An undercurrent of concern has emerged in recent years that the reality of a Director’s role does not match the expectations of regulators and the public.
Particularly illustrative of this has been the release this month of an “Aid for Directors” by the Australian Prudential Regulation Authority (APRA), clarifying what it expects Directors to do in order to minimise risk and promote financial soundness.
Such clarifications had become necessary after APRA released a package of standards and guidelines – APRA Prudential Standard CPS 220 Risk Management (CPS 220), APRA Prudential Standard CPS 510 Governance (CPS 510) and draft APRA Prudential Practice Guide CPG 220 Risk Management (CPG 220) – that Directors and the industry felt muddled the responsibilities of management and the Board.
The Australian Institute of Company Directors (AICD) lodged a strongly worded submission on the package in March, stating that “APRA seems to see Boards as having a hands-on role in company affairs, akin to that of management.”
The use of the word “ensures” appeared to be a particular sticking point for many parties, with the Australian Bankers’ Association stating in its submission that this word implied managerial ownership of risk management by the Board, despite APRA’s assurance to industry that such ownership was not APRA’s intention.
The AICD underlined that Boards and Directors cannot be so closely involved in an organisation that they themselves are able to ensure nothing will go wrong. To do so, they would have to become full-time employees, which would undermine their objectivity.
Changes in wording have now been made to CPS 220, and the word “ensures” has been provided with a revised definition to match APRA’s stated intent. When used in relation to the responsibility of the Board, ensures means “to take all reasonable steps and make all reasonable enquiries as are appropriate for a Board so that the Board can determine, to the best of its knowledge, that the stated matter has been properly addressed”.
In addition, APRA’s Aid for Directors presents a “back to basics” view of how prudential standards function and the Board’s role in upholding them, noting that Board involvement will differ depending on the requirement:
The prudential standards will sometimes set down quite particular responsibilities for the Board. For example, the Board may be assigned specific responsibility for a matter. This means that the Board is expected to be ultimately and finally accountable, and to remain in a position so as to be able to justify the actions and decisions of the institution in relation to that matter.
In other cases, the standards may require the Board to ensure that a particular matter is addressed or action taken. This means that the Board should take all reasonable steps and make all appropriate enquiries so that the Board can determine, to the best of its knowledge, that the stated matter has been properly addressed.
At other times, the standards may provide for the Board to set, approve or review a policy or oversee particular work undertaken by management.
The Aid also provides a high-level overview of what APRA expects of the Board in terms of risk management:
The prudential standards make it clear that the Board must oversee, and is ultimately responsible for, the establishment and maintenance of an effective risk management framework. The Board is expected to provide clear direction and leadership for the institution in its approach to risk management. Amongst other things, this includes setting a clearly articulated risk appetite so that the boundaries within which management may operate are clear. It also involves overseeing the implementation and ongoing operation of a robust and effective risk management strategy that seeks to ensure the institution remains within that appetite.
No control framework will be truly effective if an institution’s culture is not appropriately aligned to it. The Board therefore has a very important task in this respect: it needs to form a view of the risk culture in the institution, and the extent to which that culture supports the ability of the institution to operate consistently within its risk appetite, identify any desirable changes to the risk culture and ensure the institution takes steps to address those changes.
The clarifications will no doubt be welcome to Directors, but the fact remains that they needed to be made in the first place. It is necessary that regulators and industry alike keep in mind what the purpose of a Board of Directors is, and act accordingly.
Submissions are sought on the CPS 220 changes by 4 November.