APRA has released an article providing insights into the outcomes of its recent pilot risk culture survey and outlining next steps.  Our key takeaways are below.

Key takeouts

  • APRA has released the results of a pilot risk culture survey conducted with 10 insurers earlier in the year.  The survey provides an employee perspective on risk behaviours and the effectiveness of the risk management structures within the participating organisations.
  • APRA intends to roll out the risk culture survey to other APRA-regulated entities over the next 12 months.
  • The survey is part of APRA's broader focus on 'transforming' governance, culture, risk and accountability (GCRA) practices across APRA-regulated entities.

Overview

The Australian Prudential Regulation Authority (APRA) has released an article presenting a summary of the results of the pilot risk culture survey conducted with the employees of 10 general insurers in March and April 2021.

The survey involved APRA directly collecting responses from the employees at participating entities – the survey was sent to every employee and completed on a voluntary basis. Questions were designed to measure employee perceptions of the entities' risk culture. Questions included, for example: Do people feel safe to speak up? Do their leaders role model good risk management behaviours? Are adequate resources and training committed to deliver continuous improvement in risk management across the organisation?

As such, APRA considers that the results provide a 'unique employee view' of the risk management practices and behaviours within particular entities and an important basis for comparison across regulated entities.

Following the success of the pilot program, APRA intends to roll out the survey to other APRA-regulated sectors over the next 12 months as part of its broader focus on transforming governance, risk culture, remuneration and accountability (GCRA) practices across regulated entities. This is part of APRA's Hayne response.

APRA's approach to measuring risk culture

The survey contained over 40 questions aligned with a framework developed by APRA – the Risk Culture 10 Dimensions – to assess the risk culture of regulated entities.

The Risk Culture 10 Dimensions are framed around two elements that APRA considers contribute to risk culture within organisations: a) observable actions and behaviours; and b) the 'risk architecture' or formal systems, policies, processes and governance structures that support risk management within organisations.

For context, the Risk Culture 10 Dimensions are as follows.

Risk behaviours

  • Leadership: 'Leaders at every level deliberately and consistently champion risk management, setting a clear tone and role-modelling appropriate risk behaviours to instil the desired risk culture throughout the entity'.
  • Decision-Making and Challenge: 'There is a demonstrated willingness to proactively consider diverse viewpoints and to give and receive constructive challenge across the entity'.
  • Communication and Escalation: 'Risk issues are openly communicated across the entity, supported by an environment where people feel safe to speak up without fear of retribution'.
  • Risk Capabilities: 'The level of skills and learning, well-being, processes, systems and data across the three lines of defence support effective risk management practices and behaviours'.
  • Alignment with Purpose and Values: 'The entity’s espoused Purpose and Values promote and support good risk management practices and behaviours'.

Risk Architecture

  • Risk Culture Assessment and Board Oversight: 'The Board has a robust approach for overseeing the assessment of risk culture in order to form a view, identify desirable changes and ensure steps are being taken to address these changes'.
  • Risk Appetite and Strategy: 'Business and strategic decisions align with the Risk Appetite Statement'.
  • Risk Governance and Controls: 'Across the entity there is effective oversight of risk, and risk management is supported by appropriate risk frameworks, policies, controls and reporting'.
  • Responsibility and Accountability: 'Responsibilities and accountabilities for risk are clearly understood, embraced and discharged across the three lines of defence'.

Key findings from the pilot survey of 10 general insurers

  • Areas identified as potentially warranting 'additional focus':
    • On the 'risk architecture' side: employee perceptions of Risk Governance and Controls and Decision-Making and Challenge were the lowest scoring dimensions.
    • On the behaviour side: Responsibility and Accountability scored the lowest.
  • Perceptions varied across different business areas: APRA assessed how each business area within a surveyed entity responded relative to other areas within the same organisation. APRA also considered how the views from employees in the same business area across all surveyed entities compared with those in other business areas. According to APRA's analysis:
    • The business areas of Underwriting and Customer Service had some of the most negative perceptions, particularly with respect to the Responsibility and Accountability, and Risk Governance and Controls Dimensions.
    • In contrast, employees in the Financial Control business area and employees in Legal, Compliance and Risk were the most positive across all 10 risk culture dimensions including the dimensions that employees in the Underwriting and Customer Service areas felt most negatively about. APRA considers that there is opportunity for entities to 'understand what is working well' and to consider applying a similar approach in areas where employees have a less positive outlook.
  • Benchmarking: Overall, two entities had results that 'predominantly fell into the top quartile' and, beyond that, results 'were more varied, although generally concentrated across four entities'. APRA emphasises that falling into the top quartile is not an indication that there is no room for improvement.

Timeline for the roll-out to other sectors

Following what it considers to be a successful pilot, APRA intends to roll out the survey to other sectors over the next 12 months according to the following timeline:

  • Banking sector: Q4 2021
  • Insurance sector (general insurance, life insurance and private health insurance): Q1 2022
  • Superannuation: Q2 2022

APRA's expectations of how the data will be used

  • APRA makes clear that the survey results are only one of 'a number of qualitative and quantitative approaches used to assess risk culture' within regulated entities, though APRA will take into account an individual entity's survey results when assessing the entity's risk culture.
  • Going forward, APRA expects that the data from the surveys will be useful in:
    • gauging changes in risk culture over time – both in terms of highlighting the extent to which positive changes are occurring and in terms of identifying weaknesses/areas for improvement.
    • benchmarking results across industry sectors.
    • providing entities with valuable additional insights to supplement their own internal indicators and help to build a more comprehensive picture of their risk culture.

[Source: APRA Insight - Transforming risk culture 14/10/2021]