The Board of an APRA-regulated entity is ultimately responsible for all aspects of governance, oversight and compliance with all relevant laws and regulations. This guide consolidates specific requirements and guidance for life insurer boards from APRA’s prudential standards and prudential practice guides (PPGs). It does not introduce new requirements or guidance and excludes obligations that come from primary legislation.
Governance
Governance standards require entities to act with honesty and integrity and to be run by people with the right skills, knowledge and experience. They include foundational requirements for good governance and the fitness and propriety of people in positions of responsibility.
Accountability
Managing conflicts of interest
To this end, a life company would typically have procedures in place to identify decisions which involve a conflict of interest. A prudent director may wish to be satisfied that there are systems and processes in place to ensure that all conflicts of interest within the scope of s. 48 are identified and properly managed. In some cases this will necessarily involve the conflict being brought to the attention of the Board of directors. It may also be appropriate to seek relevant independent expert advice such as legal or actuarial advice to ensure that directors are fully informed of their obligations and can gain a level of comfort that the nature of the interests has been properly characterised.
Prudential standard
Practice guide
Criteria to determine if a responsible person is fit and proper
Under LPS 520 the skills and experience required by each responsible person depends on the person’s role. This, in turn, is affected by the role undertaken by other responsible persons. For example, a director is generally expected to understand the role and responsibilities of a director and have a general knowledge of the institution, its business and its regulatory environment. However, each director is not generally expected to have all the competencies that the Board collectively needs if other directors have those competencies or they are obtained from external consultants or experts.
Actuarial
Prudential standard
Actuarial advice framework
An insurer must have a board-approved framework for the provision of actuarial advice (actuarial advice framework) that enables the Appointed Actuary to perform the functions of the role and that complies with the applicable prudential requirements. Before approving the actuarial advice framework, the board must consider advice provided by the Appointed Actuary in relation to the actuarial advice framework.
The actuarial advice framework must be appropriately documented and:
specify by whom actuarial advice must be considered (in particular, the circumstances in which it must be considered by the board), having regard to the materiality policy;
Practice guide
Actuarial advice framework
The Appointed Actuary is expected to play an active role in the development of the framework and in any future amendments to it. CPS 320 requires approval of the framework by the board, having taken into account advice from the Appointed Actuary.
Materiality policy
Once the materiality policy is established as part of the actuarial advice framework, materiality thresholds would not ordinarily need to be continually assessed by the board but would be subject to periodic review.
Audit
Prudential standard
Obligations of a life company
A life company must ensure that the following are provided to its Board or Board Audit Committee (if not already sighted by the Board or Board Audit Committee):
reports, provided by the Auditor in accordance with this Prudential Standard, and any associated assessments and other material prepared in connection with fulfilling the requirements of this Prudential Standard;
commentary or responses provided by APRA to the life company on reports provided by the Auditor, and any associated assessments and other material; and
any commentary or response on the reports, associated assessments and other material provided by the Auditor that are given by the life company to APRA.
Board
Prudential standard
Additional requirements of the Head of a group
The Board of the Head of a group is ultimately responsible for oversight of the sound and prudent management of the group and must have the following committees for the group:
a group Board Audit Committee that meets the requirements of paragraphs 52 to 67 and that assists the Board by providing an objective non-executive review of the effectiveness of the group’s financial reporting and group risk management framework; and
a group Board Risk Committee that meets the requirements of paragraphs 80 to 87 and that assists the Board by providing an objective non-executive oversight of the implementation and operation of the group risk management framework.
The Board of a Head of a group must ensure that directors and senior management of the group, collectively, have the full range of skills needed for the effective oversight and prudent management, respectively, of the group. This does not lessen the responsibility of each of the individual Boards of the institutions within the group for their institutions.
A. Governance arrangements – locally incorporated APRA-regulated institutions
The Board and senior management
The Board of directors (the Board) of a locally-incorporated APRA-regulated institution is ultimately responsible for oversight of the sound and prudent management of that institution.
The Board must have a formal charter that sets out the roles and responsibilities of the Board.
The Board, in fulfilling its functions, may delegate authority to management to act on behalf of the Board with respect to certain matters, as decided by the Board. This delegation of authority must be clearly set out and documented. The Board must have mechanisms in place for monitoring the exercise of delegated authority. The Board cannot abrogate its responsibility for oversight of the functions delegated to management.
The Board must ensure that directors and senior management of the institution collectively have the full range of skills needed for the effective and prudent operation of the institution, and that each director has skills that allow them to make an effective contribution to Board deliberations and processes. This includes the requirement for directors, collectively, to have the necessary skills, knowledge and experience to understand the risks of the institution, including its legal and prudential obligations, and to ensure that the institution is managed in an appropriate way taking into account these risks. This does not preclude the Board from supplementing its skills and knowledge by engaging external consultants and experts.
Directors and senior management of a locally incorporated APRA-regulated institution must be available to meet with APRA on request.
The Board must provide the auditor and the Appointed Actuary of the institution, as relevant, with the opportunity to raise matters directly with the Board.
Independence
If the Board of a locally incorporated APRA-regulated institution is in doubt about a director’s independence for the purposes of this Prudential Standard, the APRA-regulated institution may refer the matter to APRA for guidance.
Board composition
The Board of a locally incorporated APRA-regulated institution must have a minimum of five directors at all times.
The Board must have a majority of independent directors at all times. For a locally incorporated APRA-regulated institution that is a of another APRA-regulated institution or overseas equivalent, exceptions may apply as set out at paragraphs 37 to 39. For a locally incorporated APRA-regulated institution that is a subsidiary of a parent company that is not prudentially regulated, exceptions may apply as set out at paragraph 40.
The chairperson of the Board must be an independent director of the APRA-regulated institution.
A majority of directors present and eligible to vote at all Board meetings must be non-executive directors.
The chairperson of the Board cannot have been the Chief Executive Officer (CEO) of the APRA-regulated institution at any time during the previous three years. If the position of the CEO is unexpectedly vacated, the chairperson may serve as an interim CEO. After a period of 90 days, approval must be sought from APRA to allow this arrangement to continue.
The chairperson must be available to meet with APRA on request.
For a locally owned and incorporated APRA-regulated institution, a majority of directors must be ordinarily resident in Australia.
For a foreign-owned, locally incorporated APRA-regulated institution, at least two of the directors must be ordinarily resident in Australia, at least one of whom must also be independent.
Board representation
Where an individual shareholding is greater than 15 per cent, as approved under the Financial Sector (Shareholdings) Act, the Board representation of that shareholding may be greater than allowed in paragraph 34, although it must still be broadly proportionate to the shareholding concerned.
For a locally incorporated ADI that operates as a special service provider, the ADI may apply to APRA for approval for alternative Board composition arrangements that meet the objectives of this Prudential Standard. APRA may approve alternative arrangements for the ADI if satisfied that those arrangements will, in APRA’s opinion, achieve the objectives of this Prudential Standard.
Locally incorporated APRA-regulated institutions that are subsidiaries of other APRA-regulated institutions or overseas equivalents
For a locally incorporated APRA-regulated institution that is a subsidiary of another APRA-regulated institution or an overseas equivalent, the Board must have a majority of non-executive directors, but these non-executive directors need not all be independent.
An institution to which paragraph 37 applies will be required to have, at a minimum, two independent directors, in addition to an independent chairperson, where the Board has up to seven members. Where the Board has more than seven members, the institution will be required to have at least three independent directors, in addition to an independent chairperson.
For the purposes of meeting the requirements in paragraph 38, the independent directors on the Board of the parent company or its other subsidiaries may also sit as independent directors on the Board of the institution.
Subsidiaries of a parent that is not prudentially regulated
For a locally incorporated APRA-regulated institution that is a subsidiary of another entity not covered by the arrangements in paragraphs 37 to 39 of this Prudential Standard, the Board must have a majority of independent directors. However, independent directors on the Board of the parent company or its other subsidiaries may also sit as independent directors on the Board of the institution.
Joint ventures
For the purposes of this Prudential Standard, a locally incorporated APRA-regulated institution that operates as a joint venture can be considered as part of the group of each . Independent directors of a parent may sit as independent directors on the Board of the joint venture entity. However, the general concessions available to subsidiaries in paragraphs 37 to 39 are not available to joint ventures.
APRA-regulated institutions that are part of a group or any other corporate group
Where a locally incorporated APRA-regulated institution is part of a group or any other corporate group, and the APRA-regulated institution utilises group policies or functions, the Board of the APRA-regulated institution must approve the use of group policies and functions and must ensure that these policies and functions give appropriate regard to the APRA-regulated institution’s business and its specific requirements.
Board performance assessment
The Board of a locally incorporated APRA-regulated institution must have procedures for assessing, at least annually, the Board’s performance relative to its objectives. It must also have in place a procedure for assessing, at least annually, the performance of individual directors.
Board renewal
The Board of a locally incorporated APRA-regulated institution must have in place a formal policy on Board renewal. This policy must provide details of how the Board intends to renew itself in order to ensure it remains open to new ideas and independent thinking, while retaining adequate expertise. The policy must give consideration to whether directors have served on the Board for a period that could, or could reasonably be perceived to, materially interfere with their ability to act in the best interests of the institution. The policy must include the process for appointing and removing directors, including the factors that will determine when an existing director will be re-appointed.
B. Governance arrangements – foreign ADIs, Category C insurers and EFLICs
As in the case of locally incorporated APRA-regulated institutions, the ultimate responsibility for the safety and soundness of a foreign ADI or a Category C insurer resides with its Board. Foreign ADIs and Category C insurers must nominate a senior officer (whether a director or senior executive) outside Australia with delegated authority from the Board (senior officer outside Australia) who will be responsible for overseeing the Australian branch operation.
C. Audit arrangements
Board Audit Committee
An APRA-regulated institution (excluding foreign ADIs and Category C insurers but including EFLICs) must have a Board Audit Committee, which assists the Board by providing an objective non-executive review of the effectiveness of the institution’s financial reporting and risk management framework.
The Board Audit Committee is required to provide prior endorsement for the appointment or removal of the institution’s auditor and Head of Internal Audit. If the auditor or Head of Internal Audit is removed from their position, the reasons for removal must be discussed with APRA as soon as practicable, and no more than 10 business days, after the Committee’s endorsement is agreed upon.
The Board Audit Committee must review the engagement of the auditor at least annually, including making an assessment of whether the auditor meets the Audit Independence tests set out in APES 110 Code of Ethics for Professional Accountants, as well as the additional auditor independence requirements set out in this Prudential Standard.
For a foreign ADI or a Category C insurer, the assessment referred to in paragraph 58 is the responsibility of the senior officer outside Australia, and for an EFLIC, it is the responsibility of the Compliance Committee.
The Board Audit Committee must regularly review the internal and external audit plans, ensuring that they cover all material risks and financial reporting requirements of the institution. It must also regularly review the findings of audits, and ensure that issues are being managed and rectified in an appropriate and timely manner.
The Board Audit Committee must ensure the adequacy and independence of both the internal and external audit functions.
The members of the Board Audit Committee must, at all times, have free and unfettered access to senior management, the internal auditor, the heads of all risk management functions, the auditor and the Appointed Actuary, as applicable, and vice versa.
The Board Audit Committee must ensure that the APRA-regulated institution maintains policies and procedures for employees of the institution to submit, confidentially, information about accounting, internal control, compliance, audit, and other matters about which the employee has concerns. The Committee must also ensure that the APRA-regulated institution has a process for ensuring employees are aware of these policies and for dealing with matters raised by employees under these policies.
Members of the Board Audit Committee must be available to meet with APRA on request.
The Board Audit Committee must invite the auditor and the Appointed Actuary, as applicable, to meetings of the Committee.
The internal auditor must have a reporting line and unfettered access to the Board Audit Committee.
independence
The Board of the APRA-regulated institution, senior officer outside Australia or the Compliance Committee, as relevant, must, to the extent practical, undertake steps to satisfy itself that the auditor, who undertakes work for the APRA-regulated institution in relation to the Prudential Acts, prudential standards or reporting standards, is independent of the institution, and that there is no conflict of interest situation that could compromise, or be seen to compromise, the independence of the auditor.
D. Board Risk Committee
The Board of an APRA-regulated institution (excluding foreign ADIs and Category C insurers but including EFLICs) must have a Board Risk Committee, which assists the Board by providing an objective non-executive oversight of the implementation and operation of the institution’s risk management framework.
Attachment A – Director Independence
A director is not independent if the director:
is a substantial shareholder of the APRA-regulated institution or an officer of, or otherwise associated directly with, a substantial shareholder of the institution;
is employed, or has previously been employed in an executive capacity by the APRA-regulated institution or another member of the group, and there has not been a period of at least three years between ceasing such employment and serving on the Board;
has within the last three years been a principal of a material professional adviser or a material consultant to the APRA-regulated institution or another member of the group, or an employee materially associated with the service provided;
is a material supplier or customer of the APRA-regulated institution or another member of the group, or an officer of or otherwise associated directly or indirectly with a material supplier or customer; or
has a material contractual relationship with the APRA-regulated institution or another member of the group other than as a director.
Attachment B – Compliance Committee for eligible foreign life insurance companies
Purpose of the Compliance Committee
The purpose of the Compliance Committee (referred to in this Attachment as ‘the Committee’) is to:
ensure the eligible foreign life insurance company (EFLIC) complies with the requirements in, or imposed under, the Life Insurance Act; and
assist the Board in meeting its responsibilities under the Life Insurance Act.
As required by subsections 16ZF(1) and (4) of the Life Insurance Act, the Board must delegate sufficient powers of management to the members of the Committee to enable Committee members to ensure that the EFLIC complies with the requirements in, or imposed under, the Life Insurance Act. The Board must do so irrespective of anything to the contrary in the EFLIC’s constitution.
Continuing responsibility of the Board
Establishment of the Committee does not free the Board from ultimate responsibility for ensuring the Australian branch of the EFLIC complies with the requirements in, or imposed under, the Life Insurance Act.
In recognition of this, the Board must:
have the power to appoint and remove, at its discretion, members of the Committee, as long as certain composition and residency requirements pertaining to the Committee continue to be met (refer to paragraphs 5 to 8 of this Attachment);
ensure that the delegation of relevant managerial powers (of the kind referred to in paragraph 16ZF(1)(a) and (b) of the Life Insurance Act) is not irrevocable, and that the Board retains the powers delegated; and
establish adequate procedures for monitoring and supervising the operation of the Committee, as well as assessing its performance.
Composition and residency status of Committee members
The Committee must comprise at least five members appointed by the Board. Those members must include:
at least one director of the Board of the EFLIC;
Appointment and removal of Committee members
The power to appoint and remove members of the Committee resides with the Board.
The Board must have appointed all members and formally constituted the Committee within seven days of receiving notification of registration.
The Board must ensure that the Committee as a whole possesses the necessary skills and expertise to ensure that the EFLIC complies with the requirements in, or imposed under, the Life Insurance Act, and to discharge the duties and responsibilities of the Committee provided for in this Prudential Standard.
While membership of the Committee is the responsibility of the Board, the powers to appoint and remove members of the Committee must not be used in a manner that impedes, discourages or otherwise hinders the Committee from discharging its duties and responsibilities. Examples that would be cause for concern by APRA would be an excessive turnover of members, or the removal of members at inappropriate times (for example at critical reporting periods). If requested to do so by APRA, an EFLIC must, within a time stipulated by APRA (which must not be unreasonable), provide a written report to APRA responding to any queries APRA has regarding the removal of members.
Remuneration
Prudential standard
A. Requirements for SFIs
Role of the
The Board, or , of an APRA-regulated entity is ultimately responsible for the entity’s remuneration framework and its effective application.
The Board, or relevant oversight function, must approve the remuneration policy required under paragraph 22 of this Prudential Standard.
The Board must establish a Board Remuneration Committee that:
oversees the design, operation and monitoring of the remuneration framework;
is appropriately composed to enable it to exercise competent and independent judgment when fulfilling requirements under paragraph 25(a) above; and
has the powers necessary to perform its functions.
Board Remuneration Committee
The Board Remuneration Committee must have at least three members and all members must be non-executive directors of the entity.
Specified roles
The Board, or relevant oversight function, must approve the variable remuneration outcomes for persons in specified roles as follows:
individually for senior managers and executive directors; and
on a cohort basis for highly-paid material risk-takers, other material risk-takers and risk and financial control personnel.
Other requirements
In relation to the requirements for a Board Remuneration Committee and remuneration policy, where an APRA-regulated entity is part of a , or corporate group in the case of a , the Board of the APRA-regulated entity may:
use a group Board Remuneration Committee as the Board Remuneration Committee for the APRA-regulated entity, provided that:
the requirements set out in this Prudential Standard are met;
all members of the group Board Remuneration Committee are non-executive directors of the Head of the group in the context of an , or ; and
the Board of the entity has free and unfettered access to the group Board Remuneration Committee; and
adopt and apply a group remuneration policy that is also used by a related body corporate or a connected entity provided that the group remuneration policy:
meets the requirements of this Prudential Standard;
has been approved by the Board or relevant oversight function; and
gives appropriate regard to the entity’s business activities, its specific requirements and its remuneration framework.
B. Requirements for Non-SFIs
Role of the Board
The Board, or relevant oversight function, of an APRA-regulated entity is ultimately responsible for the entity’s remuneration framework and its effective application.
The Board, or relevant oversight function, must approve the remuneration policy required under paragraph 75 of this Prudential Standard.
Specified roles
The Board, or relevant oversight function, must approve the variable remuneration outcomes for persons in specified roles as follows:
individually for senior managers and executive directors; and
on a cohort basis for highly-paid material risk-takers, other material risk-takers and risk and financial control personnel.
Other requirements
In relation to the requirements for a remuneration policy, where an APRA-regulated entity is part of a group, or corporate group in the case of a private health insurer, the Board of the APRA-regulated entity may adopt and apply a group remuneration policy that is also used by a related body corporate or a connected entity provided that the group remuneration policy:
meets the requirements of this Prudential Standard;
has been approved by the Board or relevant oversight function; and
gives appropriate regard to the entity’s business activities, its specific requirements and its remuneration framework.
Disclosures
An APRA-regulated entity must disclose information on the governance of the remuneration framework. This must include:
information on how the Board exercises its discretion in determining remuneration outcomes; and
a description of how the Board oversees remuneration policies and the input provided by the Board Risk Committee, other Board committees, or the risk function, including the Chief Risk Officer.
Practice guide
SFI specific requirements include establishing a Board Remuneration Committee, applying a material weight to non-financial measures in variable remuneration arrangements, applying minimum deferral periods and clawback arrangements, and periodically reviewing the remuneration framework.
Under CPS 511, the Board, or relevant oversight function, is ultimately responsible for the entity’s remuneration framework and its effective application.
APRA expects Boards to ensure that remuneration practices are well supported by broader frameworks and policies that influence behaviour, beyond financial rewards. This includes clear accountabilities and expectations for risk management, effective consequence management and a strong tone from the top on risk culture.
In providing oversight of remuneration, other prudential standards and guidance are also applicable, in particular requirements on governance and risk management. Broader regulatory requirements and expectations, including guidance provided by the Australian Securities and Investments Commission (ASIC), are also relevant for the Board.
Under CPS 511, the Board of a SFI is required to establish a Board Remuneration Committee (RemCo) to oversee the design and implementation of the remuneration framework. The RemCo is responsible for making recommendations to the Board annually on the remuneration arrangements and variable remuneration outcomes for persons in specified roles.
A prudent Board would ensure that the RemCo is composed of members with the appropriate skills, experience and expertise to exercise competent and independent judgment. This includes a clear understanding of what constitutes good risk management.
While the Board of a non-SFI is not required to establish a RemCo, it must put in place arrangements to meet the requirements of CPS 511 and ensure there is appropriate oversight of the remuneration framework and key remuneration decisions.
In determining the variable remuneration outcomes for individuals and cohorts in specified roles, the assessment of performance and risk is a critical input. It is important for the RemCo to ensure it understands the performance and risk outcomes for persons in specified roles, as well as for the entity overall.
APRA expects that the assessment of performance and risk would include direct input from senior risk management personnel, and not be based on self-assessments alone.
Good practice would be for risk and internal audit executives to present a comprehensive assessment of key risk and audit metrics on at least an annual basis, to inform remuneration decision making and outcomes.
Under CPS 511, the RemCo must consult the Board Risk Committee and Chief Risk Officer to enable risk outcomes to be appropriately reflected in remuneration outcomes for persons in specified roles. The use of joint meetings with the Board Risk Committee can be an effective mechanism for providing insights into risk considerations for the RemCo. It would not be prudent to rely on cross-membership between the RemCo and the Board Risk Committee as the sole means of providing a view on risk.
There may be occasions where the Board would need to exercise its discretion to challenge and override remuneration recommendations, and make downward adjustments for individuals, cohorts or all personnel.
A prudent Board would be actively engaged in the oversight of key remuneration decisions, providing robust challenge and independent scrutiny. Board oversight and discretion to adjust variable remuneration would be particularly relevant in unusual or exceptional circumstances. These circumstances may include:
material cases of adverse risk or conduct outcomes, especially where these have impacted the entity’s prudential standing or prudential reputation;
periods of stress in which the entity may be experiencing negative financial performance and erosion of its regulatory capital base; and
periods of stress in which the entity is provided with exceptional public sector support.
It is important that the Board uses its discretion in a timely and informed manner, rather than acting only on the basis of realised outcomes. For example, it could be appropriate for a Board to reduce pre-emptively variable remuneration during a period of stress, rather than waiting for losses to be realised. It would not be prudent to act only once risk issues are made public, to adopt management recommendations without challenge, or to excuse poor risk outcomes on the basis of good intent.
It is the responsibility of the Board and RemCo to guide management on the reporting it needs to fulfil its role. A prudent Board and RemCo would regularly review the information they are provided with to ensure that reporting is sufficient and insightful. Poor quality, inadequate, incomplete or voluminous reporting can significantly hamper oversight and challenge.
Good practice would be for the RemCo to be provided with formal documented performance and risk assessments for individuals in specified roles, and summaries for relevant cohorts such as risk and financial control personnel. This would include clear qualitative and quantitative assessments for measures that have formed the basis of decisions, including key metrics, and an outline of how assessments have flowed through to remuneration outcomes. It would not be prudent to rely on verbal discussion and generalised attestations as evidence of performance or risk assessments, or high-level summaries of major incidents.
Good practice for cohorts would be to assess, on an aggregated basis by business unit or role type, similar information to that which is reviewed for individual remuneration decisions. Additional information may also be useful, such as trends and outliers, summary indicators that show distributions, averages or medians, and other data-driven insights.
An entity that is part of a wider corporate group may adopt and apply the group remuneration policy, provided that it meets the requirements of CPS 511 and has been approved by the Board. Good practice would be for the entity to assess how the policy complies with each requirement of CPS 511, is appropriate for its specific business activities and risk profile, and meets the spirit and intent of the standard.
Under CPS 511, the variable remuneration outcomes for persons in specified roles must be approved by the Board, on either an individual or cohort basis. APRA expects the remuneration policy would define the particular specified roles for the entity, and summarise the remuneration arrangements for these roles.
Specified roles are defined in CPS 511 and are intended to capture those individuals and cohorts who can have a material influence on the performance and risk profile of the entity, in both the short and long-term. Specified roles comprise senior managers, executive directors, material risk-takers (including highly-paid material risk-takers) and all risk and financial control personnel.
A prudent Board would closely monitor the remuneration of risk and financial control personnel as a cohort, to ensure arrangements are adequate to attract and retain suitably qualified, skilled and experienced staff.
A prudent entity would take reasonable steps to identify which service providers may give rise to material conflicts or risks. This may include a materiality threshold or definition, approved by the Board, which would be used to identify the scale and nature of service providers that are likely to present a material conflict or risk.
In assessing whether material weight is being applied effectively in the design and determination of variable remuneration outcomes, a prudent Board would consider whether the weighting:
is a sufficient incentive to influence an individual’s behaviour, priorities and decisions;
is robust and cannot be overshadowed or diminished by performance or outperformance on financial measures;
is applied to measures over which the individual has a reasonable degree of control and influence;
is applied to measures that effectively support the objectives of the remuneration framework, including risk management; and
has been demonstrated to work in practice to incentivise prudent outcomes over time, where this is possible to determine.
A prudent Board would establish clear guidelines to ensure appropriate weight is applied to non-financial measures in the determination of variable remuneration. This could include a minimum level or range. Good practice would be for the Board to review these guidelines on an annual basis to ensure it is operating as intended in driving expected behaviours.
To assess whether the weighting for non-financial measures is driving intended behaviours and outcomes in practice, a prudent Board would consider how effectively risk and conduct is managed. Reporting on non-financial measures for the entity as a whole, as well as aggregate information on risk adjustments, would support this assessment. Entities with a high reliance on downward adjustments for adverse risk and conduct outcomes would investigate root causes and, where appropriate, consider if the weighting to non-financial measures needs to be increased or the design improved.
A prudent Board would consider a wide range of evidence and ensure appropriate mechanisms are in place to escalate issues. Good practice would be to consider, for example, known incidents, findings from audits and regulatory reviews, product failures, trends in conduct or risk incidents. APRA expects that a risk adjustment would be considered, for an individual or cohort, in the event of a breach of a prudential standard or other regulation.
In gauging the severity of a case, a prudent entity would consider a range of factors. This would include the expected or actual impact on the entity’s reputation, customers or beneficiaries and prudential standing, as well as any financial loss. An individual’s contribution to circumstances which led to the adverse outcome would also be considered, potentially including inaction. Good practice would be to develop a severity scale, with example cases and any precedents, to guide decision-making on the level of severity and indicative remuneration impacts that would be expected to result. This scale would support a Board in applying proportionate downward-adjustments to variable remuneration, and in applying consistency across different cases.
The scope of the triennial review would encompass the role of the Board, the design of remuneration arrangements, and the effectiveness of risk and conduct adjustments. This would include any key design features, such as the definition of material risk-takers and the application of non-financial measures. The review would also assess the appropriateness of any remuneration adjustments made, to ensure that triggers and criteria for downward adjustments are prudently calibrated.
CPS 511 requires the triennial review to be conducted by operationally independent, appropriately experienced and competent persons. A prudent entity may consider the use of external expertise to meet this requirement. Where internal staff conduct the review, a prudent Board would gain assurance that they are operationally independent and are able to provide an objective review, with the requisite skills, experience and expertise.
Risk Management
Risk Management standards require entities to maintain effective risk management strategies and systems. They include requirements about managing operational risk, and risks specific to an industry including credit risk, insurance risk and investment risk.
Credit Risk
Prudential standard
The role of the Board of a Level 3 Head
The Board of a Level 3 Head must:
approve the aggregate risk exposures policy for the Level 3 group;
ensure that adequate systems and controls are in place to identify, measure, aggregate, manage, monitor and report on material risk exposures in the Level 3 group in a timely manner and that those systems and controls are documented;
engage in oversight, which may be via a board committee, of the approach to the identification, measurement, management and monitoring of aggregate risk exposures and compliance with the aggregate risk exposures policy, which includes receiving regular reviews of material aggregate risk exposures of the Level 3 group; and
review the aggregate risk exposures policy at least annually to ensure that this policy remains adequate and appropriate for identifying, measuring, aggregating, managing and monitoring the Level 3 group’s risk exposures.
Notification requirements
A Level 3 Head must submit to APRA a copy of its aggregate risk exposures policy as soon as practicable, and no more than 10 business days, after Board approval.
Practice guide
Introduction
The Board of a Level 3 Head (the Board) is responsible for the effective management of material risks posed to the Level 3 group. The Board is best positioned to have a holistic view of the risks posed to the group, and oversee controls to ensure that the group does not assume risks beyond its risk appetite.
Material aggregate risks include those that could have a material impact, both financial and operational, on the Level 3 group or on a prudentially regulated institution in the group. APRA expects that the Board would determine what it considers to be a material aggregate risk, and that this would vary according to the group’s risk profile. Where an institution is considered to have business operations that are material to the Level 3 group, a material external risk to that institution would normally constitute a material aggregate risk exposure for the group.
The materiality of an aggregate risk exposure depends on the size, nature and complexity of the exposure to the group. Where a material aggregate risk exposure is identified, the Board would also need to understand the material drivers of this risk. For instance, decision-makers may need to understand whether the aggregate risk exposure is comprised of a high number of small exposures or a low number of material individual risk exposures.
A Level 3 Head’s governance arrangements, risk data aggregation capabilities and reporting would reflect how the Board makes decisions and oversees aggregate risk exposures. APRA expects that risk aggregation capabilities and risk reporting are relevant, appropriate for the intended purpose and meet business specifications (i.e. fit-for– purpose) for the needs of the Board and other decision-makers in the Level 3 group.
Governance and aggregate risk exposures policy
The Board is responsible for determining the appropriate level of aggregate risk exposures. The policy would be expected to outline the governance arrangements for procedures, systems and controls that are in place for the appropriate management of exposures. The Board is required to approve this policy but can delegate implementation of policy and oversight of exposures to a board committee, such as the Board Risk Committee.
3PS 221 requires the aggregate risk exposures policy to include exposure limits that are commensurate with the Level 3 group’s capital strength, risk appetite, risk profile, and the size, business mix and complexity of the group. A Board may consider how exposures of the Level 3 group interact to change the aggregate risk of the group. For instance, an exposure to an overseas counterparty would be considered as part of a limit to that counterparty and to the relevant geographical location. APRA expects that the Level 3 Head would have processes to confirm that the classifications of risks facilitate an appropriate assessment of the risk profile and to ensure the group does not assume more risk than its risk appetite.
APRA expects the Board and senior management of the Level 3 group to understand the limitations and assumptions relating to material aggregated risk exposures. A Level 3 Head is expected to use stress testing and scenario analysis to assess the adequacy of its aggregation capabilities and risk reporting. The results of these assessments would feed into the Board’s awareness of aggregate risk exposures and would prompt consideration as to the Board’s appetite for these exposures and the appropriateness of limits. In addition, these assessments would highlight any limitations with aggregation capabilities and risk reporting in periods of stress.
Aggregate risk data capabilities
APRA expects a Level 3 group to have practices and procedures to identify data deficiencies and, where necessary, implement an improvement program so that data management does not impede effective risk management. Where there is a deficiency in data quality, APRA expects the Board to allocate sufficient oversight and resources for rectification. APRA expects that a Level 3 group would already have the data necessary for appropriate risk aggregation and that this data would not be encumbered by unnecessary barriers to retrieval, or rely on onerous manual adjustments for collation.
Risk reporting
APRA expects a Level 3 Head to have access to and commission both regular and flexible ad hoc reporting. The frequency of risk reporting depends on the needs of decision-makers. APRA expects reporting on material aggregate risk exposures to be presented to the Board at least quarterly. In periods of stress, given the speed of decision-making likely to be needed and that the nature of aggregate risks can change quickly, the frequency of reporting would be expected to increase.
The reporting of aggregate risk exposures to the Board would have sufficient breadth to provide the Board with a holistic view of the aggregate risk exposure profile of the Level 3 group. APRA expects that the Board would request reports for more detail on individual exposures or particular risk categories, accompanied by meetings with relevant senior management. Reporting would support the Board in understanding, and the senior management of the Level 3 group in understanding and tracking, aggregate risk exposures against the group’s risk appetite and capital strength.
Prudential standard
The role of the Board of a Level 3 Head
The Board of a Level 3 Head must:
approve the ITE policy for the Level 3 group;
ensure that adequate systems and controls are in place to identify, measure, manage, monitor and report on material ITEs in the Level 3 group in a timely manner and that those systems and controls are documented;
engage in oversight, which may be via a board committee, of the approach to the identification, measurement, management and monitoring of ITEs and compliance with the ITE policy, which includes receiving regular reviews of which ITEs are deemed to be material to the operations of the Level 3 group; and
review the ITE policy at least annually, to ensure that this policy remains adequate and appropriate for identifying, measuring, managing and monitoring material risks in relation to ITEs.
If a prudentially regulated institution in the Level 3 group proposes to accept terms and conditions, in dealing with Level 3 institutions in the group, that are not consistent with terms and conditions that would be negotiated on an arms-length basis in such a dealing, those terms and conditions must first be approved by the Board of the Level 3 Head with justification fully and clearly documented.
Practice guide
Introduction
Intra-group transactions and exposures (ITEs) expose Level 3 institutions in a Level 3 group to contagion risks. Where an institution is facing financial or operational stress, this may affect other institutions within the group with material ITEs to that institution. Therefore, the Board of a Level 3 Head (the Board) needs to understand the material ITEs within the group and manage the associated risks prudently. ITEs that can pose a risk of contagion would include, for example:
equity investments;
loan or funding arrangements;
reinsurance arrangements;
guarantees or indemnities; and
operational risks from intra-group service provision.
Material ITEs include those that would have a potential to have a material impact, both financial and operational, on the Level 3 group or a prudentially regulated institution in the group. APRA expects that the Board would determine what it considers to be a material ITE, and that this would vary according to the group’s risk profile.Where an institution is considered to have business operations that are material to the Level 3 group, a material ITE to that institution would constitute a material ITE for the group.
The materiality of an ITE depends on the size, nature and complexity of the exposure to the group. Where a material ITE is identified, the Board would also need to understand the material drivers of this risk. For instance, decision makers may need to understand whether the ITE is comprised of a high number of low risk intra-group arrangements or a low number of material individual risk exposures.
A Level 3 Head’s governance arrangements, data capabilities, and reporting in relation to ITEs would reflect how the Board makes decisions and oversees material ITEs. APRA expects data capabilities and ITE risk reporting to be relevant and appropriate for the intended purpose and to meet business specifications (i.e. fit-for–purpose) for the needs of the Board and other decision makers in the Level 3 group.
Governance and ITE policy
APRA expects the Board to have a holistic view of material ITEs within the group and establish a framework to monitor and control the associated risks. The Board would consider the group’s critical business operations and assess the potential impact of a stress on these operations to the group.
APRA expects a Level 3 Head to use stress testing and scenario analysis to assess the adequacy of its data capabilities and risk reporting on ITEs. The results of these assessments would feed into the Board’s awareness of material ITEs and would prompt consideration as to the Board’s appetite for these exposures and the appropriateness of limits.
The risks associated with ITEs could be magnified where the transactions with related parties have not been conducted on an armslength basis or on equivalent terms and conditions given to third parties. APRA expects a Level 3 Head to have processes and controls to mitigate such risks. In accordance with 3PS 222, the Board is required to approve these non-arm’s length transactions.
Intra-group data capabilities
APRA expects a Level 3 group to have practices and procedures to identify data deficiencies and, where necessary, implement an improvement program so that data management does not impede effective risk management. Where there is a deficiency in data quality, APRA expects the Board to allocate sufficient oversight and resources for rectification. APRA expects that a Level 3 group would already have data on material ITEs and expects that this data would not be encumbered by unnecessary barriers to retrieval, or rely on onerous manual adjustments for collation.
Risk reporting
Good practice is that risk reporting is accurate, comprehensive, clear and useful, and can be provided to decision makers on a timely basis. Risk reporting would be based on risk data and be presented in a manner that is clear, concise, and useful to the intended recipient. A Level 3 Head would determine respective risk reporting requirements that best suit the needs of its Board and senior management of the Level 3 group given the size, business mix and complexity of the group.
APRA expects a Level 3 Head to have access to commission both regular and flexible ad hoc reporting. The frequency of risk reporting depends on the needs of decision makers. APRA expects reporting on the group’s material ITEs to the Board at least quarterly. In periods of stress, given the speed of decision-making likely to be needed and that the nature of risk can change quickly, the frequency of reporting would be expected to increase in such circumstances.
The reporting of material ITEs to the Board would have sufficient breadth to provide the Board with a coordinated view of the roles and relationships between subsidiaries to one another and to the Level 3 Head. This coordinated view would assist the Board in understanding, and senior management of the Level 3 group in understanding and tracking, how ITEs affect the risk profile of prudentially regulated institutions within the group.
APRA expects that the Board would request reports on material individual ITEs or the ITEs to particular institutions, accompanied by meetings with relevant senior management. Reporting would support the Board in understanding, and the Level 3 group’s senior management in understanding and tracking, of ITEs against the group’s risk appetite and capital strength.
Insurance Risk
Insurance tenders
Responding to a tender
For large group insurance tenders the insurer may decide to vary its standard pricing policies and procedures. APRA expects that if the Appointed Actuary’s advice is not followed or if there are variations from standard pricing policies and procedures, these matters will be adequately documented and will be approved at the appropriate level of the company. The appropriate level may be the Board if the variation is sufficiently material.
Market Risk
Prudential standard
Operational Risk
Prudential standard
Roles and responsibilities
The Board of an APRA-regulated entity is ultimately accountable for oversight of an entity’s operational risk management. This includes business continuity and the management of service provider arrangements.
The Board must ensure that the APRA-regulated entity sets clear roles and responsibilities for senior managers for operational risk management, including business continuity and the management of service provider arrangements.
The Board must:
oversee operational risk management and the effectiveness of key internal controls in maintaining the entity’s operational risk profile within risk appetite. The Board must be provided with regular updates on the APRA-regulated entity’s operational risk profile and ensure senior management takes action as required to address any areas of concern;
approve the BCP and tolerance levels for disruptions to critical operations, review the results of testing and oversee the execution of any findings; and
approve the service provider management policy, and review risk and performance reporting on material service providers.
Senior management of an APRA-regulated entity must provide clear and comprehensive information to the Board on the expected impacts on the entity’s critical operations when the Board is making decisions that could affect the resilience of critical operations.
Operational risk management
Operational risk profile and assessment
An APRA-regulated entity must maintain a comprehensive assessment of its operational risk profile. As part of this, an APRA-regulated entity must:
maintain appropriate and effective information systems to monitor operational risk, compile and analyse operational risk data and facilitate reporting to the Board and senior management;
Business continuity plan
An APRA-regulated entity must maintain the capabilities required to execute the BCP, including access to people, resources and technology. An APRA-regulated entity must monitor compliance with its tolerance levels and report any failure to meet tolerance levels, together with a remediation plan, to the Board.
An APRA-regulated entity’s internal audit function must periodically review the entity’s BCP and provide assurance to the Board that the BCP sets out a credible plan for how the entity would maintain its critical operations within tolerance levels through severe disruptions and that testing procedures are adequate and have been conducted satisfactorily.
Monitoring, notifications and review
An APRA-regulated entity’s internal audit function must review any proposed material arrangement involving the outsourcing of a critical operation. The internal audit function must regularly report to the Board or Board Audit Committee on compliance of such arrangements with the entity’s service provider management policy.
Practice guide
Roles and responsibilities
The Board
Allocate responsibility
A prudent Board would have a clear understanding of who is responsible within the entity for each aspect of operational risk management, including business continuity and the management of service provider arrangements. It should have reasonable assurance that there are no gaps in responsibilities.
Processes for delegation from, and reporting to, the Board and senior management should be clear and documented, including for the escalation of risks and issues.
Oversee the risk profile
The Board would typically:
oversee updates to an entity’s operational risk profile and ensure risks outside of its appetite are addressed promptly;
oversee the effectiveness of key internal controls;
be kept informed of areas of any material weaknesses and major remediation efforts;
understand the material operational risks that arise from new ventures; and
ensure internal audit provides assurance and has appropriate capabilities for this task.
Challenge and approve
The Board, in approving the BCP and overall tolerances for the disruption of critical operations, would also ensure that the BCP aligns with its tolerances.
While the Board approves the service provider management policy, it may delegate approval of non-material changes.
Senior management
Senior managers play an important role in equipping Boards to make effective decisions. APRA expects that information provided to the Board is targeted and timely.
Boards may delegate to senior management the ability to approve more granular policies, tolerance levels and plans which sit beneath, and align to, Board-approved documents.
Business continuity
Test the BCP
Test results and the execution of any findings such as remediation would be reported to and reviewed by the Board, with associated follow-up actions formally tracked and reported. Reports on BCP tests would typically include:
Audit the BCP
Internal audit is an important vehicle for assurance. The Board may consider seeking assurance through expert opinion or other means to complement internal audit.
Prudential standard
Roles and responsibilities
The Board of an APRA-regulated entity (Board) is ultimately responsible for the information security of the entity. The Board must ensure that the entity maintains information security in a manner commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity.
Testing control effectiveness
An APRA-regulated entity must escalate and report to the Board or senior management any testing results that identify information security control deficiencies that cannot be remediated in a timely manner.
Practice guide
Considerations for the Board
This section sets out key information a Board could consider in relation to its responsibilities under CPS 234. The remainder of the PPG elaborates on this information, and contains additional detail on information security aimed at a broader audience. A Board member may find it beneficial to acquaint themselves with this additional detail as necessary.
Under CPS 234, the Board of an APRA-regulated entity is ultimately responsible for the information security of the entity. In order for a Board to be able to more effectively discharge its responsibilities (including oversight, seeking assurance and, as appropriate, challenging management), it could consider the following:
roles and responsibilities — clearly outline for management how the Board expects to be engaged, including delegation of responsibilities, escalation of risks, issues and reporting requirements (including schedule, format, scope and content). Refer to Attachment H for common examples of the types of information that the Board might find useful to effectively fulfil its role and discharge its responsibilities;
information security capability — consider the sufficiency of the regulated entity’s information security capability in relation to vulnerabilities and threats; ensure sufficiency of investment to support the information security capability; and review progress with respect to execution of the information security strategy;
policy framework — whether information security policies reflect Board expectations;
implementation of controls — regularly seek assurance from and, as appropriate, challenge management on reporting regarding the effectiveness of the information security control environment and the overall health of the entity’s information assets;
testing control effectiveness — regularly seek assurance from and, as appropriate, challenge management on the sufficiency of testing coverage across the control environment; form a view as to the effectiveness of the information security controls based on the results of the testing conducted; and
internal audit — consider the sufficiency of internal audit’s coverage, skills, capacity and capabilities with respect to the provision of independent assurance that information security is maintained; form a view as to the effectiveness of information security controls based on audit conclusions; and consider where further assurance, including through expert opinion or other means, is warranted.
In considering the above, the Board would normally take into account the use of third parties and related parties (including group functions) by the APRA-regulated entity.
Roles and responsibilities
Board delegations
APRA does not seek to impose restrictions on a Board’s ability to delegate information security roles and responsibilities to Board sub-committees, management committees or individuals. However, APRA expects that a Board would clearly outline how it expects to be engaged with respect to information security, including escalation of risks, issues and reporting. Refer to Attachment H for common examples of the types of information that the Board might find useful in this regard.
Sufficient and timely information
The Board, governing bodies and individuals would typically define their information requirements (e.g. schedule, format, scope and content) to ensure they are provided with sufficient and timely information to effectively discharge their information security roles and responsibilities. Reporting to governing bodies would normally be supported by defined escalation paths and thresholds. An APRA-regulated entity could benefit from implementing processes for periodic review of audience relevance and fitness for use.
Adaptive and forward-looking investment
Under CPS 234, an APRA-regulated entity must actively maintain an information security capability with respect to changes in vulnerabilities and threats. Accordingly, an entity would typically adopt an adaptive and forward-looking approach to maintaining its information security capability, including ongoing investment in resources, skills and controls. This would commonly be achieved through the execution of an information security strategy which responds to the changing environment throughout the year. The strategy could be informed by existing and emerging information security vulnerabilities and threats, contemporary industry practices, information security incidents, both internal and external, and known information security issues. Oversight of execution of the strategy is normally the responsibility of the Board or a delegated governing body with representation from across the organisation.
Incident management
Response to a security compromise
An APRA-regulated entity would typically have clear accountability and communication strategies to limit the impact of information security incidents. Under CPS 234, this includes escalation and reporting of information security incidents to the Board, other governing bodies and individuals responsible for information security incident management and oversight, as appropriate. A regulated entity could also include customer communication as part of any such communication strategy where appropriate. Incident response plans would also typically assist in compliance with regulatory notification requirements.
Internal audit
Assurance to the Board
Internal audit is an important vehicle by which the Board can gain assurance that information security is maintained. This assurance would typically be achieved through the inclusion of information security within the APRA-regulated entity’s internal audit plan. The Board could also choose to gain assurance through expert opinion or other means to complement the assurance provided by the internal audit function. This typically occurs where the required skills do not reside within the internal audit function or the area subject to audit pertains to third parties or related parties.
Use of assurance reports from third parties
Under CPS 234, an APRA-regulated entity’s internal audit function must assess the information security control assurance provided by a third party or related party in certain circumstances. Where that assessment identifies material deficiencies in the information security control assurance provided by the third party or related party, or no assurance is available, this would typically be highlighted in reporting to the Board.
Attachment B: Training and awareness
An APRA-regulated entity could benefit from developing a training and information security awareness program. This would typically communicate to personnel (staff, contractors and third parties) regarding information security practices, policies and other expectations as well as providing material to assist the Board and other governing bodies to execute their duties. Sound practice would involve tracking training undertaken and testing the understanding of relevant information security policies, both on commencement and periodically.
Other control considerations
Outsourcing/offshoring of data management responsibilities
In APRA’s view, the following would normally be applied to the assessment and ongoing management of outsourced/offshored data management responsibilities:
Board/senior management’s understanding, acceptance and approval of the resulting risk profile; and
Risk management
Prudential standard
The role of the Board
The Board of an APRA-regulated institution is ultimately responsible for the institution’s risk management framework and is responsible for the oversight of its operation by management. In particular, the Board must ensure that:
it sets the risk appetite within which it expects management to operate and approves the institution’s risk appetite statement and risk management strategy (RMS);
it forms a view of the risk culture in the institution, and the extent to which that culture supports the ability of the institution to operate consistently within its risk appetite, identify any desirable changes to the risk culture and ensures the institution takes steps to address those changes;
senior management of the institution monitor and manage all material risks consistent with the strategic objectives, risk appetite statement and policies approved by the Board;
the operational structure of the institution facilitates effective risk management;
policies and processes are developed for risk-taking that are consistent with the RMS and the established risk appetite;
sufficient resources are dedicated to risk management; and
it recognises uncertainties, limitations and assumptions attached to the measurement of each material risk.
Risk management framework
An APRA-regulated institution must maintain a risk management framework for the institution that enables it to appropriately develop and implement strategies, policies, procedures and controls to manage different types of material risks, and provides the Board with a comprehensive institution-wide view of material risks.
The MIS must provide the Board of the APRA-regulated institution, board committees of the APRA-regulated institution and senior management of the institution with regular, accurate and timely information concerning the institution’s risk profile. The MIS must be supported by a robust data framework that enables the aggregation of exposures and risk measures across business lines, prompt reporting of limit breaches, and forward-looking scenario analysis and stress testing. Data quality must be adequate for timely and accurate measurement, assessment and reporting on all material risks across the institution and must provide a sound basis for making decisions.
Risk appetite
An APRA-regulated institution must maintain an appropriate, clear and concise risk appetite statement for the institution that addresses the institution’s material risks. The Board is responsible for setting the risk appetite of the institution and must approve the institution’s risk appetite statement.
Risk management strategy
An APRA-regulated institution must maintain an RMS for the institution that addresses each material risk listed under paragraph 26. The RMS must be approved by the Board.
Business plan
The business plan must be a rolling plan of at least three years’ duration that is reviewed at least annually, with the results of the review reported to the Board. The business plan must cover the entirety of the institution and be approved by the Board.
Risk management function
The CRO must have a direct reporting line to the CEO, and have regular and unfettered access to the Board and the Board Risk Committee.
Risk management declaration
The Board of an APRA-regulated institution must make an annual declaration to APRA on risk management of the institution (risk management declaration) that must satisfy the requirements set out in Attachment A to this Prudential Standard. The declaration must be signed by the chairperson of the Board and the chairperson of the Board Risk Committee. In the case of a Category C insurer, foreign ADI, or EFLIC, the risk management declaration must be signed by the senior officer outside Australia or two members of the Compliance Committee, as relevant.
The Board of an APRA-regulated institution must qualify the risk management declaration of the institution if there has been any significant breach of, or material deviation from, the risk management framework or the requirements set out in Attachment A to this Prudential Standard. Any qualification must include a description of the cause and circumstances of the qualification and steps taken, or proposed to be taken, to remedy the problem.
Attachment A – Risk Management Declaration
For the purposes of paragraph 49 of this Prudential Standard, the Board of an APRA-regulated institution must provide APRA with a risk management declaration of the institution stating that, to the best of its knowledge and having made appropriate enquiries, in all material respects:
the institution has in place systems for ensuring compliance with all prudential requirements;
the systems and resources that are in place for identifying, measuring, evaluating, monitoring, reporting, and controlling or mitigating material risks, and the risk management framework, are appropriate to the institution, having regard to the size, business mix and complexity of the institution;
the risk management and internal control systems in place are operating effectively and are adequate having regard to the risks of the institution they are designed to control;
the institution has a RMS that complies with this Prudential Standard, and the institution has complied with each measure and control described in the RMS;
where it is a , the institution’s Reinsurance Management Strategy complies with Prudential Standard GPS 230 Reinsurance Management, for selecting and monitoring reinsurance programs; and
the APRA-regulated institution is satisfied with the efficacy of the processes and systems surrounding the production of financial information at the institution.
Practice guide
Risk Governance
The second line of defence
The second line of defence comprises the specialist risk management function(s) that are functionally independent of the first line of defence. The second line of defence supports the Board and its committees by:
developing risk management policies, systems and processes to facilitate a consistent approach to the identification, assessment and management of risks;
providing specialist advice and training to the Board, board committees and first line of defence on risk-related matters;
objective review and challenge of:
the consistent and effective implementation of the risk management framework throughout the APRA-regulated institution; and
the data and information captured as part of the risk management framework which are used in the decision-making processes within the business, in particular the completeness and appropriateness of the risk identification and analysis, ongoing effectiveness of risk controls, and prioritisation and management of action plans; and
oversight of the level of risk in the institution and its relationship to the risk appetite, and any necessary reporting and escalation to the Board or its committees.
In order to be effective, risk management functions would have:
appropriate seniority and authority, with access to the responsible board committees.
The third line of defence
The third line of defence comprises the function(s) that, in accordance with CPS 220, provide to the Board and its committees:
at least annually, independent assurance that the risk management framework has been complied with and is operating effectively; and
at least every three years, a comprehensive review of the appropriateness, effectiveness and adequacy of the risk management framework.
Role of the Board
Under CPS 220, the Board is ultimately responsible for the risk management framework of the APRA-regulated institution and is responsible for the oversight of its operation by management. An institution must have, at all times, a risk management framework that governs the way the institution manages risks arising in the institution. Together, the Board Risk Committee and Board Audit Committee assist the Board in its oversight of the operation by management of the overall risk management framework.
The Board Audit Committee assists the Board to fulfil its corporate governance and oversight responsibilities in relation to an entity’s financial reporting, internal control system, risk management framework and internal and external audit functions (i.e. independent assurance).
Consistent with normal practice, for the purpose of discharging its responsibilities, the Board is able to obtain such recommendations and advice from board committees, external advisers and management as it considers prudent. The Board is entitled to place reasonable reliance on those inputs, provided directors approach their tasks with an enquiring mind and make an independent assessment of the matters for decision.
The Board is directly responsible for the broader strategy of the APRA-regulated institution and is required to approve the risk appetite statement, business plan and risk management strategy. Effective design of these documents and related processes by the institution will facilitate their integration, with each process appropriately supporting the others.
The Board approval and oversight responsibilities for the risk management framework are unaffected if risk management and business operations are outsourced to a third party or are performed by another part of a group.
In determining whether the Board has met its responsibilities under CPS 220, APRA will assess the steps taken by the Board to ensure it meets those responsibilities. For example, APRA expects senior management to report on the material risks and escalate material risk issues to the Board or the Board Risk Committee level. The Board and/or Board Risk Committee could also obtain independent views and reports as they deem appropriate, as well as consider risk issues escalated from the risk management function. APRA expects that the Board would clearly communicate its expectations in respect of the reporting and escalation to be provided by management, the risk management function(s) and internal audit. Where the Board considers that the risk reporting is ineffective or that material risk issues have failed to be escalated, APRA expects the Board to adopt all appropriate measures (including directions for management remedial actions and reports) to identify and address the reasons for the failure.
Risk management culture
CPS 220 requires a Board to ensure that they form a view of the risk culture in the institution and the extent to which that culture supports the ability of the institution to operate consistently within its risk appetite, identify any desirable changes to the risk culture and ensure the institution takes steps to address those changes. APRA’s view is that a sound risk culture is a core element of an effective risk management framework. Risk culture refers to ‘the norms of behaviour for individuals and groups within an organisation that determine the collective ability to identify, understand, openly discuss and act on the organisation’s current and future risk’3. APRA expects that the Board would have a view of the risk culture that is appropriate for ensuring that the institution operates within the risk appetite.
An institution’s risk culture is strongly influenced by the ‘tone at the top’. APRA expects the Board and senior management to demonstrate their commitment to risk management and foster a sound risk management environment in which staff will be actively engaged with risk management processes and outcomes, and a risk management function that is influential and respected. The development of the risk culture is likely to occur through an iterative process involving both the Board and senior management.
Group risk management
CPS 220 allows an APRA-regulated institution that is part of a group to meet the requirements of the standard on a group basis provided that the Board of the institution is satisfied that the requirements are met in respect to that institution.
Risk management framework
CPS 220 requires the Board to ensure that it recognises uncertainties, limitations and assumptions attached to the measurement of each material risk. In addition to recognition of these matters by the Board, APRA expects that they would be well understood within the institution.
Risk can arise from structures that impede transparency, such as special-purpose or related structures. APRA expects that the APRA-regulated institution’s operational structure and associated risks would be well understood in the institution, recognised by the Board, taken into account in the risk management framework and reported, as appropriate (including to the Board or its committees where necessary).
Stress testing, including both scenario analysis and sensitivity analysis is used to assess a range of potential impacts as a result of different material risks. Stress testing is important in considering potential changes that could occur in the external operating environment, and provides a more forward looking view of an APRA-regulated institution’s risk profile. APRA expects that stress testing would be based on a combination of robust modelling and informed expert judgement, with effective senior management engagement and appropriate Board oversight.
Risk appetite statement
APRA expects that the Board would be actively engaged with management in developing and reviewing the risk appetite statement, and would be able to demonstrate ownership of the statement. APRA considers that this might be achieved, in part, through reporting and communication processes and structures that enable the Board and/or Board Risk Committee to:
identify the APRA-regulated institution’s overall current risk profile and how this compares to its risk appetite and capital strength;
be satisfied that senior management’s interpretation and application of the risk appetite and tolerances is appropriate; and
appropriately align risk appetite to the approach adopted in the risk management framework for assessing, monitoring and managing the different material risks.
An APRA-regulated institution would generally use a variety of approaches and processes to assess different material risks. An institution with the capability to use risk quantification techniques would generally use them in the setting and monitoring of its risk appetite statement. Risk quantification techniques may provide an institution with assurance that the risk does not exceed the institution’s risk tolerance and/or risk capacity. These techniques may not be appropriate for all types of risk. APRA expects senior management to assess the appropriateness of such techniques before they are adopted and on an ongoing basis. APRA expects that the results of such analysis and testing would be reported to the Board and/or Board Risk Committee and be taken into account when establishing or reviewing the risk appetite statement. APRA expects the Board and/or Board Risk Committee to recognise the limitations and assumptions relating to any models used to measure components of risk that could materially affect its decision-making.
Risk management strategy
APRA expects that a risk management strategy would contain sufficient information to communicate, in general terms the APRA-regulated institution’s approach to risk management. This includes how it identifies, measures, evaluates, monitors, reports and controls or mitigates the material risks of its operations. CPS 220 requires that the risk management strategy list the policies and procedures dealing with risk management matters. Where these policies and procedures require Board approval under other prudential standards, approval of the strategy does not negate the Board’s responsibility to approve those individual documents.
Chief risk officer
CPS 220 sets out requirements for the independence of the CRO and specifies roles that cannot also be performed by the CRO. CPS 220 recognises that an APRA-regulated institution may seek approval for alternative arrangements to those required. This may be where the institution is materially constrained in appointing a CRO who is free from conflicts of interest, or for other reasons particular to that institution. APRA expects these instances normally to be limited to smaller and less complex institutions, but will consider applications from all APRA-regulated institutions, provided the applicant clearly sets out the exceptional circumstances that might warrant APRA considering the alternative proposal. Where an institution seeks an alternative arrangement under CPS 220, the Board is expected to demonstrate to APRA that it has undertaken a process to identify conflicts, has established structural oversight and controls to mitigate the additional risk and is satisfied that the risk management framework will ensure these mitigants are adhered to. APRA will assess the appropriateness of alternative arrangements on a case-by-case basis. APRA expects that the Board would take into account the following controls and other mitigating factors that manage conflicts of interests including, but not limited to:
alternative sources of risk-based challenge to business lines;
the resources allocated to risk management;
executive level engagement in risk issues;
the strength of compliance and audit mechanisms;
oversight from the Board and its committees;
the experience and capabilities of the other risk management function personnel; and
the robustness of the regulated institution’s and, where appropriate, the group’s risk management framework.
CPS 220 requires that the risk management function, via a CRO, has direct and unfettered access to the CEO, Board, Board Risk Committee and senior management. CPS 220 also requires the reporting line for the risk management function to be independent from business lines and to directly report to the CEO. Where an APRAregulated institution is part of a group, including a Level 2 and/or Level 3 group, the CRO of that institution may report to the group CRO as long as the group CRO reports directly to the group CEO.
Monitoring and reporting
Oversight and escalation processes
APRA expects an APRA-regulated institution’s risk management framework to ensure that the Board and senior management receive regular, concise and meaningful assessment of actual risks relative to the institution’s risk appetite and the operation and effectiveness of controls.
Risk management declaration
CPS 220 requires the Board to provide APRA with a risk management declaration on an annual basis. While this declaration does not have to be audited, APRA expects that the Board would have obtained reasonable assurance and, if necessary, considered independent advice on the matters covered by the declaration, prior to the signing of the declaration by the required signatories. The extent of enquiry required prior to making the declaration is a matter for the judgment of each Board of an APRA-regulated institution. The wording of the declaration allows materiality to be taken into account when making the declaration.
CPS 220 allows an APRA-regulated institution’s risk management declaration to be encompassed in the risk management declaration documentation of a Level 2 and/or Level 3 group where applicable. Where a Level 1 institution’s declaration is encompassed within the group declaration, the Level 1 institution’s Board remains responsible for any qualifications in the declaration that relate to that institution. Where a risk management declaration is made on a Level 2 and/or Level 3 group basis, CPS 220 requires any qualification to identify whether it related to the Level 1 institution or the group’s risk management framework. A qualification for the institution may not mean that a groupwide qualification needs to be made, and vice versa. However, where a group’s Board has taken the decision that a qualification at the institution level does not result in a group declaration qualification, the reason for this decision would be articulated.
APRA notification requirements
APRA expects that an APRA-regulated institution would be in regular dialogue with its supervisors about potential material changes to the institution. APRA expects that, at the latest, notification in accordance with the requirements in CPS 220 would be made within 10 business days of the Board becoming aware of a current or proposed material change to the institution’s risk profile or business operations.
Governance
Prudential standards CPS 510 and SPS 510 set out the minimum governance requirements of an APRA-regulated institution. The ultimate responsibility for the sound and prudent management of an APRA-regulated institution’s business operations rests with its board of directors. APRA therefore considers it prudent practice for the board to seek to understand and regularly assess the financial risks arising from climate change that affect the institution, now and into the future.
APRA is of the view that climate risks can and should be managed within an institution’s overall business strategy and risk appetite, and a board should be able to evidence its ongoing oversight of these risks.
The board of an institution may delegate certain functions of the management of climate risks but, as with other risks, needs to maintain mechanisms for monitoring the exercise of this delegated authority. Board-level engagement is important to ensure that work on climate risks holds sufficient standing within an institution, and gives the board the requisite institution-wide insights to strategically respond to the risks.
In fulfilling its obligations under CPS 510 and SPS 510, a prudent board is, in overseeing the management of climate risks, likely to:
ensure an appropriate understanding of, and opportunity to discuss, climate risk at the board and sub-committee levels, which may include appropriate training for board members;
set clear roles and responsibilities of senior management in the management of climate risks, and hold senior management to account for these responsibilities;
re-evaluate the risks, opportunities and accountabilities arising from climate change on a periodic basis, and consider these risks and opportunities in approving the institution’s strategies and business plans;
take both a shorter-term view (consistent with the institution’s regular business planning horizon) and longer-term view when assessing the impact of climate risks and opportunities; and
ensure that, where climate risks are found to be material, the institution’s risk appetite framework incorporates the risk exposure limits and thresholds for the financial risks that the institution is willing to bear.
Risk management
Under CPS 220 and SPS 220, the board of an APRA-regulated institution is ultimately responsible for both the institution’s risk management framework, and for the oversight of its operation by management. Senior management of the institution monitor and manage all material risks consistent with the strategic objectives, risk appetite statement and policies approved by the board. APRA considers it prudent for climate risks to be considered within an institution’s existing framework, including the boardapproved risk appetite statement, risk management strategy and business plan.
Risk reporting
To facilitate well-informed decision-making, APRA expects that a prudent institution would establish procedures to routinely provide relevant information on its material climate risk exposures, including monitoring and mitigation actions, to the board and senior management. This information would allow the board and senior management to understand and review the activities, and to make decisions consistent with the institution’s overall risk appetite and risk management approach.
Scenario analysis
A prudent institution would maintain appropriate documentation of the method and results of its climate risk scenario analysis and stress testing, including an assessment of the limitations of the analysis for assessing the climate risks faced by the institution. Material results should be communicated to the institution’s board and senior management, and used to inform business planning and strategy setting, as well as setting and reviewing the institution’s overall climate risk management approach.
Financial Resilience
Financial Resilience standards require entities to maintain adequate financial resources to withstand stresses. They include requirements such as maintaining capital and liquidity.
Capital
Prudential standard
Responsibility for capital management
As a consequence of the key role played by capital in the financial strength of a life company, the Board of a life company must ensure that:
the life company as a whole; and
each fund
has capital that is adequate for the scale, nature and complexity of its business and its risk profile, such that it is able to meet its obligations under a wide range of circumstances.
Internal Capital Adequacy Assessment Process
A life company must have in place an Internal Capital Adequacy Assessment Process (ICAAP) that considers each fund of the life company, as well as the life company as a whole. The ICAAP must:
be approved by the Board initially, and when significant changes are made.
A life company that is part of a group may rely on the ICAAP of the group provided that the Board of the life company is satisfied that the group ICAAP meets the criteria in paragraph 13 in respect of the life company.
The ICAAP must include at a minimum:
a strategy for ensuring adequate capital is maintained over time, including specific capital targets set in the context of the life company’s risk profile, the Board’s risk appetite and regulatory capital requirements. This includes plans for how target levels of capital are to be met and the means available for sourcing additional capital where required;
The ICAAP report submitted to APRA by the life company must be accompanied by a declaration approved by the Board and signed by the CEO stating whether:
capital management has been undertaken by the life company in accordance with the ICAAP over the period and, if not, a description of, and explanation for, deviations;
the life company has assessed the capital targets contained in its ICAAP to be adequate given the size, business mix and complexity of its operations; and
the information included in the ICAAP report is accurate in all material respects.
Practice guide
Part A – Internal Capital Adequacy Assessment Process
Board ownership of the ICAAP
Under the capital standards, the Board of a regulated institution has primary responsibility for the capital management of that institution. This obligation goes beyond the need to ensure compliance with regulatory capital requirements and requires the Board to ensure that each regulated institution holds capital resources commensurate with its risk profile.
Consistent with that overarching responsibility, the capital standards require each regulated institution to have an ICAAP that has been approved by its Board.
While the ICAAP may be developed by the regulated institution’s senior management with input from relevant areas and experts across the organisation (including the Appointed Actuary where relevant), the capital standards require the Board to be actively engaged in the development and finalisation of the ICAAP and the oversight of its implementation on an ongoing basis.
APRA expects the Board to robustly challenge the assumptions and methodologies behind the ICAAP and the associated documentation. APRA expects the Board to understand and to be able to explain the key aspects of the ICAAP and why it is considered appropriate for the institution.
Risk appetite and risk management framework
The Board is responsible for the risk appetite of a regulated institution and for ensuring that the institution has an appropriate risk management framework. Risk appetite is a fundamental part of both risk management and capital management.
Requirements for the ICAAP
Proportionality
Under the capital standards, the ICAAP of a regulated institution must be appropriate for its size, business mix and complexity. Each institution’s ICAAP will be tailored to the circumstances of the institution. For more complex institutions, appropriately sophisticated processes are expected; for simpler institutions with limited product offerings and simple investment structures, simplified approaches may suffice. The complexity or otherwise of an institution’s ICAAP will be expected to reflect the Board’s and senior management’s view of the institution’s functional complexity.
Group ICAAP considerations
Under the capital standards, a regulated institution may make use of a group ICAAP or components of that ICAAP. In doing so, the Board of each regulated institution in the group is still required to ensure that the ICAAP is appropriate and meets the requirements of the capital standards in relation to the institution.
Documenting the ICAAP
A regulated institution’s ICAAP will include a range of processes and systems for assessing capital requirements relative to the risks to which the institution is exposed, setting target capital levels, projecting and monitoring the capital position, taking action if capital levels fall below target levels, and reporting on the process and its outcomes to the Board. These underlying processes will ordinarily be documented in various policies and procedural documents.
Setting the target levels of capital
APRA expects that the Board will satisfy itself that the capital targets are in line with the risk appetite. This will include consideration of the Board’s appetite for potential breaches of regulatory capital requirements.
Trigger levels and related actions to manage the capital position
To avert capital falling below target operating levels and, in the most severe case, breaching regulatory requirements, an institution is required under the capital standards to have capital triggers in place. These triggers are intended to serve as early warning indicators and thereby provide the Board and senior management with time to rectify problems and restore capital while the institution continues to operate.
Stress testing
The capital standards require a regulated institution to include stress testing and scenario analysis in its ICAAP. Stress testing and scenario analysis can assist in the formulation of capital targets and trigger levels by:
being readily understandable to the Board and senior management.
Review of the ICAAP
It will be appropriate to consider a range of factors in reviewing the ICAAP, including:
the consistency of the ICAAP outcomes with the risk appetite of the Board and the risk capacity of the entity;
APRA expects that a regulated institution will have in place processes to report the outcomes of the review to the Board and senior management, as well as processes to assess and respond to any recommendations for change arising out of the review.
ICAAP summary statement
An ICAAP summary statement is a high-level document that describes and summarises the capital assessment and management processes of the regulated institution. It serves as a roadmap to the ICAAP that allows the Board and APRA to understand the capital management processes of the institution. APRA anticipates that the ICAAP summary statement will refer to other policies and procedures, but will be relatively self-contained.
Prudential standard
Part B – Valuation of policy liabilities for friendly society business, life insurer non-participating business and life insurer participating business
Accounting standard led method
The amount deducted from Australian Policy Owners’ Retained Profits or Overseas Policy Owners’ Retained Profits when a distribution is made to the owners of participating policies is the cash value of the declared bonus. An alternative basis for valuing bonus, consistent with the basis used for valuation of AASB 17 fulfilment cash flows (excluding the risk adjustment for non-financial risks) may be adopted by the Board provided that the Board gives priority to the interests of participating policy owners (as a group) when making the decision to adopt this basis.
Other
Prudential standard
Operational requirements
Allocation or distribution of approved benefit fund surplus
The board of a friendly society must seek and consider the written advice of the Appointed Actuary prior to making any allocation or distribution of surplus under modified section 56 of the Act with respect to each approved benefit fund of the friendly society. The Appointed Actuary's advice must include, as applicable:
the effect of the proposal on the approved benefit fund’s compliance with the requirements of Prudential Standard LPS 110 Capital Adequacy (LPS 110) and Prudential Standard LPS 112 Capital Adequacy: Measurement of Capital (LPS 112);
whether or not the proposed distribution is consistent with representations made to members;
the level of unallocated surplus after the proposed allocation or distribution, relative to the liabilities of the fund, and whether or not the level is unduly large;
the extent to which level of unallocated surplus may give rise to undue intergenerational inequity;
the extent to which the proposal is fair and equitable with regard to different members of the particular approved benefit fund and the general membership of the friendly society;
the extent to which the proposal would equitably reflect the relative contribution of different members to the creation of the surplus;
the extent to which the surplus has arisen due to management fund fees being less than the cost of servicing the approved benefit fund;
the possible and probable effects of the proposal on the finances of the approved benefit fund, and the friendly society more generally; and
the probable future course of surplus creation in the approved benefit fund and hence the probable future surplus available for allocation or distribution.
Approval and amendment of benefit fund rules and consequential approval of a friendly society’s constitution
Adequate adoption
For the purpose of subsection 16B(2) of the Act, a friendly society adopting new benefit fund rules, or adopting amendments to existing approved benefit fund rules, may only do so by:
subject to paragraph 35, a resolution of the friendly society’s Board of directors.
Restructure of approved benefit funds
Approval of application for restructure of approved benefit funds
In order for APRA to approve an application by a friendly society under paragraph 56, the friendly society must obtain consent for the restructure, in relation to each approved benefit fund that is involved in the restructure, by either:
a special resolution, in accordance with section 9 of the Corporations Act 2001, by the members (or a class of members as determined by APRA) of each approved benefit fund that is involved in the restructure; or
if APRA so determines, a resolution of the Board of directors of the friendly society.
Termination of approved benefit funds
Before APRA can approve an application by a friendly society under paragraph 74, the friendly society must obtain consent for the termination, by either:
a special resolution, in accordance with section 9 of the Corporations Act 2001, by the members (or a class of members as determined by APRA) of the approved benefit fund that is proposed to be terminated; or
if APRA so determines, a resolution of the Board of directors of the friendly society.
Amendment of rules and constitution
If a friendly society has distributed assets in accordance with paragraph 81, the Board of directors of the friendly society must within 30 days of that distribution:
resolve to amend the approved benefit fund rules and, if applicable, the constitution of the friendly society, in the manner set out in the document required to be given to APRA under item 4 of Schedule 1 to Form 6, to give effect to the proposed termination of the approved benefit fund;
provide APRA with a copy of the resolutions made under this paragraph and paragraph 78;
apply to APRA for approval of a proposed amendment of its approved benefit fund rules in accordance with section 16Q of the Act; and
if applicable, apply to APRA for approval of any proposed amendment of its constitution in accordance with section 16U of the Act.
Practice guide
Adequate adoption of benefit fund rules or amendments of approved benefit fund rules
For a new benefit fund, where the benefit fund rules have not yet been approved, the appropriate method of adoption may be either by resolution of the Board of directors of the friendly society or by a special resolution of the members of the friendly society (or a class of members as determined by APRA) in accordance with the requirements of the Corporations Act 2001 (the Corporations Act) at the discretion of the friendly society. A resolution by the Board of directors would be the usual method of adoption, as the benefit fund would not normally have any members. However, LPS 700 does not preclude the friendly society from seeking the approval of the other members of the friendly society.
For an amendment to the approved benefit fund rules of an existing approved benefit fund, the appropriate method of adoption may be either by a special resolution of the members of the friendly society (or a class of members as determined by APRA) in accordance with the requirements of the Corporations Act or by resolution of the Board of directors of the friendly society. Subject to APRA approval, a resolution by the Board of directors may be appropriate in certain circumstances as set out in LPS 700.
If a friendly society applies to APRA for approval of a proposed amendment of its approved benefit fund rules in relation to a restructure of benefit funds pursuant to section 52 of the Life Act or a termination of a benefit fund pursuant to section 53 of the Life Act, the society may, under subparagraph 34(b) of LPS 700, adopt the amendments by a resolution of the Board of directors. In this case, it is considered that resolution by the Board of directors will not prejudice the rights of members of the benefit fund provided the requirements of paragraphs 53 to 73 of LPS 700 or paragraphs 74 to 89 of LPS 700 (as applicable) are complied with.
Termination of approved benefit funds
LPS 700 sets out, consistent with subsection 53(2) of the Life Act, the requirements for termination of an approved benefit fund including:
- how the termination takes place, including a requirement for member or Board approval of relevant proposed amendments to approved benefit fund rules or the constitution of the society;
Recovery and Resolution
Recovery and Resolution standards require entities to strengthen crisis preparedness. They include requirements such as resolution, recovery and exit planning.
Recovery
Prudential standard
Role of the Board
The Board of an APRA-regulated entity is ultimately responsible for the oversight of the entity’s recovery and exit planning. The Board of an APRA-regulated entity must:
approve the recovery and exit plan;
oversee reviews of the recovery and exit plan and ensure any findings are addressed by management; and
oversee the execution of any recovery and exit actions.
The Board of an SFI must also form a view on the sufficiency of recovery capacity to restore financial resilience in periods of stress. Where the Board views recovery capacity to be insufficient, the SFI must improve its recovery and exit plan or take other actions to improve its financial resilience.
Notification
An APRA-regulated entity must provide a copy of the recovery and exit plan to APRA following each review, within three months of the recovery and exit plan being approved by the Board.
Practice guide
Role of the Board
Changes in market conditions, business models or growth plans can impact the assumptions used in recovery and exit planning, and it is important that the plan continually evolves over time. APRA expects Board oversight to play a key role in maintaining the credibility of the plan over time.
Resolution
Prudential standard
Role of the Board
The Board of an APRA-regulated entity must support APRA in resolution planning and is ultimately responsible for ensuring that the entity meets the requirements of this Prudential Standard. The Board must ensure that there are clear roles and responsibilities at a senior executive level for the purpose of meeting the requirements in this Prudential Standard.
The Board must provide oversight of and approve, where applicable:
a resolvability assessment; and
a pre-positioning plan.
Practice guide
Developing a resolution plan
Role of the Board
Once an APRA-regulated entity has been subject to CPS 900, the Board of the entity must ensure that the entity meets the requirements of this Prudential Standard. In practice, this would mean that the entity is ready for the execution of the resolution plan (‘resolvable’). It would involve the Board overseeing the steps in preparing for resolution, including the implementation of pre-positioning actions and maintenance of capabilities necessary for resolution.