Update on APRA’s Risk Management Prudential Standard
ROYCE BRENNAN
GENERAL MANAGER RISK
BT FINANCIAL GROUP
OUTLINE
1. APRA Risk Management Prudential Standards
• Current state
• Future state
2. Overview of BT Financial Group’s Risk Management Framework
3. Controls Assurance framework within the three lines of defence
4. Controls Assurance by the Second Line of Defence (Risk)
• Purpose and Scope of the Controls Assurance Program
• Development of BTFG’s Annual Assurance Plan
2014 The Year of…
1. APRA RISK MANAGEMENT PRUDENTIAL STANDARDS
Current State
Since its establishment as an integrated prudential regulator in 1998, APRA has
sought to take a consistent, harmonised approach to the setting of prudential
requirements for APRA-regulated institutions, irrespective of the industry in which the
institutions operate.
In this way, like risks are treated in a like manner. Harmonisation creates a common
language and also simplifies compliance, particularly for groups that operate across
regulated industries.
Prior to APRA’s release of Cross-industry Prudential Standard (CPS) 220, separate risk
management standards existed for superannuation, life insurance and general
insurance companies. The risk management requirements for ADIs were spread
throughout various prudential standards.
1. APRA RISK MANAGEMENT PRUDENTIAL STANDARDS
Future state
On 31 January 2014 APRA released a package to harmonise and enhance risk
management across the industry for ADIs, general and life insurance companies.
The package included:
• Prudential Standard CPS 220 Risk Management;
• Prudential Standard CPS 510 Governance;
• APRA’s response paper to submissions received; and
• Draft Prudential Practice Guide CPG 220 Risk Management.
Prior to the CPS being issued, APRA had set risk management standards at an
industry-specific level.
Note: the superannuation industry is still subject to an industry specific standard.
1. APRA RISK MANAGEMENT PRUDENTIAL STANDARDS
APRA’s standards become effective from 1 January 2015.
The main requirements of CPS 220 are to have a designated risk management
framework, including appointing a Chief Risk Officer (CRO) who:
• is independent, provides challenge and is involved in decisions that may materially
affect the organisation’s risk profile;
• has a direct reporting line to the Chief Executive Officer (CEO) and
unrestricted access to the Board Risk Committee (also to be established
under CPS 220); and
• cannot be the CEO, the Chief Financial Officer, the Appointed Actuary or the
Head of Internal Audit.
1. APRA RISK MANAGEMENT PRUDENTIAL STANDARDS
APRA’s standards become effective from 1 January 2015 and the main requirements
of CPS 220 are to:
• establish a Board Risk Committee comprised of non-executive directors that
provides the Board with objective oversight of the implementation and operation of
the risk management framework;
• require the Board Audit Committee to provide prior endorsement not only for the
appointment or removal of the institution’s external auditors but now also for the
Head of Internal Audit; and
• meet risk management standards at a Group level, attesting on the Group’s behalf
and being able to identify, measure, evaluate, report and control or mitigate all
material risks across the Group, including material risks arising from any
non-APRA-regulated institutions within the Group.
1. APRA RISK MANAGEMENT PRUDENTIAL STANDARDS
Draft Prudential Practice Guide 220 contains APRA’s expectations on how the
standard will be met in practice:
• Foster a risk management culture through:
− Codes of Conduct;
− ongoing risk education; and
− processes to ensure behaviour is monitored and managed within risk
appetite.
• Assess that the Risk Management Framework is ‘fit for purpose’ and be able to
provide a summary of this assessment.
1. APRA RISK MANAGEMENT PRUDENTIAL STANDARDS
Draft Prudential Practice Guide 220 contains APRA’s expectations on how the
standard will be met in practice.
• Ensure the Risk Management Framework contains a number of components which:
− develop and use risk appetite statements;
− determine the materiality of risk categories and identify the key risk drivers;
− express risk tolerances and action risks that fall outside the risk tolerance; and
− have sufficient information in the risk management strategy to communicate
how the institution identifies, measures, evaluates, monitors, reports and
mitigates material risks of its operations.
• Structure the risk management function including, for example, by placing
risk management personnel within business line divisions.
HOW DOES BT FINANCIAL GROUP MEET THE REQUIREMENTS OF
APRA’S RISK MANAGEMENT PRUDENTIAL STANDARDS?
Focusing on BTFG’s risk management framework, controls assurance and how
the three lines of defence provide the basis for annual attestations required
under CPS 220.
2. OVERVIEW OF BT FINANCIAL GROUP’S RISK MANAGEMENT
FRAMEWORK
The Risk Management Framework enables a
structured approach to risk and compliance
management by the business. It provides:
• a deep understanding by Management and
Boards of their risks and obligations;
• a reduction in incidents and overdue issues
and satisfactory audit outcomes;
• a platform for robust engagement with the
regulators; and
• support for BTFG’s growth objectives.
2. OVERVIEW OF BT FINANCIAL GROUP’S RISK MANAGEMENT
FRAMEWORK
Compliance with the Risk Management Framework is monitored
continuously and any material deviations or breaches are reported
to Business Unit Risk Forums, BT Risk Review Committee, BT
Boards and, where appropriate, Regulators:
1st Line
Monitors its control environment through
management control self-assessments and regular
review of key risk and control indicators.
2nd Line
BT Risk operates an independent controls
assurance program to assess the effectiveness of
controls that mitigate key risks and achieve
compliance obligations.
BT Risk chairs an Assurance Tripartite attended by
Internal Audit and External Audit to ensure
coordination and alignment while executing the
various Monitoring and Audit Plans throughout the
year.
3rd Line
Evaluates, tests and reports on the adequacy and
effectiveness of the 2nd Line and 1st Line controls
and monitoring that occur.
3. CONTROLS ASSURANCE FRAMEWORK WITHIN THE THREE LINES
OF DEFENCE
The diagram below illustrates the roles of the first, second and third lines of defence.
First line of defence (Business unit):
• Identify key risks and key compliance obligations
• Control framework
• Control self-assessments
• 1st line Monitoring activities
Second line of defence (Risk): BT Risk Assurance & Monitoring
• Evaluate the control framework
• Validate key controls
• 2nd line Monitoring activities
Third line of defence (Group Assurance): Comprehensive Assurance
• Evaluate the second line of defence
• Validate key controls
• Internal audits
“In a three lines of defence model, monitoring of controls should occur at each line of defence.”
External audit is part of the third line of defence and they will evaluate and validate the BTFG internal control framework and key controls relating to their audits.
4. CONTROLS ASSURANCE BY THE SECOND LINE OF DEFENCE
Purpose of Controls Assurance
• Provide assurance on the Business Unit (“BU”) control environment
The BTFG Controls Assurance Function provides BTFG Governance Committees and Business Unit
Management with assurance that the Business Control Environment is designed and operating
effectively. This includes assurance on the components of the BU’s control framework and validation
of controls that mitigate key operational risks and support compliance plan obligations. The next slide
notes the components of the Business Control Environment that will be evaluated in a 2 LOD review.
• Monitor key risk indicators
Provides business management with a view on the effectiveness of its controls and an ‘early
warning’ of control weaknesses. Examples of these indicators include reports such as the monthly
Single View of Issues and Incidents Report, incidents analysis, etc.
• Help BUs enhance their control framework so that BU management can obtain the earliest
insights on the effectiveness of their key controls that fulfil compliance plan obligations and mitigate
key operational risks.
4. CONTROLS ASSURANCE BY THE SECOND LINE OF DEFENCE
Scope of 2 LOD Controls Assurance
When performing reviews, the BTFG Controls Assurance Team will evaluate the holistic Business Control
Environment including key components such as:
• Governance at the business unit level
• Business process documentation
• Risk assessment: risks and compliance obligations in the key business processes
• Control activities: these are controls that mitigate key process risks and/or meet key compliance plan
obligations
• Business Unit Management’s monitoring of key controls (e.g. controls self-assessment, compliance plan
attestations, monitoring key indicators, etc.)
• Incident Management capability
• Audit and Monitoring outcomes
4. CONTROLS ASSURANCE BY THE SECOND LINE OF DEFENCE
Development of BTFG’s Annual Assurance Plan
Two main inputs into the development of the Annual Assurance Plan are:
• Inherent risk assessments performed on each business unit (refer to the Inherent Risk Assessments slides)
• BTFG’s Assurance universe (refer to the BTFG Assurance Universe slide)
The following approach was taken to develop the Annual Assurance Plan.
1. Risk Assessment and Assurance Universe
• Inherent risk assessments completed for all business units
• Establish BTFG’s Assurance Universe to ensure all areas that require assurance are considered
2. Develop Plan
• Monitoring Team develops FY 2013 Plan based on risk assessments
3. Review Plan
• BTFG Risk Leadership Team (RLT) and Business Unit management review Plan
4. Share Plan
• Share and align Plan with Internal and External auditors to ensure comprehensive coverage and prevent duplication in assurance work
5. Approve Plan
• The BTFG RLT and relevant Governance Committees approve the Plan
The following pages illustrate the Inherent Risk Assessment criteria and Assurance Universe.
4. CONTROLS ASSURANCE BY THE SECOND LINE OF DEFENCE
Inherent Risk Assessments
The following four criteria were used to perform the Inherent Risk Assessment for each Business Unit.
Existing risk assessments:
• Business unit risk maps
• Risk and Control Management reviews (“RCM”)
• Risk Appetite Statements (“RAS”)
Nature of operations. In considering the nature of operations, the factors assessed were:
• extent of regulation within the business area (e.g. APRA, ASIC, ATO, ASX, etc)
• nature of process, i.e. manual or automated
• key person risk
• degree of touch points and handoffs between business units and teams (including to outsourced providers)
• degree of complexity and the use of human judgement.
Changes in business:
Changes in strategy, significant projects and external environmental factors such as new regulatory reforms, industry changes, economic factors and natural/financial disasters.
Internal Control Framework maturity. The following were considered when assessing the internal control framework:
• Track record from assurance activities
• High and Medium rated incidents
• Extent of key processes and controls in scope for external audits, investor statement audits, APRA returns, etc; and
• Maturity of the first line of defence’s internal control framework, risk resources and business unit monitoring.
4. CONTROLS ASSURANCE BY THE SECOND LINE OF DEFENCE
Inherent Risk Assessment output
Summary of Inherent Risk Assessments by Business Unit Area
Each criterion is scored from 1 to 5 (N/A where not assessed). Column keys:
BU Risk assessments: RM = Risk Maps/RCAs; RAS = Risk appetite statements; LC = Legal/Compliance obligations
Nature of operations: MA = Manual/automated processing; KP = Key person risks; TP = Touch points and outsourcing; CX = Complexity and human judgement
Changes in business: PI = Changes from Project impacts (business, IT, product); EF = Impacts from external factors
Internal control framework: TR = Track record: GA results & incidents; EA = External Audit reliance; M1 = Maturity of first line of defence; BSR = BU BSRs

BTFG Business Unit | Inherent Risk Rating | Score | RM | RAS | LC | MA | KP | TP | CX | PI | EF | TR | EA | M1 | BSR
Business Unit 1 | High | 3.8 | 3 | 4 | 5 | 4 | 1 | 4 | 5 | 5 | 2 | 4 | 3 | 1 | 3
Business Unit 2 | Medium | 2.9 | 2 | 2 | 5 | 3 | 4 | 3 | 4 | 5 | 4 | 2 | 3 | 2 | 4
Business Unit 3 | Medium | 2.8 | 2 | 2 | 5 | 2 | 4 | 3 | 4 | 5 | 2 | 4 | 3 | 3 | 5
Business Unit 4 | Medium | 3.2 | 2 | 2 | 5 | 2 | 2 | 5 | 2 | 5 | N/A | 2 | 3 | 3 | 1
Business Unit 5 | Medium | 3.3 | 2 | 4 | 4 | 3 | 5 | 3 | 5 | 2 | 4 | 2 | 3 | 3 | 3
Business Unit 6 | Medium | 2.7 | 2 | N/A | 4 | 3 | 3 | 3 | 5 | 2 | 1 | 2 | 2 | 3 | 3
Business Unit 7 | Medium | 3.5 | 2 | 5 | 5 | 4 | 2 | 3 | 4 | 2 | 2 | 4 | 3 | 2 | 3
Business Unit 8 | High | 3.8 | 2 | 5 | 5 | 4 | 2 | 3 | 4 | 2 | 1 | 4 | 3 | 2 | 1
Business Unit 9 | Medium | 3.3 | 2 | N/A | 4 | 5 | 3 | 2 | 4 | 5 | 4 | 4 | 5 | 3 | 2
Business Unit 10 | Medium | 2.8 | 2 | 4 | 5 | 3 | 1 | 4 | 2 | 2 | 4 | 3 | 3 | 3 | 2
Business Unit 11 | Medium | 3.2 | 3 | 4 | 5 | 3 | 2 | 4 | 2 | 1 | 4 | 1 | 3 | 3 | 4
Business Unit 12 | Medium | 3.0 | 2 | 3 | 5 | 3 | 3 | 4 | 2 | 3 | 4 | 3 | 2 | 5 | 4
Business Unit 13 | Medium | 2.8 | N/A | N/A | 4 | 3 | 2 | 2 | 4 | 2 | 2 | 4 | 3 | 1 | 5
Business Unit 14 | Medium | 3.7 | 3 | 3 | 5 | 3 | 2 | 5 | 5 | 2 | 2 | 2 | 3 | 2 | 4
Business Unit 15 | Medium | 3.1 | 3 | 3 | 5 | 5 | 1 | 4 | 2 | 5 | 5 | 4 | 3 | 2 | 2
Business Unit 16 | Medium | 3.5 | 3 | 3 | 5 | 5 | 1 | 5 | 5 | 2 | 5 | 3 | 3 | 3 | 3
Business Unit 17 | Medium | 3.4 | 3 | 3 | 5 | 5 | 1 | 5 | 3 | 1 | 5 | 2 | 5 | 4 | 4
Business Unit 18 | Medium | 3.5 | 3 | 3 | 5 | 5 | 1 | 4 | 5 | 2 | 5 | 2 | 2 | 1 | 4
Business Unit 19 | Medium | 2.8 | 3 | 3 | 5 | 3 | 1 | 4 | 2 | 2 | 2 | 4 | 2 | 5 | 5
Business Unit 20 | Medium | 3.1 | 3 | 3 | 5 | 3 | 1 | 4 | 5 | 5 | 2 | N/A | 4 | 2 | N/A
Business Unit 21 | Medium | 3.2 | 3 | 3 | 5 | 5 | 1 | 3 | 5 | 5 | 4 | 1 | 5 | 2 | 2
Business Unit 22 | Medium | 3.2 | 3 | 3 | 5 | 3 | 1 | 4 | 5 | 4 | 4 | 4 | 3 | 3 | 4
Business Unit 23 | Medium | 3.2 | 3 | 3 | 5 | 3 | 1 | 4 | 5 | 3 | 4 | 2 | 4 | 3 | 3
Business Unit 24 | Medium | 3.1 | 3 | 3 | 5 | 2 | 1 | 2 | 5 | 2 | 2 | 3 | 2 | 3 | 3
Business Unit 25 | Medium | 3.2 | 3 | 3 | 5 | 4 | 5 | 5 | 3 | 2 | 2 | 5 | 3 | 5 | 4
Business Unit 26 | Medium | 3.5 | 3 | 3 | 5 | 4 | 1 | 4 | 4 | 4 | 3 | 5 | 3 | 2 | N/A
Business Unit 27 | Medium | 3.6 | 4 | 3 | 4 | 3 | 2 | 3 | 5 | 4 | 1 | 5 | 3 | 2 | 2
Business Unit 28 | Medium | 3.2 | 3 | 3 | 4 | 4 | 1 | 4 | 4 | 1 | 3 | 2 | 4 | 4 | 3
Offshore Service Provider
Offshored Process 1 | Medium | 3.2 | 3 | 3 | 5 | 4 | 1 | 3 | 4 | 3 | 3 | 4 | 2 | 4 | 3
Offshored Process 2 | Medium | 3.2 | 3 | 3 | 4 | 3 | 2 | 4 | 4 | 3 | 3 | 4 | 2 | 4 | 3
Offshored Process 3 | Medium | 3.4 | 3 | 3 | 4 | 4 | 4 | 3 | 4 | 3 | 3 | 4 | 2 | 4 | 3
Offshored Process 4 | Medium | 3.4 | 3 | 3 | 5 | 4 | 3 | 3 | 4 | 3 | 3 | 4 | 3 | 4 | 3
Offshored Process 5 | Medium | 2.9 | 3 | 3 | 4 | 4 | 1 | 3 | 2 | 2 | 2 | 4 | 3 | 4 | 3
Offshored Process 6 | Medium | 3.0 | 3 | 3 | 4 | 5 | 2 | 3 | 1 | 2 | 2 | 4 | 2 | 4 | 3
Offshored Process 7 | Medium | 3.1 | 3 | 3 | 5 | 4 | 1 | 2 | 3 | 4 | 4 | 3 | 3 | 2 | 3
Offshored Process 8 | Medium | 3.1 | 3 | 3 | 5 | 3 | 3 | 4 | 3 | 2 | 2 | 2 | 4 | 3 | 3
4. CONTROLS ASSURANCE BY THE SECOND LINE OF DEFENCE
BTFG Assurance Universe
BTFG Business Units: High and some Medium Risk BUs – from Annual Inherent Risk Assessment
Offshored Processes: High and some Medium Risk processes – from Annual Inherent Risk Assessment
Project Assurance: High risk and High priority projects
Compliance Plans:
• REAT MIS Compliance Plans
• Equities MIS Compliance Plans
• Superannuation Compliance Plan
• Wrap Compliance Plans (i.e. Investment Wrap, Super Wrap and Asgard eWrap)
• General Insurance Compliance Plan
• Life Insurance Compliance Plan
• Lenders Mortgage Insurance Compliance Plan
• Advice Compliance Plan
• Private Wealth Compliance Plan
• ASX Compliance Plans
APRA Prudential Standards Monitoring Universe: APRA Prudential Standards relevant to BTFG
AFSL Compliance Obligations
AML and NCCP Compliance Obligations
Sarbanes-Oxley (“SOX”) Processes (DE and OE):
• BT Super
• BT Platform
• Equities
Other inputs to the BTFG Assurance Program:
• Monthly Single View of Issues and Incidents
• Risk Appetite Statements (RAS)
• Risks and Controls Management (RCM)
• Emerging themes etc.
Questions?