In Focus: Governance and Risk Culture
In recent years, we have seen a greater focus on organisational governance and risk culture, with the Government and regulators introducing several initiatives and reforms to transform governance, risk culture, remuneration and accountability practices across the financial services industry and beyond.
This blog provides a summary of recent developments in the areas of governance and risk culture, covering:
· APRA’s risk culture pilot survey
· An update on the Financial Accountability Regime
· Final remuneration standard: Prudential Standard CPS 511 Remuneration
· ASIC’s letter on whistleblowing policies
This update is intended to help you review your organisation’s governance structure and practices, so your organisation is well prepared to respond to these developments.
APRA’s risk culture pilot survey
Prudential Standard CPS 220 Risk Management requires the boards of APRA-regulated entities to form a view of the risk culture in the entity they govern and identify necessary changes to ensure the risk culture enables the entity to operate within its risk appetite. APRA’s role is to enforce, support and assess the work these regulated entities are doing to build and maintain effective risk culture.
To carry out this role, APRA has introduced a risk culture survey, piloted with 10 general insurance entities in March and April 2021. The survey provides insights on how employees perceive risk management practices and behaviours within their entities and intends to monitor the changes to the risk culture of individual entities over time, identifying strengths and weaknesses. It also allows the benchmarking of results for peer comparison between regulated entities within a particular industry.
APRA’s 10 dimensions of risk culture
To assess the risk culture of regulated entities, APRA has developed a new framework called the ‘Risk Culture 10 Dimensions’, which expresses the key facets of an entity’s risk behaviours and risk architecture that contribute to risk culture. This framework formed the basis of the pilot survey questions.
APRA notes that this framework is for comparison and assessment purposes only and does not expect entities to adopt it as their own but to instead develop a risk culture framework appropriate for the nature, size and complexity of their operations.
APRA’s ‘Risk Culture 10 Dimensions’ framework closely resembles Hall Advisory’s five pillar model for risk culture assessments, shared in our previous blog Assessing risk culture for better organisational outcomes. Similarly, our risk culture survey questions are based on our five pillars of risk culture and are tailored to suit the specific requirements and dynamics of individual organisations.
Based on the survey results, APRA observed the following lowest scoring risk culture dimensions:
· Risk Governance and Controls;
· Decision-Making and Challenge; and
· Responsibility and Accountability.
This highlights the need for more robust risk architecture across entities – through clearer roles, responsibilities, controls and reporting lines – to form a strong foundation for positive risk culture.
These results are unsurprising as we have also seen similar outcomes from risk culture surveys of individual organisations, with common areas for improvement including adequacy of challenge in decision making, clarity of roles and responsibilities for risk and adequacy of delegation frameworks.
Results also revealed that responses varied between business areas within an entity. For the general insurance entities surveyed in the pilot, the Underwriting and Customer Services business areas were the most negative, particularly in the Risk Governance and Controls and Responsibility and Accountability risk culture dimensions. In contrast, employees in the Financial Control and Legal, Compliance and Risk business areas scored positively in all risk culture dimensions.
The observations from the survey results provide valuable insights to help entities identify areas that may require additional focus, in terms of both risk culture dimensions and business areas. Entities can also use these insights by comparing against their own internal measures to better understand the state of their risk culture.
APRA plans to roll out the risk culture survey to up to 60 banking, insurance and superannuation entities over the next 12 months, according to the following timeline:
In the meantime, APRA is refining the risk culture survey questions and reviewing its analysis and reporting to improve the delivery and insights gathered and achieve greater reliability, accuracy and interpretation of risk culture in regulated entities.
An update on the Financial Accountability Regime
In our recent blog, Accountability: 2021 Regulatory Update, we explored the Financial Accountability Regime (FAR), obligations for accountable entities and key changes to the initial measures in the exposure draft Financial Accountability Regime Bill.
The Bill was finally introduced into the House of Representatives on 28 October 2021, although it is not identical to the version shared for consultation in July and August 2021. The Bill now also includes civil penalties for non-compliance by accountable persons, noted in section 83(3) as the greater of: (a) 5,000 penalty units; or (b) if the court can determine the benefit derived and detriment avoided because of the contravention—that amount multiplied by 3.
Though introduced to Parliament for reading, there are some details of the FAR that are yet to be finalised. APRA and ASIC are yet to define the prescribed list of particular responsibilities for accountable persons, as well as how the two regulators will execute joint administration of the regime. Guidance on joint administration is currently limited to sections 37 and 38 of the Bill, which outline the general approach to administering and enforcing the FAR, including forming agreements for decision making and information sharing.
As the FAR was initially proposed by the Government in February 2020, we expect regulated entities to have begun reviews of their governance frameworks and practices to prepare for the new requirements.
Final remuneration standard: CPS 511
In August 2021, APRA released the final Prudential Standard CPS 511 Remuneration. The final standard contains a few minor amendments to the second consultation draft released in November 2020 (outlined in our previous blog The 511 on Remuneration). The revisions made to arrive at the final standard respond to industry concerns expressed during consultation and are as follows:
An update to the definition of authorised deposit-taking institution (ADI) Significant Financial Institutions (SFIs), to capture entities with more than $20 billion in assets (previously $15 billion). For superannuation SFIs, the asset threshold of $30 billion applies to the collective total assets of all RSEs of an RSE licensee. Foreign ADI and insurer branches will not be SFIs, unless otherwise determined by APRA. In summary, asset thresholds for each industry under the final CPS 511 are:
Clarification that APRA-regulated entities are expected to 'identify and mitigate material conflicts to the objectives of their remuneration framework that may result from third-party service provider compensation arrangements'. Guidance on better practice mitigants is provided in the supporting guidance, using examples.
The requirement for downward adjustments to variable remuneration in proportion to the severity of the risk or conduct incident, yet with flexibility regarding the type of adjustment tool used.
This final standard was closely followed by supporting guidance (Prudential Practice Guide CPG 511 Remuneration), finalised in October 2021. The guidance should assist entities in meeting the requirements of CPS 511 and provides examples for:
· Strengthening incentives for individuals to prudently manage risks they are responsible for;
· Applying consequences for poor risk outcomes; and
· Improving oversight, transparency and accountability on remuneration.
To align with the FAR, APRA has included examples of better practice, such as for meeting minimum deferral requirements.
CPS 511 comes into effect from 1 January 2023 for the largest and most complex ADIs, and on a staggered basis for other entities. APRA notes it will increase its supervisory oversight of remuneration practices ahead of the implementation of CPS 511 to ensure entities are preparing appropriately to meet the new requirements.
ASIC’s letter on whistleblowing policies
To strengthen accountability and promote good risk culture, the Corporations Act 2001 (Cth) requires public companies, large proprietary companies and RSE licensees to have a whistleblower policy addressing certain matters, and to make it available to their officers and employees. This requirement is supported by guidance and tips in Regulatory Guide 270 Whistleblower policies, to help entities establish and implement a whistleblower policy and program.
To understand how entities are responding to these requirements, during 2020 ASIC reviewed a select sample of whistleblower policies. Based on this review, ASIC is concerned that most whistleblower policies do not fully address the requirements.
As such, on 13 October 2021, ASIC issued a letter to CEOs of public companies, large proprietary companies and RSE licensees, encouraging them to review their whistleblower policies against the requirements set out in the Corporations Act. The letter not only reminds entities of their obligations but also:
Identifies the shortcomings of the sample policies reviewed – unclear, incomplete or inaccurate information about how potential whistleblowers can make a qualifying disclosure and about the protections available to whistleblowers under the Corporations Act. If potential whistleblowers do not understand how to make a disclosure that qualifies for protection, they may not speak up. This leaves misconduct unidentified and unaddressed, contributing to poor risk culture within an organisation.
Suggests how entities can improve their policies – by clearly articulating how and to whom a person can make a disclosure that qualifies for the legal protections available to whistleblowers. Entities should update their policy to reflect the whistleblower protection regime that started on 1 July 2019, and accurately describe the legal rights and remedies whistleblowers can rely on.
ASIC plans to conduct a further review of whistleblower policies in the future and, for non-compliance, will consider the full range of regulatory tools available, including enforcement action.
How Hall Advisory can help
Hall Advisory’s core services include organisation-wide independent assessments of governance, accountability, and culture standards and the development and implementation of effective governance and culture frameworks.
To help you strengthen your organisation’s frameworks and practices in response to the upcoming regulatory requirements and reviews, we provide the following services:
· Review and enhancement of existing risk culture frameworks, including target risk culture statements, risk culture monitoring and assessment processes, behaviour-based key risk indicators, risk culture dashboards, etc.
· Externally facilitated risk culture assessments, including reviewing relevant risk data and documentation, issuing a risk culture survey, conducting interviews, and assessing results to make recommendations for improvement.
· Review of accountability frameworks, including drafting of accountability maps, reviewing and editing role statements, with greater detail on linkages to risk and compliance obligations for various accountable person roles; and reviewing compliance frameworks to ensure that key compliance obligations have been appropriately assigned to a single accountable individual.
· Review and enhancement of remuneration policies for alignment with CPS 511 and FAR.
· Review and enhancement of whistleblowing policies and frameworks.
· Board, Committee and Executive training on regulatory change.
Contact us today and let’s start with a confidential, no-obligation conversation about how we can help you.