APRA’s report released today highlights the gaps which still exist across our financial firms, following the CBA analysis. Worryingly, despite firms’ boards and management teams being aware of the risk and accountability deficits which exist, some are not addressing them appropriately. Indeed, in some organsiations, there is still limited visibility of potential non-financial risks.
The Final Report of the Prudential Inquiry into the CBA found that continued financial success dulled the institution’s senses to signals that might have otherwise alerted the Board and senior executives to a deterioration in the bank’s risk profile. This was particularly evident in relation to the management of non-financial risks.
The Prudential Inquiry also found a number of prominent cultural themes; there was a widespread sense of complacency, a reactive stance in dealing with risks, insularity and not learning from experiences and mistakes, and an overly collegial and collaborative working environment that lessened constructive criticism, timely decision-making and a focus on outcomes.
The Final Report listed 35 recommendations focussing on five key levers of change:
- more rigorous board and executive committee governance of non-financial risks;
- exacting accountability standards reinforced by remuneration practices;
- a substantial upgrading of the authority and capability of the operational risk management and compliance functions;
- injection of the “should we” question in relation to all dealings with and decisions on customers; and
- cultural change that moves the dial from reactive and complacent to empowered, challenging and striving for best practice in risk identification and remediation.
In releasing the Final Report, APRA noted that all regulated financial institutions would benefit from conducting a self-assessment to gauge whether similar issues might exist in their institutions. APRA subsequently wrote to the chairs of 36 institutions requesting a board endorsed written self-assessment of the effectiveness of their own governance, accountability and culture practices. APRA received all of these assessments by mid-December 2018.
APRA’s request for institutions to conduct the self-assessments was intentionally not prescriptive. Boards were asked to determine an approach to the assessment which would provide them with a comprehensive understanding of the effectiveness of governance, accountability and culture, and enable them to form a view as to the extent the ‘tone from the top’ is permeating through and across the institution. As a result, the structure, methodology and format each institution took to completing the self-assessment was considered an important indicator of how seriously boards approached the task.
APRA set three principles that it expected the self-assessments to reflect:
- Depth – to enable the board to gain assurance that appropriate governance, accountability and culture are embedded in practices and behaviours, and enforced within the various levels and across the group-wide operations;
- Challenge – either independent or self-challenge, to provide the board with fresh perspectives on the strength of governance, accountability and culture (e.g. the assessment should not only reflect the view of the risk function); and
- Insights – to inform the board of areas requiring attention and improvement, and how better practice can be achieved.
Emerging themes
While the self-assessments exhibited considerable variation in the number and severity of findings, four themes emerged across all industries:
- non-financial risk management requires improvement. This was evidenced through a range of issues identified by institutions, including resource gaps (particularly in the compliance function), blurred roles and responsibilities for risk, and insufficient monitoring and oversight. Institutions acknowledged that historical underinvestment in risk management systems and tools has also contributed to ineffective controls and processes.
- accountabilities are not always clear, cascaded, and effectively enforced. Institutions noted that, while senior executive accountabilities are fairly well defined within frameworks, there is less clarity or common understanding of responsibilities at lower levels, and points of handover where risks, controls and processes cut across divisions. This is further undermined by weaknesses in remuneration frameworks and inconsistent application of consequence management.
- acknowledged weaknesses are well known and some have been long-standing. The majority of self-assessment findings were reported to be already known to boards and senior leadership. Nevertheless, some issues have been allowed to persist over time, with competing priorities, resource and funding constraints typically cited as the basis for acceptance of slower progress. It was observed that these issues are often only prioritised when there is regulatory scrutiny or after adverse events.
- risk culture is not well understood, and therefore may not be reinforcing the desired behaviours. Institutions are putting considerable effort into assessing risk culture, but many continue to face difficulties in measuring, analysing, and understanding culture (and sub-cultures across the institution). It is therefore unclear if these institutions can accurately determine whether their culture is effectively reinforcing desired behaviours (or identify how it would need to be changed to do so).
While the self-assessments contained some in-depth self-reflection and acknowledgement by institutions of issues within their organisations, the assessments relating to the effectiveness of boards and senior leadership were notably less critical. Many self-assessments noted that the institution is generally well governed, with a respected and suitably challenging board, strong executive leadership teams and a good tone from the top, although at the same time acknowledging weaknesses spanning most or all chapters of the Final Report. This raises the question of whether boards and senior management have a potential blind spot when it comes to assessing their own effectiveness.