APRA boss on improving the risk culture in financial services

Stuart Bingham, general manager of governance, culture, remuneration, and accountability at the Australian Prudential Regulation Authority (APRA), lifted the lid on the financial services industry's risk culture in his latest speech.

Over the past 18 months, APRA has conducted risk culture surveys across 61 regulated entities in insurance, banking, and superannuation – sent to over 230,000 employees – to provide insights from employees within financial institutions on perceived risk behaviours and the effectiveness of the risk management architecture they work with.

In his speech to the Financial Services Assurance Forum, Bingham delved into the issue of risk culture in APRA-regulated entities, specifically why a strong risk culture is essential to achieve prudential soundness and financial success.

“As Australia's financial safety regulator, we are very much in the business of risk management, with a mandate to prevent, fix, or mitigate problems before they cause harm. When this doesn't happen at a bank, insurer, or superannuation fund, we are naturally curious,” Bingham said.

Read more: APRA seeks feedback on life insurance prudential standards

According to Bingham, APRA's survey found the following:

• Three-quarters of executives said sufficient resources had been committed to improving risk management, while legal, risk, and compliance employees were far less positive – a reminder that the critical “voice of risk” needs to be heard and acted upon, particularly regarding the need for sustainable investment in risk management capability and architecture;
• The risk culture survey results highlight a need to continue to ensure that sufficient resources are committed to improving risk management within ADIs;
• Executives and senior management were positive about employees communicating and escalating risk issues, suggesting high levels of psychological safety. This view, however, was not matched by the experiences of individual contributors (i.e., employees without people management responsibility), highlighting potential blind spots by executives and a missed opportunity for ensuring that people continue to feel safe to speak up;
• There was a wide variation in responses regarding whether individuals are clear on their risk management accountabilities and whether the risk management roles and responsibilities across the organisation (i.e., three lines of defence model) are well understood; and
• Executives and individual contributors agreed that risk management was regularly considered in decision-making. Executives also believed that leaders were appropriately challenging decisions, and that constructive challenge was encouraged in their organisation. Individual contributors experienced this differently, indicating more could be done to facilitate an environment that supports constructive challenge and diverse viewpoints within and across all levels of the organisation.

“These findings should be considered more broadly by the industry to determine what more can be done at an entity level to improve these issues. Assurance and audit teams can help drive improvements,” Bingham said.

APRA calls for assessing the operating effectiveness of risk management systems, processes, and frameworks.

Bingham added: “As a further step, where the risk management systems, processes, and frameworks are not operating as intended, I encourage you to consider why this is the case. This will require the consideration of attitudes and behaviours towards risk or the risk culture.”