Insight

Insights from APRA's latest risk culture survey

By:
Isabella Quant
On 10 November, APRA released the results of its latest risk culture survey in an Insight, “No room for complacency on bank risk culture”. The survey was rolled out to 18 ADIs in late 2021, including the five largest and 13 smaller ADIs, and all employees of those ADIs were invited to participate. This is the second such survey completed by APRA.

APRA’s analysis included matters for ADIs to consider; however, in our experience these could equally be applied to insurers and Registrable Superannuation Entity Licensees (RSELs). Below are the points for consideration noted by APRA, together with guidance on potential root causes based on our experience working with regulated entities of all sizes across all financial services industries.

APRA Insight 1: Executives are overconfident regarding their entity’s risk management capabilities

The survey indicated that Executives may be more confident than legal and Line 2 risk management regarding:

  • Sufficiency of risk resourcing
  • Effectiveness of risk governance and controls

How can Executives ensure that the voice of risk is sufficiently heard and acted upon?

This can be interpreted as not necessarily making the voice of Line 2 stronger, but the voice of risk being more consistent across the entity, facilitated by Line 2.

This disconnect between the Executive, the Board and Line 2 is not uncommon, and can be related both to the way that Line 2 engage with Line 1 risk owners and also the nature and depth of risk reporting that is presented to the Board and Executive.

Risk reporting to the Board should come from both Line 1 and Line 2. If there is a disconnect in messaging, the Board must explore why. We often observe Boards that are drowning in risk data, but receive very little insightful commentary or analysis. Trends in risk ratings can be as important as the risk rating itself because trends can be a leading indicator. Fewer, targeted KPIs may relay more insights than many data points. More operational data points should still be monitored by Line 1; however, these can be accumulated up to a more strategic KPI that is reported to the Board.

One other factor that is particularly prevalent in mutual or member-owned entities (although not solely) is appropriately balancing member or other stakeholder representation on the Board with Non-Executive and Executive Directors who bring industry experience. A Board’s capacity to ask probing questions, provide suggestions about the type and detail of information it needs to receive, and recognise when it is only receiving “good news” will be greater when its members have a range of experience and when succession and tenure align with principles of good governance.

APRA Insight 2: Risk management practices vary widely

How will Executives ensure that risk management practices are appropriately supported (budget, systems, skills, capacity) to evolve and mature, thereby improving the way risks are managed?

In many respects, this insight is linked to the previous one. It is aligned to ensuring that Line 1 have the capability and capacity to own and manage their risks, and that Line 2 can facilitate and uplift this.

It is difficult for an entity to increase its risk maturity if risk management is undertaken solely by Line 2. Whilst it is necessary for Line 2 to build and maintain the risk infrastructure, it must be designed and embedded in such a way that Line 1 can own their risks and management of these. By doing this, Line 2 can transition to a facilitation, review and challenge role to support the consistent embedment of risk management across the entity, and to enable a move towards the target level of risk maturity. It is far more effective for non-financial risks such as operational risk to be managed at the point where the risk occurs.

In our recent article on managing operational risk, we noted some of the elements necessary for successfully managing operational risk, including an easy-to-use risk MIS and a streamlined risk taxonomy. Many of these can be applied across all risk categories and at the enterprise risk framework level. These elements are necessary so that risks can be managed consistently and transparently across an entity and at the point at which they arise.

Effective Line 1 risk resourcing is as critical as a strong Line 2. If an entity is resource constrained, particularly once the risk infrastructure is developed, risk resources should be balanced across Line 1 and Line 2.

APRA Insight 3: Executives are prone to blind spots

Employees need a psychologically safe environment and their willingness to speak up to be supported.

Declining levels of psychological safety among different levels within an organisation is a commonly observed trend. How can Executives encourage people across the organisation to speak up?

Employees should not be penalised for raising issues; they must feel safe to do so. Unrealistic key performance and risk indicators that specify the number of issues permitted to occur, or where that number is zero, may discourage employees from raising issues for fear of not meeting their KPIs. More appropriate KPIs refer to “not knowingly breaching” or set targets regarding the length of time taken to identify an issue.

In addition to training, messaging from leaders to employees must consistently communicate the advantage of reporting issues and the importance of treating the root causes.

Measures such as the number of calls to the whistle-blower hotline or usage of EAP services are important indicators of risk culture.

APRA Insight 4: Risk management roles and responsibilities require further clarity

How are Executives ensuring that risk management expectations are clearly communicated and implemented throughout the organisation? How are the risk management responsibilities and accountabilities that are cascaded through the entity monitored and reported?

Risk management KPIs must form part of the broader performance management framework. These KPIs must be cascaded from the CEO throughout the entity and be adjusted as appropriate for each level within the entity. This supports a culture of “everyone is accountable.”

Consistency is critical. KPIs must be aligned to the Code of Conduct, risk appetite, delegations, and the overall culture. Information regarding the status of KPIs and any remediation necessary should not just be communicated to the Board but throughout the entity.

It is not necessary for employees at all levels to have a detailed knowledge of the risk appetite. They do however require knowledge of the policies and delegations that govern their day-to-day work, the importance of these and the consequences of non-compliance. These policies and delegations must align with the risk appetite.

APRA Insight 5: Executives and individual contributors experience decision-making and constructive challenge differently

How can an entity promote an environment in which individual contributors feel able to constructively challenge decisions?

Clearly defined and well understood delegated authorities are an important way to empower team members. They must however be aligned to the capacity and capability of an individual and their role description. Employees must also understand where to escalate decisions that fall outside their authority.

Constructive challenge requires cultivation. It isn’t something that regulatory frameworks, policies or procedures can build. There is a requirement for leaders to promote a culture of openness, debate and challenge and to facilitate diverse viewpoints from all parts of the organisation.

Where decision-making is too concentrated, or team members don’t believe that they are able to constructively challenge leaders’ decisions, team members will not feel empowered.

Grant Thornton is available to support you to review and refresh your risk culture and overall risk management framework.