Business Insight

Key insights from APRAs pilot risk culture survey

Insight Hero Image

     What you need to know 

    • APRA has identified a number of focus areas for entities to improve risk culture, including ensuring that responsibilities are clearly identified within an organisation and having appropriate controls in place to manage risks. 
    • The pilot survey was shaped around APRA's Risk Culture 10 dimensions framework, which identifies the key themes relating to risk culture within organisations.
    • The survey is a key initiative that supports APRA's expanded governance, risk culture, remuneration and accountability function (GCRA).
    • APRA intends to use the survey results, along with other supervisory information when assessing a regulated entity's risk culture, noting that this will assist APRA to identify areas of concern.
    • The risk culture survey is intended to be rolled out to up to 60 banking, insurance and superannuation entities over the next 12 months.  In the meantime, APRA will continue to develop it's Risk Culture 10 dimensions categorisation and measurement methodology to verify maturity levels for each.

    What you need to do

    • Consider how to utilise the survey results, including by self-reflecting on the Risk Culture 10 dimensions and considering how these factors would be viewed within your organisation.
    • Assess whether there is value in aligning your risk culture framework to be consistent with the Risk Culture 10 dimensions, or otherwise consider where value can be drawn from the framework to enhance your existing framework.
    • Conduct a deep-dive validation exercise into the maturity level of behaviours, governance, capabilities, communication and accountability.


    On 14 October 2021, APRA introduced an industry-wide risk culture survey, which aims to reinforce, support and assess the work regulated entities are doing to build and maintain an effective risk culture.

    The survey, which has already been piloted with 10 general insurance entities, specifically provides insights from employees on perceived risk behaviours and the effectiveness of the risk management structure within their entities.  This is achieved by providing each employee within an APRA-regulated entity with a series of statements relating to the entity's risk culture and asking these persons to answer whether they agree or disagree with how that statement relates to their entity.

    Over time, the results of the survey are intended to illustrate the extent to which positive changes to risk culture are occurring within individual entities, while they will also provide scope for performance to be benchmarked across relevant industry sectors.

    What is risk culture?

    An entity's "risk culture" refers to its attitudes and behaviours towards risk management, with this to be determined with reference to two factors, being "risk behaviours" and "risk architecture".

    The first of these factors relates to the observable actions and behaviours of individuals and groups within an organisation.  These norms are likely to shape how an entity is able to identify, understand, discuss, escalate and act on any emerging or current risks that may impact the organisation.  On the other hand, risk architecture refers to the formal structures and arrangements that support the management of risks, including an entity's systems, internal policies and procedures, and governance structures.

    A strong risk culture is likely to facilitate better decision-making across an organisation, as it will generally create an environment whereby employees are comfortable speaking up and voicing concerns to those with executive responsibility.  This will in turn lead to better business and customer outcomes for organisations, as heightened risks will be more appropriately managed, or otherwise avoided altogether.

    The Risk Culture 10 Dimensions

    The risk culture survey is relevantly framed around APRA's 'Risk Culture 10 Dimensions' framework, which articulates what APRA considers to be the key aspects of an entity's risk behaviours and risk architecture.  These dimensions are set out in the table below:

    Risk Behaviours
    Risk Architecture
    • Leadership
    • Decision-making and Challenge
    • Communication and Escalation
    • Risk Capabilities
    • Alignment with Purpose and Values
    • Risk Culture Assessment and Board Oversight
    • Risk Appetite and Strategy
    • Risk Governance and Controls
    • Responsibility and Accountability
    • Performance Management and Incentives

    The Risk Culture 10 Dimensions is not a prescriptive framework, in that APRA does not expect entities to adopt it as their own risk culture framework.  Rather, APRA has noted that an entity's risk culture framework should fit its own particular circumstances, including its size and complexity.  APRA's framework will, however, allow an entity to measure, monitor and report on its risk culture in a way that enables it to gauge its performance in the context of entities operating in a similar segment of the industry.

    Key insights from APRA's pilot survey program 

    Noting that the majority of respondents to the pilot survey were employees with no management responsibilities, the results provided APRA with a unique insight into risk culture across these entities.  

    Of particular relevance, the results revealed that the lowest scoring dimensions across the industry were Risk Governance and Controls, Decision-making and Challenge, and Responsibility and Accountability.  The first of these dimensions represents an especially key risk for APRA-regulated entities, as having effective internal policies and governance structures is critical to building a strong risk culture.  APRA noted that the Responsibility and Accountability dimension had the largest variance in responses, indicating that employees within the surveyed entities do not necessarily understand how risks are managed across the three lines of defence.

    The survey also allowed APRA to identify how different business areas within organisations viewed each of the dimensions.  Notably, the areas of Underwriting and Customer Service were revealed to be amongst the lowest scoring.

    An attention check question was included in the survey to identify those persons who were providing thoughtful responses and, by extension, to ensure only reliable data was collected.  If a participant did not pass the attention check question, their responses were excluded from the results.  On average, 20% of employees across the surveyed entities failed the attention check question, which was noted to have been higher than the failure rate in previous risk culture surveys conducted by APRA.

    These results have in turn allowed the surveyed entities to prioritise the specific areas highlighted in their report that may warrant additional focus and to more appropriately allocate resources to ensure that risk management is strengthened across the entire organisation. 

    What APRA will do with the results

    APRA intends to use the survey results, along with other supervisory information including the findings of any reviews or investigations conducted by APRA's Risk Culture team, when assessing an entity's risk culture.  The results will inform the types of assessments and validation processes that APRA is required to undertake in order to form a definitive view as to whether an entity is appropriately managing the risks that are affecting its business. 

    On completion of the above evidence gathering, APRA's frontline supervisors will be able to determine the areas within an organisation that may be preventing the entity from achieving good risk outcomes and the most appropriate supervisory strategy it can adopt to assist in strengthening these areas moving forward.

    Next steps

    APRA plans to roll out the risk culture survey over the next 12 months, starting with the banking industry over Q4 2021, followed by insurance in Q1 2022 and then superannuation in Q2 2022.

    It is intended that the survey questions will be refined over time to ensure that greater reliability and accuracy is achieved, while the analysis and reporting will too be enhanced to assist entities with interpreting their results and implementing solutions to strengthen risk culture.

    Ashurst Risk Advisory Pty Ltd (ABN 74 996 309 133) provide services under the Ashurst Consulting brand. Ashurst Consulting services do not constitute legal services or legal advice, and are not provided by Australian legal practitioners. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services. 

    For more information about the Ashurst Group and the services offered, please visit 

    Liability limited by a scheme approved under Professional Standards Legislation (Ashurst Risk Advisory only).

    Authors: Silvana Wood, Partner; Luke Whitcher, Director(Ashurst Risk Advisory); Elena Lambros, Partner(Ashurst Risk Advisory);  Jack Collins, Associate and Mikaela Wyndham, Specialist(Ashurst Risk Advisory)