
Aussie


INCIDENT and ISSUE MANAGEMENT POLICY

Version Number: 2.0

Last Updated: September 2016

INTERNAL USE ONLY – This policy is intended for internal use only and should not be used outside Aussie Home Loans and its subsidiaries without first obtaining the consent of Risk and Compliance. The matters reflected in this policy are applicable as at the date shown and may be updated from time to time.

AHL.0008.0014.3772


Document control

Version number | Approved by | Effective date | Amendment description
1 | Board | February 2014 |
2 | Executive Risk Committee | September 2016 | Policy refreshed


TABLE OF CONTENTS

1. PURPOSE AND CONTEXT ............................................................................................................ 3

2. SCOPE ........................................................................................................................................ 3

3. DEFINITIONS AND KEY TERMS .................................................................................................... 3

4. REQUIREMENTS OF THE POLICY ................................................................................................. 5

Identify, notify and escalate ............................................................................................................... 6

Assess and manage ............................................................................................................................. 6

Reporting ............................................................................................................................................ 7

Analyse and close ................................................................................................................................ 8

5. ROLES AND RESPONSIBILITIES .................................................................................................... 9

APPENDIX 1 – AUSSIE INCIDENT REPORTING FORM ......................................................................... 11

APPENDIX 2 - INCIDENT ESCALATION AND REPORTING TABLE .......................................................... 13

APPENDIX 3 – IMPACT ASSESSMENT TABLE ...................................................................................... 14


1. PURPOSE AND CONTEXT

The purpose of the Aussie Incident and Issue Management Policy (“the Policy”) is to establish a consistently applied process to identify, assess and manage incidents, issues and near misses (as defined) when they occur and to ensure that they are:

- appropriately escalated to management and/or reported to regulators (where required) within appropriate timeframes;
- dealt with appropriately and consistently;
- analysed to identify control weaknesses to be addressed to prevent recurrence; and
- recorded to enable reporting to management and the Board, and where required to regulators.

This Policy is aligned with the CBA Group Compliance Incident Management Policy. NOTE: Reporting of incidents and issues by Aussie to the CBA Group must be guided, at all times, by the Aussie and CBA Exchange of Information Protocol (Refer to Appendix A in Aussie’s Managing Conflicts of Interest Policy).

2. SCOPE

2.1 This Policy applies to Aussie and its controlled entities (to the extent practicable in relation to the size, business mix and complexity of each controlled entity).

2.2 This policy covers both the management of incidents and issues. However, for the purposes of this policy, the term ‘incidents’ is used in most text and is interchangeable with the term ‘issues’ unless otherwise specifically stated.

2.3 In the unlikely event of specific circumstances where there may be regulatory requirements or contractual obligations that conflict with requirements of this policy, an exemption should be sought in writing from the Head of Risk & Compliance.

3. DEFINITIONS AND KEY TERMS

3.1 Incidents occur when the outcome of a business process differs from the expected outcome due to inadequate or failed processes, people, systems or as a result of external events. Aussie incidents covered under this Policy include those reported to Aussie by outsourced and/or business partners and Aussie staff retain responsibility for management of such incidents.

3.2 Issues are identified control weaknesses or gaps relating to the mitigation of key risks.

3.3 A regulatory compliance incident is an actual, suspected, likely or imminent breach of an applicable law, regulation, industry standard or code. A compliance incident may also result from a material breach of an internal policy / procedure or from non-compliance with contractual obligations.

3.4 Near misses are incidents where the potential impact does not eventuate and/or the full recovery of any loss is made within 48 hours / 2 business days.

3.5 The impacts of incidents may include (refer Appendix 3 ‘Impact Assessment Table’):

- regulatory non-compliance (e.g. concern/warning; breach penalty; public notice)
- financial loss or gain
- reputational damage/customer dissatisfaction (e.g. media or customer complaint)
- legal/contractual breach
- people issues
- increased management effort.

3.6 The causes of incidents may include:

- Operational incidents (i.e. failure of people, processes, systems, internal fraud, external fraud)
- External events that are outside the control of Aussie.

3.7 Corrective actions are taken to address the impact of incidents.

3.8 Preventative actions are taken to address the underlying cause of the incident to prevent future recurrence of the same or similar incidents.

3.9 Incident Register refers to the document where Risk & Compliance (Line 2) record all incidents, issues and near misses reported to Line 2 by management (Line 1), identified by Line 2 or raised by another party, e.g. internal or external audit.

3.10 Incident Owner refers to the person responsible for ensuring that the incident has been recorded correctly, remediated appropriately including completion of preventative and corrective actions, and closed in a timely manner.

3.11 Action Owner refers to the person responsible for the prioritisation and completion of corrective and/or preventative actions associated to the incident. The action owner and incident owner may be the same person.

3.12 Regulator refers to those governing bodies to whom Aussie has some obligation. For example, Australian Securities and Investments Commission (ASIC), Australian Communications and Media Authority (ACMA), and Office of Australian Information Commissioner.


4. REQUIREMENTS OF THE POLICY

4.1 The capture, assessment and management of incidents and issues across Aussie is achieved through the following process:

Identify, Notify & Escalate
- Incident occurs
- Incident detected or issue identified
- Notification to Risk & Compliance within 1 business day of detection (and to GM/Head of Business Unit as appropriate)
- Escalation by Risk & Compliance per Escalation Matrix (refer Appendix 2)

Assess & Manage
- Incident or issue assessed and managed, including agreed corrective and preventative actions and timelines.

Report
- Incident/issue report provided to Risk & Compliance within 5 days of detection
- Risk & Compliance provide Incident report to CBA if required as per Escalation Matrix (and permitted per Information Sharing Protocol)
- Incident/issue reported to Executive Risk Committee (ERC) and/or Board as required

Analyse & Close
- Incident owner and action owners provide update every 30 days until all actions to manage the incident have been completed satisfactorily
- Risk & Compliance close incident once all requirements are met.

4.2 IT/system incidents will be recorded and escalated through the IT incident management process (refer to IT Security Framework).

4.3 Broker and customer incidents and issues should also be managed under this Policy. Note that customer complaints are managed in accordance with the Customer Complaints Handling Policy. A customer complaint may, however, also result in the need to report an incident, as customer complaints may be a source of incident detection. Where it is determined that an investigation of broker conduct may be required, the Sales Compliance Senior Manager should be notified.


Identify, notify and escalate

4.3 Incidents and issues can be identified via a number of different channels, for example:

- Internal (self-identified) – risk and control self-assessments, controls testing and other process breakdowns.
- Line 2 and Line 3 – Line 2 oversight of the business, internal/external audits and reviews.
- External (suppliers) – service disruptions, regulators, customer complaints.

4.4 Where a staff member identifies a potential incident or issue it is their responsibility to escalate the matter to their relevant line manager or senior management on the day of identification.

4.5 All incidents, including near misses, that have been detected also must be notified within one day to Risk & Compliance in person or by phone or email. Even if the full details of impacts, causes or required corrective and preventative actions have not been determined, the notification is required. Notification will enable Risk & Compliance to review the causes and appropriate actions to address the impacts and underlying control weaknesses that led to the incident occurring. In addition, Risk & Compliance will confirm whether the matter has a regulatory impact and will take responsibility for managing any required communication with the relevant regulator in accordance with the ‘Contact with the Regulator Policy’. Risk & Compliance are also able to provide subject matter expertise to assist Line 1 in management of the incident or issue.

4.6 Risk & Compliance will escalate a summary of the incident to the Executive Management Team in accordance with the escalation matrix provided in Appendix 2.

Assess and manage

4.7 Incidents must be assessed by the business and, once reported, Risk & Compliance will review the:

- Impacts – regulatory, financial (actual or estimate), reputational, legal.
- Impact rating – in line with the Impact Assessment Matrix (Appendix 3).
- Causes – operational, external, fraud.
- Actions (corrective and preventative) – action owners, appropriate due dates.

These details, including the impact rating, actions and timeframes, must be recorded in the Incident/Issue Reporting & Management Form (Appendix 1) and presented to Risk and Compliance within 5 days of detection. The form must be reviewed by and agreed with Risk & Compliance. Any subsequent changes to these forms must be appropriately re-approved (levels of approval also determined by Escalation Matrix in Appendix 2) with the updated forms provided to Risk & Compliance.

4.8 Regulatory compliance incidents are subject to additional requirements. An assessment of each regulatory compliance incident must be undertaken by the business in conjunction with Risk & Compliance without delay to determine if the incident is reportable. NOTE: there are strict reporting deadlines for certain regulatory breaches so reporting breaches immediately is essential. This requirement applies even in circumstances where not all information is currently available, legal advice is in progress and/or reporting to the Board has not occurred. Records supporting the determination must be maintained by the respective Line 1 Business Unit.


Reporting

4.9 Reporting to Risk & Compliance – Having notified Risk & Compliance within one day, the business must also submit a formal incident report within 5 days of detection per Incident/Issue Reporting & Management Form (Appendix 1). The business is responsible for providing Risk & Compliance with a status update on incidents with open actions at least every 30 days or as requested. Up-to-date incident information provides the business with an accurate snapshot of the status and transparency regarding exposure to underlying control weaknesses that have not been addressed.

4.10 Reporting to Executive Risk Committee (ERC) - The details of new incidents, the status of open actions for previously reported incidents and incidents proposed for closure will be reported to Executive Risk Committee meetings. In addition, meaningful metrics (e.g. trend analysis reporting) to monitor compliance with and the effectiveness of this Policy will be provided to the ERC.

4.11 Reporting to the Board - Incidents that are rated ‘High’ or ‘Very High’ as per the Aussie Impact Matrix or have a regulatory impact will be reported to the Board at their next meeting, or sooner if required.

4.12 Reporting to Regulators – Reporting may be subject to prescribed timeframes which are critical and may vary. The Head of Risk & Compliance is responsible for ensuring that the timeframes are met and for ensuring that the regulator is updated as required on remedial action and when the incident has been resolved.

4.13 Any communication with regulators must be in accordance with the ‘Contact with Regulators Policy’.

4.14 Where Risk & Compliance determines that a compliance incident is reportable to a regulator, Legal must be consulted in relation to notification prior to it being sent to the regulator.

4.15 Reporting to CBA (Operational Risk & Compliance Only) – For ‘Very High’ and ‘High’ rated incidents (except if prohibited under the Aussie and CBA Exchange of Information Protocol), Incident/Issue Reporting & Management Forms must be provided to CBA within five business days of Risk and Compliance receiving the completed Form from the respective Line 1 Business Unit. Additional information may be provided on a progressive basis rather than delay reporting of the incident. Any delays in reporting must be accompanied by a valid explanation.

Logging of incidents (Risk & Compliance only)

4.16 Incidents must be recorded in the Incident Register by Risk & Compliance within five business days of receiving completed Incident/Issue Reporting & Management Form from the respective Line 1 Business Unit.

4.17 The financial impact of an incident must be allocated to the business unit where the control weakness / operational risk failure occurred to enable internal and external reporting. The business (Line 1) is accountable for informing Finance of any financial impacts as the result of incidents and ensuring that these impacts are posted to, or accrued in, the General Ledger (GL).


Analyse and close

4.18 Incidents should be closed when all remedial actions are complete and approval has been sought per the following approval matrix:

Incident rating | Line 1 Approval | Line 2 Approval | Additional Escalation/Approval
Very High | Executive Team | Head of Risk & Compliance | Executive Risk Committee; Aussie Board; CBA*
High | Executive Team | Head of Risk & Compliance | Executive Risk Committee; Aussie Board; CBA*
Medium | Head of | Senior Manager, Risk or Senior Manager Compliance | No additional approvals required. However, ‘Medium’ and ‘Low’ rated incidents will be captured as part of the ERC reporting.
Low | Head of | Senior Manager, Risk or Senior Manager Compliance | No additional approvals required; captured as part of the ERC reporting (as for ‘Medium’).

*Except if prohibited under the Aussie and CBA Exchange of Information Protocol

4.19 Line 1 Business Unit approval must be sought prior to being endorsed for closure by Line 2 (Risk & Compliance).

4.20 Line 1 are required to review and maintain evidence of completion of actions prior to closing an incident. This should be retained for future inspection and/or audit.


5. ROLES AND RESPONSIBILITIES

The table below articulates roles and responsibilities in relation to the incident and issue management process:

All staff (Line 1)
- Identify and escalate (as appropriate) any incident resulting from inadequate or failed internal processes, people and systems or from external events that could have customer/staff, financial, regulatory or reputational impacts and take immediate action to contain any related exposure.
- Notify relevant business management (Head of and/or GM – refer to Incident Escalation Matrix in Appendix 2) and Risk and Compliance within one day of the incident being detected.
- Analyse each incident to determine the impacts and appropriate corrective actions, the underlying cause of the incident and identify preventative actions.
- Manage suitable remedial actions (both corrective and preventative) within agreed timeframes.
- Ensure that material changes to the remediation action plan or control rectification of an incident are approved by business management and immediately notified to Risk & Compliance.
- Provide formal incident reporting within 5 days of detecting an incident to Risk & Compliance using the reporting template contained in this Policy.
- Ensure that Finance are notified of any financial impact that is required to be posted to or accrued in the General Ledger.
- Update Risk & Compliance on the status of incidents and actions at least every 30 days to enable accurate reporting to management, the Executive Risk Committee (ERC) and the Board.

Risk & Compliance (Line 2)
- Ensure that management and staff are aware of their responsibilities under this Policy and provide necessary guidance, support and training.
- Ensure incidents continue to be communicated and escalated per the Incident Escalation Matrix.
- Review the incident to confirm causes and impacts including management actions to ensure:
  o Corrective actions are appropriate and timely in addressing the impact of the incident.
  o Preventative actions are appropriate in addressing underlying control weaknesses to ensure incidents do not reoccur.
- Ensure that incidents are captured completely and accurately in the Incident Register.
- Ensure that any changes made to agreed actions are reviewed and recorded in the Incident Register.
- Monitor progress of actions.
- Perform verification of preventative and corrective actions prior to closure of Incidents.
- Provide periodic incident reporting to management, the Executive Risk Committee (ERC) and the Board.
- Perform periodic review of incidents to identify systemic issues, emerging themes or trends.
- Review compliance with this Policy as part of the controls assurance program.
- Review this Policy at least annually and present to the Executive Risk Committee (ERC) for approval.


APPENDIX 1 – Incident/Issue Reporting & Management Form

Please complete all fields and return this form via email to [email protected] within 5 days of Incident / Issue detection. Complete the form to the best of your ability on identification of an incident / issue (you will be able to submit additional forms for any subsequent updates). NOTE: The initial notification of all incidents / issues (including near misses) MUST be made within 1 business day of initial identification. REFER TO THE INCIDENT and ISSUES MANAGEMENT POLICY FOR FURTHER GUIDANCE

Purpose of this form
- Report new incident / issue
- Update open incident / issue (i.e. Update Actions)
- Request closure of open incident / issue (signed closure request required)

Incident Identification
- Incident / Issue Name (brief title to explain incident)
- Incident Ref. No. (Risk & Compliance Use Only)
- Incident / Issue Date
- Date Incident / Issue Identified
- Incident / Issue Report Date
- Identified by (Line 1 / Line 2)
- Incident / Issue Owner (Responsible for next steps)
- Business Unit
- Sensitive Incident / Issue? (Risk & Compliance Use Only)

Incident / Issue Details

Details (e.g. Who/What/Why When/Where/How. Please provide a succinct and clear description of the incident that can be understood by a person outside of the business area)

How was the Incident / Issue Identified?

Root Cause(s) (Why did the incident / issue occur)

Is there any control weakness or process failure? If yes, which control / process has failed?

Impact Details

Is a dollar loss or gain expected? If so, what is the estimated loss / gain value? Include estimate of internal staff efforts, remediation costs etc.

Is a recovery/refund expected (e.g. recoup from or refund to external parties)? If so, what is the estimated recovery amount?


Is Non-Financial Impact expected (describe and/or quantify the potential or actual impact)

Customers

Customer Service

Reputation / Brand

Legal / Regulatory Compliance

People / Employee

Impact Assessment

Impact Rating (Very High/ High/Medium/Low)

Rationale (refer to Impact Assessment Matrix below)

Corrective Action Plan

What corrective action(s) have been or will be taken to remediate the incident / issue?

Target completion date of corrective action(s)

Corrective Action Owner

Preventative Action Plan

What preventative action(s) have been / or will be taken to prevent a similar incident / issue from recurring?

Target implementation date of preventative actions / control enhancement

Preventative Action Owner

Closure Request

I (General Manager or Head Of) confirm that all the above corrective and preventative action(s) to satisfactorily remediate this incident have been completed and implemented and that the incident / issue may be closed. I confirm that evidence has been retained to support completion of corrective and preventative actions and this will be provided, on request, for audit or follow up of the incident / issue closure.

(Attach: Email Approval)

Name: ____________ Date: ____________

Attach any document to support the closure:


APPENDIX 2 - INCIDENT / ISSUE ESCALATION AND REPORTING TABLE

All incidents / issues are to be notified to Risk and Compliance within one day of detection. The following table provides the additional escalation paths that should be taken, by incident rating (ratings are defined in the Impact Assessment Table in Appendix 3):

Very High
- Escalate to: Executive Team, Executive Risk Committee (ERC) and Risk & Compliance. Timing: within 1 business day of detection (by person identifying potential incident/issue). Format: Email/Phone/In Person/Incident Reporting and Management Form.
- Escalate to: CBA (except if prohibited under the Aussie and CBA Exchange of Information Protocol). Timing: within 5 days of receiving completed Incident/Issue Reporting & Management Form from Line 1 (by Risk & Compliance). Format: Incident Reporting and Management Form.

High
- Escalate to: Executive Team, Executive Risk Committee (ERC) and Risk & Compliance. Timing: within 1 business day of detection (by person identifying potential incident/issue). Format: Email/Phone/In Person/Incident Reporting and Management Form.
- Escalate to: CBA (except if prohibited under the Aussie and CBA Exchange of Information Protocol). Timing: within 5 days of receiving completed Incident/Issue Reporting & Management Form from Line 1 (by Risk & Compliance). Format: Incident Reporting and Management Form.

Medium
- Escalate to: Head of impacted Business Unit; relevant GM/Exec Team member and Risk & Compliance. Timing: within 1 business day of detection (by person identifying potential incident/issue). Format: Email/Phone/In Person/Incident Reporting and Management Form.

Low
- Escalate to: Head of impacted Business Unit and Risk & Compliance. Timing: within 1 business day of detection (by person identifying potential incident/issue). Format: Email/Phone/In Person/Incident Reporting and Management Form.

Reporting: A report on all incidents / issues will be prepared for and presented at every Executive Risk Committee meeting. Very High and High rated issues will also be reported to CBA (except if prohibited under the Aussie and CBA Exchange of Information Protocol) and to the Aussie Board.


APPENDIX 3 – Impact Assessment Table

Impact categories (table columns): FINANCIAL (BUSINESS); CUSTOMER SERVICE AND OPERATIONS; REPUTATION / BRAND / CUSTOMERS; LEGAL / REGULATORY COMPLIANCE; PEOPLE; PROJECT DELIVERY; MANAGEMENT EFFORT GUIDANCE*

Assessment based on:
- Loss of existing customers/market share
- Cost of remediation/recovery
- Loss of new business/market share
- Damage to reputation by actions of both individual staff and the Group as a whole
- Actual or potential impact on customers
- Regulatory action
- Customer/third party legal actions
- Workplace health & safety
- Workplace relations
- Staff morale/loyalty
- Inability to deliver on project plan and/or meet project budget
- Drain on Executive resources
- Opportunity cost

For each rating level below, the financial threshold is given first, followed by the descriptors for the remaining categories in column order.

Very High (5) – Financial: >$2.5m
- Significant loss of market share and customer numbers because of extensive interruption to service capability.
- Group wide data availability or integrity issues or information security is compromised
- Widespread and prolonged inability to service all or the majority of our customer base irrespective of geographic location, channel or product
- Major failure of systems impacting customers
- Serious financial or reputational impact to all or most customers
- Prolonged media and/or political attention as a result of inappropriate decision or operational incident
- Actual or potential loss of license and/or penalties on directors
- Severe impact on regulator relationships
- Imposition of significant regulatory restrictions, e.g. enforceable undertakings, conditions or directions
- Death or severe injury to employees whilst on Group business, or customers on Group property
- Widespread loss of morale among management and staff resulting in high staff turnover
- Industrial dispute/action – Group wide impact.
- Project not delivered
- >15% financial variance
- Potential to lead to significant damage to the business
- Sustained ExCo/Senior Management effort

High (4) – Financial: $650k–$2.5m
- Some loss of market share and customer numbers because of major interruption to service capability.
- Extensive management involvement and significant costs incurred to restore critical processes
- Significant data availability or integrity issues or compromise of info security
- Widespread inability to service a significant proportion of customers
- Short term media and/or political attention as a result of inappropriate decision or operational incident
- Medium but widespread disruption of the system and/or Group’s systems lasting several days
- Serious financial or reputational impact to a significant number of customers
- Moderate financial or reputational impact to all Customers
- Major fines and sanctions
- Multiple legal actions
- Focused regulatory surveillance/significant increased regulatory oversight
- Major systemic, recurring or significant breaches
- Major impact on regulator relationships
- Severe injury to employees whilst on Group business, or customers on Group property
- Serious but localised loss of morale among management and staff resulting in high staff turnover
- Industrial dispute/action – State or BU based impact
- 10%–15% financial variance
- Multiple mandatory scope item(s) cannot be delivered.
- Majority of tangible/intangible benefits in business case will not be achieved
- A significant event requiring major Group Executive/Senior Management effort to absorb the impact

Medium (3) – Financial: $200k to <$650k
- Minimal loss of market share and customer numbers because of minor interruption to service capability.
- Some costs incurred to restore critical processes
- Localised data availability or integrity issues, or compromise of info security
- Inability to satisfactorily service a material proportion of customers irrespective of geographic location, channel or product
- Reduced market share or temporary damage to Group brands resulting from limited negative national publicity or detrimental local publicity
- Minor but widespread disruption of systems lasting several days
- Moderate financial or reputational impact to a limited number of customers
- Minor financial or reputational impact to a significant number of customers
- Fines
- Multiple agreements with customers at risk
- Systemic complaints or compliance incidents
- Significant breaches
- Potential impact on regulator relationships
- Increased regulatory oversight
- Injuries to employees whilst on Group business, or customers on Group property
- Some loss of morale among management and staff
- Industrial dispute/action – localised department level impact
- 5%–10% financial variance
- All mandatory scope items can be delivered but a Highly Desirable scope item or multiple Desirable scope items cannot be delivered.
- Moderate risk to delivery of tangible/intangible benefits
- Moderate EGM/Senior Management effort is required to absorb the event impact

Low (2) – Financial: $100k to <$200k
- Service standards not achieved but no impact on market share or customer numbers
- Minimal time, effort and cost required to correct critical processes
- Minimal disruption to satisfactorily servicing some customers irrespective of geographic location, channel or product
- Limited adverse publicity (1–2 days) as a result of isolated customer complaint impacting little or no other customers
- Limited disruption of systems impacting some geographical areas
- Minor financial or reputational impact to a limited number of customers
- Multiple customer complaints or compliance incidents which are not systemic or significant
- Individual legal actions
- Low range fines
- Injury to an employee whilst on Group business, or a customer on Group property
- Short term and localised loss of morale among management and staff
- Industrial dispute/action – localised at team level impact
- 1%–5% financial variance
- Slippage impacts one or more low criticality project(s).
- Desirable scope item cannot be delivered.
- Little or low risk to delivery of tangible/intangible benefits
- Impact can be absorbed through normal activity with minor effort required from Senior Management

Very low (1) – Financial: <$100k
- No measurable operational impact on business
- Limited operational impact on business; ability to service individual customers impacted but no systemic issues
- Intra-day disruption of systems
- No measurable loss of market share resulting from limited negative local publicity.
- Insignificant financial or reputational impact to a limited number of customers
- One off complaints or compliance incidents
- No impact on staff morale
- <1% financial variance
- All Mandatory, Highly Desirable, and Desirable scope items can be delivered but a mass of nice-to-have items cannot.
- Impact can be absorbed through normal activity


Likelihood assessment

Level | Rating | Likelihood Description
5 | Almost Certain | ≥80% probability of the risk/event occurring within the next 12 months
4 | Likely | <80% probability of the risk/event occurring within the next 12 months
3 | Possible | <50% probability of the risk/event occurring within the next 12 months
2 | Unlikely | <20% probability of the risk/event occurring within the next 12 months
1 | Rare | <5% probability of the risk/event occurring within the next 12 months

Overall risk rating matrix

Rows are the likelihood level (1–5); columns are the financial impact band. Cell values: I, L, M, H, VH (Very High).

Likelihood \ Impact | ≤$100k | <$200k | <$650k | <$2.5m | >$2.5m
5 | L | M | M | H | VH
4 | L | L | M | H | VH
3 | I | L | M | H | VH
2 | I | L | M | H | VH
1 | I | I | L | M | H
