Date posted: 26-May-2015
Category: Leadership & Management
Uploaded by: risk-management-institution-of-australasia
Risk Governance, Culture and CPS 220
Susan Campbell
Argyll Pty. Ltd
NATIONAL CONFERENCE & EXHIBITION 2014
Platinum Sponsor
Silver Sponsor
Bronze Sponsor
Risk Manager of the Year Award Sponsor
Conference and Exhibition Partners
Argyll 2
Susan Campbell FCPA F Fin
Director of ARGYLL, risk consulting
Presenter on risk to banks, corporates and government
Specialist in risk management
25 years in finance and business risk
Undertakes risk reviews and consultant to risk committees
Author The Guide to Financial Risk Management and Treasury for Dummies (www.argyll.net.au)
N/E Director, Heritage Bank
Before we proceed …
The information provided in this presentation is of a general nature, and it is not intended to address the circumstances of any particular individual or entity. No one should act on this information without appropriate professional advice after a thorough examination of their particular situation
Overview – purpose
To provide you with a short understanding of the new APRA standard and links to good governance and culture
We will discuss:
APRA Prudential Standard CPS 220
Role of the Board
Policies and procedures
Risk management function
Notification requirements
Ongoing developments
Regulatory push
Why the need for CPS 220?
International
Domestic – 1 January 2015
Statement from G20 Summit, 2008
Risk Management
‘Regulators should develop enhanced guidance to strengthen banks’ risk management practices, in line with international best practices, and … encourage financial firms to re-examine their internal controls and implement strengthened policies for sound risk mgt.
Regulators should develop and implement procedures to ensure that financial firms implement policies to better manage liquidity risk, including creating strong liquidity cushions.
Supervisors should ensure that financial firms develop processes that provide for timely and comprehensive measurement of risk concentrations and large [CP] risk positions across products and geographies.
Bad versus good RM/IC practices
There has been an overwhelming load of bad practice:
RM/IC as objective in itself v. RM/IC to achieve objectives
Auditor/staff driven v. Board/management driven
Rules-based v. Principles-based
Off-the-shelf systems v. Tailor-made
Focus on threats only v. Focus on opportunities too
Mainly hard controls v. Social and human
Artificially implemented v. Organically implemented
Stand-alone / ‘bolted-on’ v. Integrated / ‘built-in’
Source: IMA/IFAC, IMA’s 93rd Annual Conference
Global crisis
The global crisis, according to IMA and IFAC research, was caused by:
Ethical flaws
Governance, RM/IC in name, but not in spirit
Regulatory overload, leading to legalistic compliance
Risk and control systems too narrowly focused, only on financial reporting controls
Source: IMA/IFAC, IMA’s 93rd Annual Conference
Global crisis (cont.)
Conclusions from the crisis:
Organisations should take a broader approach to risk management and internal control
Appropriate application of risk management and IC standards and principles is often the problem
Source: IMA/IFAC, IMA’s 93rd Annual Conference 2012
CPS 220 overview
Covers banks and insurance companies
Development of risk culture
ICAAP and the standard
Risk framework
Risk appetite – CPS 510 Governance
Note: Draft CPG 220 Risk Management
CPS 220 overview (cont.)
Role of the Board
Group risk management
Risk management framework (RMF)
MIS and uncertainties
Material risks
Risk appetite
Risk tolerances
Risk management strategy
Business plan
Policies and procedures
RM function
Review of RMF
Risk management declaration
Culture
Say one thing – do another!
> Vision and values
> Words and actions
> Ethical values
o CPS 220 requires action to support a risk culture
o Lots of good guidelines for a corporate
CPS 220 extract
Objectives and key requirements of this Prudential Standard
This Prudential Standard requires an APRA-regulated institution to have systems for identifying, measuring, evaluating, monitoring, reporting, and controlling or mitigating material risks that may affect its ability ... to meet its obligations to depositors and/or policyholders. These systems, together with the structures, policies, processes and people supporting them, comprise an institution’s risk management framework.
The Board … is ultimately responsible for having an RMF that is appropriate to the size, business mix and complexity of the institution or group. The RMF must also be consistent with the institution’s strategic objectives and business plan.
CPS 220 extract (cont.)
An APRA-regulated institution must:
have an RMF that is appropriate to its size, business mix and complexity;
maintain a Board-approved risk appetite;
maintain a Board-approved risk management strategy that describes the key elements of the RMF to give effect to its approach to managing risk;
have a Board-approved business plan that sets out its approach for the implementation of its strategic objectives;
maintain adequate resources to ensure compliance with this Prudential Standard; and
notify APRA of any breach or deviation.
Risk management
Coordinated activities to direct and control an organisation with regard to risk
Risk = effect of uncertainty on objectives (ISO 31000)
Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood
Fundamental questions
What can happen and why?
What are the consequences?
How likely are these to occur?
Is the level of risk tolerable or acceptable, and does it require further treatment?
Guidance for the selection and application of techniques for risk assessment
Authority
Authority should reside with senior executives at the highest level, not staff functionaries
Each person within the organisation (management & other employees alike) should be held accountable for proper understanding and execution of risk management and internal control within his or her span of authority
Staff in support functions (e.g. risk officers) or external experts can facilitate/support but should not assume line responsibility for managing specific risks or for the effectiveness of controls
Governance
Both risk and internal controls are integral parts of an effective governance system
Strong firms show strong control frameworks
Boards must take full ownership of the system
The risk management function should enable broad risk and control awareness, rather than act as an enforcer of compliance
Designate and communicate risk and control owners
Ultimate responsibility
Board
CEO
Senior management
Staff
CPS 220
Board - CPS 220
The Board of the institution must ensure that:
It defines the institution’s risk appetite and establishes a risk management (RM) strategy
A sound RM culture is established and maintained
Senior management monitor & manage material risks
Operational structure facilitates effective RM
Policies and procedures are developed for risk taking that are consistent with RM strategy and appetite
Sufficient resources are dedicated to RM
Uncertainties attached to RM are recognised
Appropriate controls are established and consistent with institution’s appetite, profile, capital strength, etc and understood by and regularly communicated to staff
Risk management framework
Provides the Board with a comprehensive institution-wide view of its ‘material risks’
Covers the totality of systems, structures, policies, processes and people within institution
Material risks are risks that could have material impact, financial and non-financial, on institution or interests of depositors and/or policyholders
Is consistent with business plan (see later)
Risk must be soundly managed with regard to its size, context etc.
What an RMF must include
An institution’s RMF must include at minimum:
an established risk appetite
a risk management strategy (discussed later)
a business plan
policies and procedures supporting clearly defined and documented roles, responsibilities and formal reporting structures for the management of material risks throughout the institution
a designated risk management function that meets the requirements of para 38
an Internal Capital Adequacy Assessment Process (ICAAP)
What an RMF must include (cont.)
a management information system (MIS) that is adequate, both under normal circumstances and in periods of stress, for measuring, assessing and reporting on all material risks across the institution, and
a review process to ensure that the risk management framework is effective in identifying, measuring, evaluating, monitoring, reporting, and controlling or mitigating material risks.
RMF
An RMF must also include forward-looking scenario analysis and stress testing programs based on severe but plausible assumptions
An MIS must provide the Board, RC and senior management with regular, accurate, and timely information concerning the institution's risk profile
Data quality must be such that it … ‘provides a sound basis for making decisions’
Material risks (CPS 220)
An institution’s RMF must address:
credit risk
market and investment risk
liquidity risk
insurance risk
operational risk
risks arising from its strategic objectives and business plans
other risks that, singly or in combination, may have a material impact on the institution
Risk appetite
Board must establish the risk appetite
An institution must maintain an appropriate, clear risk appetite statement
Risk appetite statement must convey:
degree of risk the institution is prepared to accept
maximum level of risk, for each material risk
process for ensuring that risk tolerances are set at an appropriate level
process for monitoring compliance with risk tolerance
the timing and process for review of risk appetite and tolerances
All companies
Risk management strategy
An institution must maintain a risk management strategy (RMS) that is approved by the Board and that addresses each ‘material risk’
The RMS must:
describe each material risk and how to manage it
list the policies and procedures dealing with RM
summarise role and responsibilities of RM function
describe the risk governance relationship between Board, Board committees and senior management
outline the approach for ensuring awareness of the RM framework and instilling appropriate risk culture
Business plan
An institution must maintain a written plan that sets out its strategic objectives
Business plan = written plan for the operational implementation of its strategic objectives
Rolling plan of at least three years’ duration, reviewed at least annually. Approved by Board
Institution must consider the material risks associated with the business plan – and explicitly manage these risks, including how changing these plans affects its risk profile
Policies and procedures in the RMS to include the processes for:
identifying and assessing material risks and controls
validating and approving any models to measure risk, and testing mitigation strategies and controls
monitoring and reporting risk issues, escalation
identifying, monitoring and managing potential and actual conflicts of interest;
the mechanisms in place for monitoring and ensuring ongoing compliance with all prudential requirements;
ensuring consistency across RMF
establishing and maintaining appropriate contingency arrangements (including robust and credible recovery plans where warranted) for the operation of the RMF in stressed conditions;
Risk management function
An institution must have a designated risk management (RM) function that, at minimum:
is responsible for helping the Board and senior management develop and maintain the RMF
is appropriate to the size, business mix and complexity of the institution
is operationally independent
has the necessary authority and reporting lines to act effectively and independently
has the right staff, skills and qualifications
has access to e.g. IT systems
is required to notify the Board of any significant breach of the RMF
Risk management function (cont.)
The risk management function must be headed by a designated Chief Risk Officer (CRO)
Critical lines of authority – to challenge decisions
Independence from business lines
CRO must have direct reporting line to CEO and unfettered access to Board and Risk Committee
Institution may engage an external service provider to perform part of the risk management function
Compliance function CPS 220
An institution must have a dedicated compliance function
The compliance function must be adequately staffed by appropriately trained and competent persons
Have a reporting line independent from business lines
Review of the RMF
An institution must ensure that compliance with, and effectiveness of, the RMF is reviewed by internal and external audit at least annually
Results reported to Board Audit Committee or SAORS
Also, comprehensively reviewed by appropriately trained and competent persons at least every three years and report to BRC
If a material change to size, business mix and complexity is identified, institution must assess whether amendment or review of RMF required
Review of RMF
The review must, at a minimum, assess whether:
(a) the framework is implemented and effective;
(b) it remains appropriate for the institution, taking into account its current business plan;
(c) it remains consistent with the Board’s risk appetite;
(d) it is supported by adequate resources; and
(e) the RMS accurately documents the key elements of the risk management framework that give effect to its strategy for managing risk.
Notification requirements – CPS 220
An institution must submit to APRA copies of its:
risk appetite statement
business plan
RMS
group liquidity management policy
no more than 10 business days after Board approval
It must notify APRA within 10 business days of becoming aware of:
breach or material deviation from RMF
risk framework did not adequately address a material risk
material change to size, business mix and complexity
change in law outside Australia affecting the business
Risk management declaration
Board must state that to best of its knowledge and having made appropriate enquiries:
Institution has systems for ensuring its compliance
RM systems in place are appropriate for size, business mix and complexity of institution
RM and internal control systems are operating effectively and are adequate
Institution has a CPS 220-compliant RMS and it complies with each measure and control in the RMS
Institution is satisfied with efficacy of its processes and systems surrounding the production of financial information
Ongoing development
How does your firm view risk?
Consider:
Your Board’s role in risk governance
Effective reporting against policies
Risk appetite embedded
Promoting and reinforcing culture
Values embraced
Questions that the Board can ask
Questions?
Q AND A
Short Courses
Fundamentals of Risk Controls 8 October Perth
Fundamentals of Risk Controls 30 October Melbourne
For further help contact
[email protected] or 0412 152 965
Thank you for your attention
Susan Campbell
ARGYLL
TRAINING IN RISK, CONTROLS AND CULTURE
ISO 31000 AND APRA STANDARDS ON RISK
INDEPENDENT RISK COMMITTEE MEMBER