Bank risk culture: misalignment between perceptions and actual risk management capability calls for continued vigilance

In light of current regulatory developments and regulators’ expectations concerning good governance, risk culture, remuneration and accountability (GCRA) practices, getting GCRA right has never been more important to ADIs. A recent APRA risk culture survey of ADIs indicates a misalignment in sentiment between executives and individual contributors, raising questions about how risk management capability is perceived by senior executives and Boards relative to risk management capability in practice.

With the enhanced focus on consequence management for adverse risk and conduct events under APRA’s CPS 511 Remuneration and enhanced accountability obligations under FAR, any misalignment between senior executive and Board perceptions of risk management capability and actual risk management outcomes may have adverse consequences for those senior executives. Accordingly, the need for continued and sustained focus on improving risk management culture from top to bottom is more important now than ever.

What is ‘risk management culture’?

Organisations which institute sound risk management practices and behaviours are more likely to be operationally resilient and financially sustainable, and suffer fewer adverse risk and conduct events. On this basis, a robust risk management culture should be perceived as a key driver of accountability frameworks and remuneration outcomes for senior executives.

A robust risk management culture fosters an environment where employees feel empowered to speak up, while feeling safe and supported in doing so, and ensures leaders not only hear, but act upon raised concerns. When the true “voice of risk” is considered, organisations invariably make better decisions by allowing ideas that present heightened risks to business strategy to be appropriately evaluated, in accordance with the organisation’s risk appetite, during decision-making.

APRA Risk Culture Survey

Background

In October 2021, APRA introduced an industry-wide risk culture survey, a key initiative that supports APRA’s expanded supervisory toolkit designed to transform GCRA practices across regulated entities.

The survey provides insights from employees on perceived risk behaviours and the effectiveness of the risk management systems within their entities. These responses determine the extent to which positive changes to risk culture occur within individual entities, and correspondingly, areas where an entity’s risk culture can be improved further. The survey also provides the opportunity to benchmark results across a number of regulated entities within an industry sector.

APRA first piloted its risk culture survey in late 2021 with 10 general insurance entities. Finding the pilot risk culture survey to be a rich source of insights, APRA subsequently turned its attention to ADIs. APRA plans to roll out the risk culture survey to a broader range of insurance and superannuation entities over the next few months.

Survey results & insights

APRA surveyed 18 ADIs, including the five major banks (Major ADIs), with approximately 165,000 employees sharing their perspectives on their organisation’s risk culture. APRA reported that the level of attention and rate of response indicate high employee engagement in the survey.

The survey considered levels of agreement between executives and employees across several dimensions. Some of the key survey findings are set out in the table below:

High levels of agreement between executives and employees:

  • Communication and escalation of risk issues has improved
  • Establishment and monitoring of desired risk culture has improved
  • Executives' perception of risk management effectiveness is in sync with the views of Legal, Risk and Compliance

Low levels of agreement between executives and employees:

  • Adequate resourcing is committed to improving risk management
  • Employees feel safe to speak up and admit mistakes
  • People involved in risk management are clear on the delineation of their role, accountability and responsibility
  • The organisation promotes and facilitates constructive challenge and diverse viewpoints from across the business

Across several dimensions, executives held a more optimistic view of their organisation’s risk management capabilities than individual employee contributors, including those individuals who work in the risk management function. These groups showed an 18% difference in their belief that sufficient resources had been committed to improving risk management, while risk management practices (i.e. processes, policies, systems and resources) varied in their perceived effectiveness by 22-26%.

This trend continued in relation to sentiments of psychological safety and support to raise difficult matters or admit mistakes. Another area of wide variation between executive responses and individuals was in relation to clarity and understanding of risk management roles, responsibilities and accountability.

In relation to the experience of decision making and constructive challenge, there was agreement that risk management is now more central to decision-making. While executives had a high level of belief that leaders appropriately challenge decisions, and are encouraged to do so, individual contributors were less likely to agree that leaders appropriately challenged decisions to ensure good risk management, and 9% less likely to agree that constructive challenge of decisions is encouraged.

What is the underlying cause for misalignment?

While it is clear that organisations have gone to considerable lengths to address risk culture in recent years, these findings suggest executives may be out of step with their employees, particularly with those whose voice is critical to the day-to-day risk management practice and behaviour of their organisation. So, what is the cause of this apparent disconnect in sentiment between executives and individual contributors?

Executives appear highly optimistic about the adequacy and capability of their organisation’s risk management culture, but disconnected from the survey results which indicate that at each level of diminishing seniority, staff report feeling less safe speaking up and less willing to admit to making mistakes than their respective leaders. On this view, a possible cause for misalignment between executive and employee sentiment may be the oversimplification or sanitisation of upward reporting to boards and senior management caused by:

  • loss of meaning and detail that may occur when distilling complex risk reports into short, digestible reports for executives juggling a crowded agenda; and
  • poor psychological safety, the effect of which is to exacerbate risk culture weaknesses and to limit the executive’s exposure to accurate insights and ability to implement systems to address weaknesses.

Misalignment also exists in relation to the perceived adequacy of risk management practice support (i.e. budget, systems, skills, and capacity), the sufficiency of resourcing for continued risk improvement, and the belief that leaders are encouraged to, and do, appropriately and constructively challenge decisions. It is possible that this results in a lack of quality information reaching boards and executives from those best-placed to give risk management insights, a lack of diversity in the views they receive, or the wrong information. ADIs have undertaken significant work already, with many having implemented organisation-wide change in how they manage risk. In this light, it is possible that executive perceptions of their organisation’s risk management capability, compounded by these misalignments, have resulted in some executive complacency, whereas a strong risk culture requires ongoing attention.

For any number of ADIs there may be no single underlying cause for misalignment, nor a single solution to bring executive perceptions of risk management capability into alignment with practices and behaviours within organisations. Ultimately, however, executive remuneration implications demand that boards and senior management maintain vigilance in understanding and correcting this issue.

Executives must remain vigilant in aligning remuneration with risk

APRA’s risk culture survey indicates a clear misalignment between senior executives’ perceptions of risk management capabilities and risk management capabilities in practice. To ensure that senior executive accountability obligations are met and to avoid adverse consequences under a risk-based adjustment process, senior executives should ensure that their organisation’s risk management capability matches their expectations. Remuneration is just one incentive to ensure that this occurs.

By releasing these survey results, APRA has made clear that it will continue to supervise and assess perceived risk behaviours and effectiveness of risk management practices within participating ADIs. Businesses need to ensure better linkage between risk and remuneration through continued and sustained focus on improving risk management practices and behaviours.
