Peeling the risk culture onion
Risk management has always been complex, but the identification and execution of the tenets of a sound risk-management framework have been raised to a new level by Stronger Super obligations. Now, this outcome should not be considered abnormal. After all, the Australian Prudential Regulation Authority (APRA) is a risk-based prudential regulator, and all recent regulatory adjustments have been based upon the premise that when it comes to supervising for risks, behaviours matter. Not surprisingly, when Prudential Guide SPG 220 Risk Management was issued, there was an outline of APRA’s take on risk culture.
Layers of the Onion
Across the industry sectors it regulates, APRA has long taken an approach that there are common aspects to prudential oversight. When registrable superannuation entity (RSE) licensing was introduced in 2006, there were many aspects of the regulation that were drawn from existing prudential regulation within the Approved Deposit-Taking Institutions (ADI) and insurance sectors.
Notwithstanding that ‘risk culture’ has been newly introduced through Stronger Super, what might APRA have under consideration for the next layer?
There is no need to look far for answers. In May 2013, APRA released to the ADI/insurance sector a draft Prudential Standard CPS 220. The core principles of this Standard are that APRA seeks to ‘embed’ a cultural outcome from the execution of the Standard. While there is currently doubt on the intended commencement date, the intent is clearly to move to an active monitoring of what a ‘risk culture’ might look like.
You do not need to be a rocket scientist to work out that there is a very high likelihood that the proposed ADI/insurance Risk Standard will, at some point in time, be rolled out into the superannuation sector. So what is APRA’s current perception of what a ‘risk culture’ might look like?
Risk Governance And Risk Culture – The Softer Skills
In a May 2013 presentation, APRA deputy commissioner Ian Laughlin outlined several aspects of the next stage of risk-management development. Admittedly, the target of the presentation was ADIs and insurers, but it is merely a matter of time before similar requirements become applied in the superannuation regulation environment.
In his presentation titled ‘Stay Ahead of the Risk: Risk Governance and Risk Culture’, Laughlin identified that effective risk governance is a fundamental requirement for high-quality risk management. He gave a number of observations about risk governance, but the most relevant for this discussion is his statement that the real challenge lies in bringing all of this to life, so that risk governance is highly effective. This, he claimed, requires “soft skills”.
Risk culture encompasses the general awareness, attitudes and behaviours of employees towards risk, and how risk is managed. Risk culture is a key indicator of how well the risk governance is working across the enterprise. Laughlin stated, “A good working definition of risk culture for our [APRA’s] purposes is ‘the way we do risk around here’.”
The soft skills referred to are the tools by which behaviours are managed and aligned. Obvious examples are an enterprise-wide code of conduct, which includes a clear enunciation of the style of behaviours that are expected, and a performance-management program containing recognition and rewards for behaviour that supports the expected conduct and assists with the delivery of a compliant risk environment.
To unpack this further, risk governance is the tools and means by which the risk focus is delivered, and helps to drive the cultural execution of risk. The risk governance framework is made up of many parts but they all need to be pointing in the same direction and leading to the creation of an organisational culture that embraces risk management as an integral and valuable piece of the strategic imprint that drives the business.
So Where Are We Now?
As part of the process of validating the existing level of cultural application of risk management across the industry, I issued a survey questionnaire to a group of trustees (18 in total) focusing on the following 5 aspects of the execution of risk management:
Unsurprisingly, the feedback was aligned with, and reflected the size and scale of, the trustee surveyed. The larger the superannuation fund, the greater the focus on management of risk across the layers of management, with smaller funds looking to find more innovative ways of managing the risk amongst a handful of staff.
Three aspects of the questionnaire were topical for all trustees regardless of scale. Firstly, all respondents agreed that the board sets the tone. The results indicated that there was a difference between what the majority of respondents contemplated as the degree of the existing ‘culture’, and what the new APRA ADI/insurer benchmark is seeking to establish. Some of the cultural execution hallmarks identified by Laughlin needed more work.
Several of the respondent trustees had determined to ‘revisit’ aspects of the risk implementation carried out as part of the Stronger Super authorisation program in a more considered and timely manner.
Secondly, feedback identified a direct correlation between the level of engagement and the volume of employees. The larger the enterprise, the greater the level of staff engagement, as the risk governance framework and efforts to develop a risk culture were more embedded in the business. However, for these entities, there was also a direct link with frustration at the degree of intrusion of risk and compliance activities into the daily working obligations of the staff.
Thirdly, feedback suggested that creation of risk governance and a risk culture should not be allowed to distract from the delivery of services and benefits to members. The primary means by which a trustee can quickly and efficiently meet the required execution of governance and cultural delivery of risk management is through IT facilitation and via development of targeted monitoring tools. Feedback was in favour of greater access to tools which facilitated the collection and interrogation of data collected from across the enterprise. The focus was on gaining access to reporting which highlights existing or impending weaknesses in the management of risk or flowing from compliance breakdowns, all of which help to inform the direction in which the Board governs the fund and its activities.
While all respondents had varying degrees of application of a risk governance and risk culture, there was a constant throughout the responses, which was eloquently stated by one chairman:
“We’ve had enough of this governance stuff. Let’s focus on our members!”
Peeling the onion
Despite the level of regulatory fatigue, the focus on management of risk is likely to continue unabated. The creation of an environment that is conducive to the generation of a “risk culture” is a long road. My personal experience is that the lead time to gain visible traction on an enterprise cultural risk approach has been 15-24 months.
It is highly probable that APRA’s expectation on risk governance and risk culture could be at the stage of implementation within the superannuation sector by this time.
If I had a crystal ball to look into the future, beyond the next APRA focal point on risk governance and risk culture, the concept of risk intelligence is making an appearance just over the horizon. Risk intelligence is being framed as all levels of management having high degrees of engagement on, and involvement in, the execution of risk as a business output and not merely an accepted norm of behaviour.
So while the superannuation sector takes a deep breath after the implementation of Stronger Super, I’m afraid the news on risk management concepts is that there are a few more layers of the onion yet to be peeled and, when peeling an onion, tears are often shed!
