Risk Management Policy

Transcription

1 Risk Management Policy Version: 3 Board Endorsement: 11 January 2014 Last Review Date: 3 January 2014 Next Review Date: July 2014 Risk Management Policy 1

2 Table of Contents 1 Introduction Overview Aim Policy Responsibilities Executive Responsible (Risk) Audit Risk & Compliance Committee Board of IAS Authority Reporting Administrative Procedures Corporate Policies & Procedures Risk Categories Risk Category Definitions Risk Ratings Risk Ratings & Controls Reporting and Management of Risk Incidents Aim Action upon discovery Assessment and Reporting by Risk Officer Documentation Risk Management (Compliance) Reviews Background Preparation and Conduct of the Review Documenting the Review Sign-off Reporting on Risk Reviews Training and Awareness Non-compliance with these procedures Update to Policy Point of Contact SCHEDULE A Risk Management Responsibilities SCHEDULE B Risk Ratings & Controls SCHEDULE C Risk Incident Register SCHEDULE D Risk Treatment Schedule and Plan SCHEDULE E Risk Management Review Executive Summary & Sign Off Risk Management Policy 2

3 1 Introduction Risk management is the systematic application of management policies, procedures and practices to the tasks of identifying, analysing, assessing, treating and monitoring risk. Risk is defined in terms of the possibility of an adverse event occurring and the likely consequence of this event. Although a small entity, Investment Administration Services Pty Limited (IAS) recognises that all financial service providers face situations or events that constitute threats to success or opportunities for benefit. IAS also recognises that threats may be averted or opportunities realised by effective management of these risks. IAS is committed to maintain procedures to provide the company with a systematic view of the risks faced in the course of its administrative and business activities. These procedures are consistent with the Australian risk management standard, AS/NZS ISO 31000: Risk Management. An effective risk management strategy requires: a strategic focus, forward thinking and active approaches to management, balance between the cost of managing risk and the anticipated benefits, and contingency planning in the event that mission critical threats are realised. Risk is inherent in all administrative and business activities. IAS requires all staff to practice principles of risk management and to comply with policies, procedures and practices relating to good risk management at all times. All employees are encouraged to act as individual risk managers in the performance of their duties. 2 Overview 2.1 Aim These procedures will not eliminate risk. Rather, the objective of these procedures is to ensure that IAS has a process in place to identify, evaluate and effectively manage all significant risks by adopting appropriate risk treatments to reduce risks to an acceptable level. This includes relevant Management Controls to ensure that the policy and risk mitigation strategies are adhered to. This procedure sets the framework and outlines the structure for managing risk within IAS. IAS believes that good policy will support procedures that will be used to manage the risks involved in all areas of the business, and hence provide stability to IAS s strategic plan and mission. The aim of these procedures is to ensure that: the appropriate policies and procedures are in place to ensure that IAS can properly identify, categorise, and respond to all operational risks that the business will be exposed to in the course of business; the firm s systems and procedures are continually monitored and updated; and Risk Management Policy 3

4 staff are properly trained in relation to their risk management obligations. 2.2 Policy AS/NZS ISO 31000: Risk Management requires that IAS: Establish a context This is the strategic, organisational and risk management context against which the rest of the risk management process will take place. Criteria against which risk will be evaluated should be established and the structure of the risk analysis defined. Identify Risk This is the identification of what, why and how events arise as the basis for further analysis. Analyse Risk This is the determination of existing controls and the analysis of risks in terms of the consequence and likelihood in the context of those controls. The analysis should consider the range of potential consequences and how likely those consequences are to occur. Consequence and likelihood are combined to produce an estimated level of risk. Evaluate Risk This is a comparison of estimated risk levels against pre-established criteria. This enables risks to be ranked and prioritised. Treat Risk For higher priority risks, IAS is required to develop and implement specific risk management plans including funding considerations. Lower priority risks may be accepted and monitored. Monitor and Review This is the oversight and review of the risk management system and any changes that might affect it. Monitoring and reviewing occurs concurrently throughout the risk management process. Communicate and Consult Appropriate communication and consultation with internal and external stakeholders should occur at each stage of the risk management process as well as on the process as a whole. Schematically, the risk management process is depicted in the following diagram: Risk Management Policy 4

5 2.3 Responsibilities IAS requires that all staff practice principles of risk management and to comply with policies, procedures and practices relating to good risk management. Each staff member, particularly those who manage or supervise other staff members, and who use or are responsible for IAS assets, are to act as individual risk managers in the implementation of these procedures Executive Responsible (Risk) An executive of IAS assumes responsibilities of managing IAS s Risk Procedures. The Risk Officer s responsibilities include: establish and monitor Risk Management Procedures; advise staff on the establishment, maintenance, updating and enforcement of risk management standards; conduct risk management reviews; maintain IAS s risk management procedures for changes to legislation, regulations, industry risk management standards, and operational structure; and develop, monitor and coordinate risk management training, including relevant monitoring and reporting. The work of the Risk Officer shall not detract from the responsibilities of other staff members to identify, develop, implement, or review the management control systems in their work area. Staff should not rely solely on the results of miscellaneous risk reviews in order to monitor adherence to established controls. Risk Management Policy 5

6 2.3.2 Audit Risk & Compliance Committee The Audit Risk and Compliance Committee has an overall mandate to advise on, and monitor, the overall compliance and risk framework and operating performance of the business. The Audit Risk and Compliance Committee may make recommendations directly to the Risk Officer, the Chief Executive Officer, and/ or the Board Board of IAS It is the Board of IAS that is responsible for formulating a framework for documenting the various risks of the business, and implement a systematic way of minimising and measuring those risks. Collectively the Board is responsible for: identification of strategic risks that impact upon the businesses mission; allocation of priorities; and the approval of strategic risk management plans Authority The Risk Officer, any nominated delegate, and members of the Audit Risk & Compliance Committee should have access to the personnel and records necessary for resolving risk issues and conducting risk reviews across the company. The Audit Risk & Compliance Committee is also authorised to seek all information and instruct the Risk Officer to conduct risk reviews as required Reporting The Risk Officer reports to the Chief Executive Officer on a day-to-day basis. In addition, the Risk Officer will report to the Audit Risk & Compliance Committee as required /directed in order to ensure that the Committee is fully informed on all risk matters. Each executive reports to the Chief Executive Officer in relation to their executive responsibilities within their functional area, and to the Risk Officer on specific risk issues. IAS s Risk Management structure is presented in Schedule A. 2.4 Administrative Procedures No contract, agreement or obligation shall be bound upon IAS without the sign-off of a Director or a delegate. The development of all strategies and contracts/agreements that may affect IAS s reputation or incur a liability against its assets or involve a breach of our common law duty and any statutory obligation shall include appropriate regard to risk management and assessment. Risk Management Policy 6

7 The Risk Officer shall: - conduct risk surveys from time-to-time and determine priorities for risk management activities. This may include participating in internal Strategy and Compliance Committee meetings; - conduct and/or arrange education sessions to ensure staff are aware of their responsibilities; - develop risk minimisation procedures, recommend the adoption of performance targets and monitor the progress of IAS s risk management activities. 2.5 Corporate Policies & Procedures A suite of corporate policies and procedures has been developed by IAS to assist in the management of the business s risk. These policies and procedures detail the framework under which the business is conducted, and how the actual compliance with, and performance of, these guidelines is monitored. 3 Risk Categories 3.1 Risk Category Definitions The risk categories are intended to help IAS to organise its risk identification and assessment activities. This will include all sources of risk from the perspective of all stakeholders internal and external. Areas of impact within IAS include: Assets This collection of risks addresses the Company s ability to protect its assets. This includes corporate reputation, physical access to premises, physical assets (such as computers, blank cheques) as well as data representations of assets (books and records, electronic funds transfer applications). People This collection of risks relates to IAS s ability to attract, retain and adequately manage/monitor its employees, and also manage risks relating to employee conduct. Continuity This collection of risks relate to IAS s ability to continue its operations in the event of a loss or failing. These can include business continuity planning, disaster recovery planning, key personnel and external/internal service level agreements. Financial This collection of risks addresses IAS s exposure to loss if transactions are not processed in accordance with service levels and acceptable market standards. This also includes liquidity risks that result from any inability to meet obligations as they come due without incurring unacceptable costs or losses. Information Technology This collection of risks relate to IAS s information technology capabilities and can included web access (both internal/external), reliability (i.e. service levels), data Risk Management Policy 7

8 integrity, reliance on spreadsheets/databases and access to local area network (i.e. , intranet, files). Legal/Commercial and Compliance This collection of risks relate to conformity with internal policies and procedures, as well as external commercial transactions and applicable laws and regulations with the exception of the MDA Regulatory Guide and Class Order. Management should ensure that appropriate personnel are versed in the pertinent procedures, laws and regulatory principles and requirements. Market This collection of risks relate to non-financial market risks and can include changes in financial market conditions (domestic and international equity market movements, economic changes), regulation, competitors, etc. External Investment Managers This collection of risks relate to relationships and mandates with external investment managers for IAS s product, and the conduct of the external managers. External Service Providers This collection of risks relate to the provision of services by external parties to IAS. Product This collection of risks relate to demand for new products and services, offer documents, representations and marketing materials, and competitors. Group Company & ASX Listing These various risks relate to, and recognise, the complexities and difficulties, that arise following the consolidation of various entities into one operating business. Operational These various risks relate to the operational service and delivery environment of IAS including client registry, portfolio administration, reporting and adviser servicing. MDA Compliance These various risks relate to the specific MDA requirements under the Regulatory Guide and Class Order. 3.2 Risk Ratings Where there is any doubt re the appropriate rating, staff should apply the next highest rating and consult with the Risk Officer. Where possible, quantitative data and risk expressions should be used to measure likelihood and impact of any identified risks. In some circumstances this may not be possible nor efficient or effective. Therefore a qualitative approach is acceptable. An example of a qualitative approach follows. Risk Management Policy 8

9 Likelihood Level Descriptor Description A Almost certain Is expected to occur in most circumstances B Likely Will probably occur in most circumstances C Possible Might occur at some time D Unlikely Could occur at some time E Remote May occur only in exceptional circumstances Impact Level Descriptor Example Detail Description 1 Insignificant Low financial loss, no disruption to capability, no impact on community standing, no impact on clients. 2 Minor Medium financial loss, minor disruption to capability, minor impact on community standing, low impact on clients. 3 Moderate High financial loss, some ongoing disruption to capability, modest impact on community standing, modest impact on clients.. 4 Major Major financial loss, ongoing disruption to capability, major impact on community standing, high client impact. 5 Fundamental / Catastrophic Qualitative Risk Analysis Matrix Level of Risk Mission critical financial loss, permanent disruption to capability, and ruinous impact on community standing, high client impact. Each component of the activity subject to a risk analysis should be evaluated for the likelihood and consequences as per the matrix below. Consequences Likelihood Insignificant 1 Minor 2 Moderate 3 Major 4 Catastrophic 5 A (almost certain) M H E E E B (likely) M H H E E C (moderate) L M H E E D (unlikely) L L M H E E (remote) L L M H H Legend E: Extreme risk; Immediate action required. H: High risk; Chief Executive Officer attention needed. M: Moderate risk; Executive responsibility must be specified. L: Low risk; Manage by routine procedures. Risk Management Policy 9

10 3.3 Risk Ratings & Controls A summary of IAS s risk rating and control schedules is presented in Schedule B. IAS will apply the following control procedures to reduce the likelihood, or the impact of the identified risks: Control Control 1 Compliance program 12 Maintaining registers 2 Training 13 Review/Inspection program 3 Appointment of specialist adviser 14 Contract conditions 4 Written procedures 15 Testing / Surveys 5 Written policies 16 Business continuity & disaster recovery plans 6 Staff supervision 17 Separation of activities/ resources 7 Insurance 18 Public relations 8 Authorisation procedures 19 Effective governance processes 9 Investment strategy monitoring 20 Succession planning 10 Market analysis 21 Physical access 11 Recruitment policy 22 Custody authorisation procedures 23 Reconciliations 1. Compliance program Comprises the compliance policies and procedures of IAS, including: GS007 Operational Controls; Audit Risk & Compliance Committee; Compliance Policies & Procedures. The program is designed to manage IAS s compliance obligations under its AFSL and also to ensure the administration of the product(s) comply with the offer documents and law. 2. Training Comprises the procedures that have been established to ensure all employees are compliant with AFSL training / CPD obligations. In addition, systems under which all staff obtain training as to internal corporate obligations and policies. 3. Appointment of specialist adviser Where IAS chooses to appoint an external expert to provide advice/service on a case by case basis. 4/5. Written policies and procedures IAS has established a suite of corporate policies and procedures designed to provide administrative guidance in all matters of corporate administration. The policies and procedures include: Compliance Code of Conduct / Employee Handbook Risk Management Policy Outsourcing Procedures Financial Resources Human Resources Policy & Procedures Risk Management Policy 10

11 Staff Training Procedures Privacy Policy Complaints Handling Policy IT Resources & Recovery Procedures Occupational Health and Safety Equal Opportunity, Discrimination and Sexual Harassment Securities Trading Policy Conflicts of Interest Policy Each of the above have detailed descriptions of the processes to be followed in each area and are required to be read by all staff involved in those areas. These documents are regularly updated by the Executive team and changes communicated to staff and the Board on a timely basis. 6. Staff supervision Scale of operation allows ongoing direct supervision by an Executive team to ensure proper adherence to corporate obligations and procedures. 7. Insurance IAS has established statutory insurance cover for: Public and Professional Indemnity Director and Officers Fraud Workers compensation 8. Company Authorisation procedures Authorisation procedures require that no contract or agreement, or obligation or payment can be executed without the sign-off of at least two Directors. All external communications relating to the MDA Service (e.g. Offer documents, annual reports, performance reports, marketing fliers, advertising material, website updates) must be authorised by the Chief Executive Officer. Any payments to staff and suppliers must be authorised by two authorised officers. Redemptions from Investment accounts can only be paid to the Company bank account. 9. Investment strategy monitoring Client portfolio compliance with the investment strategy is monitored daily for any areas where investment managers need to make changes to client portfolios to ensure consistency with the investment mandate. 10. Market analysis Executives continually review the financial services market through newspapers, specialist magazine subscriptions, seminars, and client feedback. This analysis will assist to manage the risk of business devaluation through competitive pressure (eg choice of investment strategies, provider integrity, etc) or proposed legislative changes. 11. Recruitment policy Risk Management Policy 11

12 Recruitment Policy ensures that all new & existing employees are adequately recruited, and retained in the business. The recruitment controls assist to prevent the hiring of inadequate personnel. Such control measures include criminal and reference checking from previous employers, job descriptions that match the skill sets obtained from potential employees, and psychometric testing of each candidate for suitability to the role where appropriate. Control also provides basis under which resources needs of the business is addressed and managed. 12. Maintaining registers The control provides an auditable trail that the required obligations have been fulfilled. For example, this includes: statutory disclosures (eg security interests and trading), training, assets, complaints, compliance incident/breach reporting, related party & conflicts. Registers can be reviewed by external parties ie the Audit Risk & Compliance Committee and the IAS Auditor. 13. Review/Inspection program The inspection program (which complements Control No. 1) involves such things as: internal audit of systems/processes, visits to external service providers, etc. 14. Contract conditions IAS has entered into a number of contractual arrangements with external service providers. The major service provider contracts include: Custodians Investment Managers IT Software vendors IT Hardware vendors Other IT Services. Each contract specifically documents the required services (and service standards), and provides IAS will various relief conditions should the service provider fail to perform as required under the contract. All staff are employed under an employment contract with some staff including the Chief Executive Officer bound by restraints. 15. Testing / Surveys The Testing/Survey program involves such things as: internal or external parties reviewing performance against required service benchmarks staff/client surveys, etc. Risk Management Policy 12

13 16. Business continuity & disaster recovery plans The control is designed to ensure IAS can continue to operate in all circumstances. IAS maintains a disaster recovery / business continuity plan. This plan establishes procedures to allow IAS to re-establish business operations at short notice. Data files are back-up daily, stored off-site and can be recreated the following day. The major outsourced service providers have disaster recovery plans as part of contractual arrangements. 17. Separation of activities/ resources All activities involving assets of IAS and that of the client Discretionary Accounts are managed through separation of duties/activities. The use of some outsourced providers further increase separation. 18. Public relations Provides the basis under which IAS can: Market itself on a single voice / consistent basis; and Respond to general market concerns (eg insolvency/collapse of industry participants). In addition, the control recognizes IAS s membership of recognized industry representative bodies, complaints schemes, etc. 19. Effective governance processes Governance processes involves ensuring that the business administration, client relations, asset protection, related party transactions etc are conducted having regard to good corporate practice. Processes have regard to industry service standards, etc. 20. Succession planning / Skill sharing IAS supports both employee development/advancement, and also the gradual retirement and introduction of new executives/employees into the business. In addition, procedures are in place to ensure that employees are cross trained in order to ensure that no one function is unique to one person 21. Physical access All activities aimed at reducing unauthorised access to physical assets. 22 Custody authorisation procedures Authorisation procedures require that any proper instructions to the sub-custodian must be authorised by two authorised officers. 23 Reconciliations All activities aimed at reconciling IAS records to counterparties or external records to validate a source of truth. Risk Management Policy 13

14 4 Reporting and Management of Risk Incidents 4.1 Aim To ensure that all risk incidents are promptly investigated, rectified and reported as appropriate, and to standardise reporting by each business unit. 4.2 Action upon discovery Upon discovery of a risk incident, the responsible executive is to investigate the incident to determine whether a breach has occurred, establish the severity of the incident, and establish a Risk Treatment Schedule and Risk Plan to manage the risk in the future (see Schedule D). If corrective action can occur without causing unnecessary delay, this can be completed and noted on the report prior to forwarding it to Risk Officer. Otherwise details of corrective action notified as soon as it has been determined and agreed with Risk Officer. Low risk incidents may be reported to the Risk Officer monthly. A high risk incident that has immediate effect, or breaches of law, must be reported to ASIC as per the IAS Compliance Policy. In exceptional circumstances the person discovering or investigating a risk incident may report it directly to the Chief Executive Officer. Such circumstances may arise where the person discovering or investigating a serious incident believes that a very real conflict of interest or a very high risk of management interference may prejudice the proper handling of a matter. 4.3 Assessment and Reporting by Risk Officer The Risk Officer will review the risk assessment and proposed action plan and determine the appropriate escalation requirements. If it is confirmed as a reportable incident the Risk Officer will record the incident in the Risk Register. All confirmed risk incidents will be reported/escalated to the Chief Executive Officer as required by the Compliance Policy, and the Audit Risk & Compliance Committee. 5 Documentation The risk assessment and documentation is to be reviewed and accepted by the Risk Officer. Where external consultant expertise is obtained, the risk assessment will also be reviewed and countersigned by that party. The Risk Officer will maintain a Risk Rating and Control Schedule, and Action Plan in the standard form. For each risk identified, a Risk Register records: Source; Nature; Existing controls; Consequences and likelihood; and Risk Management Policy 14

15 Initial risk rating. A template of the Risk Register is provided in Schedule C. A risk treatment and action plan documents the managerial controls to be adopted and contains the following information: Who has responsibility for the implementation of the plan; What resources are to be used; Budget allocations; Implementation timetables; and Details of the control mechanism; and Frequency of review of compliance with the treatment plan 6 Risk Management (Compliance) Reviews Risk Management reviews are conducted as required under IAS s compliance obligation (or as required from time to time) by the Risk Officer and other IAS staff. Generally reviews will be focussed on particular activities identified as carrying a high operational risk and with a high compliance impact. The procedures for conducting and reporting of reviews are outlined in the Compliance Procedures. 6.1 Background Risk reviews are conducted to establish whether operational processes comply with legislative requirements and other risk obligations and to review areas identified as being of significant risk. The risk review is designed to provide management with an independent and comprehensive evaluation of risk management effectiveness. A review will generally consist of detailed examination of selected processes to check that they meet ongoing best practice, that operational staff are applying relevant risk controls and adhering to the relevant processes and procedures, and that outputs comply. The risk review includes a report provided to the Chief Executive Officer and Audit Risk & Compliance Committee highlighting strengths and weaknesses of the risk management efforts of the function or area reviewed. It will include agreed remedial action plans for addressing any identified risk management issues and the underlying process/procedure weakness or failure. The risk review report will also be provided to the Executive responsible for the functional area being reviewed in order to ensure that they are empowered to, and participate in, any remedial actions required. In certain circumstances the remedial action may require disciplinary action including referral to ASIC. Risk Management Policy 15

16 6.2 Preparation and Conduct of the Review Prior to its commencement the Executive responsible for the business area being reviewed and the Risk Officer should approve the review scope and methodology. The procedure for each review will depend on the area, process or function being reviewed. However, reviews will generally involve: Reference to legislation, regulations, contracts or corporate policies; Interviews with relevant staff; and Review of procedures, documentation and compliance controls. The risk management controls should be reviewed to ensure that they adequately reflect the relevant risk management obligation. It is not always sufficient to say that a process is complying without actually checking the documentation or background as evidence that it is. 6.3 Documenting the Review A template for scoping and reporting results of reviews is attached as Schedule E. The content of the review should be discussed by the relevant officer and the Risk Officer prior to the report being finalised. It is important that this step occur to ensure that all parties are satisfied with the outcome of the review, and that the review has been conducted within the agreed scope. 6.4 Sign-off Prior to the report being finalised, it should be signed off by the reviewer / relevant officer; and the Risk Officer. A copy of the Executive Summary together with the completed Risk Action Plan and Report will be maintained in the IAS s Risk records. 7 Reporting on Risk Reviews The results of the reviews will be formally reported to the responsible executive with a request that rectification of any issues is to be completed. Compliance incidents discovered in the course of a review are to be managed in accordance with the Compliance Policy. 8 Training and Awareness The Board must ensure that employees understand the importance of risk management, the way in which the risk management process works and their responsibilities with regard to the operational procedures. Staff must be made aware of their responsibilities for reporting of breaches of this Policy. The Risk Officer is responsible for championing the development and delivery of IAS s risk management training. Risk Management Policy 16

17 9 Non-compliance with these procedures Incidents of wilful non-compliance with this Policy are considered to be serious and may be grounds for dismissal. 10 Update to Policy This Policy will be reviewed and updated as required at least annually. 11 Point of Contact The Risk Officer is the point of contact for matters arising from this Policy. Risk Management Policy 17

18 SCHEDULE A Risk Management Responsibilities Board of Directors ASIC & Auditor Audit Risk & Compliance Committee Chief Executive Officer External Service Providers Risk Officer Executive Officer (Business Head) Executive Officer (Business Head) Risk Management Policy 18

19 SCHEDULE B Risk Ratings & Controls Category High (4-5) Medium (2-3) Low (1) Company Assets People Continuity Financial Information Technology Legal, Commercial & Compliance Market Investment Managers Product External Service Providers Group Company & ASX Listing MDAs Risk Management Policy 19

20 SCHEDULE C Risk Incident Register Risk Id No. / Date Source of Risk Nature of Incident Existing Controls Consequences and likelihood Initial Risk Rating Risk Management Policy 20

21 SCHEDULE D Risk Treatment Schedule and Plan Function / Activity Risk Ref Date of review Summary Recommended response and impact Risk Rating after treatment - Action plan 1 Proposed actions 2 Resources requirements 3 Responsibilities 4 Timing 5 Reporting and monitoring required Compiler Date Reviewer.. Date Risk Management Policy 21

22 SCHEDULE E Risk Management Review Executive Summary & Sign Off Executive Summary Review Number: xx/year Short Name: Functional Area: Process & Relevant Risk Management Obligation Reviewed: (summary) Scope: (summary) Results: (general statement of findings) Conclusion: (satisfactory/requires improvement/unsatisfactory) Remedial Action: - Risk Treatment Schedule & Plan attached Yes / No Date: # Any compliance incidents will be reported on the Compliance Incident Report and the actions will be monitored by Executive Responsible (Risk) and reported in accordance with the Compliance Policy. Sign Off The undersigned have accepted the results of the Review, and agreed that the proposed remedial action (if applicable) and reporting of results are appropriate. The results of all compliance reviews will be reported to the Executive responsible for the area being reviewed, the Chief Executive Officer and the Audit Risk and Compliance Committee. Risk Officer Executive Responsible Chief Executive Officer Date Date Date Risk Management Policy 22