The Australian Prudential Regulation Authority (APRA) released a 28-page information paper on Wednesday (22 May), summarising the self-assessment efforts of the nation’s largest financial institutions.
The regulator had requested 36 banks, insurers and superannuation licensees in June last year to reflect on the findings of the Final Report of the Prudential Inquiry into Commonwealth Bank of Australia (CBA) to see if there are any relatable weaknesses.
Based on the self-assessment reports received in December last year, the prudential regulator has concluded that there are material weaknesses in the management of non-financial risks across the industry.
“Although the self-assessments raised no concerns about financial soundness, they confirmed our observation that industry is grappling to manage non-financial risks, such as culture and accountability,” APRA deputy chair John Lonsdale said.
The regulator noticed a “wide variation” in the quality of self-assessments.
“Most institutions recognised the opportunity provided by the findings in the final report to examine critically their own organisation. Some sought to replicate the prudential inquiry approach, incorporating case studies, board and senior leadership interviews, and staff surveys,” APRA’s information paper stated.
“At the other end of the spectrum, a small number of institutions approached the self-assessment largely as an exercise for APRA rather than an opportunity to drive improvement. These institutions applied a lighter touch process, such as a tick-the-box approach, and justified this by indicating that the issues detailed in the final report could not and do not apply to them given the different scale or business models of their respective operations.
“This perspective is disappointing, particularly in light of the prudential inquiry’s findings on the risks that arise from complacency.”
The main findings of APRA’s review of self-assessments are:
- non-financial risk management requires improvement
- accountabilities are not always clear, cascaded and effectively enforced
- acknowledged weaknesses are well-known and some have been long-standing
- risk culture is not well understood, and therefore may not be reinforcing the desired behaviours
Mr Lonsdale observed that the financial institutions had “limited insight” into the drivers of their findings and, as such, “there is a risk that any planned action to address weaknesses may not be effective or sustainable”.
“Assessments often identified a range of weaknesses or opportunities to improve risk management practices; however, these were, in the main, reported to be already known to boards and leadership teams,” APRA’s information paper stated.
“The extent of issues raised in self-assessments, accompanied with lengthy lists of planned actions, also suggests that many institutions have yet to develop a clear understanding of what factors have caused weaknesses to manifest and persist.
“It is important that boards and senior leadership appreciate why frameworks are not operating as intended and challenge themselves on whether proposed actions will be holistic and effective in delivering sustainable improvements in behaviours and practices.”
Mr Lonsdale also found it “interesting” that the perceptions boards and senior leadership teams had of their own performance were positive.
APRA is currently considering additional capital requirements for “several” regulated institutions, the chair said, and is seeking assurances from all boards that weaknesses in non-financial risk management would be addressed as a matter of priority.
He additionally said the findings of the firms’ self-assessments, which the prudential regulator has not publicised as they were provided confidentially, would be used by APRA to better target its efforts to lift standards in the management of non-financial risks, as outlined in its 2019 Policy Priorities document.
“APRA will shortly write to the boards of all participating institutions providing tailored observations on their self-assessments. Boards should expect increased supervisory scrutiny of their institutions as they implement remediation actions,” Mr Lonsdale said.
“Also, in a number of cases, the weaknesses identified in the self-assessment were sufficiently material that APRA is considering stronger supervisory responses, including the application of an operational risk capital overlay.”
The chair continued: “Boards must be committed to uplifting governance and management of non-financial risks. Where this commitment is not forthcoming, APRA will consider the need for further regulatory action.”
[Related: APRA censures CBA for range of failings]