APRA's recently released Information Paper, regarding the recent self-assessments undertaken by financial institutions, indicates focus areas for APRA in the upcoming period of regulatory supervision.
APRA called for self-assessments on a range of ADIs, insurers and super funds and asked those entities to assess their present capabilities in non-financial risk management as well as in matters of culture and governance. APRA released the paper to further assist the sector in addressing the challenges of embedding effective risk governance practices within their organisations.
APRA observed some key emerging themes from the self-assessments:
- Non-financial risk management needs to improve;
- Accountabilities are not always clear, cascaded or enforced;
- Weaknesses are well-known and many are long-standing – and, concerningly, such weaknesses are frequently tolerated; and
- Risk culture is not well understood.
"Significant uplift is required across industries to bring governance and the management of non-financial risks to an appropriate standard". APRA – 22 May 2019
In a clear signal to the sector, APRA foreshadowed increased supervisory intensity for governance, accountability and culture for all regulated institutions. Given Hayne's robust commentary on the performance of regulators, we can expect APRA to walk the talk on this.
The questions for institutions to now ask themselves include:
- What remedial work have you mobilised to address culture, and the issues uncovered in the self-assessment?
- Has the board and senior management been sufficiently rigorous and self-critical given the wide range of weaknesses exposed?
- Are you prepared for an APRA-imposed operational risk capital requirement where issues are significant?
- Are you unwittingly cultivating complexity – or failing to drive appropriate simplicity - in your systems, processes and policies?
- Are you adequately considering the underlying drivers for internal failures through root cause analysis?
- Are you failing to prioritise the resolution of weaknesses, only responding reactively when there is regulatory scrutiny or adverse public commentary?
There is no doubt that regulatory focus on whether institutions are proactively improving the management of non-financial risk, and prioritising risk culture, governance and remuneration will continue to sharpen. There is also no question that, in this regard, all organisations – and particularly financial institutions – must be able to demonstrate, both to regulators and, increasingly, the public, an effective and continuing response to these challenges.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.