Practice management –Risk Management for in-house lawyers

Shari EmenDirector, PwC

Trustee Obligations - SIS CovenantsSection 52 of the SIS Act outlines Covenants to be included in the governing rules of registrable superannuation entities. Covenants relating to risk were introduced through the Stronger Super reforms s.52(8) applicable from 1 July 2013:

• Formulate, review regularly and give effect to a risk management strategy that relates to: [s.52(8)(a)]The activities, or proposed activities, of the trustee, to the extent that they are relevant to the

exercise of the trustee’s powers, or the performance of the trustee’s duties and functions, as trustee of the entity.

The risks that arise in operating the entity.

• Maintain and manage in accordance with the prudential standards financial resources to cover the operational risk that relates to the entity [s.52(8)(b)]

Prudential Standard SPS 220 Risk ManagementRSE licensee must establish and maintain a holistic risk management framework:• have a written strategic business plan;• maintain a Board-approved risk appetite statement;• maintain a Board-approved risk management strategy that describes the key elements of the risk

management framework;• have a designated risk management function responsible for assisting in the development,

implementation and maintenance of the RMF;• subject to effective and comprehensive review at least every three years and subject to a regular

compliance audit;• notify APRA when the RSE licensee becomes aware of a significant breach or failure of the RMF;• submit a risk management declaration on an annual basis; and• maintain adequate technical, human and financial resources for the RSE licensee’s business

operations.

Risk requirements across Prudential StandardsThe requirements of SPS 220 Risk Management cannot be considered in isolation. Trustees must examine the broader requirements within other Prudential Standards, the policies and procedures for which must form part of the RSE Licensee’s risk management framework.

• SPS 114 Operational Risk Financial Requirement - must determine a target amount of financial resources to address the operational risks of each RSE within the RSE licensee’s business operations.

• SPS 231 Outsourcing - must ensure all risks arising from outsourcing material business activities be appropriately managed to ensure that the RSE licensee is able to meet its obligations to its beneficiaries.

Risk requirements across Prudential Standards• SPS 232 Business Continuity Management - must identify, assess and manage potential

business continuity risks

• SPS 250 Insurance - Board is responsible for having an Insurance Management Framework that reflects the risks associated with offering insured benefits and acquiring insurance and that is appropriate to the size, business mix and complexity

• SPS 510 Governance - must have a Remuneration Policy that aligns remuneration and risk management. Performance based components of remuneration must be designed to encourage behaviour that supports the risk management framework.

Must have a Board Audit Committee, which assists the Board by providing an objective non-executive review of the effectiveness of the financial reporting and risk management framework.

Risk requirements across Prudential Standards• SPS 520 Fit & Proper - RSE licensees need to prudently manage the risk that persons in

positions of responsibility might not be fit and proper.

• SPS 530 Investment Governance – RSE Licensees must implement an investment governance framework, which among other things, includes at a minimum structures, policies and processes for investment performance and risk measurement, assessment and reporting; and must reflect the risks associated with investments, as a material risk area identified in SPS 220.

Key issues arising from new regime• Roles, responsibilities & reporting lines of the risk function• Requirements for a CRO• Risk appetite and tolerance should be regularly reported to the Board, enhancements required

for risk appetite definitions and measures/limits• Alignment to Strategy and Business Plan• Risk culture• Management of investment risks • Prudential policies do not reflect SPGs and Trustee’s own business practices (RMF, RMS, RAS,

Fit & Proper, Board renewal, Remuneration, Insurance Management Framework, Investment Governance Framework, Investment Strategy Business Continuity Management, Outsourcing)