MLC Nominees Pty Limited ( Trustee ) RSE Licensee No. L ABN AFSL No RSE Registration No. R

Transcription

1 MasterKey Custom Superannuation Fund Risk Management Plan Dated MLC Nominees Pty Limited ( Trustee ) RSE Licensee No. L ABN AFSL No RSE Registration No. R Miller Street, North Sydney, New South Wales Page 1

2 Document Control Version 4.3 dated Document Change Control Document Details Amendments Version 1.0 Dated 18/08/05 Initial draft for review Version 1.1 Dated 19/08/05 Minor changes following further agreed research by Risk Standard Leader APRA Trustee Licensing Project. Version 1.2 dated 25/08/05 Incorporates changes from GM, Risk Management WMS, and Head of Risk WMS. Version 1.3 Dated 12/09/05 Following APRA letter 26/08/05 the inclusion of the Risk Register as applicable to Fund risks. Version 2.0 dated 23/09/05 Incorporating Directors feedback and the additional clarification inserted following the APRA letter 26/08/05 requesting changes. Version 2.1 dated 26/09/05 Correction of minor typos in version 2.0. Version 2.2 dated 27/09/05 Changes following input from the CEO 26/09/05. Version 2.3 dated 28/09/05 Changes following input from the Chairman, plus GM Risk Management clarification on timing of Fund Operational Compliance Plan commencement. Version 3.0 dated 10/10/05 Changes as per Board meeting 10/10/05. Version 4.0 dated 1/05/06 Changes requested by APRA 12/04/06. Version 4.1 dated 1/05/06 Changes requested by APRA 12/04/06 with dollar financial parameters in the Risk Consequence Guidelines Table. Version 4.2 dated 1/05/06 Changes requested by APRA 12/04/06 with the Risk Consequence Guidelines Table exactly mirroring the RMS Table. In addition, Risk Management Group term updated with the new name Risk and Governance, and mention made that SLA, TCP & OCP are now in place. Version 4.3 dated 31/05/07 Changes as a result of Trustee transfer from MLCI to MLCN and the MLCN annual review process Sign-off for MLC Nominees Pty Limited. Name Function/Role Date Board of Directors Board of Directors Meeting 23 May 2007 Document Approval Name Function/Role Date Basil Foulkes GM Risk Management WMS 22 May 2007 James Wincott Head of Operational Risk WMS 22 May 2007 Deborah Latimer Head of Compliance WMS 22 May 2007 Brian Marriott COO Office of the Trustee 22 May 2007 Page 2

3 Table Of Contents 1. INTRODUCTION PARTIES RESPONSIBLE FOR THE RISK MANAGEMENT PLAN THE TRUSTEE AND RISK MANAGEMENT EVENT MANAGEMENT THE INVESTMENT STRATEGY REPORTING REVIEW, MONITORING AND MAINTENANCE OF THE RISK MANAGEMENT PLAN INDEPENDENT REVIEW COMPLIANCE STATEMENT DEFINITIONS...16 APPENDICES...20 APPENDIX A RISK REGISTER...21 APPENDIX B CONSEQUENCE RATING GUIDELINES...33 Page 3

4 1. Introduction This document represents the Risk Management Plan for the Fund and forms an important part of the Trustee s overall governance approach. This plan has been prepared to enable the Trustee to submit, obtain and retain a Registrable Superannuation Entity licence from the Australian Prudential Regulation Authority and has been formulated to comply with Section 29P of the Superannuation Industry (Supervision) Act 1993 (Cth). The Trustee is committed to implementing and supporting this Plan. The Plan is subject to change. 1.1 Purpose The purpose of this Plan is to inform interested parties, including Members, of the Risk Management Framework in place in relation to the Fund. In addition, the processes and procedures set out in the Risk Management Plan are critical to ensuring the protection of Member funds through effective Risk Management in MLC Nominees and its Service Providers. This document is available free of charge from either our internet site or by phoning free call The Risk Management process followed and the Risk Management Plan itself has been established with reference to the following guidance: ASFA Best Practice Paper No. 19 A Risk Management Framework for Superannuation Funds the requirements set out in the Superannuation Safety Amendment Act 2004 (Cth) the Australian Prudential Regulation Authority Superannuation Guidance Note SGN Risk Management ; and Australian and New Zealand Standard - AS / NZS 4360:2004 Risk Management. The Trustee has developed the Risk Management Plan to: assist it in managing the Material Risks it has identified in its own operations and in the operations of the Fund; and provide assurance to Members and other stakeholders that significant Risks are being identified and managed. The Risk Management Plan is used to demonstrate the Trustee s methodology in: identifying the Material Risks of the Fund measuring the Likelihood of the Risk occurring and the impact on the Fund should the Risk occur; and assessing adequate Controls are in place to manage the Risks. This methodology is also used to recognise and analyse Risks associated when changing processes, offering new products or classes of membership, moving premises or changing systems and personnel. The Trustee recognises it will not entirely eliminate most Risks identified, however it attempts to manage the Risks and ensure that the Risks are kept to acceptable levels. Page 4

5 2. Parties Responsible For The Risk Management Plan 2.1 The Trustee The Trustee of the Fund is MLC Nominees (RSE Licence Number L ). MLC Nominees is an Approved Trustee under the Superannuation Industry (Supervision) Act 1993 (Cth). The Trustee is responsible for protecting the rights and interests of Members and is accountable to them for the management of the Fund. MLC Nominees is also the approved trustee for other Registrable Superannuation Entities, being the National Australia Personal Superannuation Fund (RSE Registration Number R ), which is closed to new investors and will be wound up within the next twelve months, The Universal Superannuation Scheme (RSE Registration Number R ), and HML Superannuation Fund (RSE Registration Number R ) which is closed to new members, all publicly regulated superannuation funds. In order to assist in the discharge of its duties, the Trustee outsources a number of key functions through Service Level Agreements to the parties nominated under The Fund Administrator. The day to day implementation of the Trustee s Risk Management Framework is outsourced to National Wealth Management Services Limited. The Trustee has established a Risk Committee and delegated certain responsibilities to that Committee. The role of the Risk Committee is described below. 2.2 The Risk Committee The Risk Committee is responsible for the oversight of the implementation of the Risk Management Framework and the Board reviews the Risk Management Framework at least annually. The Risk Committee monitors the appropriateness and implementation of Controls on behalf of the Trustee. Comprehensive reports are delivered to both the Board and Risk Committee on a quarterly basis. The Board and Risk Committee receive and review comprehensive information on Risk and compliance activities and any issues requiring further attention of the Trustee. 2.3 Wealth Management Risk and Governance The Wealth Management Risk and Governance area is responsible for the development and facilitation of the Risk Management Framework. Additionally, this area is responsible for the education of the Service Providers at all levels, in relation to Risk and compliance initiatives and processes. Page 5

6 2.4 The Fund Administrator The Trustee has delegated all Fund administration functions to the Service Providers including management of Member accounts, and all other operational elements (except for custodial arrangements) involved in managing the Fund. Custodial arrangements have been outsourced to RBC Global Services Australia Pty Limited ABN Service Level Agreements have been entered into by the Trustee with the Service Providers. These agreements outline amongst other things, the nature of the services to be provided and the nature of the monitoring and reporting required. 2.5 MasterKey Custom Superannuation Fund The Trust is governed by a trust deed which is dated 22 March 1993, as amended. 2.6 Major Stakeholders in this Risk Management Plan The Fund is operated for the benefit of its Members, as is the Risk Management program. Other stakeholders who have an interest in, or are affected by the operation of the Fund, are: The Trustee The Service Providers; and The Regulators the Australian Prudential Regulation Authority and the Australian Securities and Investments Commission. 3. The Trustee and Risk Management 3.1 The Risk Profiling Methodology The strategy, policy and procedure for Risk identification, assessment and treatment is described as Risk Profiling. Risk Profiling is a structured assessment of the Fund s environment to identify potential Risks to achieving its objectives and to ensure that they are appropriately managed through the implementation of Controls. Risk Profiles are kept up to date by monitoring changes in the environment, assessing the potential impact and Likelihood of those changes and if required, initiating enhanced related Controls. The MLC Nominees Board and Risk Committee consider and approve their risk profile annually, whilst the Service Providers consider and approve their Risk Profile six monthly. Page 6

7 3.2 Risk Profiling Process Identifying and Assessing Risks The Risk Management Process begins with an annual Risk workshop in which the Trustee Board identifies, analyses and assesses each Material Risk. Treatment Strategies are reviewed and subsequently any required enhancements are monitored by the Board. Scope of Material Risks The Risk Management Plan addresses Material Risks relevant to the Fund. The effective management of these Risks is a critical element of MLC Nominees role as Trustee and in the delivery of its strategic Risk objectives. The Material Risks identified in the Risk Register (Appendix A) relate to the following broad Risk categories: 1. Trustee / Fund Governance functions of the Trustee Board in regards to potential conflicts of interests and related party transactions 2. Investment Risks setting and achievement of investment objectives and strategies, monitoring and review of investments or investment managers 3. Liquidity Risk Managing cashflows to meet Member obligations, investment settlements and other fund costs as they arise 4. Outsourcing Risk selection, appointment and monitoring of service providers to ensure obligations of the Service Level Agreements are met 5. Insurance Risk the Risk of some loss, damage etc in regards to Members insurance claims, payment of claims and remittance of premiums to insurers 6. Business Continuity / Disaster Recovery Planning loss of business operations due to the business continuity or disaster recovery arrangements being inadequate, incomplete, non-existent or not appropriately tested 7. Legal / Regulatory Risk Risk of loss due to failure to meet legal and /or regulatory obligations; and 8. Operational Risk the Risk of loss resulting from inadequate or failed processes, people and systems or from external events. The Trustee s Risk Appetite has been established by the Trustee. If the current Residual Risks were to exceed this Appetite, Action Plans would be developed. Page 7

8 Risk Rating Consequence and Likelihood During the review process, each Risk is rated in terms of its: Consequence (impact on Fund) - refer Appendix B for details; and Likelihood (probability of occurrence). The ratings are based on the Likelihood and Consequence ratings below. The Likelihood rating assessment is based on the following criteria: the anticipated frequency of occurrence the external environment procedures / Controls currently in place; and history of breaches and audit items. The Consequence rating assessment is based on the following pre-determined criteria: financial considerations impacts on reputation regulatory impacts affect on the management of the Service Providers; and impact on staff. Once the factors are considered, each Risk is classified according to its probable Consequence and Likelihood into the following categories: Consequence Catastrophic Almost certain Major Likely Moderate Possible Minor, or Unlikely, or Insignificant Rare Likelihood Page 8

9 Each Risk is then given an Inherent Risk rating according to the interaction of its Likelihood and Consequence as outlined in the Risk rating matrix below: CONSEQUENCE INSIGN. MINOR MODERATE MAJOR CATASTR ALMOST CERTAIN MED MED HIGH HIGH HIGH LIKELY LOW MED MED HIGH HIGH LIKELIHOOD POSSIBLE UNLIKELY LOW LOW LOW LOW MED MED MED MED HIGH HIGH RARE LOW LOW LOW MED MED After examining the effects of the Controls in reducing the Likelihood and Consequence of the Risk, Risks are re-rated by reference to the Risk rating matrix table. Controls are verified by Wealth Management Risk and Governance and their effectiveness determines the level of Residual Risk retained by the Trustee. 3.3 Risk Treatment Using all of the information gained, actions are then proposed and decisions made as to whether the Trustee should: accept the level of Risk considering the Trustee s Risk Appetite and the benefit to be obtained from enhancing the current Control environment in relation to costs involved reduce the potential Consequences or Likelihood by modifying / strengthening the Control environment through implementing Action Plans transfer the Risk associated with the activity eg through insurance, termination or outsourcing the activity; and / or terminate the activity if Residual Risks are deemed to exceed the Trustee s Risk Appetite. The level of Risk Appetite the Trustee accepts is reflected as the Residual Risk in the Fund s Risk Register. Where Risk Appetite is breached, Controls and Action Plans are instituted to return the Risk back within tolerance. Page 9

10 3.4 Ensuring Compliant Outcomes Wealth Management Risk and Governance utilise the Wealth Management Risk Management systems to support the Risk Profiling process. Compliance plans are in place which enables the Trustee and management to understand their obligations and the Controls in place, including monitoring arrangements, to meet those obligations. The Compliance Team within Wealth Management Risk and Governance undertake independent verification and testing of these Controls so as to ensure compliant outcomes are in place and operating. By following this process the Trustee receives assurance that the Controls are robust and effective in meeting the required obligations. To assist this process, management, the Trustee, and the Compliance Team have available to them a number of tools. These tools include entity level and operational compliance plans, self assessment tools and verification programs. 4. Event Management Where an Event occurs, the Event Owner in conjunction with Wealth Management Risk and Governance is responsible for the management of the Event on behalf of the Trustee. The management process may include any of the following, which may operate concurrently: Identification and Reporting The Event Owner identifies, records and reports the Event to senior management of the Service Providers and Wealth Management Risk and Governance. Assessment and Containment The Event Owners and Wealth Management Risk and Governance then ensure that any financial loss is assessed and contained and that short term measures are in place to ensure that further loss is mitigated. This may involve discussions with relevant staff and management of the Service Providers and briefing the Risk Committee / MLC Nominees Board. Where appropriate, any short term measures invoked would be agreed to by the MLC Nominees Board and may include system adjustments, changes to processes, and if necessary, liaising with third parties. Investigation and Management Wealth Management Risk and Governance shall investigate how the Event occurred, whether any current Controls in place were breached and whether the incident is systemic in nature. Where appropriate, Wealth Management Risk and Governance shall then make a recommendation to the Risk Committee / MLC Nominees Board and develop long term strategies to manage the Event in the future (see Post Event Analysis below). Reporting Wealth Management Risk and Governance on behalf of the Trustee shall ensure that any breach of Controls within the Risk Management Plan are reported to the Australian Prudential Regulation Authority within 14 days of Wealth Management Risk and Governance becoming aware of the breach. Where the Event results in the Risk Management Plan being amended, a copy of the amended document must also be provided to the Australian Prudential Regulation Authority within 14 days of the amendment being made. In addition, the Event Owner and Page 10

11 / or Wealth Management Risk and Governance shall prepare a written report for the Risk Committee to the MLC Nominees Board. The report shall include as a minimum: details of the loss incurred the cause of the breach short and long term remedial action taken; and a copy of the breach notice provided to the Australian Prudential Regulation Authority. The breach shall then be recorded in the Event Management database (the breach register ). Reassessment Wealth Management Risk and Governance shall re-assess the relevant Risk in view of the Event occurring. Amendments to the Control environment or systems shall be tested with the assistance of management of the Service Providers, using an agreed testing plan. Further, any system or process changes shall be communicated to the relevant Service Providers and appropriate training provided where necessary. Generally, any Events (and subsequent reporting and adjustments) are viewed within a context of continuous improvement and an opportunity to improve processes, controls and skills. Post Event Analysis Wealth Management Risk and Governance, on behalf of the Trustee will review any Events with a view of improving the Risk Management Process. Critical Incidents Disruption to business activity Where Events occur which prevent or disrupt the Fund from operating in its normal environment, Wealth Management Risk and Governance shall inform the MLC Nominees Board via the Office of the Trustee and work with them in managing the Event. The Service Providers are required to have appropriate arrangements in place to support the Trustee should a critical incident occur. These arrangements are reviewed (6 monthly) and tested (at least annually) by the Service Providers in conjunction with Wealth Management Risk and Governance to determine their effectiveness and to identify any areas for improvement. 5. The Investment Strategy The Funds provide access to a broad range of investment options. The Trustee has established criteria under which the Platform Investment Committee ( PIC ) operates. The PIC has an independent chair and an independent director of the Trustee Board included amongst its members. The Trustee approves each investment sector offered to members and sets clearly defined criteria for each type of asset that can Page 11

12 be offered within that investment sector to members. Within the criteria approved by the Trustee, the PIC is delegated to approve the addition or removal of particular investment options to members. The responsibility of the PIC in relation to superannuation entities is as follows: Comply with, and take steps to ensure that the Trustee complies with section 52(2) of the SIS Act in making decisions in relation to investment options. This includes ensuring that the following matters (and any other relevant issues) are taken into account, having regard to the whole of the circumstances of the Superannuation Entity: (1) The Risk Profile of each investment option (2) Diversification issues i.e. making sure that the Funds have appropriate type and number of investment options in order to facilitate Members being able to achieve by their own selection a diversified portfolio (including making recommendations to the Trustee in relation to diversification requirements) (3) The liquidity of each investment option; and (4) The ability of the Superannuation Entity to discharge its liabilities recommend guidelines and assessment criteria to the Trustee under which the Investment Policy Team must base any recommendation to the PIC in relation to an investment option, including considering any recommendations made by the Investment Policy Team in relation to those guidelines and assessment criteria; review recommendations from the Investment Policy Team in relation to investment options and, if appropriate, approve the inclusion or removal of investment options in or from the PDS of the Superannuation Entity in accordance with the Trustee s approved criteria; review and monitor on an ongoing basis the investment options set out in the PDS of the Superannuation Entity to ensure that the investment options continue to be appropriate; ensure that information in relation to the investment options set out in the PDS of the Superannuation Entity is available and is updated as required, in accordance with Regulation 4.02 of the Superannuation Industry (Supervision) Regulations 1994 (Cth) and the APRA Superannuation Circular No. II.D.1 Managing Investments and Investment Choice; ensure that risk management statements are obtained and kept for each managed fund investment option set out in the PDS for the Superannuation Entity and, where required under the SIS Act, ensure that a properly executed risk management statement is in place for the Superannuation Entity; determine and communicate to the Investment Policy Team the voting direction of the Trustee in relation to all relevant corporate actions in accordance with the guidelines approved by the Trustee; make recommendations to the MLC Nominees Board to add investment sectors to, or remove investment sectors from, the PDS for the Superannuation Entity; review the annual reports of companies, the subject of listed investment options and notify the MLC Nominees Board of any audit qualifications; notify the MLC Nominees Board of any significant adverse event in relation to an investment option or material breach of a Fund s investment strategy by an Investment Manager or issuer in relation to an investment option that come to the attention of the Committee; ensure that, in respect of each managed fund investment option, a service level agreement is in place between the Investment Manager and the relevant Company. Each agreement must be in terms that are consistent with relevant industry standards, the general policies and procedures of the Companies and any obligations that the Companies may have to other companies in the Wealth Management Group; and Page 12

13 where an investment option has been (or may be) removed from the PDS of the Superannuation Entity, determine whether interests in the investment option should be sold on behalf of relevant Members in accordance with the SIS Act and Regulations and the governing rules of the Superannuation Entity. For each investment option, MLC Nominees Pty Limited invests all moneys as instructed by the Member in accordance with the investment option selected. Derivatives Statement The Fund does not allow any direct investments in financial derivatives, except where derivative securities are acquired as a result of a corporate action in relation to some other investment of the Fund. However, some of the available investment options may invest in derivatives, with details of such located in the disclosure documents for that option. Derivatives are financial instruments such as options, futures and swaps that are derived from their underlying securities and currencies. These instruments are generally used to hedge against risks from swings in securities prices or fluctuations in interest or currency rates. 6. Reporting The Risk reporting framework is fundamental to a sustainable and effective Risk Management Framework. The Service Providers are responsible for managing the Material Risks identified and reporting on these to the Risk Committee and / or Board on a regular basis. The flow of information and various assurances from the Service Providers up through to the MLC Nominees Board enable the Board to determine that all Risks are being managed within the Board s Risk Appetite. Confirmation that independent monitoring has been done, its scope, and the results will also be included in the Risk report. Wealth Management Risk and Governance reports to the Risk Committee and / or Board on a regular basis on the effectiveness of the Risk Management Framework. The Risk Committee will refer any issues it considers warrant consideration by the MLC Nominees Board to that Board for oversight, approval or action. 7. Review, Monitoring and Maintenance of the Risk Management Plan The Trustee is required to review this Risk Management Plan at least once a year to ensure that it complies with section 29P of the Superannuation Industry (Supervision) Act 1993 (Cth). This may be more often where the Trustee becomes aware of changes necessitating a review. If the Trustee becomes aware at any time that the Risk Management Plan does not comply with section 29P, it will modify, or repeal and replace the Risk Management Plan. The Trustee will also review the Risk Management Plan if it becomes a licensee for another Registrable Superannuation Entity, or becomes an acting trustee of a superannuation entity under Part 17 of the Superannuation Industry (Supervision) Act 1993 (Cth) of a fund following the Page 13

14 suspension or removal of the former trustee (and in the event of any of these circumstances occurring, the review of the Risk Management Plan must be completed within 60 days). The Trustee acknowledges there may also be occasions where the Australian Prudential Regulation Authority directs it to modify the Risk Management Plan and the direction must be carried out in a format and timeframe specified by the Australian Prudential Regulation Authority. If the Risk Management Plan is modified, repealed or replaced, a new Risk Management Plan, signed by the Trustee, will be provided to the Australian Prudential Regulation Authority within 14 days. There is no concession for materiality in the requirement to report modifications to the Australian Prudential Regulation Authority. Any modification in respect of the nature, assessment, Control, treatment, oversight and reporting of specific Risks or processes and Controls in general will be reported to the Australian Prudential Regulation Authority. All revisions to the Risk Management Plan must be reviewed and approved by the Risk Committee and the MLC Nominees Board. 8. Independent Review The MLC Nominees Board will ensure that an external auditor is appointed via a letter of engagement to perform an annual review. The auditor is required to report on whether: the Risk Management Plan is up to date in terms of its content, legislation, Fund or Trustee changes since the last review the Controls for any given Risk remain in place and are relevant and appropriate the items in the Action Plan are being managed and completed in the estimated time frames the Trustee has correctly reported to the Australian Prudential Regulation Authority any breaches of, amendments to or replacement of the Risk Management Plan Wealth Management Risk and Governance has performed a review of the Risk Management Plan; and Risk is being considered where the Trustee or Fund has initiated any additional services or where any other events have occurred which may trigger a review of the Risk Management Plan. If satisfied, the auditor will attest in writing that the Risk Management Framework adopted by the Trustee to identify, assess, control and review its identified Risks has been implemented and is operating effectively. The findings from the audit (if any) will be reported to the Risk Committee. The Risk Committee will then refer any issues it considers warrant consideration to the Board for oversight, approval or action. On an ongoing basis, the Risk Committee will oversee the successful resolution of the audit findings. Internal Audit and Wealth Management Risk and Governance are directed by the Risk Committee to monitor the implementation of appropriate Action Plans to address the findings from the audit undertaken. Internal Audit will report to the Risk Committee on the progress made by the Service Providers to implement the Action Plans. In addition, Internal Audit will meet with the independent approved auditor at least annually in order to discuss the annual audit. Page 14

15 9. Compliance Statement By formally signing and adopting this document as its Risk Management Plan, the Trustee certifies that it agrees with the methodology used in its compilation. The Trustee Board of Directors acknowledges that this document represents its Risk Management Plan and confirms that, in its opinion, it complies with Section 29P of the Superannuation Industry (Supervision) Act 1993 (Cth)... Signed Chairperson Dated 04/06/2007 Page 15

16 10. Definitions The following provides the definitions of key terms used throughout this document: AC : Almost certain. Action Plan : The agreed activities to assist the Service Provider to implement appropriate controls which are consistent with the Trustee s tolerance levels. APRA : Australian Prudential Regulation Authority. ASIC : Australian Securities and Investments Commission. BCM : Business Continuity Management. BCP : Business Continuity Planning. Catastr. : Catastrophic. CEO : Chief Executive Officer CIO : Chief Investment Officer. COO : Chief Operating Officer MLC Nominees Consequence : The assessment of how significant the exposure to a particular Risk could be to the Trustee and / or Fund. Control : An existing process, policy, device, practice or other action that acts to minimise Risk. Custodian : RBC Global Services Australia Pty Limited ABN AFSL , DRP : Disaster Recovery Plan. Event : A breakdown in Controls or incident which has or could lead to reputational and/or financial loss or any change that a Member would expect to be informed of. Event Owner : The party responsible for identifying, recording and reporting the Event to the senior management of the Service Provider. Fund : MasterKey Custom Superannuation Fund RSE Registration No. R Page 16

17 HOPS : Head of Platform Services, responsible for investment policy and research for the MLC group. Inherent Risk ( IR ) : Initial Risk rating assessment - the measure of the Likelihood and Consequence of each Risk occurring if Controls do not exist or if the documented Controls are not operating as intended. INS : Insignificant Li : Likely. Likelihood : The assessment of how likely it is that the Trustee and / or Fund could be exposed to the Risk. Maj : Major. Material Risk : The Superannuation Industry (Supervision) Regulations 1994 (Cth) section 4.07A defines material risk as those Risks that have the potential, should they be realised, to adversely affect the interests of Members or beneficiaries of the RSE operated by the Trustee or have a significant impact on the Service Provider operations, reputation, rate of return, profitability, or net assets of the Trustee. The Trustee Board considers such a definition to be appropriate in relation to its responsibilities and Fund operations. Member : A person who has been admitted to membership of the Fund for so long as he or she participates in the Fund. MLC Nominees : MLC Nominees Limited ABN AFSL No , RSE Number L (a wholly owned subsidiary of MLC Holdings Limited ABN ). Mod : Moderate. Outsource : The contractual transfer of the operational management of an internal business process to a third party. P : Possible. PDS : Product Disclosure Statement. PIC : Platform Investment Committee which has had delegated to it by the MLC Nominees Board of Directors (as well as other MLC entity Boards of Directors) ) the functional task for exercising the rules for policies and the investments offered. PIRP : The Public Information Release Process Page 17

18 Process : A group of logically related activities / tasks that, when performed, use the resources of the Trustee and / or the Service Provider to produce definitive results, or transform the input data through a series of activities / tasks (procedures) into a product or service (ultimate output of the process). Residual Risk ( RR ) : Net Risk rating assessment - the measure of the Likelihood and Consequence of each Risk occurring once the documented controls are operating and effective. Risk : The chance of something happening that will have an impact upon the (Trustee / Fund) objectives. Risk Appetite : Risk appetite is defined as the exposure to, or potential adverse impact arising from an Event, that the Trustee is willing to accept. The level of risk appetite the Trustee accepts is reflected as the Residual Risk in the Trustee's Risk Register and the Risk Register for the Fund it administers. Risk Management : The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects. Risk Management Framework : MLC Nominees framework for managing Risk, specifically: the process for systematically identifying, managing and mitigating the Risks associated with MLC Nominees and its Service Providers the process for determining Likelihood and for considering the Consequences if the identified Risk was to occur the process for assigning an overall Risk rating based on the interaction of the Likelihood and the Consequence ratings the process for overviewing existing Control effectiveness the process for assessing Residual Risk to enable the Trustee and / or management of the Service Provider to create Action Plans as appropriate the formal process for review and reporting; and the roles and responsibilities in managing Risk. Risk Management Process : The systematic application of policies, procedures and practices to the tasks of establishing the context, identifying, analysing, evaluating, treating, monitoring and communicating Risk. Risk Profile : The assessment of the Trustee s, Fund s or Service Providers Inherent and Residual Risks. Risk Profiling : The structured assessment of the Trustee s and Fund s environment to identify and assess potential Risks and to ensure that they are managed through the implementation of Controls. Risk Register : The table of Material Risks outlined in Appendix A. RMF : Risk Management Framework. RMP : Risk Management Plan. Page 18

19 RSE : Registrable Superannuation Entity. Service Providers : The following company undertakes services on behalf of the Trustee: MLC Investments Limited ABN ; SIRP : The Streamlined Information Release Process. SIS Act : Superannuation Industry (Supervision) Act 1993 (Cth). SLA : Service Level Agreement. Trustee : The person / entity appointed as Trustee of the Fund - in this case MLC Nominees Pty Ltd. U : Unlikely. WMS : Wealth Management Services. WM R&G : Wealth Management Risk & Governance. Page 19

20 Appendices Page 20

21 Appendix A Risk Register 1. Trustee / Fund Governance Legend: C = Consequence. IR = Inherent Risk. L = Likelihood. Li = Likely. Maj = Major. Med = Medium. Min = Minor. Mod = Moderate. P = Possible. RR = Residual Risk. U = Unlikely. Risk ID Risk L C IR Controls RR Action Plans Monitoring 1.1 Related Party Transactions and Potential Conflicts of Interest Owner Office of the Trustee / Service Provider / Company Secretariat Li Maj High The following elements are in place to mitigate this Risk: 1. Independent directors 2. Disclosure of related parties in Trustee / Fund documentation 3. Arms length service agreements with commercial terms are in place 4. Directors abstain from voting where required 5. Management of conflicts of interest in accordance with ASIC Policy Statement 181 and AFSA Best Practice Papers 3 and 7. Med Ongoing 1,2,3,5 Chief Operating Officer MLC Nominees 4 Company Secretary Page 21

22 1. Trustee / Fund Governance (Continued) Legend: AC = Almost Certain. C = Consequence. IR = Inherent Risk. L = Likelihood. Li = Likely. Maj = Major. Med = Medium. Min = Minor. Mod = Moderate. P = Possible. RR = Residual Risk. U = Unlikely. Risk ID Risk L C IR Controls RR Action Plans Monitoring 1.2 Unclear delineation of responsibilities between the Trustee and its Service Providers Failure to properly document delegations of functions to Service Providers Owner Office of the Trustee P Mod Med 1. Trustee Board Charter in place which describes: MLC Nominees Board s purpose Mission Statement Key responsibilities of the Board 2. Service Provider reporting to Trustee in relation to delegations 3. SLAs between the Trustee and Service Providers contain detailed service schedules (which includes mandatory reporting) reflecting the actual responsibilities delegated to the Service Provider. 4. Clearly articulated roles and responsibilities 5. Member Committee 6. Office of the Trustee embedment 7. Integrity of Directors and Service Providers Low 1,2,3,4,5,6,7 Ongoing Chief Operating Officer MLC Nominees Page 22

23 2. Investment Risks Legend: AC = Almost Certain. C = Consequence. IR = Inherent Risk. L = Likelihood. Li = Likely. Maj = Major. Med = Medium. Min = Minor. Mod = Moderate. P = Possible. RR = Residual Risk. U = Unlikely. Risk ID Risk L C IR Controls RR Action Plans Monitoring 2.1 Investment Risks Appropriateness of investment options on the recommended list Failure to ensure investment plans remain appropriate Inadequate monitoring and review Counterparty Owner Service Provider / Trustee / Office of the Trustee P Maj Med The Trustee has outsourced the investment strategy development to the PIC which is then required to present to the Trustee for consideration and approval. The implementation of the strategy and subsequent monitoring of performance is outsourced to the Service Providers. The following elements are in place: 1. Regular review and monitoring of investment menu / performance and reporting to the Trustee and Members by the PIC 2. Review of Events which may impact potential performance using internal and related party expertise 3. A default investment strategy is in place for Members regular review and advice sought in relation to ongoing appropriateness of the default strategy 4. Review of consistency between strategy and offer documents 5. Review of investment strategy as recommended by the PIC 6. PIC provide detailed assessments and recommendations in relation to investment strategy, including default investment strategies 7. Monitor the investment performance of the investment managers 8. Evaluation of investment managers with whom assets of the Fund are or may be invested 9. For counterparty risk, PIC selection process and reporting for counterparties Med Head of Platform Services as a member of the Platform Investment Committee is responsible for all of the below 1. Ongoing 2. Ongoing 3. Ongoing 4. Ongoing 5. Ongoing 6. Annually 7. Annually 8. Annually 9. Ongoing Page 23

24 2. Investment Risks (Continued) Legend: AC = Almost Certain. C = Consequence. IR = Inherent Risk. L = Likelihood. Li = Likely. Maj = Major. Med = Medium. Min = Minor. Mod = Moderate. P = Possible. RR = Residual Risk. U = Unlikely. Risk ID Risk L C IR Controls RR Action Plans Monitoring 2.1 Cont. Investment Risks (Continued) 10. Service Level Agreement between the Trustee and Service Providers. 10. Ongoing COO MLC Nominees 2.2 Investment Risk Concentration of equity assets above the stated maximum in the PDS for MKCSF. Owner Service Providers / Trustee Li Maj High 1. Monitoring Members accounts and alerting Members or their advisers when concentration in assets exceeds a predetermined level (investments in ASX Listed securities only). Med 1. Head of Platform Services ongoing Page 24

25 3. Liquidity Risks Legend: AC = Almost Certain. C = Consequence. IR = Inherent Risk. L = Likelihood. Li = Likely. Maj = Major. Med = Medium. Min = Minor. Mod = Moderate. P = Possible. RR = Residual Risk. U = Unlikely. Risk ID Risk L C IR Controls RR Action Plans Monitoring 3 Liquidity Risks Insufficient liquid funds available from among the assets supporting the policy obligations Owner Service Providers / Trustee U Mod Med The Trustee has outsourced liquidity management to the Service Providers. The monitoring and management of asset allocation is also outsourced to the Service Provider. The following elements are in place: 1. Minimum cash component limits for investment options in the Fund are set / alternatively where no minimum cash component limits are set, by only allowing investment in readily realisable investments 2. Fund flows regularly reviewed 3. Service Level Agreement between the Trustee and Service Providers requiring quarterly reports to the Trustee. 4. A default investment strategy is in place for Members regular review and advice sought in relation to ongoing appropriateness of the default strategy by PIC 5. The majority of investments are included in readily realisable investments 6. Minimum cash requirements for Member s accounts, and a top-up procedure should their cash levels fall below required level 7 PIC Charter allows for limits for the number of investment options and controls to ensure sufficient liquidity in the Funds. Low The Platform Investment Committee is responsible for all of the listed controls. Page 25

26 4. Outsourcing Legend: AC = Almost Certain. C = Consequence. IR = Inherent Risk. L = Likelihood. Li = Likely. Maj = Major. Med = Medium. Min = Minor. Mod = Moderate. P = Possible. RR = Residual Risk. U = Unlikely. Risk ID Risk L C IR Controls RR Action Plans Monitoring 4.1 Failure to achieve satisfactory contractual arrangements for outsourced material business activities resulting in adverse member impacts. Owner Trustee Board U Maj Med 1. Due diligence process undertaken in the appointment of third parties 2. Regular independent assurance of processes and controls 3. Service Level Agreements between Trustee and Service Providers contain detailed service schedules reflecting the actual responsibilities delegated and that an appropriately qualified person from the Service Provider undertakes the necessary role 4. Legal sign-off to Service Level Agreements, including ensuring that the Service Level Agreements contains requirements for the Service Providers to comply with relevant legislation 5. Regular review and update of Service Level Agreements. Med 1. Ongoing Management of Service Providers 2. Annually Head of Compliance WM R&G 3. Ongoing COO MLC Nominees 4. Ongoing Senior General Counsel WM 5. Annually COO MLC Nominees Page 26

27 4. Outsourcing (Continued) Legend: AC = Almost Certain. C = Consequence. IR = Inherent Risk. L = Likelihood. Li = Likely. Maj = Major. Med = Medium. Min = Minor. Mod = Moderate. P = Possible. RR = Residual Risk. U = Unlikely. Risk ID Risk L C IR Controls RR Action Plans Monitoring 4.2 Failure of the Service Providers to meet their obligations e.g. this accommodates the agency Risk caused by improper practices by Service Providers in the provision of services Owner Trustee Board / OTT P Maj Med 1. Provision of all administration functions outsourced to approved Service Providers 2. SLA contains terms allowing the Trustee to arrange for an independent assessment of the performance of the Service Providers 3. The Trustee has the power under the SLA to terminate the appointment of the Service Providers 4. Any Event of non-compliance or breaches is reported, with updates on these Events also reported until Event has been fully rectified and closed 5. Service Providers certification on compliance with SLA 6. Service Providers provide regular reporting on performance. 7. The SLA contains the Service Provider s indemnity in event of loss as a result of the Service Provider s negligence Med 1,2,3 Ongoing COO MLC Nominees 4 Ongoing Head of Risk WMS 5,6,7 Qtly - Management of Service Provider Page 27

28 5. Insurance Risk Legend: AC + Almost Certain. C = Consequence. IR = Inherent Risk. L = Likelihood. Li = Likely. Maj = Major. Med = Medium. Min = Minor. Mod = Moderate. P = Possible. RR = Residual Risk. U = Unlikely. Risk ID Risk L C IR Controls RR Action Plans Monitoring 5.1 Member Insurance claims are not assessed appropriately (MLC cannot pay) Owner Service Provider P Maj Med 1. The Trustee has outsourced the claims assessment and payment functions to the Service Providers. The Service Providers have segregation of duties for assessing claims on behalf of the insurer and then as a delegate of the Trustee. 2. All claims that are denied by the insurer are referred to a specialised team for a final review before contacting the client with the appropriate decision. Low Ongoing- Management of Service Provider COO MLC Nominees Page 28

29 6. Business Continuity Plan / Disaster Recovery Plan Legend: AC + Almost Certain. C = Consequence. IR = Inherent Risk. L = Likelihood. Li = Likely. Maj = Major. Med = Medium. Min = Minor. Mod = Moderate. P = Possible. RR = Residual Risk. U = Unlikely. Risk ID Risk L C IR Controls RR Action Plans Monitoring 6 Major disruption or loss to the business / or systems Owner Trustee Board / Office of the Trustee P Maj Med 1. The Trustee has delegated the task for ensuring appropriate business continuity and disaster recovery arrangements are in place to the Service Providers. 2. The Service Providers report on a quarterly basis to the Trustee in relation to the status of the business continuity and disaster recovery plans. Low Head of Operational Risk WMS & GM Technology are responsible for all of the below 1. Ongoing 2. Quarterly 3. The Service Providers are regularly reviewed to ensure currency and testing is scheduled annually. Reports of testing outcomes are provided to the Trustee. 3. Annually 4. Testing of recovery of the IT systems occurs annually and system backups are taken daily and held offsite. 4. Annually tests / daily backups 5. Review of BCPs / DRPs 5. Six Monthly 6. Testing of BCPs / DRPs 6. Annually 7. Incident Management Plan 7. Annually Page 29

30 7. Legal / Regulatory Risk Legend: AC = Almost Certain. C = Consequence. IR = Inherent Risk. L = Likelihood. Li = Likely. Maj = Major. Med = Medium. Min = Minor. Mod = Moderate. P = Possible. RR = Residual Risk. U = Unlikely. Risk ID Risk L C IR Controls RR Action Plans Monitoring 7 Non-compliance with regulation or legislation Owner Trustee Board / Service Provider AC Maj High The Trustee is required to ensure the Fund complies with all relevant laws. The following elements are in place: 1. A regulatory change framework is in place and provides Service Providers with details of legislative change. The framework is centrally managed by Compliance Department Wealth Management Risk and Governance 2. Reporting to the Trustee by the Service Provider regarding progress and issues in relation to legislative change / compliance, including details of any contravention in the required service delivery or the relevant law, including Events reporting, and certification 3. A Trustee compliance plan. 4. Operational compliance plan for Service Providers 5. Skills/knowledge/experience of the Trustee and the Service Providers Med 1,2,3,4,5 Ongoing - Head of Compliance WMS Page 30

31 8. Operational Risks Legend: AC = Almost Certain. C = Consequence. IR = Inherent Risk. L = Likelihood. Li = Likely. Maj = Major. Med = Medium. Min = Minor. Mod = Moderate. P = Possible. RR = Residual Risk. U = Unlikely. Risk ID Risk L C IR Controls RR Action Plans Monitoring 8.1 Failure to maintain adequate Member Records Owner Service Providers Li Mod Med 1. Controls such as computer security, segregation of duties and transactions records are in place to maintain Member records as well as complying with the management of personal data as required by the Privacy Act. 2. Regular reporting of Service Provider adherence to document retention requirements. Med 1. 6 monthly GM Technology & COO Products & Services 2. Annually COO Product & Services 8.2 Capacity / Resource Management of service providers to meet contractual obligations Owner Service Providers 8.3 System Security Breach of system security through hacking or other means Owner Service Providers P Maj Med 1. Succession planning is in place for key managem ent positions 2. The Service Level Agreement sets out obligations of the Service Provider including resourcing and training of staff. P Maj Med 1. Comprehensive computer security measures are in place including general, application controls and access controls. Ongoing security reviews occur in relation to sys tems where access is available to Members across the internet. 2. SLA provides for appropriate resource levels to be maintained to meet ongoing computer systems requirements for maintenance and enhancements. 3. Reporting of all significant control failures in relation to computer systems are made to the Trustee as they arise. Med 1. Ongoing Head of People and Organisational Development 2. Ongoing Management of Service Provider Med 1. Annually Head of Operational Risk WM & GM Technology 2. Ongoing GM Technology 3. Ongoing GM Technology Page 31

32 Risk ID 8.4 Fraud Risk L C IR Controls RR Action Plans Monitoring Risk of fraudulent activity by a member, adviser or employee of the service provider Risk of fraudulent activity by third party Owner Service Providers P Mod Med The Trustee requires that the Service Providers actively manage to minimise fraud. In addition, the following elements are in place: 1. System security and access controls 2. Segregation of staff duties 3. Probity checks on all new staff 4. Payment and settlement processes 5. Accounting and reconciliation procedures 6. Member identification and verification procedures. Low All - Ongoing Head of Risk WMS Page 32

33 Appendix B Consequence Rating Guidelines These guidelines are a support tool of the Risk Ratings Matrix and are used in determining the impact (i.e. its consequence) of a Risk. Consequence Rating Guidelines Rating Insignificant Minor Moderate Major Catastrophic Parameter Financial Reputation Regulatory Management Effort Employees Direct loss or opportunity cost of <$100K Reputation intact, internal knowledge only Minor breaches by individual staff members An Event, the impact of which can be absorbed through normal activity High staff turnover in noncritical area Direct loss or opportunity cost of between $100K and $500K Intra-industry knowledge of incident, but no media attention No fine/penalty minimal or no disruption to operations An Event, the consequences of which can be absorbed but some management effort is required to minimise the impact General staff morale problems A key employee leaves Direct loss or opportunity cost of between $500K and $5 million Adverse local media coverage Fine/penalty but no disruption to operations A significant Event, cannot be managed under normal circumstances requiring a moderate level of management effort Poor reputation as an employer Direct loss or opportunity cost of between $5 million and $30 million Adverse capital city media coverage Fine/penalty and disruption to operations Regulatory inquiry o Certain conditions imposed on licence A critical Event, which with a high level of management effort, can be endured Some key executives leave High staff turnover in critical areas Direct loss or opportunity cost of >$30 million Adverse global/national media coverage Major public concerns raised into the Trustee s performance Significant disruption to operations over an extended period of time Regulatory inquiry o Potential loss of licence A disaster with potential to lead to the appointment of a new trustee A large number of key executives or directors leave Page 33