Risk Management ROYCE BRENNAN BT FINANCIAL GROUP


Update on APRA's Risk Management Prudential Standard
ROYCE BRENNAN, GENERAL MANAGER RISK, BT FINANCIAL GROUP

OUTLINE
1. APRA Risk Management Prudential Standards
   - Current state
   - Future state
2. Overview of BT Financial Group's Risk Management Framework
3. Controls Assurance framework within the three lines of defence
4. Controls Assurance by the Second Line of Defence (Risk)
   - Purpose and Scope of the Controls Assurance Program
   - Development of BTFG's Annual Assurance Plan
2

1. APRA RISK MANAGEMENT PRUDENTIAL STANDARDS
Current State
Since its establishment as an integrated prudential regulator in 1998, APRA has sought to take a consistent, harmonised approach to the setting of prudential requirements for APRA-regulated institutions, irrespective of the industry in which the institutions operate. In this way, like risks are treated in a like manner. Harmonisation creates a common language and also simplifies compliance, particularly for groups that operate across regulated industries.
Prior to APRA's release of Combined Prudential Standard 220, separate risk management standards existed for superannuation, life insurance and general insurance companies. The risk management requirements for ADIs were spread throughout various prudential standards.
3

1. APRA RISK MANAGEMENT PRUDENTIAL STANDARDS
Future state
On 31 January 2014 APRA released a package to harmonise and enhance risk management across the industry for ADIs, general and life insurance companies. The package included:
- Combined Prudential Standard 220 Risk Management;
- Combined Prudential Standard 510 Governance;
- APRA's response paper to submissions received; and
- Draft Combined Practice Guide 220.
Prior to the CPS being issued, APRA had set risk management standards at an industry-specific level. Note: the superannuation industry is still subject to an industry-specific standard.
4

1. APRA RISK MANAGEMENT PRUDENTIAL STANDARDS
APRA's standards become effective from 1 January 2015. The main requirements of CPS 220 are to have a designated risk management framework, including appointing a Chief Risk Officer (CRO) who:
- is independent, provides challenge and is involved in decisions that may materially affect the organisation's risk profile;
- has a direct reporting line to the Chief Executive Officer (CEO) and unrestricted access to the Board Risk Committee, which is also to be established under CPS 220; and
- cannot be the CEO, the Chief Financial Officer, the Appointed Actuary or the Head of Internal Audit.
5

1. APRA RISK MANAGEMENT PRUDENTIAL STANDARDS
APRA's standards become effective from 1 January 2015 and the main requirements of CPS 220 are to:
- establish a Board Risk Committee comprised of non-executive directors that provides the Board with objective oversight of the implementation and operation of the risk management framework;
- ensure the Board Audit Committee provides prior endorsement not only for the appointment or removal of the institution's external auditors but now also of the Head of Internal Audit; and
- meet risk management standards at a Group level: attesting on the Group's behalf and being able to identify, measure, evaluate, report and control or mitigate all material risks across the Group, including material risks from any non-APRA-regulated institutions within the Group.
6

1. APRA RISK MANAGEMENT PRUDENTIAL STANDARDS
Draft Prudential Practice Guide 220 contains APRA's expectations on how the standard will be met in practice:
- Foster a risk management culture through: Codes of Conduct; ongoing risk education; and processes to ensure behaviour is monitored and managed within risk appetite.
- Assess that the Risk Management Framework is fit for purpose and be able to provide a summary of this assessment.
7

1. APRA RISK MANAGEMENT PRUDENTIAL STANDARDS
Draft Prudential Practice Guide 220 contains APRA's expectations on how the standard will be met in practice.
- Ensure the Risk Management Framework contains a number of components which:
  - develop and use risk appetite statements;
  - determine the materiality of risk categories and identify the key risk drivers;
  - express risk tolerances and act on risks that fall outside the risk tolerance; and
  - have sufficient information in the risk management strategy to communicate how the institution identifies, measures, evaluates, monitors, reports and mitigates the material risks of its operations.
- Structure the risk management function, including, for example, by placing risk management personnel within business line divisions.
8

HOW DOES BT FINANCIAL GROUP MEET THE REQUIREMENTS OF APRA'S RISK MANAGEMENT PRUDENTIAL STANDARDS?
Focusing on BTFG's risk management framework, controls assurance and how the three lines of defence provide the basis for the annual attestations required under CPS 220.
9

2. OVERVIEW OF BT FINANCIAL GROUP'S RISK MANAGEMENT FRAMEWORK
The Risk Management Framework enables a structured approach to risk and compliance management by the business. It provides:
- a deep understanding by Management and Boards of their risks and obligations;
- a reduction in incidents and overdue issues, and satisfactory audit outcomes;
- a platform for robust engagement with the regulators; and
- support for BTFG's growth objectives.
10

2. OVERVIEW OF BT FINANCIAL GROUP'S RISK MANAGEMENT FRAMEWORK
Compliance with the Risk Management Framework is monitored continuously and any material deviations or breaches are reported to Business Unit Risk Forums, the BT Risk Review Committee, BT Boards and, where appropriate, Regulators:
- 1st Line: monitors its control environment through management control self-assessments and regular review of key risk and control indicators.
- 2nd Line: BT Risk operates an independent controls assurance program to assess the effectiveness of controls that mitigate key risks and achieve compliance obligations. BT Risk chairs an Assurance Tripartite attended by Internal Audit and External Audit to ensure coordination and alignment while executing the various Monitoring and Audit Plans throughout the year.
- 3rd Line: evaluates, tests and reports on the adequacy and effectiveness of the 2nd Line and 1st Line controls and monitoring that occur.
11

3. CONTROLS ASSURANCE FRAMEWORK WITHIN THE THREE LINES OF DEFENCE
The diagram below illustrates the roles of the first, second and third lines of defence. In a three lines of defence model, monitoring of controls should occur at each line of defence.
[Diagram, rendered as text]
- First line of defence (Business unit): control framework; identify key compliance obligations; control self assessments; 1st line monitoring activities.
- Second line of defence (Risk): BT Risk Assurance & Monitoring; evaluate the control framework; validate key controls; 2nd line monitoring activities.
- Third line of defence (Group Assurance): evaluate the second line of defence; validate key controls; internal audits.
- Together: Comprehensive Assurance.
External audit is part of the third line of defence and will evaluate and validate the BTFG internal control framework and the key controls relating to their audits.
12

4. CONTROLS ASSURANCE BY THE SECOND LINE OF DEFENCE
Purpose of Controls Assurance
- Provide assurance on the Business Unit ("BU") control environment. The BTFG Controls Assurance Function provides BTFG Governance Committees and Business Unit Management with assurance that the Business Control Environment is designed and operating effectively. This includes assurance on the components of the BU's control framework and validation of the controls that mitigate key operational risks and support compliance plan obligations. The next slide notes the components of the Business Control Environment that will be evaluated in a 2 LOD review.
- Monitor key risk indicators. Provides business management with a view on the effectiveness of its controls and an early warning of control weaknesses. Examples of these indicators include reports such as the monthly Single View of Issues and Incidents Report, incidents analysis, etc.
- Help BUs enhance their control framework so that BU management can obtain the earliest insights on the effectiveness of the key controls that fulfil compliance plan obligations and mitigate key operational risks.
13

4. CONTROLS ASSURANCE BY THE SECOND LINE OF DEFENCE
Scope of 2 LOD Controls Assurance
When performing reviews, the BTFG Controls Assurance Team will evaluate the holistic Business Control Environment, including key components such as:
- Governance at the business unit level
- Business process documentation
- Risk assessment: risks and compliance obligations in the key business processes
- Control activities: the controls that mitigate key process risks and/or meet key compliance plan obligations
- Business Unit Management's monitoring of key controls (e.g. controls self-assessment, compliance plan attestations, monitoring key indicators, etc.)
- Incident Management capability
- Audit and Monitoring outcomes
14

4. CONTROLS ASSURANCE BY THE SECOND LINE OF DEFENCE
Development of BTFG's Annual Assurance Plan
Two main inputs into the development of the Annual Assurance Plan are:
- Inherent risk assessments performed on each business unit (refer to Page 16)
- BTFG's Assurance Universe (refer to Page 18)
The following approach was taken to develop the Annual Assurance Plan:
1. Risk Assessment and Assurance Universe: inherent risk assessments completed for all business units; establish BTFG's Assurance Universe to ensure all areas that require assurance are considered.
2. Develop Plan: the Monitoring Team develops the FY 2013 Plan based on the risk assessments.
3. Review Plan: the BTFG Risk Leadership Team (RLT) and Business Unit management review the Plan.
4. Share Plan: share and align the Plan with Internal and External auditors to ensure comprehensive coverage and prevent duplication in assurance work.
5. Approve Plan: the BTFG RLT and relevant Governance Committees approve the Plan.
The following pages illustrate the Inherent Risk Assessment criteria and the Assurance Universe.
15

4. CONTROLS ASSURANCE BY THE SECOND LINE OF DEFENCE
Inherent Risk Assessments
The following four criteria were used to perform the Inherent Risk Assessment for each Business Unit: existing risk assessments; nature of operations; changes in business; and Internal Control Framework maturity.
Existing risk assessments:
- Business unit risk maps
- Risk and Control Management reviews ("RCM")
- Risk Appetite Statements ("RAS")
In considering the nature of operations, the factors assessed were:
- extent of regulation within the business area (e.g. APRA, ASIC, ATO, ASX, etc.)
- nature of process, i.e. manual or automated
- key person risk
- degree of touch points and handoffs between business units and teams (including to outsourced providers)
- degree of complexity and the use of human judgement.
Changes in business: changes in strategy, significant projects and external environmental factors such as new regulatory reforms, industry changes, economic factors and natural/financial disasters.
The following were considered when assessing the internal control framework:
- track record from assurance activities
- High and Medium rated incidents
- extent of key processes and controls in scope for external audits, investor statement audits, APRA returns, etc.; and
- maturity of the first line of defence's internal control framework, risk resources and business unit monitoring.
16

4. CONTROLS ASSURANCE BY THE SECOND LINE OF DEFENCE
Inherent Risk Assessment output
Summary of Inherent Risk Assessments by Business Unit Area
Each row gives the BTFG Business Unit, its Inherent Risk Rating, its Inherent Risk Score and the thirteen criterion scores (N/A where a criterion was not assessed), in this column order:
BU risk assessments: (1) Risk Maps/RCAs; (2) Risk appetite statements
Nature of operations: (3) Legal/Compliance obligations; (4) Manual/automated processing; (5) Key person risks; (6) Touch points and outsourcing; (7) Complexity and human judgement
Changes in business: (8) Changes from BSRs; (9) Project impacts (business, IT, product); (10) Impacts from external factors
Internal control framework: (11) Track record: GA results & incidents; (12) External Audit reliance; (13) Maturity of BU first line of defence

Business Unit | Rating | Score | Criteria 1 to 13
Business Unit 1 | High | 3.8 | 3 4 5 4 1 4 5 5 5 5 5 2 2
Business Unit 2 | Medium | 2.9 | 2 2 5 3 4 3 4 2 2 5 2 1 3
Business Unit 3 | Medium | 2.8 | 2 2 5 2 4 3 4 2 2 5 2 1 2
Business Unit 4 | Medium | 3.2 | 2 2 5 2 2 5 2 2 5 5 4 3 2
Business Unit 5 | Medium | 3.3 | 2 4 4 3 5 3 5 2 4 4 1 2 4
Business Unit 6 | Medium | 2.7 | 2 N/A 4 3 3 3 5 2 N/A 4 1 2 1
Business Unit 7 | Medium | 3.5 | 2 5 5 4 2 3 4 4 4 4 4 2 2
Business Unit 8 | High | 3.8 | 2 5 5 4 2 3 4 5 5 5 5 2 2
Business Unit 9 | Medium | 3.3 | 2 N/A 4 5 3 2 4 4 4 4 2 2 3
Business Unit 10 | Medium | 2.8 | 2 4 5 3 1 4 2 1 3 4 2 4 2
Business Unit 11 | Medium | 3.2 | 3 4 5 3 2 4 2 2 2 4 4 4 3
Business Unit 12 | Medium | 3.0 | 2 3 5 3 3 4 2 1 3 4 2 4 3
Business Unit 13 | Medium | 2.8 | N/A N/A 4 3 2 2 4 2 2 4 N/A 1 4
Business Unit 14 | Medium | 3.7 | 3 3 5 3 2 5 5 2 3 5 5 5 2
Business Unit 15 | Medium | 3.1 | 3 3 5 5 1 4 2 3 3 3 3 3 2
Business Unit 16 | Medium | 3.5 | 3 3 5 5 1 5 5 3 3 5 3 3 2
Business Unit 17 | Medium | 3.4 | 3 3 5 5 1 5 3 3 3 3 3 5 2
Business Unit 18 | Medium | 3.5 | 3 3 5 5 1 4 5 2 4 5 3 4 2
Business Unit 19 | Medium | 2.8 | 3 3 5 3 1 4 2 3 3 3 4 1 2
Business Unit 20 | Medium | 3.1 | 3 3 5 3 1 4 5 3 3 3 3 2 2
Business Unit 21 | Medium | 3.2 | 3 3 5 5 1 3 5 3 3 3 5 1 2
Business Unit 22 | Medium | 3.2 | 3 3 5 3 1 4 5 2 3 4 1 5 2
Business Unit 23 | Medium | 3.2 | 3 3 5 3 1 4 5 2 3 3 3 5 2
Business Unit 24 | Medium | 3.1 | 3 3 5 2 1 2 5 2 4 3 4 5 1
Business Unit 25 | Medium | 3.2 | 3 3 5 4 5 5 3 3 3 3 1 2 2
Business Unit 26 | Medium | 3.5 | 3 3 5 4 1 4 4 4 4 5 4 2 3
Business Unit 27 | Medium | 3.6 | 4 3 4 3 2 3 5 4 4 5 N/A 2 4
Business Unit 28 | Medium | 3.2 | 3 3 4 4 1 4 4 3 3 4 N/A 2 3
Offshore Service Provider
Offshored Process 1 | Medium | 3.2 | 3 3 5 4 1 3 4 3 3 3 2 4 3
Offshored Process 2 | Medium | 3.2 | 3 3 4 3 2 4 4 3 3 4 2 4 3
Offshored Process 3 | Medium | 3.4 | 3 3 4 4 4 3 4 3 3 4 2 4 3
Offshored Process 4 | Medium | 3.4 | 3 3 5 4 3 3 4 3 3 4 2 4 3
Offshored Process 5 | Medium | 2.9 | 3 3 4 4 1 3 2 2 2 4 3 4 3
Offshored Process 6 | Medium | 3.0 | 3 3 4 5 2 3 1 2 2 4 3 4 3
Offshored Process 7 | Medium | 3.1 | 3 3 5 4 1 2 3 4 4 4 2 2 3
Offshored Process 8 | Medium | 3.1 | 3 3 5 3 3 4 3 2 2 3 3 3 3
17
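The scoring behind the table above, as an added worked example that is not part of the original presentation: every Inherent Risk Score in the table equals the unweighted mean of the assessed criteria (N/A cells dropped) rounded half-up to one decimal place, and the two units rated High are exactly the two scoring 3.8. The code below recomputes each row from the transcribed criterion scores and flags any row that disagrees. The function and variable names, the 3.8 High threshold and the half-up rounding are assumptions made here; the deck states neither the formula nor the cut-off.

```python
from decimal import Decimal, ROUND_HALF_UP
from typing import Optional, Sequence

# The 13 criterion columns of the inherent risk table, in table order.
CRITERIA = [
    "Risk Maps/RCAs", "Risk appetite statements",                       # BU risk assessments
    "Legal/Compliance obligations", "Manual/automated processing",      # nature of operations
    "Key person risks", "Touch points and outsourcing", "Complexity and human judgement",
    "Changes from BSRs", "Project impacts (business, IT, product)",     # changes in business
    "Impacts from external factors",
    "Track record: GA results & incidents", "External Audit reliance",  # internal control framework
    "Maturity of BU first line of defence",
]

# Rows transcribed from the table: (unit, stated rating, stated score, 13 criterion scores; None = N/A).
TABLE = [
    ("Business Unit 1", "High", "3.8", [3, 4, 5, 4, 1, 4, 5, 5, 5, 5, 5, 2, 2]),
    ("Business Unit 2", "Medium", "2.9", [2, 2, 5, 3, 4, 3, 4, 2, 2, 5, 2, 1, 3]),
    ("Business Unit 3", "Medium", "2.8", [2, 2, 5, 2, 4, 3, 4, 2, 2, 5, 2, 1, 2]),
    ("Business Unit 4", "Medium", "3.2", [2, 2, 5, 2, 2, 5, 2, 2, 5, 5, 4, 3, 2]),
    ("Business Unit 5", "Medium", "3.3", [2, 4, 4, 3, 5, 3, 5, 2, 4, 4, 1, 2, 4]),
    ("Business Unit 6", "Medium", "2.7", [2, None, 4, 3, 3, 3, 5, 2, None, 4, 1, 2, 1]),
    ("Business Unit 7", "Medium", "3.5", [2, 5, 5, 4, 2, 3, 4, 4, 4, 4, 4, 2, 2]),
    ("Business Unit 8", "High", "3.8", [2, 5, 5, 4, 2, 3, 4, 5, 5, 5, 5, 2, 2]),
    ("Business Unit 9", "Medium", "3.3", [2, None, 4, 5, 3, 2, 4, 4, 4, 4, 2, 2, 3]),
    ("Business Unit 10", "Medium", "2.8", [2, 4, 5, 3, 1, 4, 2, 1, 3, 4, 2, 4, 2]),
    ("Business Unit 11", "Medium", "3.2", [3, 4, 5, 3, 2, 4, 2, 2, 2, 4, 4, 4, 3]),
    ("Business Unit 12", "Medium", "3.0", [2, 3, 5, 3, 3, 4, 2, 1, 3, 4, 2, 4, 3]),
    ("Business Unit 13", "Medium", "2.8", [None, None, 4, 3, 2, 2, 4, 2, 2, 4, None, 1, 4]),
    ("Business Unit 14", "Medium", "3.7", [3, 3, 5, 3, 2, 5, 5, 2, 3, 5, 5, 5, 2]),
    ("Business Unit 15", "Medium", "3.1", [3, 3, 5, 5, 1, 4, 2, 3, 3, 3, 3, 3, 2]),
    ("Business Unit 16", "Medium", "3.5", [3, 3, 5, 5, 1, 5, 5, 3, 3, 5, 3, 3, 2]),
    ("Business Unit 17", "Medium", "3.4", [3, 3, 5, 5, 1, 5, 3, 3, 3, 3, 3, 5, 2]),
    ("Business Unit 18", "Medium", "3.5", [3, 3, 5, 5, 1, 4, 5, 2, 4, 5, 3, 4, 2]),
    ("Business Unit 19", "Medium", "2.8", [3, 3, 5, 3, 1, 4, 2, 3, 3, 3, 4, 1, 2]),
    ("Business Unit 20", "Medium", "3.1", [3, 3, 5, 3, 1, 4, 5, 3, 3, 3, 3, 2, 2]),
    ("Business Unit 21", "Medium", "3.2", [3, 3, 5, 5, 1, 3, 5, 3, 3, 3, 5, 1, 2]),
    ("Business Unit 22", "Medium", "3.2", [3, 3, 5, 3, 1, 4, 5, 2, 3, 4, 1, 5, 2]),
    ("Business Unit 23", "Medium", "3.2", [3, 3, 5, 3, 1, 4, 5, 2, 3, 3, 3, 5, 2]),
    ("Business Unit 24", "Medium", "3.1", [3, 3, 5, 2, 1, 2, 5, 2, 4, 3, 4, 5, 1]),
    ("Business Unit 25", "Medium", "3.2", [3, 3, 5, 4, 5, 5, 3, 3, 3, 3, 1, 2, 2]),
    ("Business Unit 26", "Medium", "3.5", [3, 3, 5, 4, 1, 4, 4, 4, 4, 5, 4, 2, 3]),
    ("Business Unit 27", "Medium", "3.6", [4, 3, 4, 3, 2, 3, 5, 4, 4, 5, None, 2, 4]),
    ("Business Unit 28", "Medium", "3.2", [3, 3, 4, 4, 1, 4, 4, 3, 3, 4, None, 2, 3]),
    ("Offshored Process 1", "Medium", "3.2", [3, 3, 5, 4, 1, 3, 4, 3, 3, 3, 2, 4, 3]),
    ("Offshored Process 2", "Medium", "3.2", [3, 3, 4, 3, 2, 4, 4, 3, 3, 4, 2, 4, 3]),
    ("Offshored Process 3", "Medium", "3.4", [3, 3, 4, 4, 4, 3, 4, 3, 3, 4, 2, 4, 3]),
    ("Offshored Process 4", "Medium", "3.4", [3, 3, 5, 4, 3, 3, 4, 3, 3, 4, 2, 4, 3]),
    ("Offshored Process 5", "Medium", "2.9", [3, 3, 4, 4, 1, 3, 2, 2, 2, 4, 3, 4, 3]),
    ("Offshored Process 6", "Medium", "3.0", [3, 3, 4, 5, 2, 3, 1, 2, 2, 4, 3, 4, 3]),
    ("Offshored Process 7", "Medium", "3.1", [3, 3, 5, 4, 1, 2, 3, 4, 4, 4, 2, 2, 3]),
    ("Offshored Process 8", "Medium", "3.1", [3, 3, 5, 3, 3, 4, 3, 2, 2, 3, 3, 3, 3]),
]

# Assumption (not stated in the deck): the High/Medium cut-off. 3.8 is the lowest
# score the table rates High and 3.7 the highest it rates Medium.
HIGH_THRESHOLD = Decimal("3.8")


def inherent_risk_score(scores: Sequence[Optional[int]]) -> Decimal:
    """Unweighted mean of the assessed criteria (N/A dropped), rounded half-up to 1 dp.

    Half-up rounding is deliberate: Business Unit 9 averages 39/12 = 3.25, which the
    table reports as 3.3 (spreadsheet rounding); Python's round() would give 3.2.
    """
    assessed = [s for s in scores if s is not None]
    if not assessed:
        raise ValueError("no criteria were assessed")
    mean = Decimal(sum(assessed)) / Decimal(len(assessed))
    return mean.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)


def inherent_risk_rating(score: Decimal) -> str:
    return "High" if score >= HIGH_THRESHOLD else "Medium"


def assess(unit: str, scores: Sequence[Optional[int]]) -> dict:
    """Score one unit and name the criteria scored 5, i.e. the drivers of its rating."""
    score = inherent_risk_score(scores)
    drivers = [name for name, s in zip(CRITERIA, scores) if s == 5]
    return {"unit": unit, "score": score, "rating": inherent_risk_rating(score), "drivers": drivers}


def check_table(table=TABLE) -> list:
    """Recompute every row; return (unit, stated, computed) for rows that disagree."""
    mismatches = []
    for unit, rating, stated, scores in table:
        got = assess(unit, scores)
        computed = (str(got["score"]), got["rating"])
        if computed != (stated, rating):
            mismatches.append((unit, (stated, rating), computed))
    return mismatches


if __name__ == "__main__":
    print("rows disagreeing with the table:", check_table())
    print(assess("Business Unit 9", [2, None, 4, 5, 3, 2, 4, 4, 4, 4, 2, 2, 3]))
```

Two details decide whether the recomputation agrees with the table. N/A cells must be dropped from the denominator rather than counted as zero, otherwise Business Unit 13 (ten assessed criteria) falls from 2.8 to 2.2. And Business Unit 9 sits exactly on a rounding boundary (39/12 = 3.25), so round-half-even, which Python's built-in round() applies, would report 3.2 against the table's 3.3 and create a false mismatch; the rounding mode therefore belongs in the documented method, not left to whichever tool recomputes the scores.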

4. CONTROLS ASSURANCE BY THE SECOND LINE OF DEFENCE
BTFG Assurance Universe
[Diagram, rendered as text: the BTFG Assurance Program at the centre, surrounded by the areas below]
- BTFG Business Units: High and some Medium Risk BUs from the Annual Inherent Risk Assessment
- Offshored Processes: High and some Medium Risk processes from the Annual Inherent Risk Assessment
- Project Assurance: High risk and High priority projects
- APRA Prudential Standards Monitoring Universe: APRA Prudential Standards relevant to BTFG
- Sarbanes Oxley ("SOX") Processes (DE and OE): BT Super, BT Platform, Equities
- Compliance Plans and obligations: REAT MIS Compliance Plans; Equities MIS Compliance Plans; Superannuation Compliance Plan; Wrap Compliance Plans (i.e. Investment Wrap, Super Wrap and Asgard ewrap); General Insurance Compliance Plan; Life Insurance Compliance Plan; Lenders Mortgage Insurance Compliance Plan; Advice Compliance Plan; Private Wealth Compliance Plan; ASX Compliance Plans; AFSL Compliance Obligations; AML and NCCP Compliance Obligations
- Also shown: Monthly Single View of Issues and Incidents; Risk Appetite Statements (RAS); Risks and Controls Management (RCM); emerging themes, etc.
18

Questions?
19