Information paper

Transforming Governance, Culture, Remuneration and Accountability: APRA's Approach

  • Banking
  • Current
    19 November 2019
Disclaimer and copyright
While APRA endeavours to ensure the quality of this publication, it does not accept any responsibility for the accuracy, completeness or currency of the material included in this publication and will not be liable for any loss or damage arising out of any use of, or reliance on, this publication.
© Australian Prudential Regulation Authority (APRA)
This work is licensed under the Creative Commons Attribution 3.0 Australia Licence (CC BY 3.0). This licence allows you to copy, distribute and adapt this work, provided you attribute the work and do not suggest that APRA endorses you or your work. To view a full copy of the terms of this licence, visit https://creativecommons.org/licenses/by/3.0/au/

Executive summary

APRA’s core mandate is to maintain and promote the safety and stability of the financial system for the benefit of the Australian community. For financial entities to be financially and operationally sound - now and into the future - they need more than adequate financial resources, robust balance sheets and sound systems of formal risk management and internal control.
The 2018-19 Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry and the prudential inquiry into the Commonwealth Bank of Australia highlighted that the health and reputation of a regulated entity (and hence the outcomes it delivers) can be seriously damaged by weak leadership, misaligned remuneration structures, and/or a lack of accountability for operational or other failings.
Poor governance, remuneration structures and accountability mechanisms, leading to and reinforcing a poor risk culture, can undermine the prudential soundness of an entity and the outcomes for its customers. These issues are of primary interest to a prudential supervisor such as APRA.
Since 2015, APRA has increased its focus on these aspects of an entity’s performance as a potential indicator of prudential risk. In light of recent failings in these areas identified within the Australian financial system, APRA has committed to strengthening and intensifying its approach to overseeing governance, culture, remuneration and accountability (GCRA). This information paper sets out APRA’s enhanced approach. It reflects a strategic decision to take a more intensive regulatory approach to GCRA, with a view to transforming GCRA practices across the financial system.
This more intensive approach to GCRA responds to the recommendations from the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry and the Final Report of the Australian Prudential Regulation Authority Capability Review. It will involve enhanced cooperation with the Australian Securities and Investments Commission (ASIC) and be enabled by additional resourcing approved by the Australian Government in its 2019–2020 Budget, and a heightened regulatory appetite to intervene more forcefully where necessary.
The key attributes of APRA’s GCRA approach are:
  • Strengthening the prudential framework through clarifying expectations of boards and senior managers, and consulting with industry on plans to embed risk governance self-assessments in the prudential framework. APRA is strengthening the current principles-based prudential requirements for remuneration to provide clearer and more-readily enforceable expectations for remuneration arrangements, particularly for senior executives.
  • Sharpening APRA’s supervisory focus on GCRA outcomes, through additional resourcing to intensify supervision, investment in new tools to assess and benchmark GCRA practices, and a clear intent to hold entities accountable for promptly addressing deficiencies.
  • Sharing APRA’s insights with industry and the broader public to reinforce prudential expectations by adopting a more strategic approach to transparency, with this approach in line with, and in some cases at the forefront of, international practice.
APRA acknowledges the potential trade-offs and risks of this approach. In particular, APRA’s more intensive GCRA approach needs to strike the right balance between preserving the principle that boards and senior management are accountable for the GCRA practices of regulated entities, while also ensuring that APRA is fulfilling its mandate by holding regulated entities accountable for meeting community expectations. APRA considers that, on balance, the potential benefits of adopting a more intensified approach outweigh the potential costs:
  • a stronger prudential framework will, in places, result in a more prescriptive set of regulatory requirements. The costs of more prescriptive requirements are expected to be more than offset by a systemic uplift in GCRA standards and practices across regulated entities, and result in greater transparency by entities of their approaches and outcomes;
  • more intensive supervision of GCRA may result in higher compliance costs, including that directors and senior managers of regulated entities are subject to more frequent or deeper engagement with APRA. However, APRA expects these higher costs to be offset by the benefits of more timely identification and rectification of GCRA issues; and
  • greater sharing of APRA’s findings and observations will support public scrutiny of regulated entities, ensuring that GCRA practices and outcomes are at the forefront of institutions’ thinking, and thereby embedding a philosophy of avoiding problems rather than remediating them after the event.
The intended outcome of this intensified approach to GCRA is to drive genuine change across the industry, with success measured by:
  • stronger governance frameworks and processes, providing robust oversight of organisational activities;
  • organisations that understand and enable a risk culture that supports effective risk management practices and delivers sound prudential outcomes;
  • remuneration arrangements that reflect a holistic assessment of performance and risk management, and reduce the incentive for misconduct; and
  • clear accountability (individually and collectively) for outcomes achieved.
APRA’s approach to GCRA seeks to incorporate a range of international practices with its own supervision philosophy in a way that is fit for purpose for the Australian financial system. This approach to GCRA represents an ambitious and comprehensive agenda, supporting a financial system that delivers sound outcomes for all its stakeholders.

Glossary

ADI
Authorised Deposit-taking Institution
APRA
Australian Prudential Regulation Authority
ASIC
Australian Securities and Investments Commission
BEAR
The Banking Executive Accountability Regime
Capability Review
Australian Prudential Regulation Authority Capability Review
GCRA
Governance, culture, remuneration and accountability
GI
General Insurer
LI
Life Insurer
PHI
Private Health Insurer
Prudential Inquiry
Prudential Inquiry into the Commonwealth Bank of Australia
Royal Commission
Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry
RSE
Registrable Superannuation Entity

Chapter 1 – Introduction

This paper sets out APRA’s intensified approach to the supervision of regulated entities with respect to their governance, culture, remuneration and accountability (GCRA) practices. While this approach builds upon recent work APRA has undertaken on GCRA, it represents a significant enhancement – in the resourcing, capability and intensity – of its supervisory focus. This approach also reflects APRA’s willingness to use its powers more assertively to hold regulated entities, and their boards and senior management, to account for ensuring high standards of GCRA are maintained.
This supervisory stance is in response to serious GCRA failings that have been identified within the Australian financial system. These failings have resulted in a loss of public trust in the fairness of the financial system, and community demands for higher standards of governance, greater transparency and clearer accountability where poor outcomes have been identified.
Despite often being described as ‘non-financial’ in nature, a failure to identify and mitigate weaknesses in GCRA issues can undermine the financial and operational resilience of a regulated entity. APRA’s intensified approach to the supervision of GCRA is consistent with its focus on resilience and recognises that each element interacts to drive and reinforce effective management of financial and non-financial risks. APRA’s focus on these issues will also reinforce and support broader efforts, including by ASIC, to limit the potential for misconduct, and drive better consumer outcomes.
[1]
Entities regulated by APRA are authorised deposit-taking institutions (ADIs), e.g. banks, credit unions and building societies, insurers (general insurers (GIs), life insurers (LIs), private health insurers and reinsurers), friendly societies and most of the superannuation industry.

Figure 1: GCRA interactions

 Each strand within GCRA interacts and reinforces each other to form a regulated institution’s risk
APRA’s supervisory philosophy remains founded on the premise that the ultimate responsibility for the prudent management of a regulated entity rests with its board and management. However, where a regulated entity fails to address poor GCRA practices, APRA is prepared to use its regulatory powers to compel the entity to take action. This is essential for both strengthening the resilience of regulated entities and restoring community trust in the financial system as a whole.
Risk culture
Risk culture refers, in simple terms, to an entity’s attitude to risk management. More particularly, it refers to the norms of behaviour for individuals and groups that shape the ability to identify, understand, openly discuss, escalate and act on an entity’s current and future challenges and risks. Risk culture is not separate to organisational culture but reflects the influence of organisational culture on how risks are managed.
Importantly, a strong risk culture does not imply an avoidance of risk-taking. It does, however, ensure that risk is taken within well-defined boundaries, that risk-reward tradeoffs are actively considered, and that an entity is alert to the consequences of adverse risks crystallising. This can be achieved when organisational values and beliefs promote behaviours that support robust risk management and decision making, and when effective risk frameworks and clear accountabilities are in place.
A weak risk culture, on the other hand, has insufficient regard to risk management. As a result, it can encourage excessive risk taking, undermine the effectiveness of risk management practices, entrench patterns of misconduct and ultimately result in material losses.
The board of a regulated institution must set the risk appetite of the entity and form a view of its risk culture. When forming a view, the board needs to determine the extent to which the risk culture of the institution enables it to consistently operate within its risk appetite. It is expected that institutions will have a number of initiatives in place to enable the desired risk culture, and for appropriate governance to be in place to monitor them.
The board is ultimately accountable, together with senior management, for the management of risk, whether financial or non-financial, and the outcomes that result from it. The entity’s risk culture will play a critical role in ensuring board-approved statements of appetite and policy are translated into practices that deliver sound prudential outcomes. Assessing risk culture will, therefore, be a core focus of APRA’s supervision activities, and aligns directly with APRA’s mandate.

Chapter 2 – APRA’s evolving approach to GCRA

The supervision of GCRA is not new to APRA and has evolved considerably over time. Figure 2 below outlines the timeline of regulatory developments in GCRA within APRA, and is reflective of an increased focus on GCRA issues in recent years.

Figure 2: Timeline of regulatory developments in GCRA

In line with international trends, APRA began in 2015 to step up its focus on the promotion of sound management of GCRA issues within Australian regulated entities. It established a small specialist supervision team devoted to these issues, introduced requirements for boards to have regard to risk culture within their entities, and subsequently published thematic reviews of risk culture in 2016 and remuneration in 2018. As part of this evolving approach, APRA also established a Prudential Inquiry into Commonwealth Bank of Australia (Prudential Inquiry) in August 2017, focusing on GCRA practices at CBA, and subsequently asked the country’s largest banks, insurers and superannuation licensees to conduct a self-assessment against the findings of that Prudential Inquiry. APRA published a report on the findings of those self-assessments in May 2019.
The Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Royal Commission) and the Final Report of the Australian Prudential Regulation Authority Capability Review (Capability Review) acknowledged the work that APRA has done in supervising GCRA. However, both concluded APRA needed to do more to broaden its focus on GCRA, set more robust standards, and intensify its scrutiny and challenge of regulated entities.
APRA’s refreshed approach to the supervision of GCRA and how it responds to the Royal Commission and Capability Review is outlined in Attachment A and B. The greater importance being assigned to GCRA in APRA’s activities is reflected in APRA’s 2019-2023 Corporate Plan, which identifies the transformation of GCRA within regulated entities as one of the key community outcomes that APRA seeks to deliver in the coming years.

International practices

APRA is not alone in strengthening its approach to GCRA, and international practice in the regulation and supervision of GCRA also continues to develop. There is, however, still little consensus on which supervisory tools are best to employ, or how good outcomes are best achieved. Individual jurisdictions are addressing GCRA in many different ways, often reflecting the specific needs and characteristics of their respective financial systems.
A summary of leading international practices is set out in Figure 3, together with APRA’s proposed approach.

Figure 3: Summary of leading international practices


Self-assessments leading to better practices

Following the release of the final report of the Prudential Inquiry, APRA asked regulated entities to reflect on the findings and consider whether similar issues might exist in their own organisations. In addition, APRA wrote to the boards of 36 ADIs, insurers and superannuation licensees asking them to conduct a self-assessment against the findings, and provide that assessment to APRA.
APRA identified common themes and provided specific observations to entities about the depth, challenge and insight from the self-assessments. A report on the main themes from the assessments was published in May 2019.
Overall, APRA identified three key findings in its review of the self-assessments:
  • the weaknesses identified in the Prudential Inquiry were not unique to CBA;
  • there were four key themes surrounding gaps and weaknesses relating to the management of non-financial risks, inaction in relation to long-standing issues, accountabilities and risk culture; and
  • regulated entities may not have fully identified the root causes of findings, resulting in the risk that actions to address weaknesses may not be effective or sustainable.
Figure 4 sets out a summary of overall outcomes and activities from the self-assessments.

Figure 4: Outcomes from self-assessments

Chapter 3 – APRA’s GCRA strategy

APRA’s approach to GCRA is a multi-year strategy, and a key pillar in APRA’s 2019-2023 Corporate Plan. The high-level strategy is set out in Figure 5 below.

Figure 5: APRA’s GCRA strategy

Approach

In adopting a more intensive approach to the supervision of GCRA, APRA’s objective is to enhance the resilience in regulated entities to restore the Australian community’s trust and confidence in the financial system.
The intended outcome of this intensified approach to GCRA is to drive genuine change across the industry, with success measured by:
  • stronger governance frameworks and processes, providing robust oversight of organisational activities;
  • organisations that understand and enable a risk culture that supports effective risk management practices and delivers sound prudential outcomes;
  • remuneration arrangements that reflect a holistic assessment of performance and risk management, and reduce the incentive for misconduct; and
  • clear accountability (individually and collectively) for outcomes achieved.

Work streams

APRA’s approach to each of the component parts of its GCRA strategy is described in more detail below.

Governance roadmap

APRA’s plans will contribute to the transformation of GCRA practices by strengthening prudential requirements to uplift minimum standards, and sharpen supervisory insights in relation to governance. Figure 6 provides the governance roadmap, including APRA’s planned activities and timing.

Figure 6: Governance roadmap

Governance - APRA’s plans to effect transformation of GCRA practices:

  • Strengthen: Amending the prudential standards to incorporate the lessons from the Royal Commission and self-assessments, and ensuring they remain fit for purpose. Areas for review will include the effectiveness of board obligations in relation to risk culture, the relative emphasis on financial and non-financial risks, and the clear need to strengthen the requirements in relation to compliance and audit functions.
  • Sharpen: Undertaking targeted prudential engagements with entities that completed a self-assessment to assess the progress of remediation plans.
  • Sharpen: Conducting a phased thematic review (which has already commenced) to identify drivers of effective governance practices, including: the value of insights gained from Prudential Standard CPS 220 Risk management (CPS 220) effectiveness reviews; the robustness of processes supporting the CPS 220 risk management declaration; the role and effectiveness of board committees and processes undertaken to assess board effectiveness.
  • Sharpen: Carrying out ‘deep dive’ prudential reviews of the major banks’ compliance functions.

Risk culture roadmap

APRA’s plans to transform risk culture practices include building a supervisory program to sharpen focus on regulated entities’ risk culture; the supervisory program will include developing the capability to benchmark and track risk culture across regulated entities.
Figure 7 provides the risk culture roadmap, including APRA’s planned activities and timing.

Figure 7: Risk culture roadmap

Risk culture - APRA’s plans to effect transformation of GCRA practices:
  • Strengthen: Reviewing the effectiveness of board obligations in respect to risk culture in CPS 220 to ensure it remains fit for purpose.
  • Sharpen: Building supervisory capability to assess risk culture for regulated entities, using an approach derived from APRA’s risk culture assessment model.
  • Sharpen: Conducting deep dive risk culture reviews. Initially, this will be set at three per year from 2020 onwards, with one expected to be completed in 2019.
  • Sharpen: Developing and establishing an industry-wide tool(s) to benchmark risk culture across industry sectors and cohorts of entities.
[2]
The industry-wide tool will involve a number of inter-dependent factors (e.g. data, legal, stakeholder engagement), which may impact the project delivery milestones and deadline.

Remuneration roadmap

APRA’s plans to transform practices in relation to remuneration include strengthening the alignment of incentives between regulated entities and diverse stakeholders, including shareholders, customers and beneficiaries; these changes will be complemented by sharper supervisory focus on the implementation of stronger prudential requirements. Figure 8 provides the remuneration roadmap, including APRA’s planned activities and timing.

Figure 8: Remuneration roadmap


Remuneration - APRA’s plans to effect transformation:

  • Strengthen: Implementing more prescriptive remuneration requirements to align with international better practice and address the recommendations of the Royal Commission. The key changes proposed include strengthening the role of the board, requiring specific consideration of non-financial risk when determining variable remuneration, and ensuring that robust consequence management mechanisms are available to align risk with variable remuneration (e.g. malus and clawback). A draft prudential standard was released in July 2019 and consultation closed in relation to these proposals in October 2019. APRA plans to respond to the feedback provided during the consultation process in early 2020.
  • Sharpen: Assessing implementation plans from a sample of regulated entities once the final standard is released. This process will provide APRA with emerging market practice and an opportunity to take pre-emptive action to address any shortfalls in implementation. An information paper will be published based on the findings to reinforce APRA’s expectations on implementation to the broader industry.
  • Sharpen: Uplifting internal capability of supervisors to assess regulated entities’ approach to implementing the final standard.
  • Sharpen: Carrying out ‘deep dive’ effectiveness reviews once the final standard is implemented that will focus on the design, implementation and outcomes of remuneration frameworks.

Proactive industry consultation – New remuneration prudential standard

Given the extent of change contained in APRA’s proposed new remuneration standard, APRA has undertaken an extensive consultative process on the new draft remuneration standard.
External engagements have included:
  • Industry webinars with over 380 registered attendees across the ADI, insurance and superannuation industries.
  • Over 30 individual meetings held between APRA and stakeholder groups to ensure the intent of the new standard is well understood. As well as regulated entities, stakeholders included: domestic and international regulators, shareholder groups and proxy advisors, industry bodies, governance institutions, remuneration consultants and consumer groups.
APRA intends to continue this active consultation approach for upcoming releases of the draft remuneration prudential practice guide and remuneration disclosure and reporting requirements.

Accountability roadmap

APRA’s plans to transform practice in relation to accountability include strengthening requirements for accountability and ensuring there is clear accountability for outcomes; this will be complemented by heightened supervisory focus on the implementation of the regime. Figure 9 provides the accountability roadmap, including APRA’s planned activities and timing.

Figure 9: Accountability Roadmap

Accountability - APRA’s plans to effect transformation of GCRA practices:
  • Strengthen: Working with the Government, Treasury and ASIC to develop an accountability regime for all prudentially regulated industries.
  • Sharpen: Uplifting internal capability of supervisors to assess regulated entities’ approach to the implementation of the Accountability Regime.
  • Sharpen: Assessing outcomes from the implementation of the BEAR legislation, through on-site reviews at large ADIs commencing in the second half of 2019, with key areas of focus being actions taken by large ADIs to embed the regime, and cascade accountability through the entity.

Sharing insights and best practice

A key pillar of APRA’s GCRA strategy is to share GCRA insights and practices publicly. In doing so, APRA's objectives are to:
  • Inform - explain APRA’s overall supervisory approach, methodology, intensity, views and outcomes;
  • Influence - convey key messages to deter poor behaviour, promote better practice and maintain confidence in the Australian financial system; and,
  • Drive accountability - hold entities and individuals to account.
In forming its view about what GCRA information should be disclosed, APRA must balance a range of considerations:
  • Could disclosure adversely impact financial stability, including in relation to the resilience of individual regulated entities?
  • Could disclosure of commercial ‘in confidence’ information adversely impact the strategic position of individual regulated entities, particularly when disclosure only relates to a subset of entities?
  • Could disclosure raise legal professional privilege issues, or affect current law enforcement or other activities of other regulators?
  • Could disclosure have a material adverse impact on market or community confidence in relation to the prudential standing of individual regulated entities?
  • Could disclosure of personal information be unreasonable in light of an individual’s legal and ethical entitlements to privacy?
Notwithstanding these considerations, APRA’s view is that there is scope to increase the extent of information about APRA’s GCRA activities and findings, including in relation to individual entities. There is also potentially scope for entities to self-disclose a greater range of information. Both of these steps will bring greater transparency to, and drive accountability for, generating sound GCRA practices and outcomes.
Set out in Figure 10 below is a summary of APRA’s future approach to GCRA-related disclosure. APRA has compared its intensified approach to GCRA disclosure with the practices adopted by peer regulators, and concluded that its approach will be in line with, and in some cases at the forefront of, international practice.

Figure 10: Future approach to GCRA-related disclosure

* In some cases, APRA must seek approval of the Attorney-General to disclose the reports of investigations.
** Regulated entities will be informed at the commencement of any future self-assessment processes of the extent and nature of APRA’s requirements in respect of public disclosure.
As noted earlier in this chapter, APRA plans to conduct a series of GCRA-related thematic reviews and, from these, publish a number of information papers to reinforce its expectations in this area. These will include the names of the entities selected to participate in thematic reviews, and also include examples of entity-specific practices, to guide industry towards stronger GCRA outcomes.

Figure 11: Selection of planned external publications

* The release of the remuneration information paper is dependent on the timing of the final release of CPS 511.

APRA / ASIC cooperation

Transforming GCRA across the financial system is a shared priority with other Australian regulators. In particular, ASIC has an active interest and work program in this area. While APRA and ASIC assess GCRA issues through the lenses of their respective mandates, there will be many opportunities to clarify, collaborate and consult on joint expectations in relation to GCRA-related issues, as set out in the table below.
[3]
APRA is responsible for protecting the interests of depositors, insurance policyholders and most superannuation fund members. It is also required to balance the objectives of financial safety and efficiency, competition, contestability and competitive neutrality and, in balancing these objectives, is to promote financial system stability. ASIC regulates the conduct of Australian companies, financial markets, financial services organisations, and professionals who operate in those sectors. It strives to promote the confident and informed participation of investors and consumers in the financial system.

Figure 12: APRA and ASIC’s roles

 A recent example of cooperation is the review by ASIC’s Corporate Governance Taskforce into Australia’s large listed companies, which used as a reference point APRA’s Prudential Inquiry and self-assessments of governance, culture and accountability. APRA is, in turn, liaising with ASIC to leverage the insights from this review to develop its criteria for assessing board effectiveness.
More generally, APRA and ASIC will cooperate on GCRA issues, as part of the broader refresh of the cooperation arrangements between the two agencies that is currently underway. An objective of this work will be to maximise alignment of each regulator’s activities, and to minimise duplication for regulated entities.
APRA recognises the importance of its cooperation and coordination with ASIC. In pursuing the work detailed in this paper, APRA has committed with ASIC to undertaking a number of actions to strengthen collaboration between the two agencies.
[4]
The key objectives of the new engagement framework are to: i) facilitate cooperation and collaboration between the agencies; ii) strengthen the effectiveness and contribute to the efficiency of regulatory outcomes across the financial sector; and, iii) promote a whole-of-system perspective in meeting each agency’s responsibilities.

Strengthening

  • Working with ASIC and Treasury to design, implement and jointly administer an expanded accountability regime for regulated entities.
[5]
The scope of entities captured by this regime is subject to industry consultation.

Sharpening

  • Actively seeking opportunities to collaborate with ASIC on GCRA-related projects, including:
      • partnering on planned thematic reviews where there is overlap between the mandates and work plans of agencies, e.g. reviewing the effectiveness of Board Audit Committees and Internal Audit functions as part of the governance thematic review;
      • conducting risk-based follow-ups on issues identified from the risk governance self-assessment process; and
      • providing inter-agency training and support to upskill staff and build capability in relation to GCRA.

Sharing

  • Enhancing inter-agency information sharing on GCRA and other regulatory matters by:
      • publishing a revised Memorandum of Understanding (MoU) with ASIC to strengthen cooperation between regulators by the end of 2019;
      • refreshing the inter-agency engagement structure to embed the principles of the MoU; and,
      • increasingly sharing information and combining expertise, including joint reviews, supervisory colleges and inter-agency secondments to foster closer collaboration.

Chapter 4 – APRA’s capabilities

Building APRA’s resourcing and capabilities is fundamental to the success of APRA’s approach to GCRA. Supervising GCRA requires different skill sets and approaches compared to traditional areas of prudential focus, such as credit or liquidity risk. Good GCRA practices are harder to define and more subjective in their assessment. There are fewer agreed upon metrics, and weaknesses are more difficult to detect in advance.
The principles informing the build in capabilities are:
  • Resilience – an approach that is adaptable and flexible, with capacity for supervisory judgement to tailor responses to different issues in different types of entities;
  • Scalability – an approach that facilitates risk-based supervision across the entire prudentially regulated population while also ensuring appropriate coverage of entity specific issues; and
  • Effectiveness – an approach that identifies and addresses serious prudential risks, applies best practice to lift industry standards, and holds entities and individuals to account for prudential outcomes.
These principles are designed to ensure that APRA maintains appropriate supervisory coverage of all regulated entities, and has risk-based mechanisms to ‘triage’ regulated entities, identifying those requiring more intense supervisory intervention.
The success of the GCRA approach will require innovation, agility and flexibility as well as increased resourcing. APRA will seek to uplift its GCRA capabilities through multiple channels, as set out in Figure 13.

Figure 13: Lifting APRA’s GCRA capability

Staff and capability

In 2015, APRA established a dedicated risk team to provide support to frontline supervisors on GCRA issues. Following increased funding approved by the Australian Government in the 2019 Budget, the GCRA team’s headcount will grow in FY20 to more than 20 FTE, which will represent a doubling in size from FY19. The additional staffing will include a blend of experienced supervisors, industry practitioners, and policy development staff. A separate but closely aligned team is also being established to implement the expanded accountability regime.
The objective of the GCRA risk specialist team is to effectively embed the supervision of GCRA issues into the routine supervision of regulated entities. To do this, the GCRA team is focused on equipping frontline supervisors to develop comprehensive knowledge of GCRA issues within regulated entities.

Enhanced framework and tools

APRA has existing capabilities to conduct risk-based supervision activities that have supported the resilience of the Australian financial system (e.g. entity specific risk assessments, idiosyncratic prudential reviews, and thematic reviews). APRA will build on and refine its approach to ensure that GCRA issues are addressed effectively, with a significant focus on strengthening and sharpening supervision of GCRA risks. Some key elements of the enhanced toolkit are set out below.

Industry-wide insights

A new tool is being developed to benchmark and assess trends in risk culture across regulated entities, similar in method to the work undertaken by the UK Banking Standards Board. APRA used a version of this tool for the Prudential Inquiry, and will seek to adapt it for industry wide use. To test the robustness of this tool, APRA is planning to undertake an initial survey of a small sample of entities in 2020, with a view to including a broader sample of entities in subsequent surveys. The initial survey will be a ‘proof of concept’ that will seek to explore the insights gained from the data, and test the technical capability for wider roll-out.
APRA’s expectation is that the development and launch of this tool will enable it to measure and monitor changes in risk culture across the industry. Once a risk culture benchmark is established, APRA will use its data analytics capabilities to interrogate the responses, and to provide evidence of the extent to which positive changes are (or are not) occurring.

GCRA declarations and self-assessments

The self-assessments following the Prudential Inquiry have provided APRA with valuable insights into the weaknesses of GCRA practices of the selected entities. APRA is considering how it can scale the self-assessment process to apply to all regulated entities. APRA intends to incorporate GCRA declarations and self-assessments into the supervision framework, building on the existing process of risk management declarations under CPS 220. This process will embed self-assessments in a more structured way into APRA’s supervisory processes and should produce a reinforcing and sustained uplift in the management of GCRA risks by all regulated entities. Subject to consultation on the exact nature of the new requirements, this could involve:
  • annual GCRA declarations from the boards of regulated entities, akin to the declarations provided for risk management under CPS 220;
  • periodic GCRA self-assessments, as well as independent reviews, to support the annual declarations;
  • engagement with independent experts to assist with APRA’s assessment of entities’ self-assessments, including benchmarking segments of the industry to highlight good and bad GCRA practices;
  • follow-up actions from these assessments incorporated into APRA’s ongoing supervision; and
  • more formal supervisory actions applied to entities that fail to make sufficient progress in rectifying deficiencies.
APRA will consult with industry about how these expectations will be included in the prudential framework. In particular, APRA will seek feedback about how the process can best be integrated with existing declaration and review requirements in CPS 220.

Prudential inquiries, investigations and deep dives

The Prudential Inquiry was an extremely valuable exercise that identified a number of important issues and learnings, not only for the bank itself, but for all regulated entities. The insights from this exercise will have relevance for some time.
APRA considers a full scale Prudential Inquiry, similar to that conducted for CBA, to be at the highest intensity end of the scale for addressing GCRA issues. Such inquiries will be an important tool that APRA can utilise when the circumstances warrant such an approach. They are most likely to be targeted at cases where issues have been identified that are serious, complex and potentially indicative of systemic GCRA problems within the regulated entity that have diminished, or could diminish, the prudential standing of the entity. Depending on the willingness of the entity concerned to cooperate with APRA, consideration will also be given to the use of APRA’s formal investigation powers to undertake such reviews.
In instances where a full scale Prudential Inquiry may not be warranted, APRA has the option to utilise a program of more targeted ‘deep dive’ prudential reviews, such as the risk culture reviews outlined in APRA’s GCRA strategy section. Such reviews would deploy some of the tools and elements used in the Prudential Inquiry, such as interviews with directors and senior managers, staff surveys, and analysis of case studies. The insights from these activities will be used to inform the structure and design of the self-assessment process that APRA is considering rolling out across the sector, as well as the focus of thematic reviews.
[6] APRA’s powers to conduct investigations have recently been strengthened to address shortcomings that led APRA to conduct a Prudential Inquiry, rather than an investigation, in the case of CBA.

Partnering with experts and harnessing innovation

A balance of internal and external capabilities will be needed to deliver the approach to GCRA outlined in this paper. APRA, therefore, plans to engage external experts where their expertise is critical to address a specific issue or to the success of a project, and is unavailable internally. Given the diversity of issues that fall within the area of GCRA, APRA plans to draw upon a range of both domestic and international experts – including those from other regulators, academia, and the private sector.
APRA will also continue its use of experts, as needed, to review and challenge APRA’s own findings, and will also look to use technology to support supervision (suptech) such as enhanced data analytics.

Natural language processing

APRA is trialling natural language processing (NLP) in its risk culture reviews. NLP is a powerful tool for assessing the sentiments – whether negative, positive, or neutral – contained within large amounts of information, for example free text survey responses. NLP can be used to pick out pre-determined themes across a range of topics that can aid the understanding of an entity’s risk culture.
The early results from APRA’s use of NLP in its risk culture assessments are highly promising, especially in identifying potential areas for more detailed attention through APRA’s deep-dive reviews.

Attachment A – Addressing the Royal Commission’s GCRA recommendations

Royal Commission recommendation
How APRA's plans address the recommendation
Recommendation 5.1 - Supervision of remuneration - principles, standards and guidance
In conducting prudential supervision of remuneration systems, and revising its prudential standards and guidance about remuneration, APRA should give effect to the principles, standards and guidance set out in the Financial Stability Board's publications concerning sound compensation principles and practices.
Recommendations 5.2 and 5.3 explain and amplify aspects of this Recommendation.
On track. APRA released for consultation a draft prudential standard, Prudential Standard CPS 511 Remuneration, in July 2019. APRA plans to respond to the feedback provided during the consultation process in early 2020. The draft standard encapsulates the Financial Stability Board's guidance in relation to sound compensation principles and practices, including in relation to misconduct, compliance and other non-financial risks.
Work is underway to devise new information collections that will allow APRA to better assess how remuneration frameworks work in practice.
Recommendation 5.2 - Supervision of remuneration - aims
In conducting prudential supervision of the design and implementation of remuneration systems, and revising its prudential standards and guidance about remuneration, APRA should have, as one of its aims, the sound management of APRA-regulated institutions of not only financial risk but also misconduct, compliance and other non-financial risks.
On track. APRA released for consultation a draft prudential standard, Prudential Standard CPS 511 Remuneration, in July 2019. APRA plans to respond to the feedback provided during the consultation process in early 2020. The draft standard encapsulates the Financial Stability Board's guidance in relation to sound compensation principles and practices, including in relation to misconduct, compliance and other non-financial risks.
Work is underway to devise new information collections that will allow APRA to better assess how remuneration frameworks work in practice.
Recommendation 5.3 - Revised prudential standards and guidance
In revising its prudential standards and guidance about the design and implementation of remuneration systems, APRA should:
  • require APRA-regulated institutions to design their remuneration systems to encourage sound management of non-financial risks, and to reduce the risk of misconduct;
  • require the board of an APRA-regulated institution (whether through its remuneration committee or otherwise) to make regular assessments of the effectiveness of the remuneration system in encouraging sound management of non-financial risks, and reducing the risk of misconduct;
  • set limits on the use of financial metrics in connection with long-term variable remuneration;
  • require APRA-regulated institutions to provide for the entity, in appropriate circumstances, to claw back remuneration that has vested; and
  • encourage APRA-regulated institutions to improve the quality of information being provided to boards and their committees about risk management performance and remuneration decisions.
On track. APRA released for consultation a draft prudential standard, Prudential Standard CPS 511 Remuneration, in July 2019. The draft standard requires regulated entities to:
  • design their remuneration systems to encourage sound management of non-financial risks, and to reduce the risk of misconduct;
  • make regular assessments of the effectiveness of the remuneration system in encouraging sound management of non-financial risks, and reducing the risk of misconduct;
  • limit to 50 per cent the use of financial metrics in connection with variable remuneration;
  • provide for the entity, in appropriate circumstances, to claw back remuneration that has vested; and
  • improve the quality of information being provided to boards and their committees about risk management performance and remuneration decisions.
APRA plans to respond to the feedback provided during the consultation process in early 2020.
Work is underway to devise new information collections that will allow APRA to better assess how remuneration frameworks work in practice.
Recommendation 5.7 - Supervision of culture and governance
In conducting its prudential supervision of APRA-regulated institutions and in revising its prudential standards and guidance, APRA should:
  • build a supervisory program focused on building culture that will mitigate the risk of misconduct;
  • use a risk-based approach to its reviews;
  • assess the cultural drivers of misconduct in entities; and
  • encourage entities to give proper attention to sound management of conduct risk and improving entity governance.
On track. Building on additional resourcing provided by the Government in the 2019 Budget, the recommendations of the Royal Commission, and the recommendations of the Capability Review, APRA is developing an intensified approach to the supervision of governance, culture, remuneration and accountability within regulated entities. APRA’s approach to the supervision of culture and governance is set out in this paper.

Attachment B – Addressing the Capability Review’s GCRA recommendations

Capability Review recommendation
How APRA's plans address the recommendation
Recommendation 4.1: Strengthening APRA’s capabilities – GCA risks
As part of its work to revise and enhance its supervisory and policy frameworks, APRA should:
  • ensure the policy framework is focussed on assessing appropriate outcomes around GCA risk in regulated entities, not just appropriate processes;
  • further develop its toolkit for assessing GCA risks, including board and senior management performance, and ensure that it has an escalating suite of options for engaging with entities;
  • embed the recent entity self-assessment process into its more intense supervision of GCA risks by making it a biennial requirement. The self-assessments should be more prescriptive than APRA’s recent program, including coverage of questions set out in Appendix 2. The self-assessments, APRA’s assessment of each of them, APRA’s thematic reviews, and any rectification requirements imposed by APRA in response to a self-assessment should be published;
  • establish an external panel of experts to assist it in undertaking more in-depth assessments of individual entities;
  • explore ways to collaborate with regtech specialists and other experts to develop more efficient and effective tools to identify GCA risks.
APRA supports this recommendation. As outlined in the Corporate Plan 2019-2023 and this paper, APRA’s GCRA Strategy significantly uplifts its regulatory and supervisory approach in these areas, including:
On track: Actions to enhance the GCRA prudential framework outlined in this paper will strengthen requirements for regulated entities to focus on outcomes;
On track: APRA’s GCRA strategy combined with the refresh of its supervisory and enforcement review, will further develop the toolkit for assessing these risks;
On track: APRA continues to engage with regulated entities on the execution of remediation plans following the completion of self-assessments undertaken following the Prudential Inquiry.
APRA plans to strengthen the prudential framework to make it explicit that boards must submit an annual declaration on the effectiveness of GCRA, and undertake periodic GCRA self-assessments.
APRA’s external communication of information associated with the self-assessment process will align with its external communication strategy.
On track: APRA will use a range of external experts to complement its internal GCRA capabilities to support the execution of its GCRA strategy. For example, APRA is assessing options to use external experts to support planned activities in relation to risk culture.
In progress: APRA recognises that collaborating with regtech specialists and other experts will be an opportunity going forward to sharpen supervision. APRA notes that work undertaken in relation to Natural Language Processing provides an example where technology is being incorporated as part of sharper GCRA supervision practices.
Recommendation 4.2: Strengthening APRA’s capability – GCA risks
APRA should build on the CBA Prudential Inquiry and entity self-assessments by embedding CBA-style prudential inquiries as an ongoing part of its supervisory toolkit. The Panel would expect to see several prudential inquiries in the first few years to reinforce the need for rigorous self-assessments. In time, the inquiries should involve retail and industry superannuation, insurance and ADI entities.
APRA supports this recommendation. APRA will include CBA-style prudential inquiries as part of the supervisory toolkit. GCRA self-assessments will be periodic, and targeted GCRA deep dives will occur as part of ongoing supervision.
Reports from prudential inquiries will be publicly disclosed.
 
Recommendation 4.3: Strengthening APRA’s capability – GCA risks
The Government should consider providing APRA with a non-objections power to veto the appointment or reappointment of directors and senior executives of regulated entities. This would bring it into line with international regulators and strengthen its capacity to preemptively regulate GCA risks. The power should be available to APRA only where the risks associated with the entity, including but not limited to member outcomes for superannuation funds, warrant it.
APRA supports the objective of a strong regime for the fitness and propriety of directors and senior executives, but notes that ultimately this is a matter for Government.