Identifying risk appetite to drive better business outcomes

Insights from Sean Hughes, Chief Risk and Legal Officer, UniSuper

www.financeriskculture.com.au

Managing and mitigating conduct risk continues to be one of the highest regulatory priorities in the Australian financial services sector, with regulators turning their attention and resources to the behaviour of firms and how they conduct their business. Already a number of companies have been fined over $15 million for giving clients bad advice, as APRA, ASIC and the FCA continue to crack down on institutional misconduct.

As a result, it has never been more important for financial services firms to define what conduct risk means in the context of their own business, and to determine how to manage, alleviate and report appropriately on it.

For many companies, this involves identifying their organisation’s risk appetite – the amount and type of risk they are willing to take on in order to meet strategic objectives.

While risk appetite is widely acknowledged as a core component of an enterprise risk management framework, what it takes to establish risk appetite and how it can be used as a tool to drive business performance is still widely debated.

Ahead of Risk Culture and Regulation in Financial Services 2015, Sean Hughes, Chief Risk and Legal Officer at UniSuper, explores what ‘risk appetite’ actually means in financial services and how UniSuper is using it as a tool not only to improve business performance, but also to effectively mitigate conduct risk in the current regulatory environment.

What does ‘risk appetite’ mean in financial services?

“‘Risk appetite’ is both the level and the type of risk that a financial services company is able to assume in its business activities. It is very closely aligned to managing business objectives and obligations to stakeholders – whether they are shareholders, customers, regulators or other government authorities. It is important to note that ‘risk appetite’ is different from ‘risk tolerance’. To some extent, the two sit together, but they play interdependent roles. ‘Risk tolerance’ is the maximum level and type of risk a firm can operate at within the constraints of its capital and its obligations to its stakeholders. ‘Risk tolerance’ is the outer limit of acceptable risk-taking and ‘risk appetite’ is the level of risk an organisation is comfortable taking. In normal business speak it is understandable that sometimes the two definitions are merged and some organisations think of them as almost identical. But those who work in risk and regulation have to understand there is a difference between the two. Under APRA requirements an organisation has to have a risk appetite statement, which has to be refreshed on a regular basis.”

Using ‘risk appetite’ as a tool to improve business performance

“In July 2014, UniSuper set about reorganising its risk functions, bringing together various disparate parts of governance functions within the organisation. We asked ourselves – and the Board – do we have a good enough handle on our risk management capability?


Traditionally, financial services companies have tended to focus on risk as a threat or an obstacle. Our aim was to rephrase the question and look at risk not as something to just be concerned about, or something that needed to be controlled or managed, but also to see risk as an upside and a way to secure competitive advantage. When risk is looked at through both lenses, it creates new opportunities for the existing risk framework and organisational resources.

For example, at the beginning of this year I reorganised my team and created business partners for all of our major operating divisions. As a result, we now operate the line two risk management function in two ways: we have co-located business partner teams who sit alongside their business clients and support them in the provision of risk and legal services. We then have a central core governance area that provides independent assurance to the Board and the Audit, Risk and Compliance Committee that the risk management framework is operating effectively, and that breaches, incidents and issues are being addressed appropriately.

By setting up our risk management framework this way, we are able to take a 360 degree view of risk. Our organisation views risk in the traditional sense (of challenges and threats), but we can also see where we are not taking enough risk. It gives us the ability to question whether or not we are being too conservative or risk averse and if there are steps we can take that will ultimately allow us to provide better services to our members.”

Getting the balance right: taking on the right amount of risk

“Earlier this year the Executive Leadership team, the Audit, Risk and Compliance Committee and the Board took our existing risk heat map – which plots key material risks for the organisation – and questioned if it was giving us an accurate depiction of the risks we actually cared about as an organisation. After those sessions, we discarded our previous approach and decided to do something innovative by changing our risk profile model. Instead, we have now adopted a radar map to plot our risks – the closer we get to the centre of the map, the more acute those risks are to the organisation.

We had also previously listed 12 key priority risks for the organisation. In order to ensure we were getting the balance right, we reconsidered each of those 12 risks and we came up with revisions to them. Some we removed altogether, while others were re-phrased. We re-plotted them by testing and challenging them at each level of the organisation and then finding the right place to position them on our radar map. We’re now in the process of talking to each of our business units and identifying the risk appetite for each of those risks, depending on what level of threat they pose to the organisation.


The great thing about these conversations is that they are led by each of the business units. It is the business leaders who are stipulating each type and level of risk. Under the old model it was the risk executive who owned all the risks; under the new model it is the business units and their employees who own the risks, which is a step in the right direction.”

Managing conduct risk: it’s not about ‘ticking all the boxes’

“Conduct risk is a theme that runs through many of the risks our organisation is addressing. Conduct risk has been around for a long time and it describes the ‘how’ rather than the ‘what’, which is not something the industry has traditionally focused on when it came to managing misconduct. Conduct risk is more around describing the way in which we behave and manage our commitments to stakeholders, customers, employees or third parties. I don’t believe it is a risk in and of itself that has suddenly been invented in the post-GFC environment. During the financial crisis over the past decade, the industry has seen some aberrant and inappropriate behaviour, some of which was driven by short term thinking, and some of which was driven by misalignment around incentives. But at the end of the day it came down to behaviour, ethics and culture, more so than it being a unique badly performing risk in and of itself.

As a result, it is important for organisations to establish an appropriate risk culture – which is not about sending employees on a compulsory ethics training course simply to tick boxes. That is not an effective way to manage conduct risk. Managing conduct risk goes back to the very beginning of when an employee joins an organisation. It’s the criteria applied to appoint them – are we appointing someone because we know they will be great at driving sales at all costs? Or are we appointing people because we have satisfied ourselves they will have a strong focus on customer service and will do the right thing by their customers? From day one when that employee comes on board, the way in which they’re encouraged to learn about the policies and procedures of the organisation, how they are rewarded and incentivised to put the customer above everything else, and the leadership they observe and experience, are all some of the tangible steps an organisation can take to encourage a strong culture around good behaviour and ethics.

Another powerful tool for cementing a strong risk culture is performance management. If managers focus on the bottom line aspect of employee performance and reward solely on numbers and not on behaviour, this is likely to drive the wrong set of outcomes as well. Equally, when there are employees who may have generated great financial results, but did so at a cost to the organisation, there has to be a consequence. Employees cannot be rewarded for doing wrong and breaching compliance simply because they generated good dollar outcomes.”



Complying with new regulations

In an Australian context, where we largely deal with principles-based regulation rather than prescriptive regulatory requirements, it is important for people in my position to peel back the layers and question: what is it the regulator or government wants to achieve? What is the outcome they want? This makes it easier to create a business case for establishing new regulatory requirements as part of a business process re-design. Having been in both business leadership roles as well as having established and then led regulatory agencies, I can understand how tough it is for businesses to deal with an ever increasing avalanche of new regulatory requirements, while at the same time keeping their costs flat and driving increased profitability. It’s a far greater challenge than it was 10 to 15 years ago and the heavy demands of regulation are not going to go away. The approach UniSuper is taking is to try to implement new regulatory requirements as seamlessly as possible by weaving them into existing business processes and then improving those processes from there.

If the ‘big stick’ approach to regulatory implementation is taken, inevitably there are going to be failures that will be overwhelming for many staff. It’s important to consider to what extent each new requirement will change your existing way of doing business. It is a lot easier to then weave these changes into your existing business models and processes, which in turn will make it easier to adapt. When it comes to complying with regulation, it is important to take a ‘business as usual’ approach, and demonstrate to staff what the end benefit is for not only them as individuals, but for the entire organisation. Some organisations waste valuable time and resources complaining about or seeking to work around regulations, rather than just getting on and dealing with them as a part of doing business.

To learn more about the strategies needed to effectively identify risk appetite in your own organisation, join Sean Hughes at Risk Culture and Regulation in Financial Services 2015.

For more information visit www.financeriskculture.com.au or call +61 2 9229 1000 or email [email protected]