Page 1: Risk Governance, Culture and CPS 220

Risk Governance, Culture and CPS 220

Susan Campbell

Argyll Pty. Ltd

NATIONAL CONFERENCE & EXHIBITION 2014

Platinum Sponsor

Silver Sponsor

Bronze Sponsor

Risk Manager of the Year

Award Sponsor

Conference and Exhibition Partners

Page 2

Argyll 2

Susan Campbell FCPA F Fin

Director of ARGYLL, risk consulting

Presenter on risk to banks, corporates and government

Specialist in risk management

25 years in finance and business risk

Undertakes risk reviews and consultant to risk committees

Author of The Guide to Financial Risk Management and Treasury for Dummies (www.argyll.net.au)

N/E Director, Heritage Bank

Page 3

Before we proceed …

The information provided in this presentation is of a general nature, and it is not intended to address the circumstances of any particular individual or entity. No one should act on this information without appropriate professional advice after a thorough examination of their particular situation.

Page 4

Overview and purpose

To provide you with a short understanding of the new APRA standard and links to good governance and culture

We will discuss:

APRA Prudential Standard CPS 220

Role of the Board

Policies and procedures

Risk management function

Notification requirements

Ongoing developments

Page 5

Regulatory push

Why the need for CPS 220?

International

Domestic – 1 January 2015

Page 6

Statement from G20 Summit, 2008

Risk Management

‘Regulators should develop enhanced guidance to strengthen banks’ risk management practices, in line with international best practices, and … encourage financial firms to re-examine their internal controls and implement strengthened policies for sound risk mgt.

Regulators should develop and implement procedures to ensure that financial firms implement policies to better manage liquidity risk, including creating strong liquidity cushions.

Supervisors should ensure that financial firms develop processes that provide for timely and comprehensive measurement of risk concentrations and large [CP] risk positions across products and geographies.

Page 7

Bad versus good RM/IC practices

There has been an overwhelming load of bad practice:

RM/IC as objective in itself v. RM/IC to achieve objectives

Auditor/staff driven v. Board/management driven

Rules-based v. Principles-based

Off-the-shelf systems v. Tailor-made

Focus on threats only v. Focus on opportunities too

Mainly hard controls v. Social and human

Artificially implemented v. Organically implemented

Stand-alone / ‘bolted-on’ v. Integrated / ‘built-in’

Source: IMA/IFAC, IMA’s 93rd Annual Conference

Page 8

Global crisis

The global crisis, according to IMA and IFAC research, was caused by:

Ethical flaws

Governance, RM/IC in name, but not in spirit

Regulatory overload, leading to legalistic compliance

Risk and control systems too narrowly focused, only on financial reporting controls

Source: IMA/IFAC, IMA’s 93rd Annual Conference

Page 9

Global crisis (cont.)

Conclusions from the crisis:

Organisations should take a broader approach to risk management and internal control

Appropriate application of risk management and IC standards and principles is often the problem

Source: IMA/IFAC, IMA’s 93rd Annual Conference 2012

Page 10

CPS 220 overview

Covers bank and insurance companies

Development of risk culture

ICAAP and the standard

Risk framework

Risk appetite – CPS 510 Governance

Note: Draft CPG 220 Risk Management

Page 11

CPS 220 overview (cont.)

Role of the Board

Group risk management

Risk management framework (RMF)

MIS and uncertainties

Material risks

Risk appetite

Risk tolerances

Risk management strategy

Business plan

Policies and procedures

RM function

Review of RMF

Risk management declaration

Page 12

Culture

Say one thing – do another!

Vision and values

Words and actions

Ethical values

CPS 220 requires action to support a risk culture

Lots of good guidelines for a corporate

Page 13

CPS 220 extract

Objectives and key requirements of PS

This Prudential Standard requires an APRA-regulated institution to have systems for identifying, measuring, evaluating, monitoring, reporting, and controlling or mitigating material risks that may affect its ability ... to meet its obligations to depositors and/or policyholders. These systems, together with the structures, policies, processes and people supporting them, comprise an institution’s risk management framework.

The Board … is ultimately responsible for having an RMF that is appropriate to the size, business mix and complexity of the institution or group. The RMF must also be consistent with the institution’s strategic objectives and business plan.

Page 14

CPS 220 extract (cont.)

An APRA-regulated institution must:

have an RMF that is appropriate to its size, business mix and complexity;

maintain a Board-approved risk appetite;

maintain a Board-approved risk management strategy that describes the key elements of the RMF to give effect to its approach to managing risk;

have a Board-approved business plan that sets out its approach for the implementation of its strategic objectives;

maintain adequate resources to ensure compliance with this Prudential Standard; and

notify APRA of any breach or deviation

Page 15

Risk management

Coordinated activities to direct and control an organisation with regard to risk

Risk = effect of uncertainty on objectives (ISO 31000)

Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood

Page 16

Fundamental questions

What can happen and why?

What are the consequences?

How likely are these to occur?

Is the level of risk tolerable or acceptable, and does it require further treatment?

Guidance for the selection and application of techniques for risk assessment

Page 17

Authority

Authority should reside with senior executives at the highest level, not with staff functionaries

Each person within the organisation (management & other employees alike) should be held accountable for proper understanding and execution of risk management and internal control within his or her span of authority

Staff in support functions (e.g. risk officers) or external experts can facilitate/support but should not assume line responsibility for managing specific risks or for the effectiveness of controls

Page 18

Governance

Both risk and internal controls are integral parts of an effective governance system

Strong firms show strong control frameworks

Boards must take full ownership of the system

Risk management function should enable broad risk and control awareness, rather than act as an enforcer of compliance

Designate and communicate risk and control owners

Page 19

Ultimate responsibility

Board

CEO

Senior management

Staff

CPS 220

Page 20

Board - CPS 220

The Board of the institution must ensure that:

It defines the institution’s risk appetite and establishes a risk management (RM) strategy

A sound RM culture is established and maintained

Senior management monitor and manage material risks

Operational structure facilitates effective RM

Policies and procedures are developed for risk taking that are consistent with RM strategy and appetite

Sufficient resources are dedicated to RM

Uncertainties attached to RM are recognised

Appropriate controls are established and consistent with the institution’s appetite, profile, capital strength, etc., and understood by and regularly communicated to staff

Page 21

Risk management framework

Provides the Board with a comprehensive institution-wide view of its ‘material risks’

Covers the totality of systems, structures, policies, processes and people within institution

Material risks are risks that could have material impact, financial and non-financial, on institution or interests of depositors and/or policyholders

Is consistent with business plan (see later)

Risk must be soundly managed with regard to its size, context etc.

Page 22

What an RMF must include

An institution’s RMF must include at minimum:

an established risk appetite

a risk management strategy (discussed later)

a business plan

policies and procedures supporting clearly defined and documented roles, responsibilities and formal reporting structures for the management of material risks throughout the institution

a designated risk management function that meets the requirements of para 38

an Internal Capital Adequacy Assessment Process (ICAAP)

Page 23

What an RMF must include (cont.)

a management information system (MIS) that is adequate, both under normal circumstances and in periods of stress, for measuring, assessing and reporting on all material risks across the institution, and

a review process to ensure that the risk management framework is effective in identifying, measuring, evaluating, monitoring, reporting, and controlling or mitigating material risks.

Page 24

RMF

An RMF must also include forward-looking scenario analysis and stress testing programs based on severe but plausible assumptions

An MIS must provide the Board, RC and senior management with regular, accurate, and timely information concerning the institution's risk profile

Data quality must be such that it … ‘provides a sound basis for making decisions’

Page 25

Material risks (CPS 220)

An institution’s RMF must address:

credit risk

market and investment risk

liquidity risk

insurance risk

operational risk

risks arising from its strategic objectives and business plans

other risks that, singly or in combination, may have a material impact on the institution

Page 26

Risk appetite

Board must establish the risk appetite

An institution must maintain an appropriate, clear risk appetite statement

Risk appetite statement must convey:

degree of risk the institution is prepared to accept

maximum level of risk, for each material risk

process for ensuring that risk tolerances are set at an appropriate level

process for monitoring compliance with risk tolerances

the timing and process for review of risk appetite and tolerances

All companies

Page 27

Risk management strategy

An institution must maintain a risk management strategy (RMS) that is approved by the Board and that addresses each ‘material risk’

The RMS must:

describe each material risk and how to manage it

list the policies and procedures dealing with RM

summarise the role and responsibilities of the RM function

describe the risk governance relationship between Board, Board committees and senior management

outline the approach for ensuring awareness of the RM framework and instilling appropriate risk culture

Page 28

Business plan

An institution must maintain a written plan that sets out its strategic objectives

Business plan = written plan for the operational implementation of its strategic objectives

Rolling plan of at least three years’ duration, reviewed at least annually. Approved by Board

Institution must consider the material risks associated with the business plan – and explicitly manage these risks, including how changing these plans affects its risk profile

Page 29

Policies and procedures in the RMS to include the processes for:

identifying and assessing material risks and controls

validating and approving any models to measure risk

testing mitigation strategies and controls

monitoring and reporting risk issues, and escalation

identifying, monitoring and managing potential and actual conflicts of interest;

the mechanisms in place for monitoring and ensuring ongoing compliance with all prudential requirements;

ensuring consistency across the RMF

establishing and maintaining appropriate contingency arrangements (including robust and credible recovery plans where warranted) for the operation of the RMF in stressed conditions;

Page 30

Risk management function

An institution must have a designated risk management (RM) function that at minimum:

is responsible for helping the Board and senior management develop and maintain the RMF

is appropriate to the size, business mix and complexity of the institution

is operationally independent

has the necessary authority and reporting lines to act effectively and independently

has the right staff, skills and qualifications

has access to e.g. IT systems

is required to notify the Board of any significant breach of the RMF

Page 31

Risk management function (cont.)

The risk management function must be headed by a designated Chief Risk Officer (CRO)

Critical lines of authority – to challenge decisions

Independence from business lines

CRO must have direct reporting line to CEO and unfettered access to Board and Risk Committee

Institution may engage an external service provider to perform part of the risk management function

Page 32

Compliance function CPS 220

An institution must have a dedicated compliance function

The compliance function must be adequately staffed by appropriately trained and competent persons

Have a reporting line independent from business lines

Page 33

Review of the RMF

An institution must ensure that compliance with, and effectiveness of, the RMF is reviewed by internal and external audit at least annually

Results reported to Board Audit Committee or SAORS

Also, comprehensively reviewed by appropriately trained and competent persons at least every three years and report to BRC

If a material change to size, business mix and complexity is identified, institution must assess whether amendment or review of RMF required

Page 34

Review of RMF

The review must, at a minimum, assess whether:

(a) the framework is implemented and effective;

(b) it remains appropriate for the institution, taking into account its current business plan;

(c) it remains consistent with the Board’s risk appetite;

(d) it is supported by adequate resources; and

(e) the RMS accurately documents the key elements of the risk management framework that give effect to its strategy for managing risk.

Page 35

Notification requirements – CPS 220

An institution must submit to APRA copies of its:

risk appetite statement

business plan

RMS

group liquidity management policy

no more than 10 business days after Board approval

It must notify APRA within 10 business days of becoming aware of:

a breach of or material deviation from the RMF

the risk framework not adequately addressing a material risk

a material change to size, business mix and complexity

a change in law outside Australia that has affected its business

Page 36

Risk management declaration

Board must state that to the best of its knowledge and having made appropriate enquiries:

Institution has systems for ensuring its compliance

RM systems in place are appropriate for size, business mix and complexity of institution

RM and internal control systems are operating effectively and are adequate

Institution has a CPS 220-compliant RMS and it complies with each measure and control in the RMS

Institution is satisfied with efficacy of its processes and systems surrounding the production of financial information

Page 37

Ongoing development

How does your firm view risk?

Consider:

Your Board’s role in risk governance

Effective reporting against policies

Risk appetite embedded

Promoting and reinforcing culture

Values embraced

Questions that the Board can ask

Page 38

Questions?

Q AND A

Page 39

Short Courses

Fundamentals of Risk Controls 8 October Perth

Fundamentals of Risk Controls 30 October Melbourne

Page 40

For further help contact

[email protected] or 0412 152 965

Thank you for your attention

Susan Campbell

ARGYLL

TRAINING IN RISK, CONTROLS AND CULTURE

ISO 31000 AND APRA STANDARDS ON RISK

INDEPENDENT RISK COMMITTEE MEMBER

Page 41

Thank you.
