Executives at authorised deposit-taking institutions (ADIs) believed that sufficient resources had been committed to improving risk management, while legal, risk, and compliance employees had a different assessment of things, according to the latest Australian Prudential Regulation Authority (APRA) data.
There is “no room for complacency on bank risk culture”, APRA has warned, as the results of its Risk Culture Survey, issued on Thursday (10 November), highlighted a range of key points.
The biggest takeaway from it was that the results “serve as a reminder for boards and senior management that continual vigilance is needed,” APRA explained.
Secondly, banks have undertaken a lot of work to transform governance, risk culture, remuneration, and accountability practices, but “now is not the time to slow momentum”, it added.
Finally, APRA recommended that a “continued and sustained focus” on “improving risk management practices and behaviours” is required.
In total, the five largest banks (referred to as ‘Major ADIs’) took part in the risk culture survey, along with 13 entities consisting of a mix of regional banks, foreign bank subsidiaries/branches, mutual banks, credit unions and building societies (collectively referred to as ‘Other ADIs’), APRA confirmed.
The regulator sent a survey invitation to every employee at each participating ADI, amounting to approximately 165,500 invitations, it explained.
“The fairly high response rates and low ‘attention check’ failure (i.e. where respondents selected an incorrect response to an attention check question designed to assess data quality) indicate that ADI employees were highly engaged in the risk culture survey,” APRA outlined.
Executives are overconfident regarding RMC
Of the many key points identified, APRA highlighted five that stood out.
“Effective oversight of risk, and risk management, is necessary to support appropriate risk frameworks, policies, controls and reporting,” the regulator said.
Its survey found that the perspectives of executives about the effectiveness of their risk governance and controls were “more optimistic than the views of their legal, risk and compliance areas”.
APRA explained: “Three-quarters of executives believed that sufficient resources had been committed to improving risk management, while legal, risk and compliance employees were far less positive.”
“This observation serves as a reminder that the critical ‘voice of risk’ needs to continue to be heard and acted upon, particularly regarding the need for sustainable investment in risk management capability and architecture.”
Risk management practices vary widely
The effective operation of frameworks and processes helps the board and management evaluate the risks to business strategy, the appetite for these risks, and how they are governed, monitored and managed, APRA stated.
“The risk management practices across the ADI cohort varied in their perceived effectiveness and, by extension, their likely maturity,” it said.
“As identified by the Prudential Inquiry, effective risk management frameworks rely on adequately resourced functions.
“The risk culture survey results highlight a need to continue to ensure that sufficient resources are committed to improving risk management within ADIs.
“In addition, on average a third of respondents were unable to agree that they had adequate budget, systems, skills and capability to improve risk management.”
Executives were prone to blind spots
For employees to be willing to raise difficult matters, they need a psychologically safe environment and their willingness to speak up to be supported, APRA warned.
“Executives and senior management held similar views to those of the rest of the organisation about being encouraged to escalate risk issues promptly, suggesting high levels of psychological safety,” the regulator explained.
“However, there was an 8 per cent difference between executives and individual contributors (employees with no people management responsibility), both in response to questions about feeling safe to speak up, and in relation to people admitting mistakes.
“This highlights potential blind spots by executives and a missed opportunity for ensuring that people continue to feel safe to speak up.”
Roles and responsibilities - further clarity needed
Being clear on risk management responsibilities in one’s role, as well as across the organisation, ensures there is end-to-end coverage and effective management of risk, APRA explained.
“The wide variation in executive responses regarding whether individuals in their business are clear on their risk management accountabilities … and whether the risk management roles and responsibilities across the organisation (three lines of defence model) were well understood … indicate this is an area where capability and practices could be improved.”
“As noted in the Prudential Inquiry, clearly delineated responsibilities across the organisation would promote effective accountability, encouraging the prompt identification and escalation of new and emerging risk issues,” it concluded.
Decision-making experienced differently
APRA emphasised that effective decision-making means there is a “demonstrated willingness” to “proactively consider diverse viewpoints” and to give and receive “constructive challenge” across an organisation.
Via the survey, it found that “executives and individual contributors agreed that risk management was regularly considered in decision-making.”
“Executives also believed that leaders were appropriately challenging decisions, and that constructive challenge was encouraged in their organisation.
“Individual contributors experienced this differently, indicating more could be done to facilitate an environment that supports constructive challenge and diverse viewpoints within and across all levels of the organisation.”