APRA's agenda: Implications for regulated entities

The capability review of APRA, published in June 2019, has helped to sharpen APRA’s strategic thinking for its Corporate Plan 2019-2023. The outcomes flagged for APRA’s focus are reflective of APRA’s mandate to maintain financial system resilience, while being heavily geared towards three key areas of legislative focus:

1. Superannuation member outcomes, as necessitated by the upcoming prudential standard SPS 515 Strategic Planning and Member Outcomes.

2. Extension of the BEAR legislation into other industries, as driven by a necessary focus on improving governance, culture, remuneration and accountability across all regulated institutions.

3. Cyber resilience, a continuation of the implementation of CPS 234 Information Security and precipitated by the increasing global cyber security threat.

Actions set to help deliver on APRA’s mandate of maintaining financial system resilience are broad ranging and cover all sectors: ADI capital frameworks, superannuation member outcomes, risk governance maturity in insurers, implementation of prudential frameworks at private health insurers, preparedness and resiliency in the general insurance sector, and cross-industry recovery planning. In all, there is a little something in there for everyone, not least APRA, which is also expected to implement aspects of the BEAR legislation within its own ranks, collaborate more with other industry bodies, and improve its own leadership, people and culture. APRA has also flagged the establishment of a new prudential standard on resolution and plans to improve its own resolution capabilities.

A core part of this agenda is focused on improving governance, culture, remuneration and accountability at institutions in an effort to help rebuild the Australian community’s trust and confidence in the financial system following the issues that came to light in the Financial Services Royal Commission. This will be no easy feat, challenged by the vast and multi-faceted changes that are in store for the industry. Particular highlights are set out below.

Non-financial risk governance

To improve governance of non-financial risk, institutions must look critically at the information that is being reported to Management, Committees and Boards. This necessitates quality information in the first place, supported by systems that enable that information to be easily analysed and reported in a meaningful way. In tandem with this is a potential need to upskill and train both employees and directors in how to interpret this information and how to better identify risk issues stemming from non-financial risk information. Examples of this include incident and complaints reporting - often only the more serious and higher rated matters are escalated to a Committee on a quarterly basis, and often without historical trend analysis or supporting information that would enable someone to identify a trend or emerging patterns.

Institutions should focus on:

1. Data quality.

2. Systems capability.

3. Analytical skills.

Risk culture

The evaluation of organisational culture within distinct sub-cultures is an evolving piece of work. Some organisations are squarely in favour of separating risk culture out and conducting specific analysis on it, while others are convinced that risk culture must be looked at as part of the holistic organisation culture and not individually. In any case, there remains a weakness in how Boards set risk appetite and tone for risk culture, and how those critical pieces of information are disseminated throughout the organisation. There is often also a disjoint between employees and directors who very rarely meet face-to-face, and some employees may not feel as though the tone is really being set at the top.

Institutions should focus on:

1. Adopting a clear and consistent method for assessing risk culture.

2. Regularly conducting pulse checks of risk culture by adopting metrics that can be reported to the Board or a Committee.

3. Promoting organisation-wide conversations on risk.


Remuneration structures are long known to have an impact on employees’ motivations. Performance-based incentives simply would no longer exist if there wasn’t some merit behind this. But in this ‘carrot versus stick’ approach, perhaps too much emphasis has been placed on the carrot, with no real consequence for negative outcomes, or even for positive outcomes that were achieved through unacceptable risks being taken. Additionally, concerns have been focussed on the complexity of incentive structures that could lead to unintended consequences.

As a result, organisations need to take a critical look at their remuneration structures, and several legislative changes have also resulted in the development of a more prescriptive approach. The BEAR legislation, albeit carved out for variable remuneration less than $50K, requires the deferral of up to 60% of variable remuneration for CEOs, and the draft prudential standard on remuneration (CPS 511) reflects these same requirements with additional prescriptions for the design of the overall remuneration framework (e.g. extended deferral periods of 7 years rather than 4). The requirements of CPS 511 will also be applicable to insurers and superannuation trustees in advance of the extension of the BEAR regime beyond the ADI sector.

The basic premise of these new requirements is to bring risk outcomes to the forefront and ensure that they are driving remuneration outcomes, with greater oversight from Board level in respect of implementation. In this way, there will be real and meaningful consequences to people when poor behaviours are demonstrated, balanced with potential rewards for good outcomes.

Institutions should focus on:

1. Reviewing remuneration structures and ensuring that risk and compliance gateways are effectively implemented.

2. Looking at ways to use incentives as both consequences for negative outcomes and behaviours, as well as positive reinforcements for good behaviours and outcomes.

3. Consideration of how new elements like clawbacks could be included into remuneration frameworks.

Executive accountability regime

The regime is now fully operationalised within the ADI sector, and there continue to be developments to its remit with respect to end-to-end product responsibility. Once this aspect has been dealt with, it will only be a matter of time before other industries are subjected to the same requirements. Work is already underway within major insurers, and superannuation is said to be next on the cards, which could see the industry weighed down by all the required legislative changes: from Protect Your Super, to member outcomes, to executive accountability.

Institutions should focus on:

1. Planning for the upcoming changes by getting a head start on the development of accountability statements and maps.

2. Using existing documents like position descriptions and committee charters to form the basis of accountability statements and maps, so that they are not reinventing the wheel.

3. Considering integration of the executive accountability regime with draft CPS 511 Remuneration requirements.

Concluding remarks

In noting all of these areas of focus, institutions will have a lot of work cut out for them in keeping on top of required changes. Resulting skills and resource gaps, and the potential need for external and specialist perspectives, should be considered.

At Hall Advisory we are focussed on helping the industry reach its risk management and regulatory compliance objectives. So get in touch with us about your risk and compliance needs.