Risk Management Policy

[Company Logo]
Risk Management
Policy
[Date]
[Author]
[Company Name]
[AFSL]
Contents
1. Introduction ...... 3
1.1. Commitment to Risk Management ...... 4
2. Scope ...... 4
3. Risk Management & Planning ...... 4
3.1. Risk Tolerance ...... 5
3.2. Risk Categories ...... 5
4. The Risk Planning Process ...... 6
4.1. Risk Identification ...... 7
4.2. Risk Rating ...... 8
4.3. Treatment Options ...... 8
4.4. Ongoing Monitoring and Review ...... 9
4.5. Risk Reporting ...... 9
5. Maintain Risk Register ...... 9
APPENDIX 1 – Regulatory Guide 104: Licensing: Meeting the general obligations ...... 10
APPENDIX 2 – Key Definitions ...... 11
APPENDIX 3 – Risk Process ...... 12
APPENDIX 3 – Risk Process (Continued) ...... 13
APPENDIX 4 – Risk Table ...... 14
APPENDIX 5 – Risk Register ...... 15
Risk Management Policy | June 2014
Page | 2
1. Introduction
Risk management aims to manage uncertainty and includes actions taken to identify, assess, monitor and
reduce the impact of risks to the business.
The purpose of this Policy is to provide “xxxxxx” with a clear and consistent understanding of the legislative
requirements and business requirements applicable to Risk Management.
An Australian Financial Services licensee (AFS Licensee) is subject to the conduct obligations of Chapter 7 of the
Corporations Act 2001 (Cth) (Corporations Act) and, as such, is obliged to have adequate risk management
systems (see s912A(1)(h)).
Regulatory Guide 104 states that an AFS Licensee’s risk management systems should:
(a) be based on a structured and systematic process that takes into account the licensee’s obligations under the Corporations Act;
(b) identify and evaluate risks faced by the Licensee’s business, focusing on risks that adversely affect consumers or market integrity and including risks of non-compliance with financial services laws;
(c) establish and maintain controls designed to manage or mitigate those risks; and
(d) fully implement and monitor those controls to ensure they are effective.
An effective risk management system will depend on the nature, scale and complexity of the business and
the firm’s risk profile.
This risk management Policy encompasses the following key objectives:
- To identify its business environment, stakeholders and legal and business obligations;
- To identify risks to the business, its clients or the broader market;
- To analyse those risks;
- To design and implement controls to manage these risks;
- To test the controls; and
- To monitor risk issues on an ongoing basis and, if necessary, to mitigate and re-assess risks.
1.1. Commitment to Risk Management
The Board and management of “xxxxxxx” are committed to the implementation and maintenance of a formal
risk management system, including the integration of risk management throughout the organisation, which
is integral to achieving “xxxxxx” strategic and operational objectives.
Specific benefits of effective risk management include:
- Improved planning, performance and effectiveness
- Improved information for decision making
- Improved stakeholder relationships
- Economy and efficiency
- Enhanced reputation
- Director protection
2. Scope
This policy applies to the Board and to all staff at “xxxxxx”.
3. Risk Management & Planning
As a general principle, the risk management process should be undertaken in conjunction with strategic
planning; however, risk management overall is a dynamic process, and all parties covered by this Policy are
expected to manage risk and/or identify new risks on a day-to-day basis.
3.1. Risk Tolerance
Risk tolerance is the amount of risk, on a broad level, that “xxxxxxx” is willing to accept in pursuit of value,
and should reflect the Company’s:
- risk management philosophy;
- capacity to take on risk;
- objectives, business plans and respective stakeholder demands;
- evolving industry and market conditions; and
- tolerance for failures with quantitative values, where applicable.
3.2. Risk Categories
Based on their nature and source, “xxxxxx” risks are broadly categorised as follows:
Regulatory and Compliance Risks – relate to the risk of failure to comply with the applicable
statutory or compliance regime or licence obligations, which includes:
- Impact of regulatory changes on the Company;
- Legislative obligations under, for example, the Corporations Act, ASX Listing Rules, AML/CTF, Privacy Act, Income Tax Assessment Act, ASIC Act, Competition and Consumer Act 2010 (Cth), Tax Agent Services Act 2009; and
- AFS Licence conditions.
People – risks associated with key person reliance, human behaviour, or risks relating to the harm
of people or assets, including:
- Key person risk or single point sensitivity risk;
- Risk of physical or mental harm to staff;
- Human behaviour – errors, fraud, costs, turnover;
- Monitoring, supervision and training; and
- Authorised representatives.
Reputation Risk – risks relating to the Company’s reputation and standing which could affect the
business, stakeholders and staff, including:
- Media scrutiny and headline reputation risk;
- Regulator interest; and
- Business relationships.
Business Process and Systems – risks relating to the business process and systems, including:
- Internal governance;
- Processing errors, delays or failure to meet standards; and
- Knowledge risks within the business, such as IT systems and intellectual property.
Financial Risks – risks of negative financial impact to the Company through inappropriate
management of areas such as:
- Revenue;
- Compliance with relevant regulatory guides and any AFS licence conditions;
- Adequate financial records;
- Professional & public liability;
- Compensation arrangements;
- Occupational health and safety implications; and
- Property damage and security.
These categories of risk must be reviewed at least annually to ensure that all relevant risks have been
considered and that mitigation steps are adjusted where necessary.
4. The Risk Planning Process
“XXXXXX” uses a risk management process that consists of the following key stages:
- Risk identification: Identifying all reasonably foreseeable risks associated with its activities.
- Risk rating: Quantifying those risks.
- Risk controls: Assessing the risk, identifying options to treat risks and developing mitigation plans.
- Risk monitoring and reporting: Reporting risk management activities and risk specific information to the Board as required.
[Figure: RISK MANAGEMENT PROCESS]
4.1. Risk Identification
A key mechanism for the identification of the Company’s risks is the development and maintenance of the
Risk Register. The Risk Register identifies the key risks that may potentially prevent the Company from
achieving its objectives. The register outlines the inherent risk rating, the controls currently in place to
manage those risks and the residual risk rating. Risks are added to the Risk Register on a periodic basis
throughout the year, when necessary.
4.2. Risk Rating
Once risks have been identified, they will be assessed and rated in terms of the potential consequence of
the risk and the likelihood of the risk occurring (see the risk table in the Appendix). This assessment should
include consideration of the controls in place to mitigate those risks.
A risk may be classified into more than one category; for example, it could have People, Financial and
Reputational implications. The category with the highest risk rating is chosen for the risk (see Appendix 1
for process).
Risks are assessed at three different levels, namely the inherent risk rating, the residual risk rating and the current
risk rating.
Inherent Risk Rating: This is the level of risk to the business when there are no controls in place, which
can also be understood as the level of risk if all the controls were to fail. It shows the level of risk (which is
a combination of the likelihood and consequence) that exists if nothing was done about the risk.
Current Risk Rating: This is the level of risk given the current controls in place. This risk rating shows the
current level of risk in the business. To determine the current risk rating, the effectiveness of current controls
in reducing the likelihood and/or consequence of a risk must be assessed.
If the current risk rating is assessed as being unacceptable, options to reduce the risk rating need to be
explored. These options are referred to as ‘treatment options’. Treatment options must be developed for all
risks with a current rating of Very High and High, unless the Board determines that no treatment is required.
Residual Risk Rating: This is the level of risk after accepted treatment options are implemented. This
involves assessing the effectiveness of proposed control or treatment options to reduce the likelihood and/or
consequence of a risk.
Unless all of the treatment options have been implemented, the current risk rating will sit somewhere
between the inherent risk rating and the residual risk rating.
4.3. Treatment Options
Options for treating each risk with a current risk rating assessed to be unacceptably high will be identified
(which includes all risks with a current risk rating of High or Very High). The options will be evaluated and
those found to be most efficient and effective will be flagged for implementation. Only those treatment
options required to achieve an acceptable level of risk in the most efficient and effective manner need to be
implemented. Risk treatment plans will be prepared and implemented.
The following options may be used for treating risks and will be determined in the light of risk appetite, risk
and treatment option assessment:
- Avoid the risk;
- Mitigate the risk;
- Transfer the risk; and
- Accept the risk.
4.4. Ongoing Monitoring and Review
Ongoing review is essential to ensure that our Risk Management Framework remains relevant and that the risk
controls remain effective. Priority should be given to monitoring the risks with the highest inherent risk ratings.
4.5. Risk Reporting
The Risk Officer must report risks with High and Very High current risk ratings quarterly to the Board.
Updates will also be provided on current treatment plans / control effectiveness for specific risks as
requested from time to time.
On a quarterly basis, reports are obtained from the risk database which include, but are not limited to,
the following information:
- Risks current in relation to the issues above
- The impact level of those risks outlined
- Risks where the inherent or current risk has increased over the quarter
- All new risks identified in the quarter with risk rating, and treatment plan if required
Furthermore, formal reviews of the identified risks should be conducted at least annually. This process will
involve internal consultation and reassessing the appropriateness of the evaluation of the risk and the
treatments/controls established.
5. Maintain Risk Register
Regularly update the Register and undertake a full review of the Register annually. See Appendix 5 for
details.
APPENDIX 1 – Regulatory Guide 104: Licensing: Meeting the general obligations
APPENDIX 2 – Key Definitions
Term – Definition
Risk – The effect of uncertainty on objectives. It is measured in terms of consequence and likelihood. (Ref: AS/NZS ISO 31000:2009)
Risk assessment – The overall process of risk identification, risk analysis and risk evaluation. See Appendix 4 for details.
Residual risk – The level of risk that remains after assessing the effectiveness of the controls, management strategies and other mechanisms currently in place to mitigate a particular risk.
Risk management – Co-ordinated activities to direct and control an organisation with regard to risk. (Ref: AS/NZS ISO 31000:2009)
Risk tolerance – The level of risk deemed (usually by the governing body) acceptable to the organisation, where no further treatment is required to reduce either the likelihood of an occurrence or its consequence, or both.
Risk treatment – The process of selection and implementation of measures to modify risk. (For example, key risk treatment measures may include: avoiding, modifying, sharing or retaining risks.)
Risk capacity – Risk capacity is the amount of money the Company could afford to lose without putting the achievement of (financial) goals at risk. It represents an absolute, downside constraint on strategy selection. The Company should not embark on a course of action where the worst case scenario involves the possibility, no matter how remote, of a loss greater than its risk capacity.
APPENDIX 3 – Risk Process
Where a risk may fall within more than one category (e.g. People, Financial or Reputational), please use the
following steps to determine the appropriate category:
Step 1
Identify the risk: e.g. using Non-Approved Products
Step 2
What are the categories of consequences?
1. Financial consequence – there could be a risk in a professional indemnity policy that there is no cover in place for client losses relating to the use of non-approved products.
   Likelihood: Possible
   Consequence: Severe
   Risk Rating: HIGH
2. Reputational consequence – where a non-approved product collapses and an adviser is associated with recommending the product, both the Adviser and Licensee can suffer significant reputational damage.
   Likelihood: Possible
   Consequence: Severe
   Risk rating will be: HIGH
3. Regulatory and Compliance consequence – Increased risk of failure to provide appropriate advice, as the product would not have had due diligence and may not have met the research requirements. There could also be licencing implications from the regulator.
   Likelihood: Possible
   Consequence: Moderate
   Risk rating will be: MEDIUM
Step 3
What is the risk rating for this risk? There are two high risks (financial & reputational) and one medium risk
rating (regulatory and compliance).
The highest risk rating is nominated as the risk rating associated with the risk, making this a High risk rating.
The risk categorisation nominated is the one which is associated with the highest risk and is the most
appropriate. In this example we would identify this as a “Financial risk”.
Risk Category: Financial
Risk Rating: High
APPENDIX 3 – Risk Process (Continued)
Identify
Risk Reference: RISK-1
The Risk: Failure to adequately monitor and supervise advisers
Date Risk Identified: 01-Jan-12
Reported By:
Risk Manager Review Date: 01-Jan-13
Company:
Category: Regulation and Compliance
Department:
Risk Type:
Assess
Risk Source / Causal Factor: Inadequate resources including:
- auditors not adequately performing their duties
- higher risk advisers monopolizing auditor time
- resignation of auditors
- failure to complete scheduled audits
- inadequate tool or process
IMPACT: The risk of inadequate monitoring and supervision of Advisers may lead to:
- Advisers acting without authority or outside authority or outside of AFSL
- failure of business protocols
- brand damage
- fraud
- increase in complaints / claims
- poor client outcomes
- Corporations Act breaches
- regulatory action
Existing Controls:
- dedicated adviser audit manager
- current adviser audit monitoring program
- auditor panels
- ongoing training of auditors
- ongoing training of advisers for quality outcomes
- audit tools
Inherent Risk Rating
Likelihood Rating: 5. Very Likely
Consequence Rating: 5. Severe
Inherent Risk Rating: 4. Very High
Inherent Risk Score: 25
Control
Risk Owner:
Treatment Review Date: 7-Nov-13
Approach: Mitigate
Estimated Cost to Treat:
Treatment Option 1: 1. Complete annual audit plan. Work in progress.
Risk Rating after treatment:
Accept or Reject: Accept
Time for Implementation: Ongoing
Action Plan
Proposed Actions:
1. Implementation of Business Health (Online Compliance System) to assist in automating the audit process, assist with reporting and monitoring adviser audit results and also removing some of the subjectivity
2. Risk Trigger Reporting requested from IRESS (still waiting draft report)
3. CRM reporting on outstanding audits almost complete
Advice
Resource Requirements: Human Resources; Business Health as a system
Responsibilities: Management team
Timing: Ongoing
Reporting and Monitoring Requirements: Monthly
Residual Risk Rating
Likelihood Rating: 3. Possible
Consequence Rating: 3. Moderate
Residual Risk Rating: 2. Medium
Residual Risk Score: 9
Current Risk Rating
Current Likelihood Rating: 3. Possible
Current Consequence Rating: 3. Moderate
Current Risk Rating: 2. Medium
Current Risk Score: 9
APPENDIX 4 – Risk Table
Consequence levels (1 = Negligible, 2 = Minor, 3 = Moderate, 4 = Major, 5 = Severe) by risk category:
Regulatory & Compliance
1. Negligible – Technical non-compliance. No reporting obligations and ongoing scrutiny or attention from regulator unlikely.
2. Minor – Non-compliance or breaches requiring reporting to regulator. Minor remedial action.
3. Moderate – Serious breach of regulation or systemic non-compliance. Intervention by regulator highly likely.
4. Major – Major breach of regulation likely to lead to significant regulatory action (e.g. suspension from ASX or EU).
5. Severe – Licence to operate threatened (e.g. show cause for AFSL, delisting from ASX).
People
1. Negligible – Physical or mental well-being affected. No treatment required.
2. Minor – Physical or mental well-being affected. Minor treatment required.
3. Moderate – Serious effect on physical or mental well-being. Major or ongoing treatment required.
4. Major – Life threatening physical or mental injuries. Hospitalisation required.
5. Severe – Physical or mental injury(ies) causing death.
Reputation
1. Negligible – Non-headline exposure.
2. Minor – Industry press headline exposure.
3. Moderate – Major headline exposure (industry and non-industry).
4. Major – Repeated high-profile headline exposure. Regulator interest.
5. Severe – Intense public, political and media scrutiny.
Business Process & Systems
1. Negligible – Minor errors in systems or processes requiring corrective action, or minor delay without impact on overall schedule.
2. Minor – Policy procedural rule occasionally not met or services do not fully meet needs.
3. Moderate – One or more key requirements not met. Inconvenient but not client threatening.
4. Major – Strategies not consistent with corporate agenda. Trends show service is degraded.
5. Severe – Critical system failure, bad policy advice or ongoing non-compliance. Business severely affected.
Financial (Flat Dollar)
1. Negligible – <$XXXK
2. Minor – <$XXXXK
3. Moderate – <$XXXXXK
4. Major – <$XXXXXM
5. Severe – >$XXXXM
Likelihood and risk rating matrix (each cell gives the rating and the score; L = Low, M = Medium, H = High, VH = Very High):
Likelihood (Probability)                    | 1 Negligible | 2 Minor | 3 Moderate | 4 Major | 5 Severe
5 Very Likely (once a year)                 | L 5          | M 10    | H 15       | VH 20   | VH 25
4 Likely (once every 2 years)               | L 4          | M 8     | H 12       | H 16    | VH 20
3 Possible (once every 5 years)             | L 3          | M 6     | M 9        | H 12    | H 15
2 Unlikely (once every 10 years)            | L 2          | L 4     | M 6        | M 8     | M 10
1 Rare (unlikely to happen within 10 years) | L 1          | L 2     | L 3        | L 4     | M 5
APPENDIX 5 – Risk Register
Columns: Risk Reference | The Risk | Approach | Date Risk Identified | Risk Owner | Risk Manager Review Date | Inherent Risk Rating | Current Risk Rating | Residual Risk Rating
RISK-1 | Non-compliance with legislation (Corporations Act, Taxation - Income, GST, Payroll) | Mitigate | 12/2/2011 | xxxx | 2/18/2014 | 4. Very High | 3. High | 2. Medium
RISK-2 | Loss of key personnel | Mitigate | 12/2/2011 | xxxx | 5/6/2014 | 4. Very High | 3. High | 3. High
RISK-3 | Lack of a Defensible Basis for Asset Allocation | Mitigate | 11/2/2012 | xxxx | 5/5/2014 | 4. Very High | 3. High | 2. Medium
RISK-4 | Revenue model becomes impaired | Mitigate | 5/6/2014 | xxxx | 5/6/2014 | 4. Very High | 4. Very High | 3. High
RISK-5 | Inadequate business growth | Mitigate | 5/6/2014 | xxxx | 5/14/2014 | 4. Very High | 3. High | 2. Medium
RISK-6 | Loss of clients | Mitigate | 12/6/2011 | xxxx | 5/14/2014 | 4. Very High | 3. High | 3. High
RISK-7 | Unavailability of Debt Funding | Mitigate | 6/15/2012 | xxxx | 5/2/2014 | 4. Very High | 4. Very High | 3. High
RISK-8 | Revenue model becomes impaired | Mitigate | 3/26/2012 | xxxx | 5/7/2014 | 3. High | 3. High | 2. Medium
RISK-9 | Inadequate business growth | Mitigate | 7/1/2011 | xxxx | 5/6/2014 | 3. High | 3. High | 3. High
RISK-10 | Loss of revenue from major client | Mitigate | 12/31/2006 | xxxx | 5/2/2014 | 3. High | 3. High | 2. Medium
RISK-11 | Loss of revenue from major partner | Mitigate | 12/31/2008 | xxxx | 5/2/2014 | 3. High | 3. High | 2. Medium
RISK-12 | Non-compliance with legislation | Mitigate | 5/2/2014 | xxxx | 7/31/2014 | 3. High | 2. Medium | 2. Medium
RISK-13 | Non-compliance with Credit Licence conditions | Mitigate | 5/2/2014 | xxxx | 7/31/2014 | 3. High | 2. Medium | 2. Medium
RISK-14 | Non-compliance with AFS Licence conditions | Mitigate | 5/2/2014 | xxxx | 5/6/2014 | 3. High | 3. High | 3. High
RISK-15 | Failure of hardware & infrastructure | Mitigate | 5/6/2014 | xxxx | 5/6/2014 | 3. High | 3. High | 1. Low
RISK-16 | Lack of occupational health safety & welfare | Mitigate | 5/7/2014 | xxxx | 5/7/2014 | 3. High | 2. Medium | 1. Low
RISK-17 | Breach of confidentiality | Mitigate | 11/1/2012 | xxxx | 5/2/2014 | 3. High | 2. Medium | 2. Medium
RISK-18 | Loss of key personnel | Accept | 5/11/2012 | xxxx | 5/2/2014 | 1. Low | 1. Low | 1. Low