The APRA report of the prudential inquiry in the Commonwealth Bank of Australia (CBA) was issued on 1 May 2018 https://www.apra.gov.au/media-centre/media-releases/apra-releases-cba-prudential-inquiry-final-report-accepts-eu. On the following day, I was flying from Sydney to Perth and downloaded the report to "skim" read the key points on the flight.
I began reading on take-off and on landing 4 hours later, had completed the full 111 pages. I could not put it down.
Rather than a negative feeling of what we are doing wrong, I saw instead a rich source of information that we can use to take risk management to the next level.
On page 5, the report states:
"The Report that follows may read as a long catalogue of shortcomings. That would be too narrow a read. The Panel acknowledges the undoubted financial strength and acumen of the CBA, its global standing, and the avowed commitment of staff to servicing customers. CBA needs to translate this financial strength and good intent into better meeting the community’s needs and the standards expected of a systemically important bank in Australia. The Report is a roadmap for this journey."
It is also clear that many other financial institutions accept that they could change the name "CBA" on this report to their own and it would be equally as valid. At Protecht, we see this as a must-read for anyone serious about taking their risk management to the next level. It is, as APRA states, "a valuable roadmap".
The following is a summary of the main lessons we can learn from the report, and also the main themes that run through the report.
Many of these lessons and themes will be subject to separate blogs over the next few months where we will explore the them in greater detail and importantly what is practically required to implement the learnings.
Subscribe now to the Risk Management Insights Blog and don't miss out.
The APRA report is broken down into 3 main sections covering Governance, Accountability and Culture and these sections are further divided into 8 key topics.
These are noted in the table below with the key lessons identified from each:
On reading the full report, it became evident that there are a number of key themes that cut across many of the above topics. The key themes identified are:
Trust, Challenge, Accountability, Responsibility and ComplacencyThese are the key elements of culture that can provide either a foundation of rock or sand for an organisation’s risk management.
The voicesThe importance of balancing the various “voices” that need to be listened to and weighed up in all decisions and behaviour. This covers the various stakeholder voices, particular the voices of the shareholder (finance) and the voice of customer but also the voices of reward and risk for each stakeholder.
Risk AppetiteThe role of risk appetite in providing decision makers with the “Can I?” test and the importance of the correct metrics to articulate appetite.
How hungry are you for Risk? Download this practical guide to Risk Appetite.
Decision MakingThe focus on "optimal" decision making through ensuring the various “voices” are listened to and that long-term strategic decisions are not compromised with a tendency to favour short-term quick fix "Band-Aid" tactical decisions.
Issue and Action ManagementThe importance of learning from past mistakes and ensuring that the correct issues and actions are identified through a focus on the root cause rather than the symptoms of the risk. Also, the importance of a strong culture to resolve issues and implement actions in a timely manner.
ReportingThe importance of relevant and timely reporting to the Board, Board Committees and Executive management to highlight key risk issues. Also, the importance of being able to aggregate risk information across the business while still being able to drill down to specific issues that are masked by aggregation. The shared reporting and messaging across the various board committees is also critical to ensure a common unified approach to risk management is achieved.
Risk Management SystemsThe importance of a risks system that can provide the relevant risk information as and when required. The critical elements are the ability to aggregate risks using a common risk taxonomy as well as being able to report those aggregated risks while at the same time ensuring that key information from more granular “tail end” risks are captured and reported.
It is also critical that a strong BI tool allows the identification of risk themes and systemic risks to be identified and reported. Lastly is the importance of being able to link the various parts of risk, such as controls to obligations.
Financial vs. Non-Financial Risk ManagementFor financial institutions this is particularly important as the management of financial risks is usually more mature and reliant on easier statistical quantification. It is important that the more difficult and complex non-financial risks that rely more on qualitative assessment are given equal, if not greater, prominence in the Voice of Risk.
Incentive schemesHumans respond to incentives! You get what you measure! Incentive schemes, in order to drive the right behaviour, need to be based on the balanced scorecard of each stakeholder voice and both risk and reward. The question is how can this be achieved?
Proactive vs Reactive Risk ManagementReactive firefighters are important when an incident occurs but it is way more effective if we can prevent the fire (incident) in the first place. This requires us to understand the root causes of our risks and to apply preventive and early detective controls. We also need a culture where investment is provided for prevention rather than only providing investment to fix things once an incident has occurred. Prevention is better than cure!
Outcome focused vs. process focused risk managementRisk management is conducted through a combination of informal and formal risk management. Formal risk management (the process) should focus primarily on providing: a minimum standard of risk management, an ability to aggregate and report risk information and an audit trail to support accountability and responsibility. The focus of the “process” should be to achieve the right risk management outcome and support the informal process. There is a tendency to focus too much on the process and not enough on the outcome and this causes, death by process, not seeing the wood for the trees and a “tick the box” mentality.
ControlsControls are the major “tool” we have in the business to manage risk at the coal face. They are critical for day to day risk management. Too often, controls are not understood and are not taken seriously enough. Too many controls are manual and are not optimally designed. We often accept critical / key controls working at less than a fully effective level. We need to become more intimate with our controls, improve their design effectiveness and ensure they are operating optimally.
Risk Management Capability and TrainingTraining is my passion as Head of Research and Training at The Protecht Group. This is the “preparing of the mental ground” on which risk management can be sown and cultivated. Many "risks managers" do not have either the technical or behavioural skills to truly be able to review and challenge the risk management and decisions made by the business.
The Big PictureLastly is the "Big Picture". This is overcoming the "siloed" view we often see in risk management where each business unit and risk discipline (WHS, Fraud, ISMS etc.) do their own thing. There is no ability to see risks from an end to end “value chain” perspective or the ability to see systemic issues across the wider business. In addition, incidents and lessons learned are often not shared across the business and we lose the enormous value-add that a big picture view can provide.
Each of these themes will be subject to separate blogs. In the interim, if you would like to know more about how Protecht can take your risk management to the next level through the combination of superb practical risk management training, a leading edge ERM system that addresses the issues noted above, and a hand holding advisory team that can support you in taking your risk management journey to the next level, please:
David Tattam is the Chief Research and Content Officer and co-founder of the Protecht Group. David’s vision is the redefine the way the world thinks about risk and to develop risk management to its rightful place as being a key driver of value creation in each of Protecht’s clients. David is the driving force in driving Protecht’s risk thinking to the frontiers of what is possible in risk management and to support the uplift of people risk capability through training and content.