APRA is piloting a risk culture survey, independent cyber security reviews, and a new data collection exercise on technology and cyber risks.
APRA (Australian Prudential Regulation Authority) has identified climate-related risks, GCRA (governance, culture, remuneration and accountability) and cyber security risks as key threats to the financial sector and its long-term strength.
In a speech to the Committee for the Economic Development of Australia, APRA Chair Wayne Byres said climate risks are “increasingly very real, and immediate”.
He pointed to a number of initiatives aimed at helping the financial sector prepare, including a draft prudential practice guide recently released by APRA to help financial institutions better understand and manage the financial risks flowing from climate change.
“The draft guidance responds to climate-related risks that are growing in size and importance,” Byres said. “Financial institutions need to understand where, how and to what extent those risks will impact their business, and consider how they should respond.”
“Importantly, the guidance doesn’t tell banks who to lend to, it doesn’t tell insurers what to insure, and it doesn’t tell superannuation funds where to invest. Those are decisions for financial institutions themselves.”
One of the biggest challenges to understanding the impact of climate change in the financial sector involves the shift from subjective judgements to data-driven analysis, Byres said, noting that the tools and methods for risk analysis are still in their relative infancy. “Not only are the direct impacts difficult to assess, but so are the potential technological and policy responses.”
In this vein, APRA’s current work programme on climate-related financial risks includes a pilot climate vulnerability assessment (CVA). Starting with the five largest banks, the CVA will help measure the potential financial exposure of institutions, the financial system and economy to climate-related risks, and boost understanding of how institutions might adjust their business models in response to different climate scenarios.
APRA’s goal is to better identify and measure the links between climate science and financial risk within the context of existing industry risk assessment frameworks. The regulator is working with the CSIRO (Commonwealth Scientific and Industrial Research Organisation) to see whether it is possible to leverage its expertise in climate change and modelling as part of the CVA pilot.
“This would, when combined with the climate scenarios developed for international use by the Network for Greening the Financial System [NGFS], provide a strong science-based foundation and a degree of international comparability to the analysis,” Byres said.
The results of the CVA are expected later this year, following which the overall outcomes will be published to aid other industry participants and potentially expand the CVA exercise to other parts of the financial system.
To address threats related to GCRA issues, Byres pointed to APRA’s ongoing work on remuneration and risk culture. Specifically, he spoke of a new draft prudential practice guide which he said will aid in the implementation of the new prudential standard on remuneration published last November.
The updated prudential standard reflects a shift from a more prescriptive approach to a more principles-based one, Byres said, adding that this was done in response to industry feedback that the level of prescription created problems for the diversity of institutions.
APRA is also trialling a new approach to examining risk culture, compared to its traditional engagement with financial institutions, which generates views about an organisation’s culture that are “highly judgemental, less than comprehensive, and very difficult to benchmark against others”.
To improve on this, APRA has recently commenced a pilot risk culture survey involving 10 general insurers, comprising questions that explore attitudes and behaviours in relation to risk, and the willingness and capacity to speak up when things aren’t right.
If the pilot proves successful, APRA plans to launch the survey to around 60 institutions across the banking, insurance and superannuation industries from the second half of this year.
“We plan to use the survey to identify themes across the industry that are impacting risk culture, as well as particular institutions that we might want to look at more closely,” Byres said. “For participants, the survey will help them assess their risk culture maturity over time and relative to peers, identify areas where action is needed, and fulfil their obligations under APRA’s standards.”
“Most importantly, we hope the survey will provide important evidence of whether all of the efforts to improve risk culture, within individual institutions as well as across the industry, are having a genuine impact.”
On cyber security risk, Byres noted that APRA’s first prudential standard related to cyber (CPS 234) came into effect in July 2019.
In November last year, APRA unveiled its new Cyber Security Strategy, which focuses on three areas: to establish a baseline of cyber controls; to enable boards and executives of financial institutions to oversee and direct correction of cyber exposures; and to rectify weak links within the broader financial eco-system and supply chain.
Work is now underway to finalise a process of independent cyber security reviews across all APRA-regulated industries, where an initial assessment process with nine pilot entities is nearing completion. The reviews will be followed by a 12-month period where all APRA entities will be asked to conduct independent assessments against CPS 234, Byres said.
APRA is also seeking better information on an ongoing basis, so it is piloting a new data collection exercise on technology and cyber risks. It is also working on a more active cyber defence testing regime, in conjunction with other regulators.
“This involves enlisting specialist expertise to actively probe for gaps and weaknesses in an institution’s cyber defences, using tools and techniques employed by real life adversaries,” Byres said, adding that the pilot exercise is underway and will provide insights into the cyber resilience of individual institutions and systemic weaknesses that may be present.