Posted: 24 May 2019 05 min. read

Embedding Risk Culture

APRA issues a poor report card

APRA’s Self-Assessment of Governance, Accountability and Culture report was scathing of financially regulated institutions’ understanding of their risk culture. 

Key points

APRA asked the 9 banks, 16 insurers and 11 superannuation funds to address three areas: clearly articulate a target risk culture; measure and report it; and understand or evidence progress toward the desired risk culture state. 

Despite the obligations in Prudential Standard 220 Risk Management that came into effect in 2016, many institutions are still unable to articulate a target risk culture.  

It was also clear that institutions have not sufficiently developed their approaches to measuring their risk culture, with a high proportion still relying on their staff surveys to understand it. 

APRA set a clear expectation that institutions should use multiple sources of data to verify their findings, providing examples such as surveys, interviews, focus groups, workshops and risk audits, as well as existing data sources such as customer complaints, to get a rounded view of their culture.  

APRA also found that reporting to the board on risk culture was largely insufficient, with limited efforts to link risk culture to risk appetite.

APRA believes that most institutions’ understanding of risk culture remains immature. 

Institutions have tended to favour formal mechanisms such as systems, data and processes, rather than the behavioural mechanisms of culture, such as communication, leadership and decision-making. 

Companies that were more mature linked purpose, values and culture to risk appetite and demonstrated that they saw the link between culture, remuneration, business models (including the Three Lines of Defence), and effective strategy.  

Where to next?

APRA’s report pushes companies to think more deeply about risk culture. The regulator is asking for greater clarity on the desired risk culture, how organisations are assessing progress, and a more integrated approach that recognises the role of accountabilities and remuneration.

It is no longer enough to think about risk and compliance culture only during root-cause analysis, or to tinker with systems and processes as though that might fix norms and mindsets. 

What decisions are being made and why?

APRA wants institutions to understand why decisions are being made, and what is preventing good decisions. Is it because people don’t want to make good decisions? Or don’t know how to make good risk aware decisions? 

Are leaders directing them to prioritise something else? Is another behaviour being rewarded as better?

Risk culture is about creating the conditions for responsible and risk aware decisions. 

Despite the focus on culture increasing over the last three or four years, the quality of institutions’ self-assessments still falls short of APRA’s bar as the regulator warns of penalties.

What does ‘good’ look like?

A well-embedded and understood risk management framework, with associated policies and controls, coupled with a strong purpose and values, provides the right frame for decision-making within a company. This is the yin and yang of decision-making. 

The framework needs to include risk appetite, supported by clarity on roles and responsibilities for risk (the three lines of defence).

Add to this purpose and values, which allow for an organisational culture where responsible decisions are nurtured. The complexity and burden of too many rules can be relaxed, giving the institution back its agility. 

Given this first poor report card, APRA will adopt a risk-based approach to risk culture reviews across a wide range of institutions. In these reviews, the regulator will connect risk culture to misconduct. 

Each institution will have to ask itself: how does our culture and risk culture affect our ability to deliver our promises to our customers?

Customers experience an organisation through its culture, and will quickly and easily point out where it malfunctions. 

Given that all external stakeholders have a view, maybe it’s time we included them in the assessment? 

A purpose- and values-led organisation, enabled by an effective and meaningful risk management framework, will live and breathe responsible and risk-aware decisions. And that’s gotta be good for all stakeholders. 

It’s the way we do (good) things around here. 

Victoria Whitaker, Deloitte Partner, is an experienced risk advisor focusing on ethics and sustainability.

Meet our author

Victoria Whitaker

Partner, Risk Advisory

Victoria is a partner in Risk Advisory and leads the responsible business practice. Victoria’s work focuses on developing ethical corporations with strong cultures that build trust with external stakeholders. Victoria brings 19 years of expertise in ethics, cultural integrity, and corporate responsibility. Throughout her career, Victoria has helped organisations in Australia and globally understand and address ethical challenges, minimise risks, maintain trust with stakeholders, and reduce social and environmental impacts. Practically, Victoria leads the firm’s practices in the ethics, risk culture and human rights services portfolios. Victoria’s consulting and commercial experience has seen her lead multi-disciplinary teams predominantly servicing financial services, energy & resources, and government, amongst other sectors.