The first changes relate to APRA’s approach to the Basel III liquidity reforms, including additional capital requirements for designated banks deemed to be systemically important to Australia’s financial system.
Furthermore, in an effort to harmonise and consolidate their risk management requirements, APRA released their final Prudential Standard CPS 220 Risk Management, which applies to authorised deposit-taking institutions (ADIs), general insurers, life insurers and single industry groups (Level 2 groups). It will also apply to conglomerate groups (Level 3 groups) that APRA intends to determine by 1 January 2015.
APRA also released a proposed prudential practice guide on risk management, a response paper addressing submissions received by APRA on the CPS 220 consultation package, and an amended Prudential Standard CPS 510 Governance to help ensure governance requirements related to risk management are aligned to CPS 220, all of which highlights the renewed focus given to risk management, risk culture and governance.
Directly influencing APRA’s approach, the Global Financial Crisis demonstrated major frailties in risk management in banks and other financial institutions in Europe and the United States.
The international response has been to strengthen capital requirements, liquidity buffers, risk management, risk culture and governance. While this predominantly affects the banking sector, it has wide-ranging implications for all industries. APRA’s initiative on CPS 220 was in part a reflection of these global developments. However, it was also part of APRA’s general move in recent years towards a more consistent approach to risk management and governance across all regulated industries.
KPMG believes the following themes additionally underpinned APRA’s approach:
- Stronger expectations on comprehensive risk management and appetite frameworks within banks and other regulated entities.
- More emphasis on an integrated and forward-looking approach to risk management, risk appetite and risk culture, both in individual regulated entities and at group level.
- A growing recognition of the importance of risk culture as the foundation for risk management.
- Increased focus on the role of the board, board risk committee and non-executive directors in overseeing and taking responsibility for risk management, appetite and culture.
CPS 220 is designed to develop:
- more focused attention by directors on risk appetite, risk management and risk culture, with the board taking ultimate ownership of these frameworks
- a stronger expectation of non-executive directors in providing challenge to management views
- a well-resourced, dedicated risk management function
- a more comprehensive and forward-looking approach to risk management – at the APRA-defined Level 1, 2 and 3 entity levels
- increasing emphasis on the use of forward-looking scenario and stress testing programs
- more focused, regular vetting of risk management systems and controls.
CPS 220 requires a comprehensive and integrated approach to risk management, with your risk appetite statement, risk management framework, risk and business strategy and risk culture all coordinated into a cohesive whole.
Risk appetite statements must be forward-looking and directly informed by stress testing. Stress testing (including for calibration of risk appetite and risk limits, and as part of ICAAP) is essential when assessing their suitability under CPS 220.
ADIs and other regulated entities must ensure that their risk management systems and controls are subject to annual and three-yearly independent reviews in accordance with CPS 220.
The increased requirements for the board, the board risk committee and the audit committee suggest the need for clear board and board committee charters, with appropriate demarcations to assist in the board’s understanding of revised roles and responsibilities.
Boards must provide APRA with an annual risk management declaration. They must also be aware of the implications associated with a qualified CPS 220 declaration and define the thresholds that apply to providing one. For independent review teams, this means understanding the most practical solution to undertake when completing risk management framework reviews.
Moving forward it’s clear that not adequately addressing risk may be the biggest risk of all.