Risk Governance, Culture and CPS 220
1. NATIONAL CONFERENCE & EXHIBITION 2014
Risk Governance, Culture and CPS 220
Susan Campbell
Argyll Pty. Ltd
Platinum Sponsor
Silver Sponsor
Bronze Sponsor
Risk Manager of the Year Award Sponsor
Conference and Exhibition Partners
2. Susan Campbell FCPA F Fin
Director of ARGYLL, risk consulting
Presenter on risk to banks, corporates and government
Specialist in risk management
25 years in finance and business risk
Undertakes risk reviews and consultant to risk committees
Author The Guide to Financial Risk Management and
Treasury for Dummies (www.argyll.net.au)
N/E Director, Heritage Bank
Argyll
2
3. Before we proceed …
The information provided in this presentation is of a
general nature, and it is not intended to address the
circumstances of any particular individual or entity. No
one should act on this information without appropriate
professional advice after a thorough examination of their
particular situation
4. Overview purpose
To provide you with a brief understanding of the new
APRA standard and its links to good governance and
culture
We will discuss:
APRA Prudential Standard CPS 220
Role of the Board
Policies and procedures
Risk management function
Notification requirements
Ongoing developments
5. Regulatory push
Why the need for CPS 220?
International
Domestic – 1 January 2015
6. Statement from G20 Summit, 2008
Risk Management
‘Regulators should develop enhanced guidance to strengthen
banks’ risk management practices, in line with international
best practices, and … encourage financial firms to re-examine
their internal controls and implement strengthened policies for
sound risk mgt.
Regulators should develop and implement procedures to
ensure that financial firms implement policies to better manage
liquidity risk, including creating strong liquidity cushions.
Supervisors should ensure that financial firms develop processes
that provide for timely and comprehensive measurement of risk
concentrations and large [CP] risk positions across products
and geographies.’
7. Bad versus good RM/IC practices
There has been an overwhelming load of bad practice:
RM/IC as objective in itself v. RM/IC to achieve objectives
Auditor/staff driven v. Board/management driven
Rules-based v. Principles based
Off-the-shelf systems v. Tailor-made
Focus on threats only v. Focus on opportunities too
Mainly hard controls v. Social and human
Artificially implemented v. Organically implemented
Stand-alone / ‘bolted-on’ v. Integrated / ‘built-in’
Source: IMA/IFAC, IMA’s 93rd Annual Conference
8. Global crisis
The global crisis, according to IMA and IFAC research, was
caused by:
Ethical flaws
Governance, RM/IC in name, but not in spirit
Regulatory overload, leading to legalistic compliance
Risk and control systems too narrowly focused on financial
reporting controls only
Source: IMA/IFAC, IMA’s 93rd Annual Conference
9. Global crisis (cont.)
Conclusions from the crisis:
Organisations should take a broader approach to risk
management and internal control
Appropriate application of risk management and IC
standards and principles is often the problem
Source: IMA/IFAC, IMA’s 93rd Annual Conference 2012
10. CPS 220 overview
Covers banks and insurance companies
Development of risk culture
ICAAP and the standard
Risk framework
Risk appetite – CPS 510 Governance
Note: Draft CPG 220 Risk Management
11. CPS 220 overview (cont.)
Role of the Board
Group risk management
Risk management framework (RMF)
MIS and uncertainties
Material risks
Risk appetite
Risk tolerances
Risk management strategy
Business plan
Policies and procedures
RM function
Review of RMF
Risk management declaration
12. Culture
Say one thing – do another!
> Vision and values
> Words and actions
> Ethical values
o CPS 220 requires a sound risk culture to be
supported
o Lots of good guidelines exist for a
corporate
13. CPS 220 extract
Objectives and key requirements of the Prudential Standard
This Prudential Standard requires an APRA-regulated institution
to have systems for identifying, measuring, evaluating,
monitoring, reporting, and controlling or mitigating material
risks that may affect its ability ... to meet its obligations to
depositors and/or policyholders. These systems, together with
the structures, policies, processes and people supporting
them, comprise an institution’s risk management framework.
The Board … is ultimately responsible for having an RMF
that is appropriate to the size, business mix and
complexity of the institution or group. The RMF must also
be consistent with the institution’s strategic objectives
and business plan.
14. CPS 220 extract (cont.)
An APRA-regulated institution must:
have an RMF that is appropriate to its size, business mix and
complexity;
maintain a Board-approved risk appetite;
maintain a Board-approved risk management strategy that
describes the key elements of the RMF to give effect to its
approach to managing risk;
have a Board-approved business plan that sets out its
approach for the implementation of its strategic objectives;
maintain adequate resources to ensure compliance with this
Prudential Standard; and notify APRA of any breach or deviation
15. Risk management
Coordinated activities to direct and control an
organisation with regard to risk
Risk = effect of uncertainty on objectives
(ISO 31000)
Uncertainty is the state, even partial, of deficiency of
information related to, understanding or knowledge of, an
event, its consequence, or likelihood
16. Fundamental questions
What can happen and why?
What are the consequences?
How likely are these to occur?
Is the level of risk tolerable or acceptable, and does it
require further treatment?
Guidance for the selection and application of techniques
for risk assessment (ISO 31010)
17. Authority
Authority should reside with senior executives at the highest
level, not with staff functionaries
Each person within the organisation (management &
other employees alike) should be held accountable for
proper understanding and execution of risk
management and internal control within his or her span
of authority
Staff in support functions (e.g. risk officers) or external
experts can facilitate/support but should not assume line
responsibility for managing specific risks or for the
effectiveness of controls
18. Governance
Both risk and internal controls are integral parts of an
effective governance system
Strong firms show strong control frameworks
Boards must take full ownership of the system
The risk management function should enable broad risk and
control awareness, rather than act as an enforcer of compliance
Designate and communicate risk and control owners
20. Board - CPS 220
The Board of the institution must ensure that:
It defines the institution’s risk appetite and establishes a risk
management (RM) strategy
A sound RM culture is established and maintained
Senior management monitor & manage material risks
Operational structure facilitates effective RM
Policies and procedures are developed for risk taking that are
consistent with RM strategy and appetite
Sufficient resources are dedicated to RM
Uncertainties attached to RM are recognised
Appropriate controls are established and consistent with the
institution’s appetite, profile, capital strength, etc., and are
understood by and regularly communicated to staff
21. Risk management framework
Provides the Board with a comprehensive institution-wide
view of its ‘material risks’
Covers the totality of systems, structures, policies, processes
and people within institution
Material risks are risks that could have material impact,
financial and non-financial, on institution or interests of
depositors and/or policyholders
Is consistent with business plan (see later)
Risk must be soundly managed with regard to the institution’s
size, context, etc.
22. What an RMF must include
An institution’s RMF must include at minimum:
an established risk appetite
a risk management strategy (discussed later)
a business plan
policies and procedures supporting clearly defined and
documented roles, responsibilities and formal reporting
structures for the management of material risks throughout the
institution
a designated risk management function that meets the
requirements of para 38
an Internal Capital Adequacy Assessment Process (ICAAP)
23. What an RMF must include (cont.)
a management information system (MIS) that is adequate,
both under normal circumstances and in periods of stress,
for measuring, assessing and reporting on all material risks
across the institution, and
a review process to ensure that the risk management
framework is effective in identifying, measuring, evaluating,
monitoring, reporting, and controlling or mitigating material
risks.
24. RMF
An RMF must also include forward-looking scenario
analysis and stress testing programs based on severe but
plausible assumptions
An MIS must provide the Board, RC and senior
management with regular, accurate, and timely
information concerning the institution's risk profile
Data quality must be such that it … ‘provides a sound
basis for making decisions’
25. Material risks (CPS 220)
An institution’s RMF must address:
credit risk
market and investment risk
liquidity risk
insurance risk
operational risk
risks arising from its strategic objectives and business plans
other risks that, singly or in combination, may have a
material impact on the institution
26. Risk appetite
The Board must establish the risk appetite
An institution must maintain an appropriate, clear
risk appetite statement
Risk appetite statement must convey:
the degree of risk the institution is prepared to accept
the maximum level of risk, for each material risk
the process for ensuring that risk tolerances are set at an
appropriate level
the process for monitoring compliance with risk tolerances
the timing and process for review of the risk appetite and
tolerances
27. Risk management strategy
An institution must maintain a risk management strategy
(RMS) that is approved by the Board and that addresses
each ‘material risk’
The RMS must:
describe each material risk and how it is managed
list the policies and procedures dealing with RM
summarise the role and responsibilities of the RM function
describe the risk governance relationship between the Board,
Board committees and senior management
outline the approach for ensuring awareness of the RM
framework and instilling an appropriate risk culture
28. Business plan
An institution must maintain a written plan that sets out its
strategic objectives
Business plan = written plan for the operational
implementation of its strategic objectives
Rolling plan of at least three years’ duration, reviewed at
least annually and approved by the Board
Institution must consider the material risks associated with
the business plan – and explicitly manage these risks,
including how changing these plans affects its risk profile
29. Policies and procedures
The policies and procedures in the RMS must include the processes for:
identifying and assessing material risks and controls
validating and approving any models used to measure risk,
and testing mitigation strategies and controls
monitoring and reporting risk issues, including escalation
identifying, monitoring and managing potential and actual
conflicts of interest;
the mechanisms in place for monitoring and ensuring
ongoing compliance with all prudential requirements;
ensuring consistency across RMF
establishing and maintaining appropriate contingency
arrangements (including robust and credible recovery
plans where warranted) for the operation of the RMF in
stressed conditions;
30. Risk management function
An institution must have a designated risk management
(RM) function that, at a minimum:
is responsible for helping the Board and senior management
develop and maintain the RMF
is appropriate to the size, business mix and complexity of the
institution
is operationally independent
has the necessary authority and reporting lines to act
effectively and independently
has staff with the right skills and qualifications
has the necessary access, e.g. to IT systems
is required to notify the Board of any significant breach of the
RMF
31. Risk management function (cont.)
The risk management function must be headed by a
designated Chief Risk Officer (CRO)
Critical lines of authority, so decisions can be challenged
Independence from business lines
CRO must have direct reporting line to CEO and
unfettered access to Board and Risk Committee
Institution may engage an external service provider to
perform part of the risk management function
32. Compliance function CPS 220
An institution must have a dedicated compliance
function
The compliance function must be adequately staffed by
appropriately trained and competent persons
It must have a reporting line independent from business lines
33. Review of the RMF
An institution must ensure that compliance with, and
effectiveness of, the RMF is reviewed by internal and
external audit at least annually
Results are reported to the Board Audit Committee or SAORS
The RMF must also be comprehensively reviewed by appropriately
trained and competent persons at least every three years, with
the results reported to the BRC
If a material change to size, business mix and complexity is
identified, the institution must assess whether amendment or
review of the RMF is required
34. Review of RMF
The review must, at a minimum, assess whether:
(a) the framework is implemented and effective;
(b) it remains appropriate for the institution, taking into
account its current business plan;
(c) it remains consistent with the Board’s risk appetite;
(d) it is supported by adequate resources; and
(e) the RMS accurately documents the key elements of the
risk management framework that give effect to its strategy
for managing risk.
35. Notification requirements – CPS220
An institution must submit to APRA copies of its:
risk appetite statement
business plan
RMS
group liquidity management policy
no more than 10 business days after Board approval
It must notify APRA within 10 business days of becoming
aware of:
a breach of or material deviation from the RMF
that the RMF did not adequately address a material risk
a material change to size, business mix and complexity
a change in law outside Australia that affects its business
36. Risk management declaration
The Board must state that, to the best of its knowledge and having
made appropriate enquiries:
the institution has systems for ensuring its compliance
the RM systems in place are appropriate for the size, business mix and
complexity of the institution
the RM and internal control systems are operating effectively and
are adequate
the institution has a CPS 220-compliant RMS and complies with
each measure and control in the RMS
the institution is satisfied with the efficacy of its processes and systems
surrounding the production of financial information
37. Ongoing development
How does your firm view risk?
Consider
Your Board’s role in risk governance
Effective reporting against policies
Risk appetite embedded
Promoting and reinforcing culture
Values embraced
Questions that the Board can ask
39. Short Courses
Fundamentals of Risk Controls 8 October Perth
Fundamentals of Risk Controls 30 October Melbourne
40. Thank you for your attention
For further help contact
enquiry@argyll.net.au
or 0412 152 965
Susan Campbell
ARGYLL
TRAINING IN RISK, CONTROLS AND CULTURE
ISO 31000 AND APRA STANDARDS ON RISK
INDEPENDENT RISK COMMITTEE MEMBER
41. NATIONAL CONFERENCE & EXHIBITION 2014
Thank you.