APRA deputy chairman Ian Laughlin has spoken at length about the importance of risk culture in Australian financial institutions.
Speaking at the 31st Governance Institute of Australia National Conference in Brisbane this week, Mr Laughlin said APRA is giving “increasing attention” to the culture, values and behaviour of Australian lenders.
“It is generally accepted that inappropriate culture was at the root of many of the problems that emerged in the GFC (such as the packaging of poor quality mortgages into AAA securities and the way they were sold)," he said.
He admitted that bank culture is an ongoing concern.
“There are many definitions of risk culture – most quite complex,” Mr Laughlin said. “However, I don’t think we need to be too concerned with its precise definition.
“A reasonably simple way to look at it is as follows: those aspects of the organisation’s culture that influence its management of risk.
“Of course, culture is often described as ‘the way we do things around here’. So a good working definition of risk culture is ‘the way we do risk around here.’
“Culture is about what is truly important in an organisation," he said. "It is about the way people actually behave (rather than what they should do, or even would like to do).”
Mr Laughlin added that behaviour is critical to prudential outcomes.
“The risk appetite must be clear and unambiguous; the espoused values must be clear, and consistent with the risk appetite and the business strategy; those values must be embraced across the organisation; and decision-making must be consistent with the values, risk appetite and business strategy,” he said.
APRA was recently advised that one of the criteria in an external audit tender was how the auditor would help with the assessment of risk culture.
“Often, staff engagement surveys are being used to get some insight,” Mr Laughlin said.
“We do not find consistently satisfactory standards, and so this is an ongoing area of focus for us.
“The reasons for the deficiencies are surprisingly basic in some cases – for example, there might be a lack of direction from the board, or the risk appetite may be unclear.”
APRA has a number of specific governance requirements that cover board size, board renewal, the need for various committees and fitness and propriety matters.
“There are quite a few specific responsibilities imposed on the board in our prudential standards (e.g. that the board must ensure an adequate level of capital, or set the risk appetite),” Mr Laughlin said.
“This sometimes generates concerns that APRA expects too much of boards. Or that we expect boards to take responsibility for what is normally seen as the province of management.”
Mr Laughlin stressed that APRA is not seeking to change the boundary of responsibilities between management and board from generally accepted practice, nor does it expect the board to be involved in operational matters.
“However, for an APRA-regulated institution, there are additional board responsibilities for the board,” he said, adding that there is no intent that any of those additional responsibilities would in the normal course of events lie with management.