APRA, risk and ‘boiling frogs’

Many self-assessments noted that the institution is generally well governed, with a respected and
suitably challenging board, strong executive leadership teams and a good tone from the top, although at the same time acknowledging weaknesses spanning most or all chapters of the Final Report. This raises the question of whether boards and senior management have a potential blind spot when it comes to assessing their own effectiveness.
— Laker, Broadbent & Samuel "Final Report of the Prudential Inquiry into the Commonwealth Bank of Australia, APRA 1 May 2081, p7

D’oh. Significant uplift is required

In a previous article, we wrote about ASIC Report 515 and APRA’s report on the CBA. As we noted in February, APRA’s Final Report made a number of observations about culture, structure, accountability and governance that are more generally applicable than many Licensees would care to admit.

We wrote:

The importance of capability and competence, and in particular compliance capability, became an inconvenient truth for CBA, when in August 2018, APRA released their Final Report of the Prudential Inquiry into the Commonwealth Bank of Australia (CBA).

The Final Report is a must read for anyone interested in corporate culture and organisational design. Its clear summation included a series of recommendations designed to substantially upgrade the authority and capability of CBA’s operational risk management and compliance functions.

As we’ve previously argued, and as the Royal Commission found, CBA is not the outlier some may have hoped.
— Assured Support "You're right, compliance is (still) the problem", February 17, 2019

This view was reinforced by the Information Paper released by APRA on 22 May 2019.

After asking 36 Insurers, Banks and Trustees to assess themselves against the issues identified in the CBA Report, it became obvious the CBA issues - particularly with respect to operational risk management and compliance - are the norm rather than the exception.


Observations and objections

We’d recommend that you read “Self-assessments of governance, accountability and culture” but we know you’re busy people, so we’ll just focus on what we consider to be the key take-aways.

First, despite the common themes, the respondents reject the notion that these indicate a culture of “complacency, insularity and collegiality”. The reasonableness of their views, given ASIC Report 515, may be open to debate, but APRA return their focus to capability and competency without challenging this seemingly naive assertion.

APRA’s Risk Architecture

APRA’s Risk Architecture

Second, APRA observe that

  • non-financial risk management requires improvement;

  • accountabilities are not always clear, cascaded and effectively enforced;

  • acknowledged weaknesses are well-known and some have been long standing; and

  • risk culture is not well understood, and therefore may not be reinforcing the desired behaviours.

Non-financial risk management needs improvement

there was a widespread sense of complacency, a reactive stance in dealing with risks, insularity and not learning from experiences and mistakes, and an overly collegial and collaborative working environment that lessened constructive criticism, timely decision-making and a focus on outcomes.
— APRA Information Paper, p7

We’ve long argued that compliance is a critical management function; and it is, in both senses of the word. The compliance function both has a decisive or crucial importance in the success, failure, or existence of the Licensee AND must objectively analyse and evaluate in order to form a judgement on issues, acts and strategies.

In our experience, the critical capacity of the compliance function is compromised by structure, reporting, leadership and remuneration arrangements (including the absence of these defined elements). While some licensees will acknowledge the potential influence of unclear accountabilities, blurred roles and resource gaps, few if any Licensees acknowledge or admit that the competence and capability of their compliance and risk teams is an important reason for their ineffectiveness.

In our experience, Licensees too easily confuse cost with effectiveness and headcount with capability.

It’s important to acknowledge that APRA (and ASIC before them) seem to imply that the quality and capability of the compliance resources is significantly more important than the number of compliance resources.

In reality, although numbers matter, the curiosity, capability, competence and independence of your compliance team is far more important.

Boiling frogs

the compliance function must be adequately staffed bt appropriately trained and competent persons who have sufficient authority to perform their role effectively and have a reporting line independent of the business.
— APRA Prudential Standard CPS 220 Risk Management [43]
Copy of compliance risk.png

Ineffective solutions, a lack of focus, voluminous reporting, complexity and a culture of collegiality contribute to what APRA describe as a ‘boiling frog’ effect - “where issues are tolerated and action is only prioritised when there is regulatory scrutiny or after adverse events”.

For licensees, it’s an appealing explanation on many levels but, in our view, it’s an effect unlikely to occur when the risk and compliance function is capable, independent and independent minded.

Unfortunately, to date, few licensees seem to have recognised the benefit of such an arrangement.

(Risk) culture is not well understood

Since 2016, APRA have made considerable efforts to help Licensees articulate and understand risk culture.

Unfortunately, it’s still not well understood - but neither is compliance culture - and the measurement and analysis of ‘culture’ is still developing.

We’d argue that the focus on, or suggestion of a, homogenous (risk) is hopelessly simplistic, but there are ways to map the key strains (and it’s important to do so).

Broad based assessments, frequent testing and targeted audits are useful tools, but a culture’s values are best defined by its exceptions, its actions (and omissions) and its priorities.

We’ve developed our own strategies and methodologies for assessing culture but we accept there’s no single best way to do it.

We also think that the main reason why (risk) culture is not well understood, is simply because it’s a marginally appealing issue for management.

APRA, have a somewhat different perspective and consider that risk culture is often not well-understood because:

  • it is unclear what ‘good’ looks like

  • It is poorly analysed and measured

  • Conduct is overlooked in favour of formal mechanisms

  • Confirmation bias influences assessments

  • The ‘tone from the top’ doesn’t ‘permeate’.

Your way forward

You may not be APRA regulated, and the “nature, scale and complexity” of your business may be nothing like that of the 36 organisations that participated in APRA’s self-assessment project. Nevertheless, you should learn from their example and:

  1. Review your accountability and remuneration framework to ensure values, outcomes and conduct are better aligned. If you need assistance with your Consequence Management and Remediation Framework email help@assuredsupport.com.au.

  2. Refine your monitoring and supervision framework to promote proactive monitoring, early detection, timely escalation and prompt remediation;

  3. Incorporate your commitment to ‘efficiency, honesty and fairness’ into your compliance/risk framework both as explicit expectations and clear measures of conduct;

  4. Ensure that your framework values substantive outcomes above formal processes;

  5. Rigorously test your framework and ‘culture’;

  6. Define accountabilities and reporting lines;

  7. Regularly test, develop and challenge the capability and competence of your Compliance/Risk resources;

  8. Regularly test your framework against best practices and industry standards.