Regulatory

APRA urges entities to strengthen risk management

BY CASSANDRA BALDINI  |  FRIDAY, 25 NOV 2022   12:46PM

APRA general manager of governance, culture, remuneration and accountability Stuart Bingham said a strong risk culture is essential for effective risk management outcomes.

In a speech, delivered at the Financial Services Assurance Forum, Bingham discussed the regulator's perspective on why a strong risk culture is so important to prudential soundness and financial success, while also providing an update on three significant issues regulated entities will need to navigate over the coming year.

These include the commencement of the new Financial Accountability Regime, the growing issue of cyber risk and APRA's enhanced prudential requirements around operational resilience.

"Over the past 18 months, APRA has been delving more deeply into the issue of risk culture in our regulated entities through a series of surveys and industry webinars," he said.

"Risk management requires appropriate systems, processes, and frameworks. Too many risk assessment reports APRA reads, however, only review design effectiveness. We also want to see a focus on operating effectiveness."

Bingham acknowledged that entities also undertake risk culture work on their own initiative to improve risk management, not only at APRA's urging.

"Risk transformation programs are becoming more common in regulated entities and vary in scope, scale and the businesses impacted," he explained.

"The tough news is that research shows that 70% of risk transformations fail."

Bingham cited a report that attributed those failures mostly to cultural factors.

"It's not the plan that will make the biggest difference, it's the leadership attitude to the transformation program that will shape success," he said.

He added that performance incentives and consequence management are "powerful levers" for influencing organisational and risk culture.

"In addition, the Financial Accountability Regime (FAR) is getting closer to starting," he explained.

The FAR is due to commence for authorised deposit-taking institutions (ADIs) six months after Royal Assent, and for insurers and superannuation entities 18 months after Royal Assent.

"But with the legislation yet to pass the Senate, it's not clear when the Governor-General will give his stamp of approval," he said.

He advised that APRA and ASIC are working closely together to jointly administer the FAR.

"The regulators have established a single point of contact for engagement with entities concerning the FAR - APRA Connect," he said.

The platform is APRA's new data collection system and will be used as a single portal to avoid the need for entities to report to APRA and ASIC separately.

He highlighted that now is a good opportunity for ADIs to evolve their accountability frameworks.

"And it is never too early for insurers and superannuation trustees to start reviewing and reflecting on their governance and accountability arrangements in preparation for the FAR," he reminded.

Bingham also outlined CPS 230, APRA's prudential standard on operational resilience, which sets out the regulator's minimum expectations for the management of operational risk and incorporates the existing requirements for outsourcing (CPS 231) and business continuity management (CPS 232). Separately, he pointed to the programme of independent CPS 234 (Information Security) assessments, which is being used to establish a baseline of entities' cyber controls.

"While still in the early stages, the CPS 234 assessments are pointing to a number of areas where the industry is struggling to uplift," he said.

Turning to cyber security and resilience, Bingham said one of the biggest issues at present is that entities do not exist or operate in isolation.

"They're just one part of an interconnected ecosystem with numerous service providers that form part of, and enable, the financial system," he said.

"While it's important that everyone keeps their own house in order, third-party suppliers can create vulnerabilities, and that is where our work - and indeed, that of the international regulatory bodies - is increasingly focused."

He stressed the importance of bolstering risk management, since it is better to mitigate a risk before it crystallises.

"While APRA has the ability to compel answers from the banks, insurers and superannuation trustees we regulate when things go wrong, we expect to see questions being asked and answered internally by these entities well before a problem arises and APRA comes calling," Bingham said.

