NATIONAL CONFERENCE & EXHIBITION 2014
Risk Governance, Culture and CPS 220 
Susan Campbell 
Argyll Pty. Ltd 
Susan Campbell FCPA F Fin
- Director of ARGYLL, risk consulting
- Presenter on risk to banks, corporates and government
- Specialist in risk management
- 25 years in finance and business risk
- Undertakes risk reviews and consultant to risk committees
- Author of The Guide to Financial Risk Management and Treasury for Dummies (www.argyll.net.au)
- N/E Director, Heritage Bank
Argyll 
2
Before we proceed …
- The information provided in this presentation is of a general nature, and it is not intended to address the circumstances of any particular individual or entity. No one should act on this information without appropriate professional advice after a thorough examination of their particular situation.
Overview purpose
- To provide you with a short understanding of the new APRA standard and links to good governance and culture
- We will discuss:
  - APRA Prudential Standard CPS 220
  - Role of the Board
  - Policies and procedures
  - Risk management function
  - Notification requirements
  - Ongoing developments
Regulatory push
- Why the need for CPS 220?
  - International
  - Domestic – 1 January 2015
Statement from G20 Summit, 2008
- Risk Management
  - ‘Regulators should develop enhanced guidance to strengthen banks’ risk management practices, in line with international best practices, and … encourage financial firms to re-examine their internal controls and implement strengthened policies for sound risk mgt.
  - Regulators should develop and implement procedures to ensure that financial firms implement policies to better manage liquidity risk, including creating strong liquidity cushions.
  - Supervisors should ensure that financial firms develop processes that provide for timely and comprehensive measurement of risk concentrations and large [CP] risk positions across products and geographies.’
Bad versus good RM/IC practices
There has been an overwhelming load of bad practice (bad v. good):
- RM/IC as an objective in itself v. RM/IC to achieve objectives
- Auditor/staff driven v. Board/management driven
- Rules-based v. Principles-based
- Off-the-shelf systems v. Tailor-made
- Focus on threats only v. Focus on opportunities too
- Mainly hard controls v. Social and human controls
- Artificially implemented v. Organically implemented
- Stand-alone / ‘bolted-on’ v. Integrated / ‘built-in’
Source: IMA/IFAC, IMA’s 93rd Annual Conference
Global crisis
The global crisis, according to IMA and IFAC research, was caused by:
- Ethical flaws
- Governance and RM/IC in name, but not in spirit
- Regulatory overload, leading to legalistic compliance
- Risk and control systems too narrowly focused on financial reporting controls only
Source: IMA/IFAC, IMA’s 93rd Annual Conference
Global crisis (cont.)
Conclusions from the crisis:
- Organisations should take a broader approach to risk management and internal control
- Appropriate application of risk management and IC standards and principles is often the problem
Source: IMA/IFAC, IMA’s 93rd Annual Conference 2012
CPS 220 overview
- Covers banks and insurance companies
- Development of risk culture
- ICAAP and the standard
- Risk framework
- Risk appetite – CPS 510 Governance
- Note: Draft CPG 220 Risk Management
CPS 220 overview (cont.)
- Role of the Board
- Group risk management
- Risk management framework (RMF)
- MIS and uncertainties
- Material risks
- Risk appetite
- Risk tolerances
- Risk management strategy
- Business plan
- Policies and procedures
- RM function
- Review of RMF
- Risk management declaration
Culture
- Say one thing – do another!
> Vision and values
> Words and actions
> Ethical values
o CPS 220 requires a risk culture to be supported
o Lots of good guidelines exist for a corporate
CPS 220 extract
- Objectives and key requirements of the Prudential Standard
  - This Prudential Standard requires an APRA-regulated institution to have systems for identifying, measuring, evaluating, monitoring, reporting, and controlling or mitigating material risks that may affect its ability ... to meet its obligations to depositors and/or policyholders. These systems, together with the structures, policies, processes and people supporting them, comprise an institution’s risk management framework.
  - The Board … is ultimately responsible for having an RMF that is appropriate to the size, business mix and complexity of the institution or group. The RMF must also be consistent with the institution’s strategic objectives and business plan.
CPS 220 extract (cont.)
- An APRA-regulated institution must:
  - have an RMF that is appropriate to its size, business mix and complexity;
  - maintain a Board-approved risk appetite;
  - maintain a Board-approved risk management strategy that describes the key elements of the RMF to give effect to its approach to managing risk;
  - have a Board-approved business plan that sets out its approach for the implementation of its strategic objectives;
  - maintain adequate resources to ensure compliance with this Prudential Standard; and
  - notify APRA of any breach or deviation
Risk management
- Coordinated activities to direct and control an organisation with regard to risk
- Risk = effect of uncertainty on objectives (ISO 31000)
- Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood
Fundamental questions
- What can happen and why?
- What are the consequences?
- How likely are these to occur?
- Is the level of risk tolerable or acceptable, and does it require further treatment?
- Guidance for the selection and application of techniques for risk assessment
Authority
- Authority should reside with senior executives at the highest level, not staff functionaries
- Each person within the organisation (management and other employees alike) should be held accountable for proper understanding and execution of risk management and internal control within his or her span of authority
- Staff in support functions (e.g. risk officers) or external experts can facilitate/support but should not assume line responsibility for managing specific risks or for the effectiveness of controls
Governance
- Both risk and internal controls are integral parts of an effective governance system
- Strong firms show strong control frameworks
- Boards must take full ownership of the system
- The risk management function should enable broad risk and control awareness, rather than act as an enforcer of compliance
- Designate and communicate risk and control owners
Ultimate responsibility 
CPS 220 
Board - CPS 220
- The Board of the institution must ensure that:
  - it defines the institution’s risk appetite and establishes a risk management (RM) strategy
  - a sound RM culture is established and maintained
  - senior management monitor and manage material risks
  - the operational structure facilitates effective RM
  - policies and procedures are developed for risk taking that are consistent with the RM strategy and appetite
  - sufficient resources are dedicated to RM
  - uncertainties attached to RM are recognised
  - appropriate controls are established, consistent with the institution’s appetite, profile, capital strength, etc., and understood by and regularly communicated to staff
Risk management framework
- Provides the Board with a comprehensive institution-wide view of its ‘material risks’
- Covers the totality of systems, structures, policies, processes and people within the institution
- Material risks are risks that could have a material impact, financial and non-financial, on the institution or the interests of depositors and/or policyholders
- Is consistent with the business plan (see later)
- Risk must be soundly managed having regard to the institution’s size, context, etc.
What an RMF must include
- An institution’s RMF must include at minimum:
  - an established risk appetite
  - a risk management strategy (discussed later)
  - a business plan
  - policies and procedures supporting clearly defined and documented roles, responsibilities and formal reporting structures for the management of material risks throughout the institution
  - a designated risk management function that meets the requirements of para 38
  - an Internal Capital Adequacy Assessment Process (ICAAP)
What an RMF must include (cont.)
  - a management information system (MIS) that is adequate, both under normal circumstances and in periods of stress, for measuring, assessing and reporting on all material risks across the institution, and
  - a review process to ensure that the risk management framework is effective in identifying, measuring, evaluating, monitoring, reporting, and controlling or mitigating material risks.
RMF
- An RMF must also include forward-looking scenario analysis and stress testing programs based on severe but plausible assumptions
- An MIS must provide the Board, RC and senior management with regular, accurate, and timely information concerning the institution's risk profile
- Data quality must be such that it … ‘provides a sound basis for making decisions’
Material risks (CPS 220)
- An institution’s RMF must address:
  - credit risk
  - market and investment risk
  - liquidity risk
  - insurance risk
  - operational risk
  - risks arising from its strategic objectives and business plans
  - other risks that, singly or in combination, may have a material impact on the institution
Risk appetite
- The Board must establish the risk appetite
- An institution must maintain an appropriate, clear risk appetite statement
- The risk appetite statement must convey:
  - the degree of risk the institution is prepared to accept
  - the maximum level of risk, for each material risk
  - the process for ensuring that risk tolerances are set at an appropriate level
  - the process for monitoring compliance with risk tolerances
  - the timing and process for review of risk appetite and tolerances
Risk management strategy
- An institution must maintain a risk management strategy (RMS) that is approved by the Board and that addresses each ‘material risk’
- The RMS must:
  - describe each material risk and how to manage it
  - list the policies and procedures dealing with RM
  - summarise the role and responsibilities of the RM function
  - describe the risk governance relationship between the Board, Board committees and senior management
  - outline the approach for ensuring awareness of the RM framework and instilling an appropriate risk culture
Business plan
- An institution must maintain a written plan that sets out its strategic objectives
- Business plan = written plan for the operational implementation of its strategic objectives
- Rolling plan of at least three years’ duration, reviewed at least annually and approved by the Board
- The institution must consider the material risks associated with the business plan – and explicitly manage these risks, including how changing these plans affects its risk profile
Policies and procedures
- Policies and procedures in the RMS must include the processes for:
  - identifying and assessing material risks and controls
  - validating and approving any models used to measure risk
  - testing mitigation strategies and controls
  - monitoring and reporting risk issues, and escalation
  - identifying, monitoring and managing potential and actual conflicts of interest
  - the mechanisms in place for monitoring and ensuring ongoing compliance with all prudential requirements
  - ensuring consistency across the RMF
  - establishing and maintaining appropriate contingency arrangements (including robust and credible recovery plans where warranted) for the operation of the RMF in stressed conditions
Risk management function
- An institution must have a designated risk management (RM) function that, at a minimum:
  - is responsible for helping the Board and senior management develop and maintain the RMF
  - is appropriate to the size, business mix and complexity of the institution
  - is operationally independent
  - has the necessary authority and reporting lines to act effectively and independently
  - has staff with the right skills and qualifications
  - has access to, e.g., IT systems
  - is required to notify the Board of any significant breach of the RMF
Risk management function (cont.)
- The risk management function must be headed by a designated Chief Risk Officer (CRO)
- Critical lines of authority – to challenge decisions
- Independence from business lines
- The CRO must have a direct reporting line to the CEO and unfettered access to the Board and Risk Committee
- An institution may engage an external service provider to perform part of the risk management function
Compliance function CPS 220
- An institution must have a dedicated compliance function
- The compliance function must be adequately staffed by appropriately trained and competent persons
- It must have a reporting line independent from business lines
Review of the RMF
- An institution must ensure that compliance with, and effectiveness of, the RMF is reviewed by internal and external audit at least annually
- Results are reported to the Board Audit Committee or SAORS
- The RMF must also be comprehensively reviewed by appropriately trained and competent persons at least every three years, with the results reported to the BRC
- If a material change to size, business mix and complexity is identified, the institution must assess whether amendment or review of the RMF is required
Review of RMF
- A review of the RMF must, at a minimum, assess whether:
  (a) the framework is implemented and effective;
  (b) it remains appropriate for the institution, taking into account its current business plan;
  (c) it remains consistent with the Board’s risk appetite;
  (d) it is supported by adequate resources; and
  (e) the RMS accurately documents the key elements of the risk management framework that give effect to its strategy for managing risk.
Notification requirements – CPS 220
- An institution must submit to APRA copies of its:
  - risk appetite statement
  - business plan
  - RMS
  - group liquidity management policy
  no more than 10 business days after Board approval
- It must notify APRA within 10 business days of becoming aware of:
  - a breach of, or material deviation from, the RMF
  - a risk framework that did not adequately address a material risk
  - a material change to its size, business mix and complexity
  - a change in law outside Australia that affects its business
Risk management declaration
- The Board must state that, to the best of its knowledge and having made appropriate enquiries:
  - the institution has systems for ensuring its compliance
  - the RM systems in place are appropriate for the size, business mix and complexity of the institution
  - the RM and internal control systems are operating effectively and are adequate
  - the institution has a CPS 220-compliant RMS and it complies with each measure and control in the RMS
  - the institution is satisfied with the efficacy of its processes and systems surrounding the production of financial information
Ongoing development
- How does your firm view risk?
- Consider:
  - your Board’s role in risk governance
  - effective reporting against policies
  - risk appetite embedded
  - promoting and reinforcing culture
  - values embraced
  - questions that the Board can ask
Questions? 
Short Courses
- Fundamentals of Risk Controls, 8 October, Perth
- Fundamentals of Risk Controls, 30 October, Melbourne
Thank you for your attention
For further help contact enquiry@argyll.net.au or 0412 152 965
Susan Campbell
ARGYLL
TRAINING IN RISK, CONTROLS AND CULTURE
ISO 31000 AND APRA STANDARDS ON RISK
INDEPENDENT RISK COMMITTEE MEMBER
NATIONAL CONFERENCE & EXHIBITION 2014
Thank you.
