APRA, risk and ‘boiling frogs’
D’oh. Significant uplift is required
In a previous article, we wrote about ASIC Report 515 and APRA’s report on the CBA. As we noted in February, APRA’s Final Report made a number of observations about culture, structure, accountability and governance that are more generally applicable than many Licensees would care to admit.
This view was reinforced by the Information Paper released by APRA on 22 May 2019.
After asking 36 Insurers, Banks and Trustees to assess themselves against the issues identified in the CBA Report, it became obvious the CBA issues - particularly with respect to operational risk management and compliance - are the norm rather than the exception.
Observations and objections
We’d recommend that you read “Self-assessments of governance, accountability and culture” but we know you’re busy people, so we’ll just focus on what we consider to be the key take-aways.
First, despite the common themes, the respondents reject the notion that these indicate a culture of “complacency, insularity and collegiality”. The reasonableness of their views, given ASIC Report 515, may be open to debate, but APRA return their focus to capability and competency without challenging this seemingly naive assertion.
Second, APRA observe that
non-financial risk management requires improvement;
accountabilities are not always clear, cascaded and effectively enforced;
acknowledged weaknesses are well-known and some have been long standing; and
risk culture is not well understood, and therefore may not be reinforcing the desired behaviours.
Non-financial risk management needs improvement
We’ve long argued that compliance is a critical management function; and it is, in both senses of the word. The compliance function both has a decisive or crucial importance in the success, failure, or existence of the Licensee AND must objectively analyse and evaluate in order to form a judgement on issues, acts and strategies.
In our experience, the critical capacity of the compliance function is compromised by structure, reporting, leadership and remuneration arrangements (including the absence of these defined elements). While some licensees will acknowledge the potential influence of unclear accountabilities, blurred roles and resource gaps, few if any Licensees acknowledge or admit that the competence and capability of their compliance and risk teams is an important reason for their ineffectiveness.
In our experience, Licensees too easily confuse cost with effectiveness and headcount with capability.
It’s important to acknowledge that APRA (and ASIC before them) seem to imply that the quality and capability of the compliance resources is significantly more important than the number of compliance resources.
In reality, although numbers matter, the curiosity, capability, competence and independence of your compliance team is far more important.
Ineffective solutions, a lack of focus, voluminous reporting, complexity and a culture of collegiality contribute to what APRA describe as a ‘boiling frog’ effect - “where issues are tolerated and action is only prioritised when there is regulatory scrutiny or after adverse events”.
For licensees, it’s an appealing explanation on many levels but, in our view, it’s an effect unlikely to occur when the risk and compliance function is capable, independent and independent minded.
Unfortunately, to date, few licensees seem to have recognised the benefit of such an arrangement.
(Risk) culture is not well understood
Since 2016, APRA have made considerable efforts to help Licensees articulate and understand risk culture.
Unfortunately, it’s still not well understood - but neither is compliance culture - and the measurement and analysis of ‘culture’ is still developing.
We’d argue that the focus on, or suggestion of a, homogenous (risk) is hopelessly simplistic, but there are ways to map the key strains (and it’s important to do so).
Broad based assessments, frequent testing and targeted audits are useful tools, but a culture’s values are best defined by its exceptions, its actions (and omissions) and its priorities.
We’ve developed our own strategies and methodologies for assessing culture but we accept there’s no single best way to do it.
We also think that the main reason why (risk) culture is not well understood, is simply because it’s a marginally appealing issue for management.
APRA, have a somewhat different perspective and consider that risk culture is often not well-understood because:
it is unclear what ‘good’ looks like
It is poorly analysed and measured
Conduct is overlooked in favour of formal mechanisms
Confirmation bias influences assessments
The ‘tone from the top’ doesn’t ‘permeate’.
Your way forward
You may not be APRA regulated, and the “nature, scale and complexity” of your business may be nothing like that of the 36 organisations that participated in APRA’s self-assessment project. Nevertheless, you should learn from their example and:
Review your accountability and remuneration framework to ensure values, outcomes and conduct are better aligned. If you need assistance with your Consequence Management and Remediation Framework email firstname.lastname@example.org.
Refine your monitoring and supervision framework to promote proactive monitoring, early detection, timely escalation and prompt remediation;
Incorporate your commitment to ‘efficiency, honesty and fairness’ into your compliance/risk framework both as explicit expectations and clear measures of conduct;
Ensure that your framework values substantive outcomes above formal processes;
Rigorously test your framework and ‘culture’;
Define accountabilities and reporting lines;
Regularly test, develop and challenge the capability and competence of your Compliance/Risk resources;
Regularly test your framework against best practices and industry standards.