Risk Governance, Culture and CPS 220


Susan Campbell, Argyll Pty. Ltd

Text of Risk Governance, Culture and CPS 220

1. Title

NATIONAL CONFERENCE & EXHIBITION 2014
Risk Governance, Culture and CPS 220
Susan Campbell, Argyll Pty. Ltd

2. Susan Campbell, FCPA, F Fin

  • Director of ARGYLL, risk consulting
  • Presenter on risk to banks, corporates and government
  • Specialist in risk management; 25 years in finance and business risk
  • Undertakes risk reviews and acts as consultant to risk committees
  • Author of The Guide to Financial Risk Management and Treasury for Dummies (www.argyll.net.au)
  • Non-executive Director, Heritage Bank

Argyll

3. Before we proceed

The information provided in this presentation is of a general nature, and it is not intended to address the circumstances of any particular individual or entity. No one should act on this information without appropriate professional advice after a thorough examination of their particular situation.

4. Overview and purpose

To provide you with a short understanding of the new APRA standard and its links to good governance and culture. We will discuss:

  • APRA Prudential Standard CPS 220
  • Role of the Board
  • Policies and procedures
  • Risk management function
  • Notification requirements
  • Ongoing developments

5. Regulatory push

Why the need for CPS 220?

  • International
  • Domestic
  • 1 January 2015

6. Statement from G20 Summit, 2008: Risk Management

  • Regulators should develop enhanced guidance to strengthen banks' risk management practices, in line with international best practices, and encourage financial firms to re-examine their internal controls and implement strengthened policies for sound risk management.
  • Regulators should develop and implement procedures to ensure that financial firms implement policies to better manage liquidity risk, including creating strong liquidity cushions.
  • Supervisors should ensure that financial firms develop processes that provide for timely and comprehensive measurement of risk concentrations and large [CP] risk positions across products and geographies.

7. Bad versus good RM/IC practices

There has been an overwhelming load of bad practice:

  • RM/IC as an objective in itself vs. RM/IC to achieve objectives
  • Auditor/staff driven vs. Board/management driven
  • Rules-based vs. principles-based
  • Off-the-shelf systems vs. tailor-made
  • Focus on threats only vs. focus on opportunities too
  • Mainly hard controls vs. social and human controls
  • Artificially implemented vs. organically implemented
  • Stand-alone / bolted-on vs. integrated / built-in

Source: IMA/IFAC, IMA's 93rd Annual Conference

8. Global crisis

The global crisis, according to IMA and IFAC research, was caused by:

  • Ethical flaws
  • Governance and RM/IC in name, but not in spirit
  • Regulatory overload, leading to legalistic compliance
  • Risk and control systems too narrowly focused (only on financial reporting controls)

Source: IMA/IFAC, IMA's 93rd Annual Conference

9. Global crisis (cont.)

Conclusions from the crisis:

  • Organisations should take a broader approach to risk management and internal control
  • Appropriate application of risk management and IC standards and principles is often the problem

Source: IMA/IFAC, IMA's 93rd Annual Conference 2012

10. CPS 220 overview

  • Covers banks and insurance companies
  • Development of risk culture
  • ICAAP and the standard
  • Risk framework
  • Risk appetite
  • CPS 510 Governance

Note: Draft CPG 220 Risk Management

11. CPS 220 overview (cont.)

  • Role of the Board
  • Group risk management
  • Risk management framework (RMF)
  • MIS and uncertainties
  • Material risks
  • Risk appetite
  • Risk tolerances
  • Risk management strategy
  • Business plan
  • Policies and procedures
  • RM function
  • Review of the RMF
  • Risk management declaration

12. Culture

Say one thing, do another!

  • Vision and values
  • Words and actions
  • Ethical values
  • CPS 220 requires the institution to support a risk culture
  • Lots of good guidelines exist for a corporate

13. CPS 220 extract: objectives and key requirements of the Prudential Standard

"This Prudential Standard requires an APRA-regulated institution to have systems for identifying, measuring, evaluating, monitoring, reporting, and controlling or mitigating material risks that may affect its ability ... to meet its obligations to depositors and/or policyholders. These systems, together with the structures, policies, processes and people supporting them, comprise an institution's risk management framework."

  • The Board is ultimately responsible for having an RMF that is appropriate to the size, business mix and complexity of the institution or group. The RMF must also be consistent with the institution's strategic objectives and business plan.

14. CPS 220 extract (cont.)

An APRA-regulated institution must:

  • have an RMF that is appropriate to its size, business mix and complexity;
  • maintain a Board-approved risk appetite;
  • maintain a Board-approved risk management strategy that describes the key elements of the RMF to give effect to its approach to managing risk;
  • have a Board-approved business plan that sets out its approach for the implementation of its strategic objectives;
  • maintain adequate resources to ensure compliance with this Prudential Standard; and
  • notify APRA of any breach or deviation.

15. Risk management

  • Coordinated activities to direct and control an organisation with regard to risk
  • Risk = effect of uncertainty on objectives (ISO 31000)
  • Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of an event, its consequence, or likelihood

16. Fundamental questions

  • What can happen and why?
  • What are the consequences?
  • How likely are these to occur?
  • Is the level of risk tolerable or acceptable, and does it require further treatment?

Guidance for the selection and application of techniques for risk assessment

17. Authority

  • Authority should reside with senior executives at the highest level, not staff functionaries
  • Each person within the organisation (management and other employees alike) should be held accountable for proper understanding and execution of risk management and internal control within his or her span of authority
  • Staff in support functions (e.g. risk officers) or external experts can facilitate and support but should not assume line responsibility for managing specific risks or for the effectiveness of controls

18. Governance

  • Both risk and internal controls are integral parts of an effective governance system
  • Strong firms show strong control frameworks
  • Boards must take full ownership of the system
  • The risk management function should enable broad risk and control awareness, rather than act as an enforcer of compliance
  • Designate and communicate risk and control owners

19. Ultimate responsibility (CPS 220)

20. Board: CPS 220

The Board of the institution must ensure that:

  • it defines the institution's risk appetite and establishes a risk management (RM) strategy
  • a sound RM culture is established and maintained
  • senior management monitor and manage material risks
  • the operational structure facilitates effective RM
  • policies and procedures are developed for risk taking that are consistent with the RM strategy and appetite
  • sufficient resources are dedicated to RM
  • uncertainties attached to RM are recognised
  • appropriate controls are established that are consistent with the institution's appetite, profile, capital strength, etc., and are understood by and regularly communicated to staff

21. Risk management framework

  • Provides the Board with a comprehensive institution-wide view of its material risks
  • Covers the totality of systems, structures, policies, processes and people within the institution
  • Material risks are risks that could have a material impact, financial and non-financial, on the institution or on the interests of depositors and/or policyholders
  • Is consistent with the business plan (see later)
  • Risk must be soundly managed with regard to the institution's size, context, etc.

22. What an RMF must include

An institution's RMF must include at minimum:

  • an established risk appetite
  • a risk management strategy (discussed later)
  • a business plan
  • policies and procedures supporting clearly defined and documented roles, responsibilities and formal reporting structures for the management of material risks throughout the institution
  • a designated risk management function that meets the requirements of para 38
  • an Internal Capital Adequacy Assessment Process (ICAAP)

23. What an RMF must include (cont.)

  • a management information system (MIS) that is adequate, both under normal circumstances and in periods of stress, for measuring, assessing and reporting on all material risks across the institution, and
  • a review process to ensure that the risk management framework is effective in identifying, measuring, evaluating, monitoring, reporting, and controlling or mitigating material risks.

24. RMF

  • An RMF must also include forward-looking scenario analysis and stress testing programs based on severe but plausible assumptions
  • An MIS must provide the Board, the risk committee (RC) and senior management with regular, accurate and timely information concerning the institution's risk profile
  • Data quality must be such that it provides a sound basis for making decisions

25. Material risks (CPS 220)

An institution's RMF must address:

  • credit risk
  • market and investment risk
  • liquidity risk
  • insurance risk
  • operational risk
  • risks arising from its strategic objectives and business plans
  • other risks that, singly or in combination, may have a material impact on the institution

26. Risk appetite

  • The Board must establish the risk appetite
  • An institution must maintain an appropriate, clear risk appetite statement
  • The risk appetite statement must convey:
    • the degree of risk the institution is prepared to accept
    • the maximum level of risk, for each material risk
    • the process for ensuring that risk tolerances are set at an appropriate level
    • the process for monitoring compliance with risk tolerances
    • the timing and process for review of the risk appetite and tolerances

27. Risk management strategy

An institution must maintain a risk management strategy (RMS) that is approved by the Boar