Risk culture - 'an evolving area of supervisory practice'

By Michael Mathieson, Senior Regulatory Counsel

In brief


A director of a bank, life company or general insurer who read APRA's recent information paper on risk culture could be excused for indulging in a wry smile. Since mid-2015 he or she has been subject to legislative obligations concerning risk culture. However, the information paper suggests that APRA is still working out what risk culture is and how to assess it.

Under Prudential Standard CPS 220 Risk Management, the board of a bank or insurer must ensure that 'it forms a view of the risk culture in the institution, and the extent to which that culture supports the ability of the institution to operate consistently within its risk appetite, identifies any desirable changes to the risk culture and ensures the institution takes steps to address those changes'.

The original version of this obligation was much more demanding. The original version required the board to ensure that 'a sound risk management culture is established and maintained throughout the institution'. Many thought that this was unacceptable and so APRA produced the less demanding version of the obligation set out in the previous paragraph.

But the final version of the obligation still requires the board to identify and assess the institution's risk culture. Without doing so, it would be difficult for the board to form a view about risk culture or to identify any desirable changes. It is this need to identify and assess the institution's risk culture that makes APRA's information paper so interesting.

Defining risk culture

In its paper, APRA does provide some commentary concerning the definition of risk culture, although without positively adopting any particular concise definition. What one takes away from the commentary is that risk culture involves 'a system of shared values', 'norms' and 'traditions of behaviour'. Now, these sorts of things are self-evidently not easy to identify. APRA accepts as much. It notes that various sets of shared norms and behaviours may exist within a single organisation. It acknowledges that this adds 'additional complexity' to the task of understanding risk culture,

since it necessitates consideration of how varying norms and behaviours within parts of an organisation interact with each other and impact the way in which the organisation as a whole perceives and manages risks.


The reader also learns that the 'informal' elements of an organisation's risk culture are 'important' but 'difficult to observe and assess'. The director of a bank or insurer might be inclined to agree.

Assessing risk culture

APRA observes that, given 'the relatively recent focus on risk culture', most prudential supervisors 'have yet to publicly state how they assess risk culture'. A director might well ask, if the regulator is not prepared to state how risk culture is to be assessed, why am I subject to a personal legislative obligation concerning risk culture?

The exceptions are the Prudential Regulation Authority (PRA) in the UK and De Nederlandsche Bank (DNB) in the Netherlands. It seems the Dutch are leading the pack here: they have roped in organisational and social psychologists. By extension, the board of a bank or insurer might consider engaging consultants with those qualifications to assist it with the difficult task of identifying the institution's risk culture.


According to APRA's paper, senior executives and boards are critical to an organisation's risk culture because they set the 'tone from the top'. In relation to senior executives, APRA said:

Institutions noted the direct impacts on behaviour and risk culture where there were disconnects – both real and perceived – between stated values and actual behaviours. Employees were seen to be particularly aware of instances of 'do as I say, not as I do'.

The last sentence struck me as ambiguous. It could be suggesting that employees are perceptive and are dispirited by the 'disconnects' they see. Or it could be suggesting that employees are crafty and will take the 'disconnects' they see as a licence to engage in misconduct. Or it could be both.

In relation to boards, APRA said it is 'critical that the (implicit and explicit) messages from directors about what behaviours are important are consistent with those emanating from senior executives'. This makes sense, assuming the senior executives are sending the right messages in the first place, free of 'disconnects'.

Others are not up to my standards

Perhaps it is human nature to think that we do things a little better than others. It seems this is no less true in respect of risk culture. APRA included the following gem in its paper:

Despite the recognised challenge in gaining insight into risk culture, institutions consistently asserted to APRA that their risk cultures were broadly 'good' or 'strong'. Institutions did, however, acknowledge that risk culture was an issue within their industry. This view that any problems lay elsewhere suggests the need for a deeper analysis and understanding of risk culture across the entire financial sector.

This appeared under a heading that included the word 'insight'.

The decoding process

APRA is at pains to emphasise that it will not 'impose a common risk culture across prudentially-regulated entities' or prescribe the specific characteristics of a 'good' risk culture. However, APRA is also at pains to emphasise that it will apply 'greater supervisory focus' to institutions that are either 'unwilling or unable to address behaviours which are inconsistent with prudent risk management'. A plausible interpretation of these and a number of other similar statements would be: 'We won't tell you what to do, but if we don't like what we see, there will be serious consequences for you'.

What next?

APRA wants to 'maintain the prominence of risk culture within regulated institutions'. In that respect, publishing the information paper and establishing a 'dedicated Governance, Culture and Remuneration risk specialist team' at APRA are ends in themselves (and by writing about risk culture I suppose I am helping APRA achieve its goal).

APRA also flags conducting 'pilot on-site reviews at individual institutions focussing specifically on risk culture'. Finally, it flags extending the risk culture obligations that currently apply in the banking and insurance sectors to the superannuation sector.

Risk culture does indeed remain 'an evolving area of supervisory practice'.