Federal Budget 2024 - How will this impact your business? Read the latest insights
APRA’s analysis included matters for ADIs to consider, however in our experience these could equally be applied to insurers and Registerable Superannuation Entity Licences (RSELs). Below are points for consideration noted by APRA and guidance on potential root causes based on our experience working with regulated entities of all sizes across all financial services industries.
The survey indicated that Executives may be more confident than legal and Line 2 risk management regarding:
This can be interpreted as not necessarily making the voice of Line 2 stronger, but the voice of risk being more consistent across the entity, facilitated by Line 2.
This disconnect between the Executive, the Board and Line 2 is not uncommon, and can be related both to the way that Line 2 engage with Line 1 risk owners and also the nature and depth of risk reporting that is presented to the Board and Executive.
Risk reporting to the Board should come from both Line 1 and Line 2. If there is a disconnect in messaging, the Board must explore why. We often observe Boards that are drowning in risk data, but receive very little insightful commentary or analysis. Trends in risk ratings can be as important as the risk rating itself because trends can be a leading indicator. Fewer, targeted KPIs may relay more insights than many data points. More operational data points should still be monitored by Line 1; however, these can be accumulated up to a more strategic KPI that is reported to the Board.
One other factor that is particularly prevalent in mutual or member-owned entities (although not solely), is appropriately balancing member or other stakeholder representation on the Board with Non-Executive and Executive Directors that bring industry experience. A Boards’ capacity to ask probing questions, provide suggestions about the type and detail of information they need to receive, and recognise when they are only receiving “good news” will be greater when have a range of experience and succession and tenure aligns with principles of good governance.
In many respects, this insight is linked to the previous one. It is aligned to ensuring that Line 1 have the capability and capacity to own and manage their risks, and that Line 2 can facilitate and uplift this.
It is difficult for an entity to increase its risk maturity if risk management is undertaken solely by Line 2. Whilst it is necessary for Line 2 to build and maintain the risk infrastructure, it must be designed and embedded in such a way that Line 1 can own their risks and management of these. By doing this, Line 2 can transition to a facilitation, review and challenge role to support the consistent embedment of risk management across the entity, and to enable a move towards the target level of risk maturity. It is far more effective for non-financial risks such as operational risk to be managed at the point where the risk occurs.
In our recent article on managing operational risk, we noted some of the elements necessary for successfully managing operational risk including an easy-to-use risk MIS and a streamlined risk taxonomy. Many of these can be applied across all risk categories and at the enterprise risk framework level. These elements are necessary so that risk can be managed consistently and transparently across an entity and at the point that they arise.
Effective Line 1 risk resource is as critical as a strong Line 2. If an entity is resource constrained, particularly once the risk infrastructure is developed, risk resources should be balanced across Line 1 and Line 2.
Employees need a psychologically safe environment and their willingness to speak up to be supported.
Employees should not be penalised for raising issues; they must feel safe to do so. Unrealistic key performance and risk indicators that specify the number of issues permitted to occur, or where that number is zero, may discourage employees from raising issues for fear of not meeting their KPIs. More appropriate KPIs refer to “not knowingly breaching” or set targets regarding the length of time taken to identify an issue.
In addition to training, messaging from leaders to employees must consistently communicate the advantage of reporting issues and the importance of treating the root causes.
Indicators such as the number of calls to the whistle-blower hotline or usage of EAP services are important indicators of risk culture.
Risk management KPIs must form part of the broader performance management framework. These KPIs must be cascaded from the CEO throughout the entity and be adjusted as appropriate for each level within the entity. This supports a culture of “everyone is accountable.”
Consistency is critical. KPIs must be aligned to the Code of Conduct, risk appetite, delegations, and the overall culture. Information regarding the status of KPIs and any remediation necessary should not just be communicated to the Board but throughout the entity.
It is not necessary for employees at all levels to have a detailed knowledge of the risk appetite. They do however require knowledge of the policies and delegations that govern their day-to-day work, the importance of these and the consequences of non-compliance. These policies and delegations must align with the risk appetite.
Clearly defined and well understood delegated authorities are an important way to empower team members. They must however be aligned to the capacity and capability of an individual and their role description. Employees must also understand where to escalate decisions that fall outside their authority.
Constructive challenge requires cultivation. It isn’t something that regulatory frameworks, policies or procedures can build. There is a requirement for leaders to promote a culture of openness, debate and challenge and to facilitate diverse viewpoints from all parts of the organisation.
Where decision-making is too concentrated, or team members don’t believe that they are able to constructively challenge leaders decisions, team members will not feel empowered.
Grant Thornton is available to support you to review and refresh your risk culture and overall risk management framework.
Grant Thornton uses cookies to monitor the performance of this website and improve user experience. If you are happy to accept cookies from this site, please check the box. To find out more about cookies, what they are and how we use them, please see our privacy notice, which also provides information on how to delete cookies from your hard drive.
