Governance, Risk & Compliance Management
Julian Hunn, Operations Manager, Professional Standards
Session Plan: GRC Governance, Risk & Compliance Management
- What is corporate governance?
- Directors' duties under the Corporations Act
- Good corporate governance, corporate growth and long-term competitive advantage
- What are the obligations and risks of a Responsible Manager?
- ASIC's approach to investigations and enforcement
- Managing reputational risk
Key Business Risks in 2014
Top 10 business risks globally:
1. Loss of reputation or brand value
2. Business interruption
3. Privacy
4. Theft, fraud & corruption
5. Changes in legislation and regulation
6. Cyber security
7. Cross-border issues
8. Intensified competition
9. Economic conditions
10. IT failure
Sources: KPMG, Protiviti, Control Risks, Kroll
What is Corporate Governance?
Corporate governance is a broad-ranging term which, amongst other things, encompasses the rules, relationships, policies, systems and processes whereby authority within organisations is exercised and maintained. The governance attributes of an organisation are shaped by a variety of factors, both "internal" (e.g. constitution, organisational policies) and "external" (e.g. laws, regulations, community expectations).
Integrated Governance, Risk and Compliance
In order to execute effective governance, the board of directors and executive management must effectively oversee a number of key business processes:
- Strategy and operation planning
- Risk management
- Ethics and compliance
- Performance measurement and monitoring
- Mergers, acquisitions and other transformational transactions
- Management evaluation, compensation and succession planning
- Communication and reporting
Strategic Risk Management Enabling Transparency, Accountability and Integrity
GRC Underpinned by Culture
Enabling Transparency, Accountability and Integrity

Governance Processes
- Strategy and operation planning
- Risk management
- Ethics and compliance
- Performance measurement and monitoring
- Mergers, acquisitions and other transformational transactions
- Management evaluation, compensation and succession planning
- Communication and reporting

Risk Management Processes
- Risk identification
- Risk assessment
- Risk response
- Risk mitigation
- Incident tracking and remediation
- Control activities
- Monitoring and reporting

Compliance Processes
- Standards and procedures
- High-level oversight
- Due care in the delegation of authority and responsibility
- Effective communication and training
- Monitoring, auditing and reporting processes
- Ongoing process improvement

"The better the quality of the controls, the more effective the brakes. And the more effective the brakes, the faster the business can go." - SAI Global
ASIC Review of Financial Advice Industry Practice
The questionnaire sent out by ASIC covered the following topics:
1. Business model;
2. Risk management and compliance frameworks;
3. Adviser training regimes;
4. Adviser monitoring and supervision;
5. Products advised on and client strategies; and
6. Complaints handling and compensation arrangements.
Source: ASIC Review of Financial Advice Industry Practice: Phase 2
ASIC Review of Financial Advice Industry Practice
The Report comes down to 12 recommendations for licensees and advisers:
1. Product concentration
2. FOFA implementation
3. Risk management
4. Training of advisers
5. Adviser file reviews
6. Recruitment
7. Breach reports
8. Document retention
9. Approved product lists
10. Risk profile
11. Higher-risk strategies
12. Complaints handling
Source: ASIC Review of Financial Advice Industry Practice: Phase 2
ASIC Review of Financial Advice Industry Practice
Recommendation 3 - Risk management
Licensees should dedicate adequate resources to their risk management function. The resources should be proportionate to the nature and scale of their operations. Licensees should ensure that effective controls are implemented that are commensurate with the level of risk identified, focusing more heavily on those risks that would have a greater impact on the business and/or investors, and a higher probability of occurring.
ASIC Review of Financial Advice Industry Practice
Recommendation 4 - Training of advisers
Licensees should ensure that even experienced advisers remain abreast of all regulatory and product changes, and continue to develop their skills.
Recommendation 6 - Recruitment
Licensees should always conduct reference checks on their new advisers by contacting previous licensees. Police and criminal checks alone are not adequate. Where references are not available, licensees should ensure that additional controls are in place to monitor new advisers.
Complying with your AFS licence and the law
You have obligations relating to:
1. Conduct and disclosure
2. The provision of your financial services
3. The competence, knowledge and skills of your responsible managers, as well as their good fame and character
4. The training and competence of your representatives and authorised representatives
5. Ensuring your representatives (including authorised representatives) comply with the financial services laws
6. Compliance, managing conflicts of interest and risk management
7. The adequacy of your financial, technological and human resources, and
8. Your dispute resolution and compensation arrangements (if your clients are retail clients)
Obligations of Australian Financial Services (AFS) licensees - s912A of the Corporations Act
Regulatory Guide 104 Licensing: Meeting the general obligations
Licensees must comply with the general obligations under s912A(1), and licence applicants must be able to demonstrate in their licence application that they can comply with them: see RG 104.2 to RG 104.6.
Regulatory Guide 105 Licensing: Organisational competence
Licensees must comply with the organisational competence obligation in s912A(1)(e), and licence applicants must be able to demonstrate in their licence application that they can comply with it. ASIC assesses your compliance with this obligation by looking at the knowledge and skills of your responsible managers.
Responsible Managers
What is a Responsible Manager?
Responsible Managers are senior managers who have satisfied the necessary qualifications and experience criteria, and are appointed to demonstrate that the licensee has the competence to provide financial services (in the case of an Australian Financial Services Licence holder) or credit activities (in the case of an Australian Credit Licensee (ACL)). Responsible Managers are required to fulfil the skill and knowledge requirements outlined by ASIC in RG 105 (AFSL) or RG 206 (ACLs). Responsible Managers are also obligated to keep their knowledge and skills up to date.
How many Responsible Managers should be appointed?
According to ASIC, "the number of people you need to nominate as responsible managers will depend on the nature, scale and complexity of your business. However, we expect that you will nominate two or more responsible managers." [RG 105.38]
Each business should aim to ensure that the sum total of its Responsible Managers' knowledge, skills and experience covers the entire range of financial services and products offered by that business.
Responsible Managers
What is involved in the role?
Responsible Managers are essentially tasked with the responsibility of overseeing and managing the provision of financial services and/or credit activities (as the case may be). Responsible Managers are effectively gatekeepers of the specific sections of the business for which they are responsible. Responsible Managers are also key players in the business's compliance arrangements.
However, despite the vital importance of their role, a Responsible Manager is not:
- legally responsible for the business; or
- an Officer or Director, unless they also meet the definition of Officer or Director in the Corporations Act (in which case they will be personally liable for certain breaches of the Corporations Act).
Responsible Managers - Generic Knowledge
Part 01: Financial services law and regulation
Part 02: Regulatory environment and amendments to the Corporations Act
Part 03: Key regulators and their roles
Part 04: AFS licensing regime and disclosure essentials
Part 05: AFS disclosure requirements
Part 06: The adviser-client relationship
Part 07: Sector regulation: insurance, managed investments and super
Part 08: Anti-money laundering
Part 09: Managing conflicts of interest
Part 10: Other regulation: taxation, privacy and ASX rules
The Role of a Responsible Manager
So before accepting (or continuing in) a role as a Responsible Manager, make sure that:
1. You have the time and capability to do the role properly
2. Your job description carefully defines your role and responsibilities as a Responsible Manager
3. You're given the authority and autonomy to properly exercise those responsibilities; otherwise you could be liable for something that is outside your control
4. The licensee has adequate compliance arrangements, or a keen appetite for improving them, and
5. Management don't override your decisions on a commercial basis!
General Duties of Directors
The Corporations Act 2001 specifies four main duties for directors:
1. Care and diligence
2. Good faith
3. Improper use of position
4. Improper use of information
Are there additional directors' duties under the Corporations Act?
1. Insolvent trading
2. Financial information
3. Disclosing directors' interests
4. Lodging information with ASIC
5. Continuous disclosure
What are the consequences of breaching directors' duties laws?
1. Criminal sanctions
2. Civil sanctions
3. Disqualification
4. Commercial consequences
What's your personal liability?
Responsible Managers can act in one or all of the following capacities for an AFS licensee:
- As an employee or authorised representative, providing advice
- As a director, or
- Purely as a Responsible Manager.
Advice Provider
As an employee or authorised representative of an AFS licensee, you could be personally liable if your advice breaches the financial services laws, e.g. you don't comply with the best interests duty. Your professional indemnity insurance should cover this liability.
Director
You could be personally liable if you breach your director's duties, for example if the company trades while insolvent. So ensure the licensee has adequate directors' and officers' insurance and that your contract requires the licensee to indemnify you while performing your director's role (to the extent allowed by law).
What's your personal liability?
Responsible Manager Only
Unless your personal acts or omissions caused or contributed to a breach of the AFS laws by the licensee who has appointed you a Responsible Manager, it's highly unlikely that you would be found personally liable. If you did contribute to the breach, then you could be banned for a period, or for life, and you could be fined.
Directors & Officers (D&O) Insurance
As corporate governance grows increasingly complex, directors and officers need to be aware of the increased potential for claims that may arise from decisions and actions taken within the scope of their regular duties. In this context, claims may come not only from external sources (e.g. from regulators such as ASIC, creditors, shareholders, clients, competitors), but also from within (e.g. from the Company itself).
Exclusions
Fraud, cases where directors obtain illegal remuneration, and criminal conduct are typical exclusions from the D&O Policy.
ASIC's Strategic Framework
ASIC's submission
Senate Economics Committee's inquiry
These policy suggestions cover:
- Raising financial adviser competence through a national exam
- Helping remove "bad apple" advisers and managers from the industry
- Enhancing whistle-blower protections
- Strengthening ASIC's licensing powers
- Streamlining search warrant powers
- Reviewing the level, consistency and availability of penalties
ASIC's Approach to Enforcement
Breach reports by outcome
ASIC Enforcement Statistics
Total covers July 2011 to December 2013; % is each sub-row's share of its category total.

Area of enforcement                                                 Jul-Dec  Jan-Jun  Jul-Dec  Jan-Jun  Jul-Dec    Total     %
                                                                       2011     2012     2012     2013     2013
Market integrity                                                         11        9       18        9       21       68  100%
  Insider trading                                                         6        0        8        6        7       27   40%
  Market manipulation                                                     1        0        1        1        2        5    7%
  Continuous disclosure                                                   1        7        2        0        3       13   19%
  Market integrity rules                                                  2        2        7        2        7       20   29%
  Other market misconduct                                                 1        0        0        0        2        3    4%
Corporate governance                                                     36       12       13        6       13       80  100%
  Action against directors                                               28        8        9        1        7       53   66%
  Insolvency                                                              2        0        0        1        1        4    5%
  Action against liquidators                                              3        2        2        3        4       14   18%
  Action against auditors                                                 2        2        2        1        1        8   10%
  Other corporate governance misconduct                                   1        0        0        0        0        1    1%
Financial Services                                                       59       57       57       63       78      314  100%
  Unlicensed conduct                                                      5        1        2        1        0        9    3%
  Dishonest conduct, misleading statements, unconscionable conduct       18       16       29       24       16      103   33%
  Misappropriation, theft, fraud                                         15        5        3        6       10       39   12%
  Credit                                                                  3       16       14       20       28       81   26%
  Other financial services misconduct                                    18       19        9       12       24       82   26%
Small business compliance and deterrence                                248      225      347      293      228     1341  100%
  Action against directors                                              246      221      332      286      223     1308   98%
  Efficient registration and licensing                                    2        4       15        7        5       33    2%
ASIC Enforcement Statistics
Market Integrity
Enforcement Comparison - Report 387
Reputation Risk
"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett
Strategic Alignment
Strategic alignment with a focus on sustainable reputation begins at the top, with brand oversight, strategy setting, business planning, image building and branding.
Areas of Regulatory Focus
- Market integrity
- Tax crimes
- Bribery & corruption
- The role of gatekeepers
- Self-managed superannuation funds (SMSF)

Managing Reputational Risk
For GRC professionals, your task is to ensure that, when your organisation is harvesting the opportunities innovation brings:
1. risks are mitigated,
2. the right policies and procedures are in place, and
3. most importantly, these are backed up by appropriate supervisory arrangements, review, and the right organisational culture.*
* Speech by Greg Medcraft, Chairman, Australian Securities and Investments Commission, to the Governance Risk and Compliance Conference, 31 October 2013.
Thank You