Update on APRA's Risk Management Prudential Standard
Royce Brennan, General Manager Risk, BT Financial Group
OUTLINE
1. APRA Risk Management Prudential Standards: current state; future state
2. Overview of BT Financial Group's Risk Management Framework
3. Controls Assurance framework within the three lines of defence
4. Controls Assurance by the Second Line of Defence (Risk): purpose and scope of the Controls Assurance Program; development of BTFG's Annual Assurance Plan
1. APRA RISK MANAGEMENT PRUDENTIAL STANDARDS
Current state
Since its establishment as an integrated prudential regulator in 1998, APRA has sought to take a consistent, harmonised approach to setting prudential requirements for APRA-regulated institutions, irrespective of the industry in which the institutions operate. In this way, like risks are treated in a like manner. Harmonisation creates a common language and also simplifies compliance, particularly for groups that operate across regulated industries.
Prior to APRA's release of Combined Prudential Standard 220 (CPS 220), separate risk management standards existed for superannuation, life insurance and general insurance companies. The risk management requirements for ADIs (authorised deposit-taking institutions) were spread throughout various prudential standards.
1. APRA RISK MANAGEMENT PRUDENTIAL STANDARDS
Future state
On 31 January 2014 APRA released a package to harmonise and enhance risk management across the industry for ADIs, general insurance and life insurance companies. The package included:
- Combined Prudential Standard 220 Risk Management (CPS 220);
- Combined Prudential Standard 510 Governance (CPS 510);
- APRA's response paper to submissions received; and
- Draft Prudential Practice Guide 220 (CPG 220).
Prior to CPS 220 being issued, APRA had set risk management standards at an industry-specific level.
Note: the superannuation industry is still subject to an industry-specific standard.
1. APRA RISK MANAGEMENT PRUDENTIAL STANDARDS
APRA's standards become effective from 1 January 2015. The main requirements of CPS 220 are to have a designated risk management framework, including appointing a Chief Risk Officer (CRO) who:
- is independent, provides challenge, and is involved in decisions that may materially affect the organisation's risk profile;
- has a direct reporting line to the Chief Executive Officer (CEO) and unrestricted access to the Board Risk Committee, which is also to be established under CPS 220; and
- cannot be the CEO, the Chief Financial Officer, the Appointed Actuary or the Head of Internal Audit.
1. APRA RISK MANAGEMENT PRUDENTIAL STANDARDS
APRA's standards become effective from 1 January 2015, and the main requirements of CPS 220 also include:
- establishing a Board Risk Committee comprised of non-executive directors that provides the Board with objective oversight of the implementation and operation of the risk management framework;
- the Board Audit Committee must provide prior endorsement not only for the appointment or removal of the institution's external auditors but now also for the Head of Internal Audit; and
- meeting risk management standards at a Group level: attesting on the Group's behalf, and being able to identify, measure, evaluate, report and control or mitigate all material risks across the Group, including material risks arising from any non-APRA-regulated institutions within the Group.
1. APRA RISK MANAGEMENT PRUDENTIAL STANDARDS
Draft Prudential Practice Guide 220 contains APRA's expectations on how the standard will be met in practice:
- Foster a risk management culture through: codes of conduct; ongoing risk education; and processes to ensure behaviour is monitored and managed within risk appetite.
- Assess that the Risk Management Framework is fit for purpose, and be able to provide a summary of this assessment.
1. APRA RISK MANAGEMENT PRUDENTIAL STANDARDS
Draft Prudential Practice Guide 220 contains APRA's expectations on how the standard will be met in practice (continued):
- Ensure the Risk Management Framework contains components which:
  - develop and use risk appetite statements;
  - determine the materiality of risk categories and identify the key risk drivers;
  - express risk tolerances and action risks that fall outside those tolerances; and
  - include sufficient information in the risk management strategy to communicate how the institution identifies, measures, evaluates, monitors, reports and mitigates the material risks of its operations.
- Structure the risk management function appropriately, including, for example, by placing risk management personnel within business line divisions.
HOW DOES BT FINANCIAL GROUP MEET THE REQUIREMENTS OF APRA'S RISK MANAGEMENT PRUDENTIAL STANDARDS?
Focusing on BTFG's risk management framework, controls assurance, and how the three lines of defence provide the basis for the annual attestations required under CPS 220.
2. OVERVIEW OF BT FINANCIAL GROUP'S RISK MANAGEMENT FRAMEWORK
The Risk Management Framework enables a structured approach to risk and compliance management by the business. It provides:
- a deep understanding by Management and Boards of their risks and obligations;
- a reduction in incidents and overdue issues, and satisfactory audit outcomes;
- a platform for robust engagement with the regulators; and
- support for BTFG's growth objectives.
2. OVERVIEW OF BT FINANCIAL GROUP'S RISK MANAGEMENT FRAMEWORK
Compliance with the Risk Management Framework is monitored continuously, and any material deviations or breaches are reported to Business Unit Risk Forums, the BT Risk Review Committee, the BT Boards and, where appropriate, Regulators:
1st Line: monitors its control environment through management control self-assessments and regular review of key risk and control indicators.
2nd Line: BT Risk operates an independent controls assurance program to assess the effectiveness of the controls that mitigate key risks and achieve compliance obligations. BT Risk chairs an Assurance Tripartite, attended by Internal Audit and External Audit, to ensure coordination and alignment while the various Monitoring and Audit Plans are executed throughout the year.
3rd Line: evaluates, tests and reports on the adequacy and effectiveness of the 1st Line and 2nd Line controls and of the monitoring that occurs there.
3. CONTROLS ASSURANCE FRAMEWORK WITHIN THE THREE LINES OF DEFENCE
The diagram below illustrates the roles of the first, second and third lines of defence. In a three lines of defence model, monitoring of controls should occur at each line of defence.
[Diagram: Comprehensive Assurance across the three lines of defence]
First line of defence (Business unit): control framework; identify key compliance obligations; control self-assessments; 1st line monitoring activities.
Second line of defence (Risk, BT Risk Assurance & Monitoring): evaluate the control framework; validate key controls; 2nd line monitoring activities.
Third line of defence (Group Assurance): evaluate the control framework; validate key controls; internal audits.
External audit is part of the third line of defence and will evaluate and validate the BTFG internal control framework and the key controls relating to their audits.
4. CONTROLS ASSURANCE BY THE SECOND LINE OF DEFENCE
Purpose of Controls Assurance
- Provide assurance on the Business Unit ("BU") control environment. The BTFG Controls Assurance Function provides BTFG Governance Committees and Business Unit Management with assurance that the Business Control Environment is designed and operating effectively. This includes assurance on the components of the BU's control framework and validation of the controls that mitigate key operational risks and support compliance plan obligations. The next slide notes the components of the Business Control Environment that will be evaluated in a 2LOD review.
- Monitor key risk indicators. This provides business management with a view on the effectiveness of its controls and an early warning of control weaknesses. Examples of these indicators include reports such as the monthly Single View of Issues and Incidents Report, incident analysis, etc.
- Help BUs enhance their control frameworks so that BU management can obtain the earliest insights into the effectiveness of the key controls that fulfil compliance plan obligations and mitigate key operational risks.
4. CONTROLS ASSURANCE BY THE SECOND LINE OF DEFENCE
Scope of 2LOD Controls Assurance
When performing reviews, the BTFG Controls Assurance Team will evaluate the holistic Business Control Environment, including key components such as:
- Governance at the business unit level
- Business process documentation
- Risk assessment: risks and compliance obligations in the key business processes
- Control activities: the controls that mitigate key process risks and/or meet key compliance plan obligations
- Business Unit Management's monitoring of key controls (e.g. control self-assessments, compliance plan attestations, monitoring of key indicators, etc.)
- Incident Management capability
- Audit and Monitoring outcomes
4. CONTROLS ASSURANCE BY THE SECOND LINE OF DEFENCE
Development of BTFG's Annual Assurance Plan
Two main inputs into the development of the Annual Assurance Plan are:
- Inherent risk assessments performed on each business unit (refer to the Inherent Risk Assessments slides that follow)
- BTFG's Assurance Universe (refer to the BTFG Assurance Universe slide that follows)
The following approach was taken to develop the Annual Assurance Plan:
1. Risk Assessment and Assurance Universe: inherent risk assessments completed for all business units; establish BTFG's Assurance Universe to ensure all areas that require assurance are considered.
2. Develop Plan: the Monitoring Team develops the FY 2013 Plan based on the risk assessments.
3. Review Plan: the BTFG Risk Leadership Team (RLT) and Business Unit management review the Plan.
4. Share Plan: share and align the Plan with Internal and External auditors to ensure comprehensive coverage and prevent duplication in assurance work.
5. Approve Plan: the BTFG RLT and relevant Governance Committees approve the Plan.
The following slides illustrate the Inherent Risk Assessment criteria and the Assurance Universe.
4. CONTROLS ASSURANCE BY THE SECOND LINE OF DEFENCE
Inherent Risk Assessments
The following four criteria were used to perform the Inherent Risk Assessment for each Business Unit: existing risk assessments; nature of operations; changes in business; and Internal Control Framework maturity.
Existing risk assessments:
- Business unit risk maps
- Risk and Control Management reviews ("RCM")
- Risk Appetite Statements ("RAS")
Nature of operations; the factors assessed were:
- extent of regulation within the business area (e.g. APRA, ASIC, ATO, ASX, etc.)
- nature of process, i.e. manual or automated
- key person risk
- degree of touch points and handoffs between business units and teams (including to outsourced providers)
- degree of complexity and the use of human judgement.
Changes in business: changes in strategy, significant projects, and external environmental factors such as new regulatory reforms, industry changes, economic factors and natural/financial disasters.
Internal Control Framework maturity; the following were considered:
- track record from assurance activities
- High and Medium rated incidents
- extent of key processes and controls in scope for external audits, investor statement audits, APRA returns, etc.; and
- maturity of the first line of defence's internal control framework, risk resources and business unit monitoring.
4. CONTROLS ASSURANCE BY THE SECOND LINE OF DEFENCE
Inherent Risk Assessment output
Summary of Inherent Risk Assessments by Business Unit. Each unit is scored 1 to 5 against the thirteen criteria below (N/A where a criterion does not apply); the Inherent Risk Score is the resulting average and drives the Inherent Risk Rating. Criteria columns, grouped under the four assessment criteria from the previous slide:
Existing risk assessments (BU risk assessments): C1 Risk Maps / RCAs; C2 Risk appetite statements
Nature of operations: C3 Legal / Compliance obligations; C4 Manual / automated processing; C5 Key person risks; C6 Touch points and outsourcing; C7 Complexity and human judgement
Changes in business: C8 Changes from BSRs; C9 Project impacts (business, IT, product); C10 Impacts from external factors
Internal control framework: C11 Track record (Group Assurance results and incidents); C12 External Audit reliance; C13 Maturity of BU first line of defence

| Area | Unit | Rating | Score | C1 | C2 | C3 | C4 | C5 | C6 | C7 | C8 | C9 | C10 | C11 | C12 | C13 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| BTFG Business Unit | Business Unit 1 | High | 3.8 | 3 | 4 | 5 | 4 | 1 | 4 | 5 | 5 | 5 | 5 | 5 | 2 | 2 |
| BTFG Business Unit | Business Unit 2 | Medium | 2.9 | 2 | 2 | 5 | 3 | 4 | 3 | 4 | 2 | 2 | 5 | 2 | 1 | 3 |
| BTFG Business Unit | Business Unit 3 | Medium | 2.8 | 2 | 2 | 5 | 2 | 4 | 3 | 4 | 2 | 2 | 5 | 2 | 1 | 2 |
| BTFG Business Unit | Business Unit 4 | Medium | 3.2 | 2 | 2 | 5 | 2 | 2 | 5 | 2 | 2 | 5 | 5 | 4 | 3 | 2 |
| BTFG Business Unit | Business Unit 5 | Medium | 3.3 | 2 | 4 | 4 | 3 | 5 | 3 | 5 | 2 | 4 | 4 | 1 | 2 | 4 |
| BTFG Business Unit | Business Unit 6 | Medium | 2.7 | 2 | N/A | 4 | 3 | 3 | 3 | 5 | 2 | N/A | 4 | 1 | 2 | 1 |
| BTFG Business Unit | Business Unit 7 | Medium | 3.5 | 2 | 5 | 5 | 4 | 2 | 3 | 4 | 4 | 4 | 4 | 4 | 2 | 2 |
| BTFG Business Unit | Business Unit 8 | High | 3.8 | 2 | 5 | 5 | 4 | 2 | 3 | 4 | 5 | 5 | 5 | 5 | 2 | 2 |
| BTFG Business Unit | Business Unit 9 | Medium | 3.3 | 2 | N/A | 4 | 5 | 3 | 2 | 4 | 4 | 4 | 4 | 2 | 2 | 3 |
| BTFG Business Unit | Business Unit 10 | Medium | 2.8 | 2 | 4 | 5 | 3 | 1 | 4 | 2 | 1 | 3 | 4 | 2 | 4 | 2 |
| BTFG Business Unit | Business Unit 11 | Medium | 3.2 | 3 | 4 | 5 | 3 | 2 | 4 | 2 | 2 | 2 | 4 | 4 | 4 | 3 |
| BTFG Business Unit | Business Unit 12 | Medium | 3.0 | 2 | 3 | 5 | 3 | 3 | 4 | 2 | 1 | 3 | 4 | 2 | 4 | 3 |
| BTFG Business Unit | Business Unit 13 | Medium | 2.8 | N/A | N/A | 4 | 3 | 2 | 2 | 4 | 2 | 2 | 4 | N/A | 1 | 4 |
| BTFG Business Unit | Business Unit 14 | Medium | 3.7 | 3 | 3 | 5 | 3 | 2 | 5 | 5 | 2 | 3 | 5 | 5 | 5 | 2 |
| BTFG Business Unit | Business Unit 15 | Medium | 3.1 | 3 | 3 | 5 | 5 | 1 | 4 | 2 | 3 | 3 | 3 | 3 | 3 | 2 |
| BTFG Business Unit | Business Unit 16 | Medium | 3.5 | 3 | 3 | 5 | 5 | 1 | 5 | 5 | 3 | 3 | 5 | 3 | 3 | 2 |
| BTFG Business Unit | Business Unit 17 | Medium | 3.4 | 3 | 3 | 5 | 5 | 1 | 5 | 3 | 3 | 3 | 3 | 3 | 5 | 2 |
| BTFG Business Unit | Business Unit 18 | Medium | 3.5 | 3 | 3 | 5 | 5 | 1 | 4 | 5 | 2 | 4 | 5 | 3 | 4 | 2 |
| BTFG Business Unit | Business Unit 19 | Medium | 2.8 | 3 | 3 | 5 | 3 | 1 | 4 | 2 | 3 | 3 | 3 | 4 | 1 | 2 |
| BTFG Business Unit | Business Unit 20 | Medium | 3.1 | 3 | 3 | 5 | 3 | 1 | 4 | 5 | 3 | 3 | 3 | 3 | 2 | 2 |
| BTFG Business Unit | Business Unit 21 | Medium | 3.2 | 3 | 3 | 5 | 5 | 1 | 3 | 5 | 3 | 3 | 3 | 5 | 1 | 2 |
| BTFG Business Unit | Business Unit 22 | Medium | 3.2 | 3 | 3 | 5 | 3 | 1 | 4 | 5 | 2 | 3 | 4 | 1 | 5 | 2 |
| BTFG Business Unit | Business Unit 23 | Medium | 3.2 | 3 | 3 | 5 | 3 | 1 | 4 | 5 | 2 | 3 | 3 | 3 | 5 | 2 |
| BTFG Business Unit | Business Unit 24 | Medium | 3.1 | 3 | 3 | 5 | 2 | 1 | 2 | 5 | 2 | 4 | 3 | 4 | 5 | 1 |
| BTFG Business Unit | Business Unit 25 | Medium | 3.2 | 3 | 3 | 5 | 4 | 5 | 5 | 3 | 3 | 3 | 3 | 1 | 2 | 2 |
| BTFG Business Unit | Business Unit 26 | Medium | 3.5 | 3 | 3 | 5 | 4 | 1 | 4 | 4 | 4 | 4 | 5 | 4 | 2 | 3 |
| BTFG Business Unit | Business Unit 27 | Medium | 3.6 | 4 | 3 | 4 | 3 | 2 | 3 | 5 | 4 | 4 | 5 | N/A | 2 | 4 |
| BTFG Business Unit | Business Unit 28 | Medium | 3.2 | 3 | 3 | 4 | 4 | 1 | 4 | 4 | 3 | 3 | 4 | N/A | 2 | 3 |
| Offshore Service Provider | Offshored Process 1 | Medium | 3.2 | 3 | 3 | 5 | 4 | 1 | 3 | 4 | 3 | 3 | 3 | 2 | 4 | 3 |
| Offshore Service Provider | Offshored Process 2 | Medium | 3.2 | 3 | 3 | 4 | 3 | 2 | 4 | 4 | 3 | 3 | 4 | 2 | 4 | 3 |
| Offshore Service Provider | Offshored Process 3 | Medium | 3.4 | 3 | 3 | 4 | 4 | 4 | 3 | 4 | 3 | 3 | 4 | 2 | 4 | 3 |
| Offshore Service Provider | Offshored Process 4 | Medium | 3.4 | 3 | 3 | 5 | 4 | 3 | 3 | 4 | 3 | 3 | 4 | 2 | 4 | 3 |
| Offshore Service Provider | Offshored Process 5 | Medium | 2.9 | 3 | 3 | 4 | 4 | 1 | 3 | 2 | 2 | 2 | 4 | 3 | 4 | 3 |
| Offshore Service Provider | Offshored Process 6 | Medium | 3.0 | 3 | 3 | 4 | 5 | 2 | 3 | 1 | 2 | 2 | 4 | 3 | 4 | 3 |
| Offshore Service Provider | Offshored Process 7 | Medium | 3.1 | 3 | 3 | 5 | 4 | 1 | 2 | 3 | 4 | 4 | 4 | 2 | 2 | 3 |
| Offshore Service Provider | Offshored Process 8 | Medium | 3.1 | 3 | 3 | 5 | 3 | 3 | 4 | 3 | 2 | 2 | 3 | 3 | 3 | 3 |

The column order follows the flattened source; the "Maturity of BU first line of defence" heading was detached from the header row in extraction and has been placed as the final column (C13).
4. CONTROLS ASSURANCE BY THE SECOND LINE OF DEFENCE
BTFG Assurance Universe
[Diagram: the BTFG Assurance Program and the areas of the Assurance Universe that feed it]
- BTFG Business Units: High and some Medium Risk BUs from the Annual Inherent Risk Assessment
- Offshored Processes: High and some Medium Risk processes from the Annual Inherent Risk Assessment
- Project Assurance: High risk and High priority projects
- Compliance Plans and obligations: REAT MIS Compliance Plans; Equities MIS Compliance Plans; Superannuation Compliance Plan; Wrap Compliance Plans (i.e. Investment Wrap, Super Wrap and Asgard ewrap); General Insurance Compliance Plan; Life Insurance Compliance Plan; Lenders Mortgage Insurance Compliance Plan; Advice Compliance Plan; Private Wealth Compliance Plan; ASX Compliance Plans; AFSL Compliance Obligations; AML and NCCP Compliance Obligations
- APRA Prudential Standards Monitoring Universe: APRA Prudential Standards relevant to BTFG
- Sarbanes-Oxley ("SOX") Processes: DE and OE; BT Super; BT Platform; Equities
- Other inputs: Monthly Single View of Issues and Incidents; Risk Appetite Statements (RAS); Risks and Controls Management (RCM); emerging themes, etc.
Questions?