© 2014 Finity Consulting Pty Limited

Focus on Risk Management

NZ Director Forum

Presented by John Smeed & Jacob Mamutil | 11 June 2014

Content

Current requirements in New Zealand

APRA’s approach

What are the lessons for best practice in New Zealand?

Regulatory requirements in NZ

Risk Management Programme

In accordance with IPSA Act section 73-74

And any guidelines published by RBNZ

Section 75 fine of $500,000 for failure to comply

3

Risk Management Programme Guideline

Risk Management Programme

Document describing

risk assessment

process… Capture all Material

Risks

Describe roles that accept

and mge risk

Prescribes Information

flows System for addressing

non-compliance

Contingency plans

Ongoing review process

Link to solvency

policy

4

Including but not limited to: • Insurance Risk • Credit Risk • Liquidity Risk • Market Risk • Operational Risk

Governing body - responsibilities

• Solvency

• Capital Adequacy

• Liquidity

• Establish Risk Tolerances and communicate in meaningful way

• Conflict of interest policy; Related party transactions on arms length terms

Responsibilities

• Reporting requirements

• Policies

• Procedures

• Controls

Approve

• Risk exposures to ensure consistency with tolerances

• Legal compliance and compliance with internal policies and procedures Monitor

5

Risk Management for APRA

regulated institutions in

Australia

APRA – setting the context

More rigorous governance requirements

Consistency across all financial institutions (soon to include

Health Insurance as well)

“APRA’s integrated structure and approach have been one of its main

strengths” - APRA submission to the Financial System Inquiry (March 2014)

7

Build on GFC learnings in

restraining excessive risk taking

Market discipline not effective

Global regulation inadequate

Light-touch prudential supervision

found wanting

“Australia punches above its weight internationally in

influencing supervisory regulation”

Focus on risk

APRA recently introduced:

More risk sensitive capital measures (LAGIC)

Internal Capital Adequacy Assessment Process (ICAAP)

Formal Risk Appetite

More intensive supervision, e.g. meeting regularly with

Boards

Now with CPS 220 and CPS 510

Chief Risk Officer

Separate Board Risk and Board Audit Committees

Risk culture

Tighter Board oversight of risk framework

8

CPS 220

9

Consolidates and integrates all risk management components

into a refined Risk Management Framework

Business Plan ICAAP

Risk Management Strategy (RMS) Risk Appetite Statement (RAS)

Risk Management Policies and Procedures

Scenario analysis and stress testing

Chief Risk Officer Risk Management Information System (MIS)

Risk Management Function Annual Risk Management Declaration

Independent Reviews APRA reporting

Building a successful risk culture

When “oversight” becomes “ensure”

“The Board must ensure that:…..” CPS 220 Para 13

Requires more Board involvement in the business

operations

Has been gradually softened following strong feedback

‘Response to Submissions’ January 2014 noted “ensure”

was not to be read in isolation…to be practically applied.

On 8 May 2014 APRA sent a letter to all CEOs that they

will insert a definition in the standards

that defines ‘ensure’ to mean ‘all reasonable steps

and make all appropriate enquiries… to determine, to

the best of its knowledge’

10

Best Practice in New Zealand

– what are the key learnings?

The Big Picture

12

Objectives / Mission Statement

Business Plan

Capital strategy &

targets

Risk Management Framework

and Strategy

Strategy Risk Appetite

Risk Management Programme should be holistic – integrated with the company’s business strategy, risk appetite and capital targets

Governance

Three lines of defence model

Is a useful structured approach

13

3rd Line

Independent assurance

2nd line

Independent review

1st line

Embedded risk owners

3 Lines of Defence governance model: APRA’s view

14 Source: APRA draft Prudential Practice Guide CPG 220 – Risk Management, page 19

Clear statement of Risk Appetite

Risk Appetite is the “degree of risk that the institution is prepared to

accept in pursuit of its strategic objectives and business plan”.

In making decisions, have to ask two questions:

Is the risk of the decision acceptable regardless of the amount of

reward?

If yes, is the risk worth taking for the level of reward?

Test: let’s take an informal survey on “your” risk appetite

15

Risk Appetite – here is a test

16

Activity Yes/No

1. Online shopping

2. Investing in something that is too good to be true

3. Run along any road at night

4. Cross the road when the light is red (no cars)

5. Go sky-diving

6. Take part in a car rally

7. Go rock climbing/abseiling

8. Go bungee jumping

9. Drive in excess of the speed limit on a quiet road

10. Make decisions independently rather than rely on experts

The Board’s role in risk governance

In Australia, APRA believes there is room for material

improvement (bordering on intervention!)

Strong Board engagement with management lays a solid

foundation for risk governance and makes good sense

The takeaway for Boards is that a passive approach is

not appropriate

17

Passive BALANCED Active

Stronger risk management

Benefits that can be achieved

Improved resilience to internal and external shocks

Improved communication and information flows lead to better

decision making

Reduced volatility of results through better understanding and

treatment of risks

Improved risk-return profile

18

Some questions for Boards

Have you had a holistic look at your risk management

programme?

Are the risk management accountabilities clear throughout the

business and reporting to the Board effective?

Are you comfortable that the business understands the firm’s

risk appetite?

What testing of risk culture would give the Board comfort?

Do you feel that you have provided the appropriate level of

challenge to management?

19

Contact

John Smeed

Tel: 09 363 2894

Mobile: 021 796 326

www.finityconsulting.co.nz

Jacob Mamutil

Tel: +61 2 8252 3318

Mobile: +61 411 012 060