
Unravelled: Risk culture – 'an evolving area of supervisory practice'

3 November 2016

Written by Senior Regulatory Counsel Michael Mathieson

A director of a bank, life company or general insurer who read APRA's recent information paper on risk culture could be excused for indulging in a wry smile. Since mid-2015 he or she has been subject to legislative obligations concerning risk culture. However, the information paper suggests that APRA is still working out what risk culture is and how to assess it.

Under Prudential Standard CPS 220 Risk Management, the board of a bank or insurer must ensure that 'it forms a view of the risk culture in the institution, and the extent to which that culture supports the ability of the institution to operate consistently within its risk appetite, identifies any desirable changes to the risk culture and ensures the institution takes steps to address those changes'.

The original version of this obligation was much more demanding. The original version required the board to ensure that 'a sound risk management culture is established and maintained throughout the institution'. Many thought that this was unacceptable and so APRA produced the less demanding version of the obligation set out in the previous paragraph.

But the final version of the obligation still requires the board to identify and assess the institution's risk culture. Without doing so, it would be difficult for the board to form a view about risk culture or to identify any desirable changes. It is this need to identify and assess the institution's risk culture that makes APRA's information paper so interesting.

Defining risk culture

In its paper, APRA does provide some commentary concerning the definition of risk culture, although without positively adopting any particular concise definition. What one takes away from the commentary is that risk culture involves 'a system of shared values', 'norms' and 'traditions of behaviour'. Now, these sorts of things are self-evidently not easy to identify. APRA accepts as much. It notes that various sets of shared norms and behaviours may exist within a single organisation. It acknowledges that this adds 'additional complexity' to the task of understanding risk culture,

since it necessitates consideration of how varying norms and behaviours within parts of an organisation interact with each other and impact the way in which the organisation as a whole perceives and manages risks.

The reader also learns that the 'informal' elements of an organisation's risk culture are 'important' but 'difficult to observe and assess'. The director of a bank or insurer might be inclined to agree.

Assessing risk culture

APRA observes that, given 'the relatively recent focus on risk culture', most prudential supervisors 'have yet to publicly state how they assess risk culture'. A director might well ask, if the regulator is not prepared to state how risk culture is to be assessed, why am I subject to a personal legislative obligation concerning risk culture?

The exceptions are the PRA in the UK and the DNB in the Netherlands. It seems the Dutch are leading the pack here. They have roped in organisational and social psychologists. By extension, the board of a bank or insurer might consider engaging consultants with those qualifications to assist the board with the difficult task of identifying the institution's risk culture.
According to APRA's paper, senior executives and boards are critical to an organisation's risk culture because they set the 'tone from the top'. In relation to senior executives, APRA said:

Institutions noted the direct impacts on behaviour and risk culture where there were disconnects – both real and perceived – between stated values and actual behaviours. Employees were seen to be particularly aware of instances of 'do as I say, not as I do'.

The last sentence struck me as ambiguous. It could be suggesting that employees are perceptive and are dispirited by the 'disconnects' they see. Or it could be suggesting that employees are crafty and will take the 'disconnects' they see as a licence to engage in misconduct. Or it could be both.

In relation to boards, APRA said it is 'critical that the (implicit and explicit) messages from directors about what behaviours are important are consistent with those emanating from senior executives'. This makes sense, assuming the senior executives are sending the right messages in the first place, free of 'disconnects'.

Others are not up to my standards

Perhaps it is human nature to think that we do things a little better than others. It seems this is no less true in respect of risk culture. APRA included the following gem in its paper:

Despite the recognised challenge in gaining insight into risk culture, institutions consistently asserted to APRA that their risk cultures were broadly 'good' or 'strong'. Institutions did, however, acknowledge that risk culture was an issue within their industry. This view that any problems lay elsewhere suggests the need for a deeper analysis and understanding of risk culture across the entire financial sector.

This appeared under a heading that included the word 'insight'.

The decoding process

APRA is at pains to emphasise that it will not 'impose a common risk culture across prudentially-regulated entities' or prescribe the specific characteristics of a 'good' risk culture. However, APRA is also at pains to emphasise that it will apply 'greater supervisory focus' to institutions that are either 'unwilling or unable to address behaviours which are inconsistent with prudent risk management'. A plausible interpretation of these and a number of other similar statements would be: 'We won't tell you what to do, but if we don't like what we see, there will be serious consequences for you'.

What next?

APRA wants to 'maintain the prominence of risk culture within regulated institutions'. In that respect, publishing the information paper and establishing a 'dedicated Governance, Culture and Remuneration risk specialist team' at APRA are ends in themselves (and by writing about risk culture I suppose I am helping APRA achieve its goal).

APRA also flags conducting 'pilot on-site reviews at individual institutions focussing specifically on risk culture'. Finally, it flags extending the risk culture obligations that currently apply in the banking and insurance sectors to the superannuation sector.

Risk culture does indeed remain 'an evolving area of supervisory practice'.

