Australian regulator responds to scrutiny with revamped risk framework

Australia’s prudential regulator has introduced a fresh supervisory framework to include non-financial risks for banks, a year after the government released a report calling for the body to “reset” its regulatory approach.

The Australian Prudential Regulation Authority (APRA) announced in a letter to the industry on 6 October that it would begin using its new system this month.

APRA says its new Supervision Risk and Intensity (SRI) model allows it to rate banks on issues such as governance, culture, remuneration and accountability. It will also take into account risks posed by cybersecurity breaches.

According to the new framework, APRA will look at whether banks’ governance structures and processes are aptly designed to “inform prudent decisions and actions” by their boards and senior management.

It will also analyse whether a financial institution’s risk culture encourages it to operate within its risk appetite and whether its remuneration framework articulates what the entity values and the behaviours and outcomes it rewards. It also investigates whether there are clear accountabilities to “to empower groups and individuals to perform their role.”

The SRI model replaces the Probability and Impact Rating System (PAIRS) and Supervisory Oversight and Response System (SOARS) models that have been in operation since 2002, but which had faced intensifying scrutiny, including a government review last year led by Greenhill Caliburn managing director Graeme Samuel AC.

The introduction of new risk framework comes after the compatibility report emerging from that review in July 2019 that said the regulator’s “culture and regulatory approach needs a reset.”

“It also needs to be innovative in building its capability — both greater internal capability and use of external resources to complement that,” the report said.

The IMF also released a country report on Australia in February 2019 detailing several areas in which the PAIRS and SOARS framework could improve, such as putting more importance on assessing a bank’s board and senior management.

“APRA should review the PAIRS process and determine if it remains appropriate and well calibrated for their current supervision program, which has evolved significantly since the introduction of the PAIRS,” the IMF report said.

In December the regulator announced it had been working on the new prudential risk rating system to replace the legacy frameworks.

APRA said it had been studying prudential regulators in its peer jurisdictions, looking at “different supervision models and identifying good practice.” It said it began a review of its “entire supervision model,” which includes the frameworks, processes, systems, tools and employees, in early 2019.

Announcing the new model, APRA chair Wayne Byres said that while the PAIRS and SOARS frameworks served APRA well for almost two decades, “the level and nature of prudential risks has evolved”.

He said that APRA needs to “increase its scrutiny” of governance, culture, remuneration and accountability issues, and address new and emerging risks such as cyber-security.

“The new SRI Model is more contemporary and sophisticated than its predecessor. The model includes a degree of tailoring to each individual sector, and its greater flexibility will help APRA respond to changes in the risk environment, such as those posed by the current pandemic,” he added.

The SRI model is built on tiering, risk assessment and staging as its three chief components.

An entity’s tier reflects the potential impact that its failure, imprudent behaviour or disruptions to its operations could have on financial stability, economic activity and the welfare of the Australian community.

The regulator says its risk assessment component is based on the rating of key risk categories that provides a consistent approach for assessing an entity’s overall risk profile. According to APRA, the revamped framework allows it to “incorporate industry nuances and provides flexibility for capturing emerging risks.”

Once APRA has ranked supervised entities based on their level of risk, it assigns one of five stages of “supervisory intensity” to each entity. The stages include routine supervision, heightened supervision, escalated action, formal remediation and resolution.

APRA says it will conduct new assessments on a confidential basis before communicating the result to relevant entities. The SRI model is expected to be fully adopted by June 2021.

Get unlimited access to all Global Banking Regulation Review content