Taking Risk Management to the next level
The APRA report of the prudential inquiry in the Commonwealth Bank of Australia (CBA) was issued on 1 May 2018 https://www.apra.gov.au/media-centre/media-releases/apra-releases-cba-prudential-inquiry-final-report-accepts-eu. On the following day, I was flying from Sydney to Perth and downloaded the report to "skim" read the key points on the flight.
I began reading on take-off and on landing 4 hours later, had completed the full 111 pages. I could not put it down.
Rather than a negative feeling of what we are doing wrong, I saw instead a rich source of information that we can use to take risk management to the next level.
On page 5, the report states:
"The Report that follows may read as a long catalogue of shortcomings. That would be too narrow a read. The Panel acknowledges the undoubted financial strength and acumen of the CBA, its global standing, and the avowed commitment of staff to servicing customers. CBA needs to translate this financial strength and good intent into better meeting the community’s needs and the standards expected of a systemically important bank in Australia. The Report is a roadmap for this journey."
It is also clear that many other financial institutions accept that they could change the name "CBA" on this report to their own and it would be equally as valid. At Protecht, we see this as a must-read for anyone serious about taking their risk management to the next level. It is, as APRA states, "a valuable roadmap".
The following is a summary of the main lessons we can learn from the report, and also the main themes that run through the report.
Many of these lessons and themes will be subject to separate blogs over the next few months where we will explore the them in greater detail and importantly what is practically required to implement the learnings.
Subscribe now to the Risk Management Insights Blog and don't miss out.
Key topics and lessons
The APRA report is broken down into 3 main sections covering Governance, Accountability and Culture and these sections are further divided into 8 key topics.
These are noted in the table below with the key lessons identified from each:
1. Role of the Board
- Trust in executive management must be backed up by checking and challenging and holding management to account. "Don’t tell me, show me".
- The Board needs visibility and must be seen to be active and urgent on risk matters to provide the correct tone at the top.
- Board and committees must receive appropriate risk reports with relevant metrics including information on customer complaints.
- There must be strong communication and reporting between the Audit, Risk and Remuneration Committees.
- Management must communicate to the board with candour and communicate both bad and good news equally.
- Risk Management must be dealt with by the board early in meetings and with sufficient time allotted.
- The board and committees should review and challenge outstanding and overdue audit items and key actions and any extension of close dates on them.
- Line Management should be called upon to present directly to committees and the board on material risk matters.
2. Senior Leadership Oversight
- The executive committee must have collective accountability for the management of the whole company or group.
- Risk data must be able to be aggregated and viewed across business lines so as to be able to identify emerging and/or systemic risks.
- Non-financial risks (Operational and Compliance) must be given equal voice to financial risks. This includes having a committee dedicated to non-financial risk management.
- There should be a clear set of minimum standards for risk management across the business.
3. Risk Management and Compliance
- The business (Line 1) must have ownership of its risks and ownership of the related risk management.
- The independent risk management function (Line 2) should not be doing any of Line 1’s work for them.
- The voice of risk management from operational risk management and compliance must be strong. This requires strong challenge from Line 2 risk management and adequate skills to be able to carry this out.
- The Chief Risk Officer and Line 2 risk management must be adequately independent so that they can effectively challenge the business and management.
- Risk Management metrics should be leading and focus on the risk profile of the organisation rather than on the adequate completion of risk management tasks.
- Care should be taken when reporting aggregate risk information in that it may hide important message that are lost in aggregation.
- Risk Management must avoid being process focused, but instead, be outcome focused to ensure the business is not “consumed by process”.
- Risk management effort should be applied proactively and not only when incidents occur in a reactive way.
- There needs to be a strong risk taxonomy (risk libraries) that allow risk to be linked, aggregated and analysed across the business. Read the article: Enterprise Risk Management. Connecting the Dots.
- There needs to be strong risk reporting capabilities using analytics which allow risk aggregation as well as drill down capabilities into important matters.
- The risk system should allow the linking of controls to compliance obligations and more widely the linking of the various parts of risk information. Read blog article "Understanding Compliance Risk".
- Material instances of challenge by Line 2 Risk Management should be formally evidenced and recorded.
- The root causes of risks should be identified and addressed rather than just the risk itself.
- Risk and Compliance staff must receive adequate training to build up capability and expertise to be able to challenge effectively.
- Compliance and Risk Management must have strong voices and be recognised at the appropriate levels including direct access to the Board.
4. Issue Identification and Escalation
- Risk management must have the ability to identify systemic issues and themes across the business through the ability to link risk data across the business.
- Issues must be identified and appropriate actions formulated and most importantly, those actions implemented properly and within agreed timeframes.
- The closing of issues and actions should be taken seriously at every level of the organisation and issue and action status escalated all the way up to the board.
- There must be adequate overview and approval for closing issues and actions to ensure they have been properly closed.
- The closure of issues and actions should not favour short-term fixes but rather look for longer term, more permanent, solutions.
- In terms of customer risk, there should not be sole focus on aggregate customer satisfaction levels but rather the complaints that represent the tail risks.
5. Financial Objectives and Prioritisation
- The objectives of different stakeholders (shareholders, customers etc.) must be balanced. The voice of finance and the voice of customer must be heard equally.
- Short and long-term objectives must be appropriately balanced.
- The voice of risk must be balanced with the voice of reward.
- Decision making should pass the “Can We?” test (Is the decision within compliance requirements and within risk appetite) and the “Should We?” test which weighs up the risks and rewards of all stakeholders and balances them.
- Adequate investment in risk management projects should be done proactively rather than reactively once an incident has occurred.
- Focus should be made on the excessive amount of manual controls and where possible automate them.
- There needs to be a strong and clear sense of responsibility (actions that are personally taken) and accountability (decisions and actions made by their area).
- Excessive collaboration can dilute responsibility and accountability.
- Bonuses linked directly to sales volume and sales targets should be removed.
- Bonuses should be linked to a balance of metrics covering all relevant stakeholders (including customer) and both risk and reward.
- Good intent is not an excuse for poor outcome.
- There should be a range of consequence management options for staff.
- There should be positive reward for good risk behaviours and outcomes as well as negative penalties for poor risk behaviours and outcomes.
- Remuneration and incentives should reflect both individual responsibility outcomes as well as collective accountability outcomes.
- The CRO should provide the Board / Remuneration Committee with a comprehensive report which affects the CEO’s and Executives remuneration based on good / bad risk behaviours and outcomes.
8. Culture and Leadership
- Success can breed complacency. It is good to have a constant state of “chronic unease” which breeds proactivity and pre-emption rather than “chronic ease” which breeds complacency and reactivity.
- Board and executive management must walk the walk and be authentic in risk management especially in relation to the importance of risk management and supporting the challenge culture.
- Time needs to be taken for reflection and introspection when incidents and issues occur so that the real root cause is understood and the true learning is had.
- A process focus on risk management can lead to a feeling that risk management is onerous, complex and time-consuming and is therefore relegated to a low priority administrative task.
- There should be a cultural focus on making decisions for the longer term (strategic) rather than short-term (tactical) decisions.
- It is easy to become focused on the immediacy of the day to day pressures and not have time for a focus on risk and the bigger strategic issues. Avoid a focus on “rectify quickly and move on”.
- There should be a focus on the bigger picture rather than a siloed view that a federated management model can create. The end to end process and related end to end risks should be understood and managed.
- A culture of accepting challenge must be supported rather than challenge being met with defensiveness.
On reading the full report, it became evident that there are a number of key themes that cut across many of the above topics. The key themes identified are:
Trust, Challenge, Accountability, Responsibility and ComplacencyThese are the key elements of culture that can provide either a foundation of rock or sand for an organisation’s risk management.
The voicesThe importance of balancing the various “voices” that need to be listened to and weighed up in all decisions and behaviour. This covers the various stakeholder voices, particular the voices of the shareholder (finance) and the voice of customer but also the voices of reward and risk for each stakeholder.
Risk AppetiteThe role of risk appetite in providing decision makers with the “Can I?” test and the importance of the correct metrics to articulate appetite.
How hungry are you for Risk? Download this practical guide to Risk Appetite.
Decision MakingThe focus on "optimal" decision making through ensuring the various “voices” are listened to and that long-term strategic decisions are not compromised with a tendency to favour short-term quick fix "Band-Aid" tactical decisions.
Issue and Action ManagementThe importance of learning from past mistakes and ensuring that the correct issues and actions are identified through a focus on the root cause rather than the symptoms of the risk. Also, the importance of a strong culture to resolve issues and implement actions in a timely manner.
ReportingThe importance of relevant and timely reporting to the Board, Board Committees and Executive management to highlight key risk issues. Also, the importance of being able to aggregate risk information across the business while still being able to drill down to specific issues that are masked by aggregation. The shared reporting and messaging across the various board committees is also critical to ensure a common unified approach to risk management is achieved.
Risk Management SystemsThe importance of a risks system that can provide the relevant risk information as and when required. The critical elements are the ability to aggregate risks using a common risk taxonomy as well as being able to report those aggregated risks while at the same time ensuring that key information from more granular “tail end” risks are captured and reported.
It is also critical that a strong BI tool allows the identification of risk themes and systemic risks to be identified and reported. Lastly is the importance of being able to link the various parts of risk, such as controls to obligations.
Financial vs. Non-Financial Risk ManagementFor financial institutions this is particularly important as the management of financial risks is usually more mature and reliant on easier statistical quantification. It is important that the more difficult and complex non-financial risks that rely more on qualitative assessment are given equal, if not greater, prominence in the Voice of Risk.
Incentive schemesHumans respond to incentives! You get what you measure! Incentive schemes, in order to drive the right behaviour, need to be based on the balanced scorecard of each stakeholder voice and both risk and reward. The question is how can this be achieved?
Proactive vs Reactive Risk ManagementReactive firefighters are important when an incident occurs but it is way more effective if we can prevent the fire (incident) in the first place. This requires us to understand the root causes of our risks and to apply preventive and early detective controls. We also need a culture where investment is provided for prevention rather than only providing investment to fix things once an incident has occurred. Prevention is better than cure!
Outcome focused vs. process focused risk managementRisk management is conducted through a combination of informal and formal risk management. Formal risk management (the process) should focus primarily on providing: a minimum standard of risk management, an ability to aggregate and report risk information and an audit trail to support accountability and responsibility. The focus of the “process” should be to achieve the right risk management outcome and support the informal process. There is a tendency to focus too much on the process and not enough on the outcome and this causes, death by process, not seeing the wood for the trees and a “tick the box” mentality.
ControlsControls are the major “tool” we have in the business to manage risk at the coal face. They are critical for day to day risk management. Too often, controls are not understood and are not taken seriously enough. Too many controls are manual and are not optimally designed. We often accept critical / key controls working at less than a fully effective level. We need to become more intimate with our controls, improve their design effectiveness and ensure they are operating optimally.
Risk Management Capability and TrainingTraining is my passion as Head of Research and Training at The Protecht Group. This is the “preparing of the mental ground” on which risk management can be sown and cultivated. Many "risks managers" do not have either the technical or behavioural skills to truly be able to review and challenge the risk management and decisions made by the business.
The Big PictureLastly is the "Big Picture". This is overcoming the "siloed" view we often see in risk management where each business unit and risk discipline (WHS, Fraud, ISMS etc.) do their own thing. There is no ability to see risks from an end to end “value chain” perspective or the ability to see systemic issues across the wider business. In addition, incidents and lessons learned are often not shared across the business and we lose the enormous value-add that a big picture view can provide.
Each of these themes will be subject to separate blogs. In the interim, if you would like to know more about how Protecht can take your risk management to the next level through the combination of superb practical risk management training, a leading edge ERM system that addresses the issues noted above, and a hand holding advisory team that can support you in taking your risk management journey to the next level, please:
- Book a demonstration of the Protecht.ERM system.
- Call us for a chat on how we can help you. Phone: +61 (0) 2 9098 5012.