APRA has released an Information Paper on the findings arising from self-assessments of governance, accountability and culture dated 22 May 2019.
The request for self-assessments followed the release of the Final Report of the Prudential Inquiry into Commonwealth Bank of Australia (CBA). Thirty-six authorised deposit-taking institutions, insurers and superannuation licensees were asked to conduct an independent assessment to consider whether similar issues might exist in their own organisations.
APRA subsequently examined the self-assessments to review their quality, identify common themes and, where necessary, challenge institutions’ findings. The results of APRA’s review as published in an APRA Information Paper Self-assessments of governance, accountability and culture on 22 May 2019. While the Information Paper relates to findings arising from the assessments performed by particular institutions, APRA expects that all prudentially regulated institutions consider the findings in the context of the report for their own institutions. APRA notes in the Information Paper, it has released the findings to ‘assist institutions in understanding and addressing the challenges of embedding effective risk governance frameworks and practices’.
Indeed, now that the report and learnings are publicly available to all, consideration of the report would arguably be essential to demonstrating ‘reasonable steps’ have been performed for those institutions currently regulated by the Banking Executive Accountability Regime.
While similar common themes were identified in the self-assessment to those identified in the CBA Prudential Review, relevant institutions have rejected the possibility that similar defective cultural traits such as complacency, insularity and collegiality exist in their own institutions.1
This does appear to be overly optimistic when considered in the context of the issues identified in the Royal Commission Inquiry into Misconduct in the Banking, Superannuation and the Financial Services Industry and is inconsistent with findings in the Information Report that assessment of culture is immature and insufficiently robust in most cases.
APRA has made it clear it will hold Boards and management ultimately accountable for weaknesses in their institutions. It has foreshadowed further changes in the next 12 months to ‘strengthen prudential expectations and increase supervisory intensity for governance, accountability and culture’. Some institutions who performed the assessments have identified material issues and APRA has noted it is considering applying additional operational risk capital requirements on these institutions until the issues are fully addressed.2
While APRA acknowledges many institutions have developed plans to address the findings it cautions ‘a clear understanding of the underlying drivers of issues is essential’. APRA has encouraged all institutions to complete a thorough self-assessment if they have not already done so and to consider the observations in the Information Paper.3
Quality of the self-assessments
APRA states that the request to perform self-assessments was intentionally non-prescriptive. Accordingly, the structure, methodology and format each institution took to completing the self-assessment was considered an ‘important indicator’ of how seriously each board approached the task.4 In reviewing the quality of the self- assessments, APRA considered the adequacy of depth, challenge and insights in each assessment. APRA was disappointed where institutions opted to adopt a ‘tick a box’ approach and suggests this was an indicator of complacency. It preferred those approaches which more closely replicated the approach adopted in the CBA Prudential Review which incorporated case studies, board and senior leadership interviews and staff surveys.
While most assessments met APRA’s expectations on the level of depth and challenge, only a few self- assessments identified new insights.5 Eight institutions have been identified as having a ‘Poor’ rating for insights, meaning significant further work will be required to meet the objectives of the assessment with a further 23 identified as having a ‘Moderate’ rating meaning some improvements will be required for at least most of the participants. Only five institutions were considered to have satisfactorily met this objective.
Many of the issues were said to be already known by boards and senior management and the extent of issues and a long list of planned actions suggests to APRA that many institutions do not have a good grasp on the root cause of these weaknesses which have caused them to ‘manifest and persist’.6 While this has not been expressly stated by APRA in its report, it would appear that the overly positive assessment of the institutions’ own cultures may have some connection to this finding. Replace me
Replace me…it is highly possible that the ongoing weaknesses in understanding the root causes of issues are rooted in cultural issues which are either not properly understood or ignored.
In other words, it is highly possible that the ongoing weaknesses in understanding the root causes of issues are rooted in cultural issues which are either not properly understood or ignored. This is supported by APRA’s observations that many institutions either ‘struggled to articulate their assessment of culture’ or provided ‘little evidence’ to support their assessment.7
Table 1: Key self-assessment emerging themes
|Non-financial risk management requires improvement
|Embedding effective frameworks and controls to identify, manage and mitigate non-financial risks is a challenge for institutions. Resources gaps in the compliance function were particularly noted in addition to lack of clarity of roles and responsibilities for risk and insufficient monitoring and oversight.
The three lines of defence where business line management provide the first line, risk functions the second and internal audit the third, is the risk model which is adopted by most institutions but is acknowledged in the Information Report to be have been largely ineffectively implemented. A common reason cited were blurring of roles and responsibilities for non- financial risk largely due to challenges in effectively implementing the three lines of defence model. As this model has been around for many years, one has to wonder if this model needs re-thinking. It has been argued by some commentators the model itself can have a negative impact on accountability and effectiveness,8 two key issues that continue to emerge in the conduct of the banking, superannuation and finance sectors.
This is a critical issue particularly for compliance functions who continue to compete for skilled resources that are scarce and thereby placing extra pressure on existing resources who are already stretched under the weight of substantial regulatory reform and remediation and enhancement programs. This is a genuine problem for institutions which requires resolution. ADI firms will need to consider the role outsourcing and technology (such as the emergence of RegTech) will play in addressing resource challenges. But it is not sufficient to merely consider this, strategic planning for investment in alternatives sources of expertise, automation, digitisation and systems to facilitate compliance will need to be a top priority for Boards and Executive Management to effect the enhancements that have been identified.
|Accountabilities are not always clear, cascaded and effectively enforced
|Less clarity was particularly identified in lower levels of management and points of handover. This was considered to be further undermined by weaknesses in remuneration frameworks and inconsistent application of consequence management.
The BEAR was considered to be the answer to accountability challenges by clarifying roles and responsibilities and a ‘means to sharpen executive accountability’.
|Acknowledged weaknesses are well known and some have been long- standing
|The majority of findings were reported to be already known to boards and senior leadership but nevertheless had persisted over time. It was observed the issues were only prioritised when there is regulatory scrutiny or after adverse events.
ADI firms admitted to ‘untimely and reactive resolution’9 of issues with a propensity for ‘short-term’ tactical fixes rather than ‘long-term strategic solutions’10.
|Risk culture is not well understood, and therefore may not be reinforcing the desired behaviours
|Many institutions struggle to measure, analyse and understand culture.
The source of truth used by many ADIs according to APRA’s report were surveys on culture. There were limited attempts to validate survey results with other data sources. Overall, it was observed there was insufficient regularity of reporting to the board on risk culture issues and limited efforts to link risk culture outcomes to stated risk appetite. Institutions were warned against adopting a ‘too hard’ mindset to culture change. The ability to articulate the culture and objectives was viewed in terms of the maturity of an institution. Those institutions that could demonstrate an understanding of the drivers of behaviour and its central role in the business model and strategy were seen to be on the right path.
While the institutions themselves may not have acknowledged the above emerging themes are indicators of weaknesses in their culture, when considered in more detail, they do seem to point to some possible areas cultural concerns areas such as:
- prioritisation of financial performance over management of non-financial risk
- lack of accountability for senior management where they fail to deliver actions or objectives
- ‘band-aid’ fixes and lack of prioritisation and insufficient investment in resolving risk and compliance issues
- an insufficient ‘tone from the top’ on the importance of a positive risk culture and inadequate challenge and scrutiny where weaknesses are identified.
Identifying the root cause of weaknesses
The risk of failing to adequately identify the true root cause of the weaknesses is specifically called out by APRA who will no doubt be monitoring whether these matters are effectively or sustainably resolved by institutions in the future.
Many institutions either fail to consider the root cause at all or only consider surface causes of issues rather than considering whether there is a deeper, underlying cause for the individual’s actions such as cultural weaknesses, structural issues, lack of resourcing, ineffective leadership or ineffective or lack of effective systems. Boards and senior management should challenge what they are being told about the causes of particular weaknesses and enquire further where this is insufficiently clear. It is also important to consider the skills, competency and experience of the persons investigating and reporting on weaknesses. A sufficient depth of knowledge, experience and relevant skills concerning the particular subject matter is required to properly diagnose the root cause and accurately and comprehensively describing the issue.
Many ADIs accepted they need to improve data, measurement and reporting for non-financial risks. It was acknowledged that indicators and metrics for measuring and monitoring non-financial risks are ‘fairly basic’. Reporting occurs in various reports which limit the ability of institutions to draw meaningful analysis and some large institutions accepted this had led to significant regulatory compliance breaches.
Effective compliance monitoring should consist of both monitoring the effectiveness of a compliance management system and compliance performance. It requires comprehensive planning and analysis on the key compliance risks which will be monitored and the metrics which will be utilised to measure performance. Deep knowledge and experience in compliance and the regulatory requirements is needed to effectively design a monitoring program. The resource challenges identified in identifying and recruiting experienced risk and compliance personnel could be contributing to the weaknesses in identifying issues as there are limited persons with the requisite skills and experience required to design such systems.
Given the issues identified with reporting to boards in the Royal Commission into Banking, Financial Services and Superannuation, it is no surprise that these issues were also identified in the self-assessment reviews. ADIs cited issues with voluminous board and committee reporting and poor data analytics capabilities.
This is an area where institutions will need to improve and close examination of reporting structures, escalation protocols and the content of reports will need to be required.
APRA has indicated it will continue to enhance its supervision of risk culture which will include:
- further risk-based reviews across a wide range of institutions
- scoping these reviews to consider the influence of risk culture on non-financial risk management
- stronger and more direct engagement with boards and senior management to hold them to, account for actions to address identified
Those institutions who have not been formally requested to undertake a self-assessment were encouraged to do so.
With the issues identified from this self-assessment review, the CBA Prudential Review and Royal Commission, if there was ever a burning platform for institutions to look seriously at their own culture and how they manage non-financial risk, now is the time.
Material published in Governance Directions is copyright and may not be reproduced without permission. The views expressed therein are those of the author and not of Governance Institute of Australia. All views and opinions are provided as general commentary only and should not be relied upon in place of specific accounting, legal or other professional advice.