Risk management systems of responsible entities

Attachment to CP 263: Draft regulatory guide

REGULATORY GUIDE 000

Risk management systems of responsible entities

July 2016

About this guide

This guide is for Australian financial services (AFS) licensees that are responsible entities. It gives specific guidance on how these entities may comply with their obligation under s912A(1)(h) of the Corporations Act 2001 (Corporations Act) to maintain adequate risk management systems.

About ASIC regulatory documents

In administering legislation ASIC issues the following types of regulatory documents.

Consultation papers: seek feedback from stakeholders on matters ASIC is considering, such as proposed relief or proposed regulatory guidance.

Regulatory guides: give guidance to regulated entities by:
- explaining when and how ASIC will exercise specific powers under legislation (primarily the Corporations Act)
- explaining how ASIC interprets the law
- describing the principles underlying ASIC's approach
- giving practical guidance (e.g. describing the steps of a process such as applying for a licence or giving practical examples of how regulated entities may decide to meet their obligations).

Information sheets: provide concise guidance on a specific process or compliance issue or an overview of detailed guidance.

Reports: describe ASIC compliance or relief activity or the results of a research project.

Document history

This draft guide was issued in July 2016 and is based on legislation and regulations as at the date of issue.

Disclaimer

This guide does not constitute legal advice. We encourage you to seek your own professional advice to find out how the Corporations Act and other applicable laws apply to you, as it is your responsibility to determine your obligations. Examples in this guide are purely for illustration; they are not exhaustive and are not intended to impose or imply particular rules or requirements.

Contents

A Overview
    Legislative obligation
    What this guide covers
    Who this guide applies to
    ASIC's interim approach to compliance
B Establishing a risk management system
    Risk management systems
    Developing risk management systems
    Implementation and review of risk management systems
    Setting risk management in context
    Policy or statement on risk appetite
    Risk management culture
    Structure and risk ownership
    Liquidity risk management
    Relevant industry, local and international standards
    Good practice guidance
C Identifying and assessing risks
    Identifying risks
    Risks relevant to the business and the schemes
    Strategies for assessing risks
    Selecting risk identification and assessment methodologies
    Good practice guidance
D Managing risks
    Determining appropriate risk treatments
    Controls or measures to manage or mitigate risks
    Use of technology
    Compliance with other relevant obligations as an AFS licensee
    Residual risks
    Monitoring and review
    Stress testing and scenario analysis
    Good practice guidance
Appendix: Examples of risks and risk treatments
    Strategic risk
    Governance risk
    Operational risk
    Market and investment risk
    Liquidity risk
Key terms
Related information

A Overview

Key points

As Australian financial services (AFS) licensees, responsible entities (including dual-regulated entities) are legally obliged to have adequate risk management systems. These systems are fundamental to mitigating exposure to relevant risks and informing business decision making.

This guide provides guidance on how responsible entities may comply with this obligation, including:
- establishing and maintaining risk management systems that are suitable for the responsible entity's business and the schemes operated (see Section B);
- identifying and assessing risks (see Section C); and
- managing risks (see Section D).

Legislative obligation

Under s912A(1)(h) of the Corporations Act 2001 (Corporations Act), responsible entities have an ongoing obligation to maintain adequate risk management systems.

This obligation also applies to responsible entities that are dual-regulated entities. A dual-regulated entity is a registerable superannuation entity (RSE) licensee that also operates schemes.

In Regulatory Guide 104 Licensing: Meeting the general obligations (RG 104), we set out our general guidance for AFS licensees on what is required to comply with s912A(1)(h). Based on our experiences and changes in the managed investment sector, we considered that additional tailored guidance would assist responsible entities.

In , we reviewed the risk management systems of a selected group of responsible entities, ranging in size and complexity, to assess the systems' adequacy and strategic and operational effectiveness: see Report 298 Adequacy of risk management systems of responsible entities (REP 298).

In 2015, we surveyed 118 responsible entities asking them about their risk management systems, including their processes for managing liquidity risk and conducting stress testing. The survey was a proactive response to increased volatility in global and domestic markets: see Media Release (15-020MR) ASIC enquires into risk management by responsible entities (13 February 2015).

Based on these reviews, we identified that there were inconsistencies between the risk management systems of responsible entities and that improvements could be made to some responsible entities' arrangements.

Further, there have been a number of significant developments in relation to responsible entities that highlight the importance of having an adequate risk management system in place, including:
(a) an increase in the amount of assets managed in the managed funds sector;
(b) growth in the number of schemes operated;
(c) diversification in the size, complexity and nature of the types of schemes managed by responsible entities;
(d) changes in market conditions; and
(e) a number of high-profile collapses of responsible entities.

This guide draws on the findings of our reviews and provides guidance on specific areas to improve the risk management systems of responsible entities.

What this guide covers

This guide outlines our expectations of responsible entities when complying with the obligation within s912A(1)(h).

While RG 104 gives guidance on risk management systems for AFS licensees generally, this guide focuses specifically on the business of responsible entities, the schemes they operate and the particular risks they face.

The sections of this guide detail our expectations for responsible entities to have:
(a) overarching risk management systems in place (Section B);
(b) processes for identifying and assessing risks (Section C); and
(c) processes for managing risks that are appropriate for the nature, scale and complexity of the business and schemes operated (Section D).

We have also included in this guide additional good practice guidance. This guidance is not mandatory; it is intended to help responsible entities improve their risk management systems to operate at a level above their statutory obligations.

Table 1 provides a summary of our expectations of responsible entities and the good practice guidance.

Table 1: Summary of guidance

Section B (Establishing a risk management system)

Expectations for compliance with s912A(1)(h)

Responsible entities should:
- maintain documented risk management systems that support:
    - a risk governance structure;
    - clearly defined roles and responsibilities;
    - policies and procedures for identifying, assessing and understanding each of the material risks of the responsible entity's business and the schemes operated;
    - policies and procedures for ensuring that there are adequate controls in place to manage the risks identified;
    - policies and procedures for ensuring there is adequate oversight of the risk management systems by both the party responsible for ownership of the risk and the compliance function, including appropriate reporting; and
    - a policy or statement on the responsible entity's risk appetite and the risk tolerance for each material risk identified;
- foster a strong risk management culture;
- take into account relevant industry, local and international standards;
- include, as a component of the risk management systems, a liquidity risk management process;
- ensure the board or its delegate reviews whether the risk management systems have been complied with, are operating effectively and remain current as frequently as appropriate, given the nature, scale and complexity of the responsible entity's business and the schemes it operates (at a minimum, annually); and
- if relying on external service providers for risk management functions, maintain a strong understanding of risk management and have sufficient skills to independently monitor and assess the performance and ongoing suitability of the service provider.

Good practice guidance (not mandatory)

Responsible entities may:
- at least annually, conduct an independent review to determine whether the risk management systems have been complied with and are operating effectively;
- at least every three years, conduct a comprehensive independent review of the appropriateness, effectiveness and adequacy of the risk management systems;
- segregate functions to allow for independent checks and balances;
- establish a designated risk management function and/or risk management committee;
- appoint a chief risk officer; and
- publicly disclose appropriate details of the responsible entity's risk management system.

Section C (Identifying and assessing risks)

Expectations for compliance with s912A(1)(h)

Responsible entities should:
- maintain one or more risk registers as part of their risk identification and assessment process;
- ensure that their risk management systems address all material risks including (but not limited to) strategic risk, governance risk, operational risk, market and investment risk, and liquidity risk at both the responsible entity and scheme level;
- when choosing methodologies for identifying and assessing risks, take into account:
    - the nature, scale and complexity of the business;
    - processes based on forward-looking analysis;
    - ensuring an appropriate level of human input;
    - ensuring senior management involvement in the process; and
    - whether different processes should be used for different schemes; and
- adopt appropriate methods to assess risks, which may include:
    - self-assessment;
    - stress testing and/or scenario analysis;
    - loss data analysis;
    - change management; and
    - electronic systems.

Good practice guidance (not mandatory)

Responsible entities may use risk indicators and regularly report on these to the board and senior management.

Section D (Managing risks)

Expectations for compliance with s912A(1)(h)

Responsible entities should:
- implement appropriate strategies for managing each of the risks identified, including:
    - a control monitoring and assurance process;
    - conducting stress testing and/or scenario analysis of liquidity risks of the business and the schemes they operate as part of their risk management systems as frequently as appropriate, given the nature, scale and complexity of the business (at a minimum, annually);
    - reviewing their framework for stress testing and/or scenario analysis to ensure the tested scenarios are relevant and appropriate in light of the business and market conditions as frequently as appropriate, given the nature, scale and complexity of the business (at a minimum, annually); and
    - if stress testing and/or scenario analysis is not conducted, document why this is the case, keep appropriate internal records of this rationale and review this decision regularly;
- have adequately experienced staff regularly review and monitor the risks identified;
- ensure there is regular reporting and escalation of issues to the board, risk committee and compliance committee, as appropriate; and
- ensure compliance with other relevant obligations as an AFS licensee.

Good practice guidance (not mandatory)

Responsible entities may:
- conduct regular stress testing and/or scenario analysis of all material risks of the business and the schemes they operate;
- have a written risk treatment plan; and
- include in the compliance plan for their schemes, procedures for ensuring that the key risks identified for the responsible entity and relevant scheme are managed on an ongoing basis.

In the appendix to this guide we give examples of risks and risk treatments that we consider are particularly relevant to responsible entities, based on our regulatory experience. These examples may help responsible entities establish and review their arrangements to identify, assess and manage risks, and may be considered by responsible entities as part of these processes.

The examples of risks in this guide are not intended to be exhaustive. We expect that, through the application of a structured and systematic process, responsible entities will identify, assess and manage risks relevant to their business and the schemes they operate in an ongoing and dynamic way.

Who this guide applies to

This guide is for responsible entities, including dual-regulated entities, but may also apply to:
(a) AFS licensees not currently operating a scheme;
(b) investor directed portfolio services (IDPS) and managed discretionary account (MDA) operators; and
(c) entities operating unregistered managed investment schemes.

Dual-regulated entities

Dual-regulated entities also need to meet the risk management requirements set out in various legislation and the prudential standards regulated by the Australian Prudential Regulation Authority (APRA).

Note 1: The Superannuation Legislation Amendment (Service Providers and Other Governance Measures) Act 2013 amended the Corporations Act so that dual-regulated entities will need to comply with the obligation in s912A(1)(h) to have adequate risk management systems. This guide applies to these entities in addition to requirements under the Superannuation Industry (Supervision) Act 1993; however, the obligation to have an adequate risk management system excludes risks that relate solely to the operation of a regulated superannuation fund by the RSE licensee.

Note 2: APRA has issued Prudential Standard SPS 220 Risk management (PDF 55.5 KB) to help RSE licensees develop their risk management systems.

Responsible entities that are part of a corporate group subject to regulation by APRA may take into account APRA's prudential standards and prudential practice guidance on risk management when developing and implementing risk management systems as required in this guide.

This guidance is intended to act in unison with APRA's requirements for risk management. It is not expected that there will be any conflict between the requirements of either regulator; however, if for any reason a responsible entity believes they cannot comply with this guidance because of a conflicting APRA requirement, they should inform ASIC as soon as practical.

Other entities that may benefit from this guidance

We expect all AFS licensees authorised to operate a scheme to consider this guide, even if they are not currently operating any schemes. This will help ensure they have in place a compliant risk management system that can be applied to the schemes on commencement of their operation.

We expect IDPS and MDA operators to consider this guidance when establishing and reviewing their risk management systems, as these services would need to be registered as managed investment schemes if they could not rely on our relief for IDPSs and MDAs.

All aspects of this guide may not be relevant to entities operating unregistered managed investment schemes. However, we recommend that operators of such schemes consider this guidance when establishing and reviewing their risk management systems.

ASIC's interim approach to compliance

The requirements outlined in this guide are not new but are ASIC's view of the current requirements regarding risk management for responsible entities. As such there is no transitional period for compliance with these requirements. However, we intend to take a constructive and conciliatory approach to any breaches of this guidance for a period of 12 months from the date of release, if the relevant responsible entity can show that it is taking steps to bring its risk management system into compliance with this guidance.

B Establishing a risk management system

Key points

A responsible entity should ensure its risk management system comprises documented processes to identify, assess and treat risks and that this system is suitable for its business and the schemes it operates.

This section sets out our guidance for responsible entities on:
- developing a risk management system;
- implementing and reviewing risk management systems;
- setting risk management in context;
- risk appetite;
- the role of culture and structure in risk management systems;
- liquidity management; and
- relevant industry, local and international standards.

This section also sets out our good practice guidance for establishing a risk management system.

Risk management systems

The international standard for risk management defines risk as the 'effect of uncertainty on objectives' and risk management as 'coordinated activities to direct and control an organization with regard to risk': see International Standard ISO 31000:2009 Risk management: Principles and guidelines.

An effective risk management system:
(a) creates and protects value;
(b) is an integral part of all organisational processes;
(c) is part of decision making;
(d) explicitly addresses uncertainty;
(e) is systematic, structured and timely;
(f) is based on the best available information;
(g) is tailored;
(h) takes human and cultural factors into account;
(i) is transparent and inclusive;
(j) is dynamic, iterative and responsive to change; and
(k) facilitates continual improvement of the organisation.

Developing risk management systems

A risk management system includes all structures, systems and subsystems, policies, procedures, and staff that a responsible entity uses to identify, assess and treat risks or to monitor and review the relevant controls or measures. It may be regarded as a framework (similar to that referred to in APRA's requirements and guidance on risk management) comprising all elements that allow the responsible entity to perform its risk management functions as required by the Corporations Act.

An adequate risk management system enables material risks faced by the responsible entity and the schemes it operates to be identified, analysed and treated in a comprehensive and systematic way. The adequacy of a responsible entity's risk management system will depend on the nature, scale and complexity of its business and the schemes it operates.

We consider the following to be core processes that are essential to an adequate risk management system in any responsible entity's business:
(a) setting out the context in which the risk management system operates, including a policy or statement on the responsible entity's risk appetite (see RG RG );
(b) identifying and assessing risks (see Section C); and
(c) managing risks, including reviewing and monitoring the risk management system (see Section D and RG RG ).

A responsible entity should ensure that:
(a) its risk management system comprises documented processes to identify, assess and manage material risks; and
(b) these processes are suitable for its business and the schemes it operates.

We expect responsible entities to maintain a strong understanding of risk management in the context of the business, even if the establishment and the monitoring of the risk management systems are done by a small group of employees or external third-party service providers (e.g. compliance and risk management consultants).

We expect those who carry out the risk management function to have appropriate knowledge and skills. Where external third-party service providers are used, we expect responsible entities to have sufficient skills to independently identify key risks and to monitor and assess the service provider's performance and ongoing suitability.

We note that under s601FB, responsible entities retain ultimate responsibility for the operation of the scheme.

We understand that if a responsible entity is part of a corporate group, the risk management system of the responsible entity, or the policies and procedures for its risk management system, may be subject to the overarching approach of the corporate group or form part of its risk management framework.

Some responsible entities may rely on the risk management system of a related entity to assist with complying with their risk management obligations. This may be appropriate for businesses that are part of a larger corporate group; however, if this approach is adopted, each responsible entity should take into consideration their specific individual risks and requirements. The responsible entity should carefully assess the risk management system of the corporate group or related entity to ensure that it is appropriate and tailored as necessary.

Implementation and review of risk management systems

Risk management systems are most effective if applied and adhered to in day-to-day decision making at all levels. Therefore, it is essential that a responsible entity ensures that all processes, policies and procedures that form part of its risk management system are implemented and applied to the day-to-day operation of its business and the schemes it operates.

We consider that the development of an adequate risk management system is not a 'set and forget' or one-off process. The system should adapt and evolve to take into account internal changes within the responsible entity and the schemes it operates, as well as changes in the external environment. We consider that the responsible entity's senior management has a specific role in ensuring that the risk management system is current, relevant, effective and appropriate to the business on an ongoing basis.

To ensure that risk management systems are always current, they should be monitored and reviewed by the board or its delegate as frequently as appropriate, given the nature, scale and complexity of the business and the schemes operated. This should be at least annually. The nature, scale and complexity of the business and the schemes operated will also determine the level of detail of the review.

Setting risk management in context

A responsible entity should consider and document the context in which its risk management system is developed. That is, the internal and external environment in which its business operates, including the objectives of the business.

An adequate risk management system requires a thorough understanding of the internal and external factors that could affect the responsible entity's ability to achieve its goals and objectives. Table 2 lists some examples of these factors.

Table 2: Examples of internal and external factors

Internal factors
- Goals and objectives in the strategic and business plans, including the objectives of the relevant schemes (e.g. whether a scheme will be a liquid scheme offering redemptions on demand or an illiquid scheme). Particular business strategies may create specific risks affecting the business.
- Capabilities of the organisation (e.g. financial, human and technological resources).
- Information flow and decision-making processes.
- Culture of the responsible entity.

External factors
- Business, financial, competitive, political, economic, social, cultural, technological and environmental factors the business faces.
- Expectations of external stakeholders (including shareholders) about the operation of the business.
- Legal and regulatory changes that affect the operation of the business and the schemes.
- New product offerings in the market that compel a responsible entity to compete more effectively.

Policy or statement on risk appetite

A responsible entity should set out in writing its risk appetite. This statement should outline the responsible entity's attitude towards risk taking while carrying out its business plans, including the amount of risk (which may refer to the level of losses) it is willing to take to pursue its business strategies and achieve its objectives.

This statement should address the risks relevant to the responsible entity's overall strategy to achieve its objectives and set out the limits to these risks. The responsible entity may have one such policy or statement setting out its risk appetite in aggregate, or separate policies (e.g. for each business unit). The policy or statement should be approved by the board or its delegate.

During this process the risk tolerance for each material risk should be identified. This can be expressed in qualitative or quantitative terms, where appropriate. The risk tolerance will reflect the risk appetite.

A responsible entity should ensure its risk appetite is reviewed at appropriate intervals and that it takes into account changes in the internal and external context in which the business operates, including changes to the objectives and strategic direction of the business.

Responsible entities may adopt the following approach in setting and applying a policy or statement on risk appetite:
(a) Senior management sets the policy or statement on risk appetite for the business.
(b) The board or its delegate approves the policy or statement on risk appetite.
(c) Based on this statement, risk tolerance is set and documented for each material risk, broken down into clearly defined limits or thresholds for particular activities of the business to support the decision-making process.
(d) Risk management processes, policies and procedures to implement and monitor the limits and thresholds are developed and communicated to staff, so that they are applied to support day-to-day operational decision making.

Risk management culture

We expect responsible entities to foster a strong risk management culture throughout their organisations. The effectiveness of an adequate risk management system depends on the whole organisation understanding the value of managing risks effectively, and acting accordingly.

We expect responsible entities to ensure that all relevant staff understand the purposes of risk management, including ensuring legal and regulatory compliance, as well as its value to the organisation. This can be done through induction, training and education programs.

The board and senior management have specific responsibilities to ensure that a responsible entity as an AFS licensee complies with its obligation to have an adequate risk management system. We acknowledge that the board may not be directly involved in the day-to-day operation of the policies, procedures and processes for the risk management system and may delegate the supervision of these roles. However, the board's commitment to fostering a strong risk management culture within the organisation is especially important, as the board is in a position to provide leadership and make sure that relevant measures are implemented effectively.

An effective risk management culture may include:
(a) communicating with staff about the importance of managing risks to achieve strategic business objectives;
(b) providing sufficient resources for all risk management functions;
(c) relevant staff receiving ongoing training about risk management (e.g. general risk management training and/or training that is relevant to a staff member's role and responsibilities) to help them identify risks and understand how they can be managed;
(d) discouraging breaches of any risk management procedures by staff through adequate consequence management; and
(e) assigning a designated director the responsibility of making sure the risk management system for the responsible entity and schemes it operates are adequate (or a designated director having responsibility over particular parts of the risk management system).

We expect responsible entities to maintain and implement remuneration policies that are aligned with, and supportive of, the risk management systems of their business, including the schemes they operate.

Structure and risk ownership

A responsible entity's risk management system should include details of the functions, roles and responsibilities for implementing and carrying out specific risk management activities.

We consider that an adequate risk structure requires:
(a) staff who perform risk management functions to have the appropriate knowledge and skills;
(b) decision making that is cognisant of the risk management system;
(c) key staff to take responsibility for owning risks and developing processes to mitigate them;
(d) regular reviews; and
(e) that risk owners regularly monitor and report on those risks.

We expect responsible entities' risk management systems to require relevant staff to report internally to identified escalation points (e.g. the risk management committee, the designated risk management function or the board) about compliance with risk management processes, policies and procedures on a regular basis, and whenever any issues are identified (e.g. exceeding the risk tolerance for a particular risk, or a failure to follow the relevant processes). Such reporting increases the risk-related information available in the organisation, to assist decision making and improve risk management systems where systemic issues about their operation are identified.

We also consider that responsible entities should ensure that there are processes for regular reporting and escalation of issues to the board and/or any risk or compliance committee established.

Liquidity risk management

Effective liquidity risk management is important for a responsible entity to ensure the financial obligations and needs of the business and schemes operated are met, including:
(a) investor redemptions;
(b) payment of distributions;
(c) changes in operational needs; and
(d) unexpected expenses.

We expect risk management systems of responsible entities to include a liquidity risk management process, designed to ensure there are adequate financial resources to meet the financial obligations and needs of the responsible entity and the schemes operated.

Relevant industry, local and international standards

In developing, implementing and reviewing its risk management system, we consider that a responsible entity should take into account relevant industry, local and international standards.

We appreciate that in many cases compliance with the guidance may not be mandatory and a wide range of material may exist. We consider at a minimum responsible entities should take into account the guidance that exists for the key risk areas identified for the business and schemes operated.

As outlined above, we consider liquidity is a key risk area for schemes and that a responsible entity should consider the liquidity risk management principles outlined in the International Organization of Securities Commissions (IOSCO's) Principles of Liquidity Risk Management for Collective Investment Schemes.

Note: See IOSCO, Principles of liquidity risk management for collective investment schemes: Final report (PDF 231 KB), March

Good practice guidance

Additional strategies that may be implemented by responsible entities in establishing and maintaining risk management systems include:
(a) supplementary reviews of the risk management system;
(b) segregating functions to allow for independent checks and balances;
(c) designating a risk management function and committee;
(d) appointing a chief risk officer; and
(e) publicly disclosing appropriate details about their risk management system.

Review of risk management systems

Responsible entities may undertake the following additional independent reviews of their risk management systems:

(a) a review to determine whether the risk management systems have been complied with and are operating effectively (at least annually); and
(b) a comprehensive review of the appropriateness, effectiveness and adequacy of the risk management systems (at least every three years).

The above reviews should be carried out by an independent, appropriately trained and competent person. This does not require an external party and can be done internally, as long as the responsible entity is satisfied that any other roles carried out by the person reviewing the risk management systems do not have an impact on their ability to perform an objective review and will not limit the robustness of the review.

These additional reviews are similar to those referred to in APRA's requirements and guidance on risk management.

Segregation of functions to allow for independent checks and balances

Depending on the nature, scale and complexity of the business, we encourage responsible entities to segregate functions to allow for independent checks and balances. This may include, for example, segregating the internal function in charge of valuing assets from the investment management function. We consider this will help manage conflicts of interests that may arise, and builds in an additional level of oversight to identify any issues.

Designated risk management function and committee

Depending on the nature, scale and complexity of the business, we consider it is good practice for responsible entities to establish a designated risk management function and/or risk management committee. We understand that this may not be feasible for some responsible entities.

The designated risk management function may have a hands-on role in ensuring the day-to-day operation of a responsible entity (including the schemes it operates) is conducted in alignment with its risk management system. To achieve this, the designated risk management function may be independent from the operating units of the responsible entity's business. It may also have the specific responsibility of monitoring compliance with risk management processes, policies and procedures, as well as reporting to the board and any risk management committee all significant breaches of the processes, policies and procedures.

The responsibilities of a risk management committee may include:

(a) helping senior management develop the risk management system;
(b) reviewing the effectiveness of the risk management system;
(c) reporting to the board and/or senior management on breaches of risk tolerance or risk management processes, policies and procedures, according to the responsible entity's escalation policy; and
(d) reporting to the board and/or senior management on the risk management system and its performance.

Appointing a chief risk officer

Depending on the nature, scale and complexity of the business, we consider it is good practice for responsible entities to appoint a dedicated chief risk officer. Generally, the chief risk officer will be a key member of senior management to ensure they have sufficient stature and authority to influence risk-based decision making. It is important for any chief risk officer to communicate freely and have direct and unfettered access to the board, senior management and any risk or compliance committee established.

Disclosure of risk management policies

In addition to its obligation to disclose information about significant risks and risk management arrangements in the Product Disclosure Statement (PDS) under Pt 7.9 of the Corporations Act, a responsible entity may provide additional transparency to investors about its arrangements by publicly disclosing appropriate details of its risk management systems, for example, on its website or in its annual report.

C Identifying and assessing risks

Key points

This section sets out our guidance for responsible entities on identifying and assessing risks, including:

- maintaining documented processes for identifying and assessing risks. The processes should be suitable for the business's objectives and operations, including for the schemes it operates;
- ensuring its risk management system addresses all material risks. These may include strategic risk, governance risk, operational risk, market and investment risk, and liquidity risk;
- addressing risks for its business (i.e. at the responsible entity level) and for the schemes it operates (i.e. at the scheme level);
- maintaining one or more risk registers as part of their risk identification process; and
- taking into account certain factors when choosing processes for identifying and assessing risks.

It also sets out our good practice guidance for identifying and assessing risks.

Identifying risks

Risk identification is the process used by responsible entities to identify risks that will affect their ability to pursue business strategies and achieve the objectives of their business.

We do not consider that any one particular method for identifying risks is the most appropriate and applicable for all responsible entities. Responsible entities should adapt the processes for risk identification in their risk management systems as the business develops and business risk profiles change, over time and in different market conditions.

Risks need to be identified at any given point in time to ensure responsible entities can effectively manage them in the operation of their business and day-to-day decision making.

There are different ways to identify the risks that can affect a responsible entity's business. For example, evidence-based methods that rely on reviewing audit reports, post-event reports, historical data or risk registers can help to identify existing and emerging risks that the responsible entity may face.
Observations from our regulatory experience indicate that incorporating this approach to risk identification in strategic and business planning is particularly helpful in identifying risks. Responsible entities may use a systematic team approach that uses focus groups and brainstorming to identify risks. Purpose-built computer software can also be used.

A responsible entity should document the processes, policies and procedures it uses to identify risks.

We expect responsible entities to maintain one or more risk registers for recording material risks to the business and schemes as part of their risk identification process. A responsible entity should select the format of the risk register(s) that is most suitable for the business and schemes operated.

Risks relevant to the business and the schemes

We appreciate that the risks identified by responsible entities as part of their risk management systems will depend on the nature, scale and complexity of their business and risk profile, and will be different for each responsible entity. Our regulatory experience suggests that certain types of schemes (e.g. unlisted property schemes, mortgage schemes, agribusiness schemes, quoted schemes, hedge funds and novel schemes) are subject to more complex risks.

A responsible entity should ensure that its risk management system addresses all the material risks faced by its business at both the responsible entity and scheme level. These may include, but are not limited to, the following risks:

(a) Strategic risk: Any risk that arises out of a responsible entity's business strategies and business plan.
(b) Governance risk: Any risk that threatens the ability of a responsible entity to make reasonable and impartial business decisions in the best interests of members. This risk may arise if a responsible entity does not have the appropriate processes in place to:
    (i) support sound and transparent decision making that is not influenced by conflicts of interests; and
    (ii) ensure that decisions related to the schemes are in the best interest of members.
(c) Operational risk: The risk of loss, for the business or schemes, resulting from inadequate or failed internal processes, people and systems or from external events.
(d) Market and investment risk: The risk that a scheme operated by a responsible entity will not meet its objectives. Specific investment risks include those relating to investment governance and structure, market conditions, counterparty failure, product suitability, and valuation and pricing.
(e) Liquidity risk: The risk that the responsible entity will not have adequate financial resources to meet its financial obligations and needs, either at the responsible entity level or at the scheme level (including meeting the scheme's objectives and members' expectations for redemptions). As previously outlined, we consider that liquidity risk is a key risk area for schemes.

Note: For a detailed description of these risks, including examples of specific risks, and treatments to manage these risks based on our regulatory experience, see the appendix to this guide.

Strategies for assessing risks

Risk assessment is the process of describing identified risks, including by reference to the inherent risk, determining the likelihood of a risk eventuating and the significance of its potential impact. This process can help a responsible entity determine whether the identified risks are acceptable in light of its risk appetite and develop appropriate treatments for those risks.

Examples of different methods that responsible entities may adopt for assessing risks include the following:

(a) Self-assessment: The responsible entity, its senior management and those in the designated risk management function (if applicable) assess risks through the business and the schemes it operates. This may include risk mapping, where risks are prioritised according to the significance of the risk and likelihood of a risk eventuating and mapped into four quadrants.
(b) Stress testing and/or scenario analysis: The responsible entity uses techniques such as stress testing and/or scenario testing to assess how it will be impacted by different scenarios. See also RG
(c) Loss data analysis: The responsible entity implements processes to analyse observed incidents to evaluate the actual losses caused by risks.
(d) Change management: The responsible entity implements processes to assess how the business and schemes operated are affected by change, to ensure objectives are still met.
(e) Electronic systems: The responsible entity uses purpose-built computer software to assess risks.

Responsible entities may also seek expert advice and appoint an external consultant to help in the process of assessing the likelihood of a risk eventuating and the significance of its potential impact.

We do not consider that any one particular approach for assessing risks will be the most appropriate and applicable to the operation of all responsible entities.

A responsible entity should document its risk assessment processes. Documenting the reasons why particular assessments are made, including the thinking that led to the decisions about identified risks, provides a useful context for future risk assessment.

Selecting risk identification and assessment methodologies

When considering which approach or combination of approaches to adopt in identifying and assessing risks, responsible entities may consider:

(a) the nature, scale and complexity of the business;
(b) incidents and complaints, trends or developments in the industry, and changes to the business environment;
(c) processes based on a forward-looking analysis in accordance with strategic and business plans (e.g. when assessing the risk of not having adequate technological or human resources, identification of risks should be based on forward planning);
(d) the need to ensure there is an appropriate level of human input in the process: sole or disproportionate reliance on electronic systems may not be adequate;
(e) senior management involvement in the process (e.g. any determination about whether an identified risk is at an acceptable level in light of the policy or statement on risk appetite); and
(f) if applicable, whether different processes should be used to identify and assess risks for different schemes in light of the operation of each particular scheme.

Good practice guidance

Responsible entities may use risk indicators to provide an early signal of increasing risk exposures in various areas of the business. Regular reporting on the risk indicators can give the board and senior management an insight into the changes in the external and internal environment that may indicate risk concerns. It can also help ensure that risk levels are managed within defined tolerances.

D Managing risks

Key points

This section sets out our guidance for responsible entities on managing risks, including:

- determining appropriate risk treatments;
- controls or measures to manage or mitigate risk;
- use of technology;
- compliance with other relevant obligations as an AFS licensee;
- dealing with residual risks;
- monitoring and review; and
- stress testing and scenario analysis.

It also sets out our good practice guidance for managing risks.

Determining appropriate risk treatments

There are different ways that responsible entities may manage risks. For example, they may:

(a) do nothing if the identified risk is within acceptable risk tolerance levels;
(b) avoid the risk by not undertaking the relevant activities that give rise to the risk;
(c) prevent the eventuation of the risk through specific actions, such as developing rules and documented policies and procedures;
(d) reduce or mitigate the consequences or impact of realised risks (e.g. through contingency, emergency or business continuity plans); and/or
(e) transfer the risks to other parties, through insurance, outsourcing or indemnification.

Risks faced by the business should be considered as a whole, given that some risks may be interrelated (e.g. liquidity and valuation risks).

Controls or measures to manage or mitigate risks

We expect responsible entities to have adequate controls to manage or mitigate risks (e.g. performance standards for external service providers). It is also important for the responsible entity to implement a control monitoring and assurance process that considers the:

(a) adequacy of coverage of controls and whether appropriate remediation and response strategies are in place for material risks;
(b) effectiveness of internal controls designed to ensure risks have been mitigated; and
(c) appropriateness of monitoring strategies and ongoing testing (e.g. self-assessment, real-time transaction monitoring and reporting, and control assurance reviews by independent teams).

The appendix to this guide includes examples of controls and measures for treating the risks that we consider are most relevant to the business of a responsible entity.

The examples of risk treatments in the appendix are not mandatory. Nor are the risk management strategies exhaustive. We expect responsible entities to implement strategies for managing risks that are appropriate to the nature, scale and complexity of the business and scheme operated.

Use of technology

There are a variety of technological resources that can be used to help responsible entities manage risks. These technologies come in a variety of forms. These technologies can help by analysing and storing data, automating compliance processes, monitoring trading and streamlining regulatory reporting. External service providers may be used to facilitate this process and also to store data. The use of these technologies may result in enhanced and more cost-effective management of risks. However, it is important to ensure that there is appropriate human oversight and review of any technological resources used.

Compliance with other relevant obligations as an AFS licensee

Apart from the obligations contained within s912a(1)(h), we expect responsible entities to comply with their other existing obligations as an AFS licensee. As outlined in Table 3, many of these obligations are also relevant to assisting the management of risks.
Table 3: Other relevant AFS licence obligations

Obligation: Compensation for retail clients: s912b
Explanation: If financial services are provided to retail clients, an AFS licensee must have arrangements for compensating those persons for loss or damage suffered due to breaches by the licensee or its representatives. We consider adequate PI insurance is another important measure to manage operational risk.
Further guidance: Regulatory Guide 126 Compensation and insurance arrangements for AFS licensees (RG 126)

Obligation: Adequate financial resources: s912a(1)(d)
Explanation: An AFS licensee must have adequate financial resources. All responsible entities must comply with minimum financial requirements. We consider these requirements are another important measure to assist and manage liquidity risk affecting the responsible entity itself. We expect responsible entities to ensure that their financial resources will be adequate to be able to carry on their business in compliance with their licensee obligations, or to wind up their business in an orderly manner.
Further guidance: Regulatory Guide 166 Licensing: Financial requirements (RG 166) and Class Order [CO 13/760] Financial requirements for responsible entities and operators of investor directed portfolio services.

Obligation: Adequate records of scheme operation: s601ha(1)(e)
Explanation: The compliance plan of a registered scheme must set out the arrangements for ensuring adequate records of the scheme's operations are kept. In complying with this obligation, we expect that a responsible entity will ensure that it keeps adequate records of the establishment, implementation and review of its risk management system for the schemes operated.
Further guidance: Regulatory Guide 134 Managed investments: Constitutions (RG 134)

Obligation: Adequate technological resources: s912a(1)(d)
Explanation: An AFS licensee must have adequate technological resources. We expect that in complying with this obligation a responsible entity will maintain secure and stable information systems. This will assist in managing relevant risks, including system failure and malicious cyber activity.
Further guidance: Report 429 Cyber resilience: Health check (REP 429)

Obligation: Breach reporting: s912d
Explanation: An AFS licensee must tell ASIC in writing within 10 business days about any significant breach (or likely breach) of their obligations. We expect that a responsible entity will ensure that it reports any breach of s912a(1)(h). We consider processes to identify, escalate, report and analyse breaches (including trends) can help manage risks.
Further guidance: Regulatory Guide 78 Breach reporting by AFS licensees (RG 78)

Residual risks

Residual risks often remain, even after measures to treat risks have been applied. Understanding the concept of residual risk is an important consideration when identifying, assessing and managing risks, as it determines whether residual risks are within acceptable risk tolerance levels or require further treatment. It can also help inform future risk assessments. Monitoring residual risks can help ensure they do not increase to a level above the responsible entity's risk appetite, and determine whether further treatment should be applied to manage those risks.


More information

Response to submissions on CP 146 OTC CFDs: Improving disclosure for retail investors

Response to submissions on CP 146 OTC CFDs: Improving disclosure for retail investors REPORT 246 Response to submissions on CP 146 OTC CFDs: Improving disclosure for retail investors August 2011 About this report This report highlights the key issues that arose out of the submissions received

More information

Credit licensing: Competence and training

Credit licensing: Competence and training REGULATORY GUIDE 206 Credit licensing: Competence and training July 2014 About this guide This guide is for credit licensees, licence applicants and unlicensed carried over instrument lenders (unlicensed

More information

APPLICATION OF THE KING III REPORT ON CORPORATE GOVERNANCE PRINCIPLES

APPLICATION OF THE KING III REPORT ON CORPORATE GOVERNANCE PRINCIPLES APPLICATION OF THE KING III REPORT ON CORPORATE GOVERNANCE PRINCIPLES Ethical Leadership and Corporate Citizenship The board should provide effective leadership based on ethical foundation. that the company

More information

APPLICATION OF KING III CORPORATE GOVERNANCE PRINCIPLES 2014

APPLICATION OF KING III CORPORATE GOVERNANCE PRINCIPLES 2014 WOOLWORTHS HOLDINGS LIMITED CORPORATE GOVERNANCE PRINCIPLES 2014 CORPORATE GOVERNANCE PRINCIPLES 2014 CORPORATE GOVERNANCE PRINCIPLES 2014 This table is a useful reference to each of the King III principles

More information

A&CS Assurance Review. Accounting Policy Division Rule Making Participation in Standard Setting. Report

A&CS Assurance Review. Accounting Policy Division Rule Making Participation in Standard Setting. Report A&CS Assurance Review Accounting Policy Division Rule Making Participation in Standard Setting Report April 2010 Table of Contents Background... 1 Engagement Objectives, Scope and Approach... 1 Overall

More information

Resignation, removal and replacement of auditors

Resignation, removal and replacement of auditors REGULATORY GUIDE 26 Resignation, removal and replacement of auditors June 2015 About this guide This is a guide for public companies, responsible entities of registered managed investment schemes, Australian

More information

GUIDELINES ON CORPORATE GOVERNANCE FOR LABUAN BANKS

GUIDELINES ON CORPORATE GOVERNANCE FOR LABUAN BANKS GUIDELINES ON CORPORATE GOVERNANCE FOR LABUAN BANKS 1.0 Introduction 1.1 Good corporate governance practice improves safety and soundness through effective risk management and creates the ability to execute

More information

RISK MANAGEMENT POLICY

RISK MANAGEMENT POLICY RISK MANAGEMENT POLICY Approved by Governing Authority February 2016 1. BACKGROUND 1.1 The focus on governance in corporate and public bodies continues to increase. It resulted in an expansion from the

More information

Key functions in the system of governance Responsibilities, interfaces and outsourcing under Solvency II

Key functions in the system of governance Responsibilities, interfaces and outsourcing under Solvency II Responsibilities, interfaces and outsourcing under Solvency II Author Lars Moormann Contact solvency solutions@munichre.com January 2013 2013 Münchener Rückversicherungs Gesellschaft Königinstrasse 107,

More information

TGA key performance indicators and reporting measures

TGA key performance indicators and reporting measures TGA key indicators and reporting measures Regulator Performance Framework Version 1.0, May 2015 About the Therapeutic Goods Administration (TGA) The Therapeutic Goods Administration (TGA) is part of the

More information

Prudential Practice Guide

Prudential Practice Guide Prudential Practice Guide LPG 260 Conflicts of Interest under Section 48 March 2007 www.apra.gov.au Australian Prudential Regulation Authority Disclaimer and copyright This prudential practice guide is

More information

RISK MANAGEMENT AND COMPLIANCE

RISK MANAGEMENT AND COMPLIANCE RISK MANAGEMENT AND COMPLIANCE Contents 1. Risk management system... 2 1.1 Legislation... 2 1.2 Guidance... 3 1.3 Risk management policy... 4 1.4 Risk management process... 4 1.5 Risk register... 8 1.6

More information

Terms of Reference - Board Risk Committee

Terms of Reference - Board Risk Committee Terms of Reference - Board Risk Committee The Board Risk Committee is authorised by the Board to oversee the Group s risk management arrangements. It ensures that the overarching risk appetite is appropriate

More information

GUIDELINES ON INVESTMENT MANAGEMENT FOR LABUAN INSURANCE AND TAKAFUL BUSINESS

GUIDELINES ON INVESTMENT MANAGEMENT FOR LABUAN INSURANCE AND TAKAFUL BUSINESS GUIDELINES ON INVESTMENT MANAGEMENT FOR LABUAN INSURANCE AND TAKAFUL BUSINESS 1.0 Introduction 1.1 The Guidelines on Investment Management for Labuan Insurance and Takaful Business (the Guidelines) sets

More information

on Asset Management Management

on Asset Management Management 2008 Guidelines for for Insurance Insurance Undertakings Undertakings on Asset on Asset Management Management 2 Contents Context...3 1. General...3 2. Introduction...3 3. Regulations and guidelines for

More information

CRO Forum Paper on the Own Risk and Solvency Assessment (ORSA): Leveraging regulatory requirements to generate value. May 2012.

CRO Forum Paper on the Own Risk and Solvency Assessment (ORSA): Leveraging regulatory requirements to generate value. May 2012. CRO Forum Paper on the Own Risk and Solvency Assessment (ORSA): Leveraging regulatory requirements to generate value May 2012 May 2012 1 1. Introduction 1.1. Purpose of the paper In this discussion paper

More information

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012 GUIDANCE NOTE FOR DEPOSIT-TAKERS Operational Risk Management March 2012 Version 1.0 Contents Page No 1 Introduction 2 2 Overview 3 Operational risk - fundamental principles and governance 3 Fundamental

More information

Re: CAPSA Pension Plan Governance Guidelines and Self-Assessment Questionnaire

Re: CAPSA Pension Plan Governance Guidelines and Self-Assessment Questionnaire October 25, 2004 Dear Stakeholder: Re: CAPSA Pension Plan Governance Guidelines and Self-Assessment Questionnaire On behalf of the Canadian Association of Pension Supervisory Authorities (CAPSA), we are

More information

Basel Committee on Banking Supervision. Review of the Principles for the Sound Management of Operational Risk

Basel Committee on Banking Supervision. Review of the Principles for the Sound Management of Operational Risk Basel Committee on Banking Supervision Review of the Principles for the Sound Management of Operational Risk 6 October 2014 This publication is available on the BIS website (www.bis.org). Bank for International

More information

EUROPEAN CENTRAL BANK

EUROPEAN CENTRAL BANK 19.2.2013 Official Journal of the European Union C 47/1 III (Preparatory acts) EUROPEAN CENTRAL BANK OPINION OF THE EUROPEAN CENTRAL BANK of 24 May 2012 on a draft Commission delegated regulation supplementing

More information

1. Trustees annual report

1. Trustees annual report 1. Trustees annual report Accounting and reporting by charities Overview and the purpose of the trustees annual report 1.1. The primary purpose of the trustees annual report (the report) is to ensure that

More information

Facilitating debt raising

Facilitating debt raising REGULATORY GUIDE 213 Facilitating debt raising May 2012 About this guide This guide is for listed entities, their advisers and investors involved in offers of quoted corporate bonds or convertible notes.

More information

Capital Management Standard Banco Standard de Investimentos S/A

Capital Management Standard Banco Standard de Investimentos S/A Capital Management Standard Banco Standard de Investimentos S/A Level: Entity Type: Capital Management Owner : Financial Director Approved by: Board of Directors and Brazilian Management Committee (Manco)

More information

PART I - PRELIMINARY...1 Objective...1 Applicability...2 Legal and Regulatory Provision...2

PART I - PRELIMINARY...1 Objective...1 Applicability...2 Legal and Regulatory Provision...2 PART I - PRELIMINARY...1 Objective...1 Applicability...2 Legal and Regulatory Provision...2 PART II POLICY REQUIREMENTS...3 Investment and Risk Management Policy...3 Monitoring and Control...5 Roles of

More information

High level principles for risk management

High level principles for risk management 16 February 2010 High level principles for risk management Background and introduction 1. In their declaration of 15 November 2008, the G-20 leaders stated that regulators should develop enhanced guidance

More information

KEY POLICIES FOR CFDS Issue Date: May 2016

KEY POLICIES FOR CFDS Issue Date: May 2016 KEY POLICIES FOR CFDS Issue Date: May 2016 Contents 1. About this document 3 2. Client Suitability Policy 4 The purpose of this Policy 4 Minimum qualifying criteria 4 Context 4 Suitability Process 5 Personal

More information

Derivative transaction reporting

Derivative transaction reporting REGULATORY GUIDE 251 Derivative transaction reporting February 2015 About this guide This guide is for reporting entities that are subject to the reporting obligations under the ASIC Derivative Transaction

More information

Risk Management Policy Adopted by:

Risk Management Policy Adopted by: Risk Management Policy Adopted by: Infigen Energy Limited Infigen Energy (Bermuda) Limited Infigen Energy RE Limited in its capacity as Responsible Entity of Infigen Energy Trust Adopted: 17 December 2009

More information

SUPERVISORY AND REGULATORY GUIDELINES: PU48-0809 GUIDELINES ON MINIMUM STANDARDS FOR THE OUTSOURCING OF MATERIAL FUNCTIONS

SUPERVISORY AND REGULATORY GUIDELINES: PU48-0809 GUIDELINES ON MINIMUM STANDARDS FOR THE OUTSOURCING OF MATERIAL FUNCTIONS SUPERVISORY AND REGULATORY GUIDELINES: PU48-0809 ISSUED: 4 th May 2004 REVISED: 27 th August 2009 GUIDELINES ON MINIMUM STANDARDS FOR THE OUTSOURCING OF MATERIAL FUNCTIONS I. INTRODUCTION The Central Bank

More information

Risk Management Framework

Risk Management Framework Risk Management Framework Mandate and commitment Design of framework for managing risks Continual improvement of the framework Implementing risk management Monitoring and review of the framework Source:

More information

Risk and Audit Committee Terms of Reference. 16 June 2016

Risk and Audit Committee Terms of Reference. 16 June 2016 Risk and Audit Committee Terms of Reference 16 June 2016 Risk and Audit Committee Terms of Reference BHP Billiton Limited and BHP Billiton Plc Approved by the Boards of BHP Billiton Limited and BHP Billiton

More information

Example Statement of Advice: Scaled advice for a new client

Example Statement of Advice: Scaled advice for a new client REGULATORY GUIDE 90 Example Statement of Advice: Scaled advice for a new client August 2013 About this guide This guide is for Australian financial services (AFS) licensees, authorised representatives,

More information

Fund Management Companies Guidance

Fund Management Companies Guidance 2015 Fund Management Companies - Guidance Fund Management Companies Guidance November 2015 1 Contents Part I. Delegate Oversight 2 Part II. Organisational Effectiveness 24 Part III. Directors Time Commitments

More information

Governance, Risk & Compliance Management. Julian Hunn, Operations Manager Professional Standards

Governance, Risk & Compliance Management. Julian Hunn, Operations Manager Professional Standards Governance, Risk & Compliance Management Julian Hunn, Operations Manager Professional Standards Session Plan GRC Governance, Risk & Compliance Management What is corporate governance? Directors duties

More information

GUIDELINES FOR THE MANAGEMENT OF OPERATIONAL RISK

GUIDELINES FOR THE MANAGEMENT OF OPERATIONAL RISK SUPERVISORY AND REGULATORY GUIDELINES: PU-0412 Operational Risk 25 th November, 2013 GUIDELINES FOR THE MANAGEMENT OF OPERATIONAL RISK 1. INTRODUCTION 1.1. The Central Bank of The Bahamas ( the Central

More information

Review of interest-only home loans

Review of interest-only home loans REPORT 445 Review of interest-only home loans August 2015 About this report This report is for holders of Australian credit licences (credit licensees) and highlights the importance of responsible lending

More information

SPG 223 Fraud Risk Management. June 2015

SPG 223 Fraud Risk Management. June 2015 SPG 223 Fraud Risk Management June 2015 Disclaimer and copyright This prudential practice guide is not legal advice and users are encouraged to obtain professional advice about the application of any legislation

More information

Responsible Investment: Environmental, Social & Corporate Governance Policy

Responsible Investment: Environmental, Social & Corporate Governance Policy Responsible Investment: Environmental, Social & Corporate Governance Policy July 2015 Page # Issued by FSS Trustee Corporation ABN 11 118 202 672 AFSL 293340 Contents Section 1 : Introduction and Background

More information

MERCHANT NAVY OFFICERS PENSION FUND STATEMENT OF INVESTMENT PRINCIPLES

MERCHANT NAVY OFFICERS PENSION FUND STATEMENT OF INVESTMENT PRINCIPLES MERCHANT NAVY OFFICERS PENSION FUND STATEMENT OF INVESTMENT PRINCIPLES Introduction The main purpose of the MNOPF is the provision of pensions for Officers in the British Merchant Navy on retirement at

More information

From ICAAP/ORSA to ERM: Board and Senior Management Oversight. Leon Bloom, Partner, Deloitte & Touche LLP lebloom@deloitte.ca

From ICAAP/ORSA to ERM: Board and Senior Management Oversight. Leon Bloom, Partner, Deloitte & Touche LLP lebloom@deloitte.ca From ICAAP/ORSA to ERM: Board and Senior Management Oversight Leon Bloom, Partner, Deloitte & Touche LLP lebloom@deloitte.ca Agenda Basel II ICAAP Solvency II ORSA ERM From ICAAP/ORSA to ERM: Governance

More information

Comments regarding Consultation Paper 209: Resignation, removal and replacement of auditors: Update to RG 26

Comments regarding Consultation Paper 209: Resignation, removal and replacement of auditors: Update to RG 26 Ernst & Young 8 Exhibition Street Melbourne VIC 3000 Australia GPO Box 67 Melbourne VIC 3001 Tel: +61 3 9288 8000 Fax: +61 3 8650 7777 ey.com/au Mr Doug Niven Senior Executive Leader Financial Reporting

More information

University of New England Compliance Management Framework and Procedures

University of New England Compliance Management Framework and Procedures University of New England Compliance Management Framework and Procedures Document data: Document type: Administering entity: Framework and Procedures Audit and Risk Directorate Records management system

More information

Appendix 15 CORPORATE GOVERNANCE CODE AND CORPORATE GOVERNANCE REPORT

Appendix 15 CORPORATE GOVERNANCE CODE AND CORPORATE GOVERNANCE REPORT Appendix 15 CORPORATE GOVERNANCE CODE AND CORPORATE GOVERNANCE REPORT The Code This Code sets out the principles of good corporate governance, and two levels of recommendations: code provisions; and recommended

More information

GUIDELINE NO. 6 PENSION PLAN PRUDENT INVESTMENT PRACTICES GUIDELINE

GUIDELINE NO. 6 PENSION PLAN PRUDENT INVESTMENT PRACTICES GUIDELINE GUIDELINE NO. 6 PENSION PLAN PRUDENT INVESTMENT PRACTICES GUIDELINE November 15, 2011 TABLE OF CONTENTS CONTEXT FOR THE GUIDELINE... 3 Prudent Investment Practices... 3 Self-Assessment Questionnaire...

More information

Independent Trustee (Corporate)

Independent Trustee (Corporate) Independent Trustee (Corporate) Your guide to applying for a market service licence In this guide 2 Introduction 5 Getting started 7 Fit and proper 9 Capability 11 Financial resources 12 Governance 13

More information

BANKING UNIT BANKING RULES OUTSOURCING BY CREDIT INSTITUTIONS AUTHORISED UNDER THE BANKING ACT 1994

BANKING UNIT BANKING RULES OUTSOURCING BY CREDIT INSTITUTIONS AUTHORISED UNDER THE BANKING ACT 1994 BANKING UNIT BANKING RULES OUTSOURCING BY CREDIT INSTITUTIONS AUTHORISED UNDER THE BANKING ACT 1994 Ref: BR/14/2009 OUTSOURCING BY CREDIT INSTITUTIONS AUTHORISED UNDER THE BANKING ACT 1994 INTRODUCTION

More information

Victorian Government Risk Management Framework. March 2015

Victorian Government Risk Management Framework. March 2015 Victorian Government Risk Management Framework March 2015 This document reproduces parts of the AS/NZS ISO 31000:2099 Risk Management Principles and Guidelines. Permission has been granted by SAI Global

More information

Prudential Practice Guide

Prudential Practice Guide Prudential Practice Guide LPG 240 Life Insurance Risk and Life Reinsurance Management March 2007 www.apra.gov.au Australian Prudential Regulation Authority Disclaimer and copyright This prudential practice

More information

MLC Derivatives Policy

MLC Derivatives Policy MLC Derivatives Policy 1 Overview The purpose of this policy is to provide guiding principles and policy directives for the use and oversight of derivatives used within the products, investment portfolios

More information

Compliance Policy AGL Energy Limited

Compliance Policy AGL Energy Limited Compliance Policy AGL Energy Limited November 2013 Table of Contents 1. About this Document... 3 2. Policy Statement... 4 3. Purpose... 4 4. AGL Compliance Context... 4 5. Scope... 5 6. Objectives... 5

More information

PRODUCT HIGHLIGHTS SHEET

PRODUCT HIGHLIGHTS SHEET Prepared on: 17 October 2013 This Product Highlights Sheet is an important document. It highlights the key terms and risks of this investment product and complements the Singapore Prospectus 1. It is important

More information

Operational Risk Management Program Version 1.0 October 2013

Operational Risk Management Program Version 1.0 October 2013 Introduction This module applies to Fannie Mae and Freddie Mac (collectively, the Enterprises), the Federal Home Loan Banks (FHLBanks), and the Office of Finance, (which for purposes of this module are

More information

Board Charter. HCF Life Insurance Company Pty Ltd (ACN 001 831 250) (the Company )

Board Charter. HCF Life Insurance Company Pty Ltd (ACN 001 831 250) (the Company ) Board Charter HCF Life Insurance Company Pty Ltd (ACN 001 831 250) (the Company ) Board approval date: 27 October 2015 Contents 1. Introduction and Purpose of this Charter...1 2. Role of the Board...1

More information

Guidance on Risk Management, Internal Control and Related Financial and Business Reporting

Guidance on Risk Management, Internal Control and Related Financial and Business Reporting Guidance Corporate Governance Financial Reporting Council September 2014 Guidance on Risk Management, Internal Control and Related Financial and Business Reporting The FRC is responsible for promoting

More information

Basel Committee on Banking Supervision

Basel Committee on Banking Supervision Basel Committee on Banking Supervision Guidelines Corporate governance principles for banks July 2015 This publication is available on the BIS website (www.bis.org). Bank for International Settlements

More information

APPLICABLE TO: Flow Systems Group and all employees. Risk Management

APPLICABLE TO: Flow Systems Group and all employees. Risk Management PURPOSE: Flow Systems is committed to managing its risks and ensuring compliance with all relevant laws and regulations in a proactive, on-going and positive manner. This document outlines Flow s Risk

More information

Future of Financial Advice: Best interests duty and related obligations

Future of Financial Advice: Best interests duty and related obligations REGULATION IMPACT STATEMENT Future of Financial Advice: Best interests duty and related obligations December 2012 About this Regulation Impact Statement This Regulation Impact Statement (RIS) addresses

More information