Transforming governance, culture, remuneration and accountability: APRA’s approach 19 November 2019

Disclaimer and Copyright

While APRA endeavours to ensure the quality of this publication, it does not accept any responsibility for the accuracy, completeness or currency of the material included in this publication and will not be liable for any loss or damage arising out of any use of, or reliance on, this publication.

This work is licensed under the Creative Commons Attribution 3.0 Australia Licence (CCBY 3.0). This licence allows you to copy, distribute and adapt this work, provided you attribute the work and do not suggest that APRA endorses you or your work. To view a full copy of the terms of this licence, visit https://creativecommons.org/licenses/by/3.0/au/

Contents

Executive summary 4

Glossary 6

Chapter 1 – Introduction 7

Chapter 2 – APRA’s evolving approach to GCRA 9

International practices 10

Self-assessments leading to better practices 11

Chapter 3 – APRA’s GCRA strategy 13

Approach 13

Work streams 14

Sharing insights and best practice 18

APRA / ASIC cooperation 20

Chapter 4 – APRA’s capabilities 23

Staff and capability 24

Enhanced framework and tools 24

Partnering with experts and harnessing innovation 26

Attachment A – Addressing the Royal Commission’s GCRA recommendations 27

Attachment B – Addressing the Capability Review’s GCRA recommendations 29

AUSTRALIAN PRUDENTIAL REGULATION AUTHORITY 4

Executive summary

APRA’s core mandate is to maintain and promote the safety and stability of the financial system for the benefit of the Australian community. For financial entities to be financially and operationally sound, now and into the future, they need:

  • more than adequate financial resources;

  • robust balance sheets;

  • sound systems of formal risk management; and

  • internal control.

The 2018-19 Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry and the prudential inquiry into the Commonwealth Bank of Australia highlighted that the health and reputation of a regulated entity (and hence the outcomes it delivers) can be seriously damaged by weak leadership, misaligned remuneration structures, and/or a lack of accountability for operational or other failings.

Poor governance, remuneration structures and accountability mechanisms, leading to and reinforcing a poor risk culture, can undermine the prudential soundness of an entity and the outcomes for its customers. These issues are of primary interest to a prudential supervisor such as APRA.

Since 2015, APRA has increased its focus on these aspects of an entity’s performance as a potential indicator of prudential risk. In light of recent failings in these areas identified within the Australian financial system, APRA has committed to strengthening and intensifying its approach to overseeing governance, culture, remuneration and accountability (GCRA). This information paper sets out APRA’s enhanced approach. It reflects a strategic decision to take a more intensive regulatory approach to GCRA, with a view to transforming GCRA practices across the financial system.

This more intensive approach to GCRA responds to the recommendations from the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry and the Final Report of the Australian Prudential Regulation Authority Capability Review. It will involve enhanced cooperation with the Australian Securities and Investments Commission (ASIC) and be enabled by additional resourcing approved by the Australian Government in its 2019–2020 Budget, and a heightened regulatory appetite to intervene more forcefully where necessary.

The key attributes of APRA’s GCRA approach are:

•        Strengthening the prudential framework through clarifying expectations of boards and senior managers, and consulting with industry on plans to embed risk governance self-assessments in the prudential framework. APRA is strengthening the current principles-based prudential requirements for remuneration to provide clearer and more-readily enforceable expectations for remuneration arrangements, particularly for senior executives.

•        Sharpening APRA’s supervisory focus on GCRA outcomes, through additional resourcing to intensify supervision, investment in new tools to assess and benchmark GCRA practices, and a clear intent to hold entities accountable for promptly addressing deficiencies.

•        Sharing APRA’s insights with industry and the broader public to reinforce prudential expectations by adopting a more strategic approach to transparency, in line with, and in some cases at the forefront of, international practice.

APRA acknowledges the potential trade-offs and risks of this approach. In particular, APRA’s more intensive GCRA approach needs to strike the right balance between preserving the principle that boards and senior management are accountable for the GCRA practices of regulated entities, while also ensuring that APRA is fulfilling its mandate by holding regulated entities accountable for meeting community expectations. APRA considers that, on balance, the potential benefits of adopting a more intensified approach outweigh the potential costs:

•        a stronger prudential framework will, in places, result in a more prescriptive set of regulatory requirements. The costs of more prescriptive requirements are expected to be more than offset by a systemic uplift in GCRA standards and practices across regulated entities, and result in greater transparency by entities of their approaches and outcomes;

•        more intensive supervision of GCRA may result in higher compliance costs, including that directors and senior managers of regulated entities are subject to more frequent or deeper engagement with APRA. However, APRA expects these higher costs to be offset by the benefits of more timely identification and rectification of GCRA issues; and

•        greater sharing of APRA’s findings and observations will support public scrutiny of regulated entities, ensuring that GCRA practices and outcomes are at the forefront of institutions’ thinking, and thereby embedding a philosophy of avoiding problems rather than remediating them after the event.

The intended outcome of this intensified approach to GCRA is to drive genuine change across the industry, with success measured by:

•        stronger governance frameworks and processes, providing robust oversight of organisational activities;

•        organisations that understand and enable a risk culture that supports effective risk management practices and delivers sound prudential outcomes;

•        remuneration arrangements that reflect a holistic assessment of performance and risk management, and reduce the incentive for misconduct; and

•        clear accountability (individually and collectively) for outcomes achieved.

APRA’s approach to GCRA seeks to incorporate a range of international practices with its own supervision philosophy in a way that is fit for purpose for the Australian financial system. This approach to GCRA represents an ambitious and comprehensive agenda, supporting a financial system that delivers sound outcomes for all its stakeholders.

Glossary

ADI – Authorised Deposit-taking Institution
APRA – Australian Prudential Regulation Authority
ASIC – Australian Securities and Investments Commission
BEAR – The Banking Executive Accountability Regime
Capability Review – Australian Prudential Regulation Authority Capability Review
CPS 220 – Prudential Standard CPS 220 Risk Management
CPS 510 – Prudential Standard CPS 510 Governance
CPS 511 – Draft Prudential Standard CPS 511 Remuneration
GCRA – Governance, culture, remuneration and accountability
GI – General Insurer
LI – Life Insurer
HPS 510 – Prudential Standard HPS 510 Governance
PHI – Private Health Insurer
Prudential Inquiry – Prudential Inquiry into the Commonwealth Bank of Australia
Royal Commission – Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry
RSE – Registrable Superannuation Entity
SPS 510 – Prudential Standard SPS 510 Governance

Chapter 1 – Introduction

This paper sets out APRA’s intensified approach to the supervision of regulated entities [1] with respect to their governance, culture, remuneration and accountability (GCRA) practices. While this approach builds upon recent work APRA has undertaken on GCRA, it represents a significant enhancement – in the resourcing, capability and intensity – of its supervisory focus. This approach also reflects APRA’s willingness to use its powers more assertively to hold regulated entities, and their boards and senior management, to account for ensuring high standards of GCRA are maintained.

This supervisory stance is in response to serious GCRA failings that have been identified within the Australian financial system. These failings have resulted in a loss of public trust in the fairness of the financial system, and community demands for higher standards of governance, greater transparency and clearer accountability where poor outcomes have been identified.

Despite often being described as ‘non-financial’ in nature, a failure to identify and mitigate weaknesses in GCRA issues can undermine the financial and operational resilience of a regulated entity. APRA’s intensified approach to the supervision of GCRA is consistent with its focus on resilience and recognises that each element interacts to drive and reinforce effective management of financial and non-financial risks. APRA’s focus on these issues will also reinforce and support broader efforts, including by ASIC, to limit the potential for misconduct, and drive better consumer outcomes.

Figure 1: GCRA interactions

Governance: Are boards and senior managers effective long-term stewards of regulated institutions?

Culture: Are regulated institutions fostering a risk culture that encourages behaviour and conduct that aligns with its risk appetite?

Remuneration: Are remuneration arrangements creating incentives that reward effective management of financial and non-financial risks?

Accountability: Have regulated institutions established clear and heightened expectations of accountability, and are there clear consequences in the event of a failure to meet those expectations?

Each strand within GCRA interacts with and reinforces the others to form a regulated institution’s risk governance architecture.

[1] Entities regulated by APRA are authorised deposit-taking institutions (ADIs), e.g. banks, credit unions and building societies, insurers (general insurers (GIs), life insurers (LIs), private health insurers and reinsurers), friendly societies and most of the superannuation industry.

APRA’s supervisory philosophy remains founded on the premise that the ultimate responsibility for the prudent management of a regulated entity rests with its board and management. However, where a regulated entity fails to address poor GCRA practices, APRA is prepared to use its regulatory powers to compel the entity to take action. This is essential for both strengthening the resilience of regulated entities and restoring community trust in the financial system as a whole.

Risk culture

Risk culture refers, in simple terms, to an entity’s attitude to risk management. More particularly, it refers to the norms of behaviour for individuals and groups that shape the ability to identify, understand, openly discuss, escalate and act on an entity’s current and future challenges and risks. Risk culture is not separate to organisational culture but reflects the influence of organisational culture on how risks are managed.

Importantly, a strong risk culture does not imply an avoidance of risk-taking. It does, however, ensure that risk is taken within well-defined boundaries, that risk-reward trade-offs are actively considered, and that an entity is alert to the consequences of adverse risks crystallising. This can be achieved when organisational values and beliefs promote behaviours that support robust risk management and decision making, and when effective risk frameworks and clear accountabilities are in place.

A weak risk culture, on the other hand, has insufficient regard to risk management. As a result, it can encourage excessive risk taking, undermine the effectiveness of risk management practices, entrench patterns of misconduct and ultimately result in material losses.

The board of a regulated institution must set the risk appetite of the entity and form a view of its risk culture. When forming a view, the board needs to determine the extent to which the risk culture of the institution enables it to consistently operate within its risk appetite. It is expected that institutions will have a number of initiatives in place to enable the desired risk culture, and for appropriate governance to be in place to monitor them.

The board is ultimately accountable, together with senior management, for the management of risk, whether financial or non-financial, and the outcomes that result from it. The entity’s risk culture will play a critical role in ensuring board-approved statements of appetite and policy are translated into practices that deliver sound prudential outcomes. Assessing risk culture will, therefore, be a core focus of APRA’s supervision activities, and aligns directly with APRA’s mandate.

Chapter 2 – APRA’s evolving approach to GCRA

The supervision of GCRA is not new to APRA and has evolved considerably over time. Figure 2 below outlines the timeline of regulatory developments in GCRA within APRA, and is reflective of an increased focus on GCRA issues in recent years.

Figure 2: Timeline of regulatory developments in GCRA

2019
  • ADI/GI/LI/PHI/RSE: Information paper on risk governance self-assessments
  • ADI: BEAR – small and medium ADIs
  • PHI: CPS 510 Governance and CPS 520 Fit and Proper extended to PHI
  • ADI: Increase in minimum capital requirements for ANZ, Westpac and NAB of $500m each
  • GI: Additional $250m capital requirement for Allianz

2018
  • ADI/GI/LI/PHI/RSE: Information paper on remuneration practices in large financial institutions
  • PHI: CPS 220 extended to PHI
  • ADI (CBA): CBA Prudential Inquiry report, enforceable undertaking and $1bn additional capital requirement
  • RSE: Review of superannuation board governance and related party arrangements
  • ADI: BEAR – large ADIs

2017
  • ADI/GI/LI: Risk culture pilot program

2016
  • ADI/GI/LI/PHI/RSE: Information paper on risk culture

2015
  • ADI/GI/LI: Consolidation of CPS 220 Risk Management and introduction of risk culture requirements
  • PHI: HPS 510 Governance

2013
  • ADI/GI/LI: Consolidation of CPS 510 Governance and CPS 520 Fit and Proper
  • RSE: SPS 520 Fit and Proper

2012
  • RSE: SPS 510 Governance

2010
  • ADI/GI/LI: Introduction of remuneration requirements into Governance prudential standards

2006
  • ADI/GI/LI: Fit and Proper prudential standards
  • ADI/GI/LI: Governance prudential standards

In line with international trends, APRA began in 2015 to step up its focus on the promotion of sound management of GCRA issues within Australian regulated entities. It established a small specialist supervision team devoted to these issues, introduced requirements for boards to have regard to risk culture within their entities, and subsequently published thematic reviews of risk culture in 2016 and remuneration in 2018. As part of this evolving approach, APRA also established a Prudential Inquiry into Commonwealth Bank of Australia (Prudential Inquiry) in August 2017, focusing on GCRA practices at CBA, and subsequently asked the country’s largest banks, insurers and superannuation licensees to conduct a self-assessment against the findings of that Prudential Inquiry. APRA published a report on the findings of those self-assessments in May 2019.

The Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Royal Commission) and the Final Report of the Australian Prudential Regulation Authority Capability Review (Capability Review) acknowledged the work that APRA has done in supervising GCRA. However, both concluded APRA needed to do more to broaden its focus on GCRA, set more robust standards, and intensify its scrutiny and challenge of regulated entities.

APRA’s refreshed approach to the supervision of GCRA, and how it responds to the Royal Commission and Capability Review, is outlined in Attachments A and B. The greater importance being assigned to GCRA in APRA’s activities is reflected in APRA’s 2019-2023 Corporate Plan, which identifies the transformation of GCRA within regulated entities as one of the key community outcomes that APRA seeks to deliver in the coming years.

International practices

APRA is not alone in strengthening its approach to GCRA, and international practice in the regulation and supervision of GCRA also continues to develop. There is, however, still little consensus on which supervisory tools are best to employ, or how good outcomes are best achieved. Individual jurisdictions are addressing GCRA in many different ways, often reflecting the specific needs and characteristics of their respective financial systems. A summary of leading international practices is set out in Figure 3, together with APRA’s proposed approach.

Figure 3: Summary of leading international practices

GOVERNANCE

Leading international practices:
  • Explicit powers for supervisors to veto board and senior management appointments.
  • Supervisors observe board meetings.

APRA’s approach:
  • APRA supports the objective of a strong fitness and propriety regime, and is engaging with the Government about how the intent of this objective could be achieved.
  • APRA is considering the benefits associated with observing board meetings.

CULTURE

Leading international practices:
  • Regulatory authorities establish specialist risk culture teams that conduct deep dive reviews (e.g. De Nederlandsche Bank N.V. (DNB)).
  • Jurisdictions conduct industry-wide risk culture surveys (e.g. periodic survey conducted by the UK Banking Standards Board).

APRA’s approach:
  • APRA has established a dedicated risk culture team and GCRA work plan.
  • APRA has committed to build an industry-wide tool to benchmark risk culture.

REMUNERATION

Leading international practices:
  • International regulatory authorities have prepared guidance on how non-financial risk, such as misconduct, should be addressed in remuneration policy design and supervision (e.g. Financial Stability Board (FSB)).
  • International regulators have introduced more prescriptive requirements in relation to deferral of variable remuneration and clawback (e.g. PRA / FCA).

APRA’s approach:
  • APRA has released for consultation a new prudential standard that seeks to align Australia with FSB guidance and the most stringent international standards, e.g. length of deferral periods, availability of clawback, etc.

ACCOUNTABILITY

Leading international practices:
  • International regulators have established statutory accountability regimes (e.g. PRA / FCA).

APRA’s approach:
  • APRA has implemented BEAR and is working with the Government, Treasury and ASIC on the expansion of this regime to other industries.


Self-assessments leading to better practices

Following the release of the final report of the Prudential Inquiry, APRA asked regulated entities to reflect on the findings and consider whether similar issues might exist in their own organisations. In addition, APRA wrote to the boards of 36 ADIs, insurers and superannuation licensees asking them to conduct a self-assessment against the findings, and provide that assessment to APRA.

APRA identified common themes and provided specific observations to entities about the depth, challenge and insight from the self-assessments. A report on the main themes from the assessments was published in May 2019.

Overall, APRA identified three key findings in its review of the self-assessments:
•    the weaknesses identified in the Prudential Inquiry were not unique to CBA;
•    there were four key themes surrounding gaps and weaknesses relating to the management of non-financial risks, inaction in relation to long-standing issues, accountabilities and risk culture; and
•    regulated entities may not have fully identified the root causes of findings, resulting in the risk that actions to address weaknesses may not be effective or sustainable.

Figure 4 sets out a summary of overall outcomes and activities from the self-assessments.

Figure 4: Outcomes from self-assessments

Four common themes from the APRA Information Paper in May 2019:

1.    Non-financial risk management requires improvement

2.    Accountabilities are not always clear, cascaded and effectively enforced

3.    Acknowledged weaknesses are well-known and some have been long-standing

4.    Risk culture is not well understood, and therefore may not be reinforcing the desired behaviours

Insights have informed supervisory plans for all regulated entities, and targeted prudential engagements are well underway. This includes completion of the first risk culture deep dive, to address specific issues identified in the self-assessment.

Outcomes and activities to date:

  • 36 letters to entities on the quality of the self-assessment and key issues to be addressed

  • Over 60 engagements with boards and senior management, with planned regular targeted engagements

  • $1.75b additional capital requirements

  • Over 1,200 actions identified to address findings

  • 50% of actions expected to be complete by end 2019, with ongoing follow-up on progress

  • Trend of voluntary self-assessments by entities

Chapter 3 – APRA’s GCRA strategy

APRA’s approach to GCRA is a multi-year strategy, and a key pillar in APRA’s 2019-2023 Corporate Plan. The high-level strategy is set out in Figure 5 below.

Figure 5: APRA’s GCRA strategy

Approach

In adopting a more intensive approach to the supervision of GCRA, APRA’s objective is to enhance the resilience in regulated entities to restore the Australian community’s trust and confidence in the financial system.

What: Strengthening the prudential framework to lift minimum GCRA standards.
How: This sets the foundation for clearer and firmer minimum expectations of regulated entities.

What: Sharpening supervisory practices through refreshing existing practices and adopting innovative techniques in supervision.
How: Intensifies the supervisory focus on GCRA. Supervision of GCRA becomes a core part of day-to-day supervision of entities.

What: Sharing insights and GCRA best practices publicly.
How: Reinforces transparency and APRA’s expectations to all stakeholders to lift industry-wide practices.

The intended outcome of this intensified approach to GCRA is to drive genuine change across the industry, with success measured by:

  • stronger governance frameworks and processes, providing robust oversight of organisational activities;

  • organisations that understand and enable a risk culture that supports effective risk management practices and delivers sound prudential outcomes;

  • remuneration arrangements that reflect a holistic assessment of performance and risk management, and reduce the incentive for misconduct; and

  • clear accountability (individually and collectively) for outcomes achieved.

Governance – APRA’s plans to effect transformation of GCRA practices:

Strengthen: Amending the prudential standards to incorporate the lessons from the Royal Commission and self-assessments, and ensuring they remain fit for purpose. Areas for review will include the effectiveness of board obligations in relation to risk culture, the relative emphasis on financial and non-financial risks, and the clear need to strengthen the requirements in relation to compliance and audit functions.

Sharpen: Undertaking targeted prudential engagements with entities that completed a self-assessment to assess the progress of remediation plans.

Sharpen: Conducting a phased thematic review (which has already commenced) to identify drivers of effective governance practices, including:
  • the value of insights gained from Prudential Standard CPS 220 Risk Management (CPS 220) effectiveness reviews;
  • the robustness of processes supporting the CPS 220 risk management declaration; and
  • the role and effectiveness of board committees and processes undertaken to assess board effectiveness.

Sharpen: Carrying out ‘deep dive’ prudential reviews of the major banks’ compliance functions.

Risk culture roadmap

APRA’s plans to transform risk culture practices include building a supervisory program to sharpen focus on regulated entities’ risk culture; the supervisory program will include developing the capability to benchmark and track risk culture across regulated entities.

Figure 7 provides the risk culture roadmap, including APRA’s planned activities and timing.

Chapter 4 – APRA’s capabilities

Building APRA’s resourcing and capabilities is fundamental to the success of APRA’s approach to GCRA. Supervising GCRA requires different skill sets and approaches compared to traditional areas of prudential focus, such as credit or liquidity risk. Good GCRA practices are harder to define and more subjective in their assessment. There are fewer agreed upon metrics, and weaknesses are more difficult to detect in advance. The principles informing the build in capabilities are:

Resilience – an approach that is adaptable and flexible, with capacity for supervisory judgement to tailor responses to different issues in different types of entities;

Scalability – an approach that facilitates risk-based supervision across the entire prudentially regulated population while also ensuring appropriate coverage of entity-specific issues; and

Effectiveness – an approach that identifies and addresses serious prudential risks, applies best practice to lift industry standards, and holds entities and individuals to account for prudential outcomes.

These principles are designed to ensure that APRA maintains appropriate supervisory coverage of all regulated entities, and has risk-based mechanisms to ‘triage’ regulated entities, identifying those requiring more intense supervisory intervention. The success of the GCRA approach will require innovation, agility and flexibility as well as increased resourcing. APRA will seek to uplift its GCRA capabilities through multiple channels, as set out in Figure 13.