Common Pitfalls in GL20 Compliance and How to Overcome Them

Let’s be honest – when GL20 landed on insurers’ desks, many risk teams felt like they’d been handed a 500-piece jigsaw puzzle… with half the pieces missing. APRA’s governance standard isn’t just another compliance exercise – it’s fundamentally reshaping how insurers demonstrate risk maturity. Yet, three years on, 30% of insurers still struggle with material deficiencies in their frameworks (APRA, 2023).

Understanding GL20 

GL20, or “Governance and Risk Management Requirements,” outlines expectations from regulatory bodies (like APRA in Australia) on how insurers should structure their governance frameworks, manage risks, and demonstrate accountability.

The aim is to ensure that insurers:

• Have a robust and responsive risk management framework.
• Maintain transparent governance structures.
• Comply with operational and financial standards that protect consumers and markets.

But the subjective nature of GL20 leaves plenty of room for interpretation and, therefore, misinterpretation.

Why GL20 Feels Like Moving Goalposts

The standard’s principles-based approach is both its strength and frustration. Unlike prescriptive rules, GL20 says:
“Here’s what good looks like – you figure out how to get there.”

This flexibility becomes problematic when:

• Boards receive vanilla risk reports that don’t support real challenge
• Risk teams drown in manual processes while strategic work piles up
• Auditors can’t trace how decisions align with risk appetite

Common Pitfalls in Achieving GL20 Compliance

1. Underestimating Time and Resources Required

GL20 compliance is not a one-time task. It demands ongoing engagement across departments. Many organisations:

• Understaffed risk and compliance functions.
• Delegate compliance to overstretched teams.
• Relying on manual documentation, which becomes outdated quickly.

According to the Deloitte Global Risk Management Survey (2022), 59% of financial institutions feel underprepared for regulatory inspections despite allocating more budget to compliance. This shows a clear gap between effort and effectiveness.

2. Fragmented Systems and Siloed Reporting

Governance data is often spread across different departments:

• Risk teams use spreadsheets.
• Compliance teams maintain static registers.
• Boards receive disjointed summaries.

This fragmentation creates audit blind spots and inconsistent records, major red flags for APRA.

APRA Insight (2022): Several insurers faced scrutiny for “lack of traceability in Board reporting” and “inconsistent alignment between internal controls and risk frameworks.”

3. Lack of Real-Time Visibility for Boards and Risk Committees

Boards are ultimately accountable under GL20, yet many receive lagging risk indicators or templated reports that don’t reflect live risks. This undermines their ability to demonstrate active oversight and challenge.

RiskCulture Report (2023): APRA noted that Boards that were not receiving timely, decision-useful information were more likely to be subject to capital overlays or supervisory follow-up.

4. Misinterpretation of Principles-Based Expectations

GL20 doesn’t dictate exactly how to meet its requirements. Instead, it outlines what outcomes insurers must achieve. Many organisations:

• Oversimplify compliance by applying templated policies.
• Or overcomplicate it with excessive documentation that lacks substance.

This leads to either under- or over-engineering, both of which fail to satisfy APRA’s expectation for tailored, integrated governance.

5. Inadequate Audit Trails and Governance Evidence

You may be managing risk well—but can you prove it?

GL20 requires detailed records of:

• Board discussions and decision-making rationale.
• Follow-ups on internal audit findings.
• Control changes and their impact on risk appetite.

Without systematic audit trails, you risk falling short—even if actual governance practices are sound.

Consequences of GL20 Non-Compliance

Failing to meet GL20 expectations can result in:

The consequences of falling short on GL20 compliance go far beyond a slap on the wrist. Insurers that fail to meet requirements could face:

1. Regulatory Consequences

• Financial penalties: APRA has demonstrated its willingness to impose substantial fines, with recent cases ranging from 250,000 to 2 million for material breaches
• Increased supervisory oversight: Non-compliant insurers face more frequent examinations and reporting requirements
• Capital implications: APRA may impose additional capital requirements, directly impacting financial flexibility

1. Reputational Impact

• Market confidence: 72% of institutional investors consider governance failures when making investment decisions (Australian Investment Council, 2023)
• Customer trust: 58% of policyholders would reconsider their coverage following governance-related negative publicity (Insurance Council of Australia survey)
• Rating agency scrutiny: S&P and Moody’s now explicitly factor governance effectiveness into ratings assessments

1. Operational Disruption

• Resource allocation: Remediation efforts typically require 3-6 months of dedicated team focus
• Strategic delays: 83% of insurers report postponed initiatives due to compliance remediation (Deloitte Insurance Survey)
• Talent retention: High-performing risk professionals often seek employers with strong governance cultures

1. Strategic Consequences

• M&A implications: Compliance history significantly impacts valuation multiples
• Innovation lag: Organizations addressing governance gaps allocate 40% less to digital transformation
• Market positioning: Compliance leaders outperform peers in customer acquisition costs by 15-20%

How to Overcome GL20 Challenges with AI-Powered Governance Tools

Despite these challenges, innovative insurers are adopting new techniques and technologies to remain ahead of the compliance curve.

Here’s how you can turn obstacles into opportunities—with help from AI and automation.

1. Automate Routine Tasks

Manual compliance activities are time-consuming and error-prone. With an AI-driven solution such as ComplyNexus, you can automate recurrent compliance tasks such as:

• Document collection and validation.
• Risk assessments and control checks.
• Regulatory updates and policy mapping.

This frees up your compliance team to focus on strategic analysis and decision-making.

2. Centralise Your Compliance Framework

ComplyNexus allows you to bring together disparate compliance functions—risk, audit, governance, and policy tracking—into a single platform. This means:

• No more duplicated data or inconsistent reports.
• Real-time visibility into compliance status across departments.
• A clear audit trail for every decision and update.

Centralisation reduces friction and improves communication among stakeholders.

3. Gain Real-Time Regulatory Intelligence

As regulations change daily, it is a task by itself to remain updated. ComplyNexus incorporates real-time regulatory feeds and automatically alerts you to any changes that impact your organisation. Rather than scouring regulatory updates manually, you’re alerted to pertinent changes and provided contextual advice on how to react.

4. Leverage AI for Predictive Risk Management

AI doesn’t just automate tasks—it empowers you to see around corners. ComplyNexus uses machine learning algorithms to:

• Identify emerging risks based on historical data and patterns.
• Suggest proactive mitigation strategies.
• Predict areas of non-compliance before they become liabilities.

This predictive capability can be a game-changer in strengthening your risk management posture.

5. Build a Culture of Continuous Compliance

With intuitive dashboards, auto alerts, and performance monitoring, your team remains on the same page. Compliance becomes a seamless part of your everyday workflow—not an afterthought. By infusing a culture of ongoing compliance, you minimize dependence on quarterly reviews and eleventh-hour rushes.

Compliance is Complex—But It Doesn’t Have to Be Painful

Let’s be candid: GL20 compliance will never be “easy.” But with the right approach, it can be manageable, valuable, and even strategic. The financial strain, technical requirements, and administrative overhead can overwhelm even seasoned compliance teams. But the cost of non-compliance—legal penalties, reputational damage, operational disruption—is far greater.

The key to successful, sustainable compliance lies in leveraging technology that works with your team, not against it.

ComplyNexus empowers insurers to:

• Simplify compliance workflows.
• Automate the manual.
• Stay ahead of regulatory change.
• Cut costs without cutting corners.

Need Help with GL20 Compliance?  

If you’re facing challenges aligning with GL20 or want to ensure your governance framework is audit-ready, we’re here to help.