levers are:
- Decision-Making and Challenge.
- Communication and Escalation.
- Risk Capabilities.
- Alignment with Purpose and Values.
- Risk Culture Assessment and Board Oversight.
- Risk Appetite and Strategy.
- Risk Governance and Controls.
- Responsibility and Accountability.
- Performance Management and Incentives.
APRA has identified the right risk culture elements that are a combination of determinants of ERM (mentioned above) and determinants of risk culture identified by IRM. The star-marked determinants are common with IRM. APRA has taken the right step to guide the industry in the right way to focus on ten risk culture dimensions to work on.
The APRA’s further effort in developing the risk culture is evident from the three examples discussed below in the banking and general insurance sector.
APRA’s Focus to Enhance Risk Culture
Survey on Banks
APRA initiated a survey  in the 18 authorized deposit-taking institutions (ADIs) between October and December 2021 in which the five largest banks( referred to as Major ADIs) participated, 13 entities consisting of a mix of regional banks, foreign bank subsidiaries/branches, mutual banks, credit unions and building societies (collectively referred to as Other ADIs). APRA sent a survey invitation to every employee at each participating ADI, amounting to approximately 165,500 invitations. The response rate was 42% in Major ADIs and 59% in Other ADIs. These are exceptionally high participation rates.
The survey result demonstrated overconfidence by CXO about their risk management capabilities compared to the second line of defence (risk, compliance, and legal). There were response gaps of 5% to 6% between the two sets of workforces on effective processes of controlling risk and 18% gaps in resource allocation like budget, skill capacity, etc.
These results show that top executives are consistently more optimistic about their risk management capabilities compared to the second line of defence, who are closer to the actual execution of risk management.
There was a wide variation (22% to 28%) in lowest to highest response on oversight, striking a balance between risk management & business outcome, system reliability, resources, etc.
This indicates that there is a need for risk management practices to be appropriately supported to evolve and mature, thereby improving the way risks are managed.
There was a wide variation of responses between CXOs and individual contributors on the level of accountabilities and understanding of roles and responsibilities through three lines of defence.
This issue is observed in other parts of the world. The challenge is the first line of defence is not ready to take risk management responsibilities because of their lack of risk management capabilities.
Survey on General Insurance Companies
APRA wrote to all general insurance companies in October 2022  about the weaknesses they identified in risk management practices through self-assessment processes conducted in July 2021. They outlined in their letter that the non-participating insurers should consider conducting their self-assessments and adapting the learnings to their operations.
The findings of the self-assessment process confirmed the existence of weakness in their risk management practices. During the peak of COVID-19, customers faced difficulties receiving their claims in their Business Interruption (BI) insurance policies. They found a failure to update the policy wordings of BI policies that exposed companies to litigation and reputation risk. They also found a mismatch between their policy wordings and what reinsurance companies could tell them about the reinsurers’ claim process. They found multiple versions of policy wordings across different distribution channels.
Through a government lens, APRA needed to develop a sound culture of risk acceptance, awareness, and quantification. The integration of insurance risk management into their broader risk management framework was immature and lacked proactive efforts toward adequate controls. The oversight by the second line of defence on the first line needs improvement. Also, there was a need to develop a risk acceptance framework based on risk appetite. Some essential factors of good risk culture, like accountability and a “what if” mindset, were missing.
In 2019, the Australian Transaction Reports and Analysis Centre (AUSTRAC) found widespread breaches of the Anti-Money Laundering and Counter-Terrorism Financing Act on over 23 million occasions in Westpac bank . The same year, APRA announced an extensive review program focused on Westpac’s Risk Governance. In 2020, AUSTRAC imposed a penalty of $1.3 billion.
APRA found Westpac’s non-financial risk culture to be immature and reactive and identified weaknesses in culture, governance, and accountability . As a result, the bank acknowledged that significant work is needed to improve its risk management capability and culture.
Later, APRA created a remediation plan with oversight from an independent reviewer. They further imposed additional capital outlay  for operations risk of $1 billion with a split as below:
- $500 million in response to Westpac’s Culture, Governance, and Accountability self-assessment.
- $500 million in response to the magnitude and nature of issues that were the subject of the AUSTRAC proceedings.
IRM Risk Culture Executive summary https://www.theirm.org/media/8447/risk_culture_a5_web15_oct_2012-executive-summary.pdf
CPD: Actuaries Institute Members can claim two CPD points for every hour of reading articles on Actuaries Digital.