CPS/SPS 220 Risk Management: Time for an Independent Review?

All financial institutions regulated by the Australian Prudential Regulation Authority (APRA) are required to have their risk management frameworks reviewed by independent and competent persons on a triennial basis, under the Risk Management Prudential Standards CPS 220 and SPS 220. CPS 220 was extended to the Private Health Insurance (PHI) sector in 2018, as part of the sector’s transition from the Private Health Insurance Administration Council (PHIAC) to APRA’s regulatory environment. This year the PHI sector will be going through their first round of triennial comprehensive reviews.

These comprehensive reviews must assess the appropriateness, effectiveness and adequacy of the institutions risk management framework, having regard to the size, business mix and complexity of the institution.

Hall Advisory has completed a number of these comprehensive reviews across the insurance, banking and superannuation sectors. Through our independent reviews of risk management frameworks and our involvement in uplifting these frameworks across the finance industry, we have seen a number of areas consistently needing further improvement. These observations are consistent with those from our network of specialist consulting and in-house risk and compliance professionals. Some of these development areas may resonate with you also.

Strategic and Business Planning

Under CPS/SPS 220, organisations are required document a Board approved business plan outlining the approach for implementing its strategic objectives over a three-year period, at a minimum. The plan is required to be a rolling plan that is reviewed on an annual basis, with the outcomes of the annual review reported to the Board. Organisations must also be able to demonstrate appropriate alignment between the business planning and risk management frameworks, with all relevant material risks being identified and reassessed upon any interim strategic changes.

Through our independent reviews, we often observe insufficient alignment between the business planning and risk management frameworks, with relevant strategic risks not being adequately identified within the risk register. We also from time to time observe a lack of rigour around the documentation and review process for strategic and business planning, such that the requirements of CPS/SPS 220 are not adequately met. This can arise as a result of the risk and compliance function not being sufficiently engaged in the strategic and business planning processes of the organisation and other executives not being familiar with the detailed regulatory requirements in this respect.

Risk Culture

Boards are required under CPS/SPS 220 to form a view of the risk culture in the organisation and how it supports the organisation to operate within its risk appetite. We see some organisations falling short at the first logical step - clearly articulating the desired risk culture and expected behaviours.

Once this is articulated, it enables the Board to form a view on its organisations risk culture relative to its target state. A good way to do this is via a formalised risk culture assessment by an independent party, such as the risk management function, internal audit, or an external consultant. Often the involvement of an external party can provide comfort to employees to express their views freely on an anonymous basis, which can provide for a richer analysis of the cultural issues at play.

Hall Advisory has conducted a number of risk culture assessments which deep dive into an organisations risk culture through tailored risk culture surveys and interviews with stakeholders across the organisation. This enables the Board to get an understanding on where improvements can be made or if undesirable behaviour is occurring.

We are often asked by our clients to undertake a risk culture assessment in conjunction with CPS/SPS 220 independent triennial review, which can be an efficient process that optimises the insights and findings delivered through both reviews.

Risk Management Frameworks and Risk Appetite Statements

Documented RMFs and risk appetite statements (RAS) are ever evolving and can always benefit from some improvements. Most comprehensive reviews will result in some findings for enhancements to these documents.

Common areas requiring uplift in RMFs include specifying roles and responsibilities, articulating desired risk culture, addressing emerging risks, improving risk likelihood/consequence rating descriptions/metrics, improving how controls are captured and monitored, and specifying the process for linking risk with strategic planning. For larger and more sophisticated organisations, more advanced methods of risk identification and assessment may be recommended, including the consideration of risk interconnectivity, the rounding out of top-down / bottom-up risk workshop processes, and enhancement of the approach to risk aggregation.

RAS’s tend to lack qualitative descriptions of the risk appetite for each risk category, the process for setting appropriate risk tolerances, the development of operational risk limits and metrics / key risk indicators (KRIs), and their linkage to specific risks and appetites at the enterprise level. Sometimes we see that they key concepts underpinning the risk appetite statement have not been clearly and coherently defined, resulting in potential confusion and varied interpretation by the business. This is often compounded by a lack of tailored risk training to better facilitate implementation of the risk appetite statement.

Watch out for our pending blog piece focusing on risk appetite, which will delve further into more of the common pitfalls in this space and the process of getting your risk appetite framework right (or progressively closer to)!

Allocating Responsibilities and Resources

This is an area that usually has to play catch up after big transitions and changes in organisations or even changes in frameworks, policies and procedures. We’ve seen many gaps in the roles and responsibilities specified within risk management frameworks and those as listed in position descriptions. Usually the position descriptions are left stale and not updated in line with risk management and compliance responsibilities until a change in resource triggers an update

Another common issue is inadequate risk resourcing. Organisations have seen some major pressure from increased legislative requirements, and this impacts the resources undertaking day-to-day risk and compliance work along with any proactive risk work. It’s a balance to maintain enough resources to continue with the usual work, address new projects or business change initiatives as well as increased work arising from new legislative requirements. Risk resources should be reassessed regularly to ensure that they remain at an adequate level to enable the risk function to complete all of its responsibilities.

Sometimes we see instances where it appears that resources are inadequate but it’s actually as a result of unclear or unallocated responsibilities so employees don’t know who is responsible for certain tasks. This can include blurred lines across the business (Line 1) versus the risk team’s (Line 2) responsibilities. It’s important to update those position descriptions and the documented roles and responsibilities in policies and procedures so everyone can focus on the right tasks! Enhanced risk training programs and targeted projects to engage the business in the ownership of risk are also beneficial in this respect.

Policy Management

Some policies and frameworks require regular review under the Prudential Standards. Issues with managing regular policy reviews generally occur as a result of under resourcing or lack of review processes. A simple way to track all policies and procedure documents is via a review calendar.

Speaking of policy review, don’t forget to have your RMF annually reviewed by internal audit or external audit, per CPS/SPS 220 requirements. While unexpected, we find this requirement occasionally falls through the cracks!

Compliance Frameworks

CPS/SPS 220 requires organisations to have a designated and appropriately resourced compliance function that supports senior management in effectively managing compliance risks.

We often see compliance frameworks that have gradually fallen into a state of disrepair, as a result of the competing priorities for under-resourced risk and compliance functions, many of which are consolidated within the same team. This case be the case irrespective of whether a systems-based or manual approach is adopted in managing the vast array of existing compliance obligations and new regulatory developments. Sufficient resources need to be invested in maintaining the framework, verifying the effectiveness of controls implemented in respect of compliance obligations, and rolling out an effective compliance training program.

On occasion, we observe the processes supporting the execution of the annual Risk Management Declarations (RMDs) that must be submitted to APRA as lacking in formality, without documented and consistent processes from year to year. Opportunities to further integrate the RMD approval process with the compliance framework and existing assurance processes are also typically identified. The adequacy of systems and processes in place to ensure the effective implementation of both audit and independent review findings is also relevant here, and opportunities for further improvement are identified for some organisations.

Need help?

Do these issues sound familiar? Or are you due for a comprehensive review of your organisation’s risk management framework?

Hall Advisory is able to assist you with independently conducting a comprehensive review of your risk management framework, conducting an external assessment of risk culture, or providing specialist advice and assistance in improving your risk management policies and procedures.

Check out our Core Services page on our website for a detailed list of the services that we provide and please contact us if we can be of assistance.