The Board of an APRA-regulated entity is ultimately responsible for all aspects of governance, oversight and compliance with all relevant laws and regulations. This guide consolidates specific requirements and guidance for RSE licensee boards from APRA’s prudential standards and prudential practice guides (PPGs). It does not introduce new requirements or guidance and excludes obligations that come from primary legislation.
Governance
Governance standards require entities to act with honesty and integrity and to be run by people with the right skills, knowledge and experience. They include foundational requirements for good governance and the fitness and propriety of people in positions of responsibility.
Accountability
Prudential standard
Fit and Proper Policy
The Fit and Proper Policy must be approved by the Board of an RSE licensee (the Board).
Nothing in this Prudential Standard prevents an RSE licensee from adopting and applying a group Fit and Proper Policy used by a connected entity, provided that the policy has been approved by the Board in accordance with paragraph 8 and meets the requirements of this Prudential Standard.
Practice guide
Fit and Proper Policy
SPS 520 requires that each individual member of the Board satisfies the requirements of propriety, including character, honesty, integrity, diligence and judgement. Each individual would also be expected to make a contribution to the Board satisfying the requirements of fitness at a collective level.
Criteria to determine if a responsible person is fit and proper
Under SPS 520, the skills and experience required by each responsible person depend on the person’s role. This, in turn, is affected by the role undertaken by other responsible persons. For example, a director is generally expected to understand the role and responsibilities of a director and have a general knowledge of the entity, its business and its regulatory environment. However, each director is not generally expected to have all the competencies that the Board collectively needs if other directors have those competencies or they are obtained from external consultants or experts and the Board does not unquestionably rely on their advice.
Prudential standard
The role of the Board and senior management
An RSE licensee must have a conflicts management framework, approved by the Board of an RSE licensee (the Board), to ensure that the RSE licensee identifies all potential and actual conflicts in the RSE licensee’s business operations and takes all reasonably practicable actions to ensure that they are avoided or prudently managed.
The Board is ultimately responsible for the development and maintenance of the RSE licensee’s conflicts management framework.
The Board must take all reasonable steps to ensure that all responsible persons and other employees of the RSE licensee clearly understand:
the need to identify all potential conflicts;
the circumstances that might give rise to a conflict;
the content and purpose of the RSE licensee’s conflict management framework; and
their obligations, where applicable, as a responsible person of the RSE licensee.
The Board must have in place appointment procedures that require incoming responsible persons to disclose all relevant duties and relevant interests prior to the person taking up the appointment.
RSE licensees that are part of a group
Where an RSE licensee is part of a corporate group, and the RSE licensee utilises group policies or functions, the Board must approve the use of group policies and functions and must ensure that these policies and functions give appropriate regard to the RSE licensee’s business operations and its specific requirements.
Conflicts management framework
An RSE licensee’s conflicts management framework must provide reasonable assurance that all conflicts are being clearly identified, avoided or prudently managed and must, at a minimum, include:
a conflicts management policy, approved by the Board, that meets the requirements of this Prudential Standard;
Conflicts management policy
An RSE licensee must have a conflicts management policy that is approved by the Board. At a minimum, the conflicts management policy must include controls and processes applying to all responsible persons and all employees of the RSE licensee for:
identifying and monitoring all potential and actual conflicts;
avoiding conflicts where required to do so;
where there is a conflict, managing that conflict, or ensuring that the conflict is managed in accordance with the requirements to give priority to the duties to, and interests of, beneficiaries in sections 52(2)(d) and 52A(2)(d) of the SIS Act;
ensuring that appropriate action is taken in the event of a conflict arising, including on-going evaluation of management of the conflict and provision for escalation or alternative action if required;
recording in the minutes of Board, board committee and other relevant meetings details of each conflict identified and the action taken to avoid or manage this conflict; and
processes for the development and maintenance of the registers required in paragraphs 15(c) and (d).
Review of conflicts management framework
In addition to the comprehensive review required in paragraph 20, an RSE licensee must, on an annual basis, review its conflicts management framework and report the results of this review to the Board.
Practice guide
Conflicts management framework
The Board of an RSE licensee (the Board) is ultimately responsible for the management of conflicts throughout the entirety of its business operations.
SPS 521 requires that an RSE licensee have in place a conflicts management framework approved by the Board to ensure that the RSE licensee identifies all potential and actual conflicts in its business operations and takes all reasonably practical actions to ensure that they are avoided or prudentially managed. A sound conflicts management framework supports the ability of the Board to assess conflicts on an ongoing basis and address unexpected conflicts of duty or interest appropriately and in a timely manner. Prudent practice in relation to conflicts management would include continual assessment of the conflicts management framework in light of changes to matters such as:
an RSE licensee’s business operations;
the structure of the RSE licensee;
the RSE licensee’s service providers and any changes to or within service providers; and
responsible persons and changes in their composition or circumstances which would impact the RSE licensee’s business operations.
Audit
Prudential standard
Obligations of RSE licensees – RSE auditor appointment
An RSE licensee must ensure that the RSE auditor has access to all data, information, reports and staff in respect of the RSE licensee’s business operations that the RSE auditor reasonably believes necessary to fulfil their role and responsibilities under the SIS Act, the Corporations Act (if applicable) and this Prudential Standard. This must include access to the Board of the RSE licensee (the Board), Board Audit Committee, internal auditor(s) and any information has provided to the RSE licensee, as required by the RSE auditor.
Obligations of RSE licensees – RSE auditor’s report
An RSE licensee must ensure that the RSE auditor provides a report to the Board on the audit of the operations of each RSE within the RSE licensee’s business operations, for each year of income, that complies with this Prudential Standard (refer to paragraph 22). The auditor’s report must cover the operations of the RSE licensee in respect of that RSE to the extent required to provide the assurances specified in paragraph 22.
Special purpose engagements
Unless otherwise determined by APRA, an auditor engaged for a special purpose engagement must submit, within three months of the date of the notice commissioning the report, the auditor’s report simultaneously to APRA and to the Board.
Board
Prudential standard
The role of the Board and senior management
The Board is ultimately responsible for the sound and prudent management of an ’s business operations.
The Board, in fulfilling its functions, may delegate authority to management to act on behalf of the Board with respect to certain matters, as decided by the Board. This delegation of authority must be clearly set out and documented. The Board must have mechanisms in place for monitoring the exercise of delegated authority. The Board cannot abrogate its responsibility for functions delegated to management.
The Board must ensure that the directors and the senior management of the RSE licensee, collectively, have the full range of skills needed for the effective and prudent operation of the RSE licensee’s business operations, and that each director has skills that allow them to make an effective contribution to Board deliberations and processes. This includes the requirement for directors, collectively, to have the necessary skills, knowledge and experience to understand the risks of the RSE licensee’s business operations, including its legal and prudential obligations, and to ensure that the RSE licensee’s business operations are managed in an appropriate way taking into account these risks. This does not preclude the Board from supplementing its skills and knowledge by engaging external consultants and experts.
Where the Board establishes a board committee that has responsibility for activities that have the potential to have a material impact on the interests, or reasonable expectations, of beneficiaries, or to the long term financial soundness of the RSE licensee, any of its RSEs or connected entities, an RSE licensee must ensure that only a director of the RSE licensee holds the position of chairperson on that board committee.
The Board must provide the RSE auditor and the RSE actuary, as relevant, with the opportunity to raise matters directly with the Board.
RSE licensees that are part of a corporate group
Where an RSE licensee is part of a corporate group, and the RSE licensee utilises group policies or functions, the Board must approve the use of group policies and functions and must ensure that these policies and functions give appropriate regard to the RSE licensee’s business operations and its specific requirements.
Governance framework
An RSE licensee must at all times have a governance framework that sets out how the Board oversees and exercises its authority in relation to the business operations of the RSE licensee and which encompasses the totality of systems, structures, policies, processes and people within an RSE licensee’s business operations.
The Board is ultimately responsible for the establishment, implementation and oversight of the governance framework.
An RSE licensee’s governance framework must, at a minimum, include:
a formal charter that sets out the roles, responsibilities and objectives of the Board;
the Board’s policy in relation to voting rights and procedures for the decisions of the Board;
the Board’s policies on:
the size and composition of the Board and any Board committees;
Board renewal;
the nomination, appointment and removal of directors, including defined director terms in office and maximum tenure periods;
Board composition
The chairperson of the Board must be a director of the RSE licensee.
A majority of directors of an RSE licensee must be ordinarily resident in Australia.
Board performance assessment
The Board must have procedures for assessing, at least annually, the Board’s performance relative to its objectives. It must also have in place a procedure for assessing, at least annually, the performance of individual directors.
Board renewal
The Board must have in place a formal policy on Board renewal. This policy must provide details of how the Board intends to renew itself in order to ensure it remains open to new ideas and independent thinking, while retaining adequate expertise.
Board nomination, appointment and removal
The Board must establish and implement policies and processes for the nomination, appointment and removal of directors. These policies and processes must, at a minimum, address:
the length of the term for which a director is appointed to the Board;
the maximum tenure limit for an individual director;
how vacancies will be managed, including, where applicable, how the RSE licensee will comply with the vacancy requirements in Part 9 of the SIS Act;
the process by which a candidate will be nominated for a vacant Board position;
the factors that will be considered when assessing the suitability of a nominated candidate, including how the RSE licensee assesses the independence of the candidate where relevant and the Board’s process for determining whether a particular candidate is appointed;
the process by which a director will be appointed to the Board;
the factors that will determine when an existing director will be re-appointed, including whether the director has served on the Board for a period that could, or could reasonably be perceived to, materially interfere with their ability to act in the best interests of beneficiaries;
the process by which the Board will resolve disputes about nominations, appointment, re-appointment or removal of directors;
when and how a director will be removed from the Board; and
the Board’s policy on voting rights and procedures in relation to nomination, appointment, reappointment and removal of a director.
Board Audit Committee
An RSE licensee must have a Board Audit Committee, which assists the Board by providing an objective non-executive review of the effectiveness of the RSE licensee’s financial reporting and risk management framework unless, with respect to risk management, there is another Board Committee which carries out this function.
The Board Audit Committee must have sufficient powers to enable it to obtain all information necessary for the performance of its functions.
The Board Audit Committee must have at least three members. All members of the Committee must be non-executive directors.
The chairperson of the Board may sit on the Board Audit Committee, but may not chair the Committee except where the chairperson of the Board is the only independent director (within the definition of section 10 of the SIS Act) on the Board.
Auditor independence
The Board must, to the extent practical, undertake steps to satisfy itself that the RSE auditor is independent of the RSE licensee and the RSE, and that there is no conflict of interest situation that could compromise, or be seen to compromise, the independence of the RSE auditor.
Practice guide
Principles
A number of principles underpin a sound and effective governance framework for an RSE licensee. These include:
responsibility — the board of directors (the Board) is ultimately responsible and accountable for the decisions and actions taken by an RSE licensee;
independence — demonstrated by a Board that discharges its review and oversight role effectively and independent of the interests of dominant shareholders, management, and competing or conflicting business interests;
renewal — a policy of renewal provides for fresh insight and general reinvigoration of a Board while also ensuring ongoing effective oversight and understanding of the business of the RSE licensee by the Board;
expertise — demonstrated by a Board with the necessary expertise to fulfil its role and functions, and access to independent expertise not readily available amongst the current directors;
diligence — demonstrated by a Board that discharges its duties and responsibilities carefully and conscientiously;
prudence — demonstrated by a Board with a clear focus on the prudent management of the RSE licensee’s business operations;
transparency — demonstrated by a Board that is open and honest in its dealings on behalf of the RSE licensee; and
oversight — demonstrated by a Board that is able to satisfy itself that the management and operation of the RSE conforms to its strategy, direction and policies.
Governance framework
APRA expects that a Board would establish a process to ensure that governance risks are properly and regularly evaluated and managed by the Board. Governance risks include, but are not limited to, risks associated with:
accountability and transparency of decision-making processes;
delegation of roles and responsibilities;
remuneration arrangements;
fitness and propriety; and
the management of conflicts of interest.
APRA’s view is that a prudent Board would determine a target size for the Board and its committees and reflect in the Board’s renewal policy an outline of how the Board intends to achieve and maintain this target size.
APRA’s view is that board size influences a Board’s capacity to operate effectively. APRA considers it would be prudent practice for an RSE licensee to periodically review the total number of directors on the Board and assess whether the size of the Board supports the effective functioning and decision-making of the Board. The size of the Board is ultimately a matter for the RSE licensee to set in light of the size, business mix and complexity of their business operations. APRA’s view, however, is that there are likely to be very limited circumstances where an RSE licensee would need a Board of more than 12 directors.
It would be prudent practice for the Board to consider using relevant board committees to provide appropriate oversight of key governance matters. Such committees may include a dedicated nomination committee or another appropriate board committee, such as the board risk committee.
The responsibilities of a dedicated nomination committee might include:
overseeing the nomination, appointment, reappointment and removal processes for directors of the Board;
recommending candidates for appointment to the Board; and
overseeing remuneration and performance assessment policies and processes (if these roles are not otherwise performed by the Board Remuneration Committee).
The Board and senior management
As stated in SPS 510, the Board has ultimate responsibility for the sound and prudent management of an RSE licensee’s business operations. A well-functioning Board will review and approve business strategies and significant policies of the RSE licensee. It will also satisfy itself that an effective system of risk management and internal control is established and maintained, and that senior management monitors the effectiveness of the risk management framework.
Composition of the Board
Section 10(1) of the SIS Act contains a definition of ‘independent director’, a term that is used in Part 9 of the SIS Act, which deals with equal representation of employers and members in relation to standard employer-sponsored funds. APRA’s view is that a prudent equal representation Board would consider the benefits of the appointment of at least one independent director.
A non-equal representation Board might similarly consider the benefits of the appointment of one or more directors who are free from any business or other association that could materially interfere with the exercise of their independent judgement. Such directors broaden the skills and capabilities that can be brought to the board table, and improve decision-making by bringing an objective perspective to issues the board considers. They are also well placed to hold other directors accountable for their conduct, particularly in relation to conflicts of interest.
Further, APRA’s view is that a prudent RSE licensee would consider whether the appointment of an independent or non- affiliated director, as relevant, as chairperson of the Board would benefit the Board’s fulfilment of its duties.
When assessing whether a director is a non- affiliated director, the Board may have regard to whether the director:
is a substantial shareholder of the RSE licensee or an officer of, or otherwise associated directly with, a substantial shareholder of the RSE licensee;
is employed, or has previously been employed, in an executive capacity by the RSE licensee, another group member or a standard employer sponsor and there has not been a period of at least three years between ceasing such employment and serving on the Board;
has within the last three years been a director of a standard employer sponsor, a principal of a material professional adviser or a material consultant to the RSE licensee or another group member, or an employee materially associated with the service provided;
is a material supplier of the RSE licensee’s business operations or another group member, or an officer of or otherwise associated directly or indirectly with a material supplier;
has a material contractual relationship with the RSE licensee or another group member other than as a director;
is eligible to be a member representative or employer representative on the Board; or
has served as a member representative or employer representative at any time in the last three years.
APRA’s view is that membership of an RSE within the RSE licensee’s business operations does not preclude a director from being considered to be non-affiliated.
APRA considers it prudent practice for a Board to also closely consider whether it would be appropriate to include independent and/or non-affiliated directors, as relevant, within the membership of its Board Audit Committee.
RSE licensees that are part of a corporate group
Where an RSE licensee is part of a corporate group, APRA expects that the Board would consider the potential impact on the RSE licensee of the operations, including but not limited to, the policies and procedures of representative’ and ‘employer representative’.other entities in the group. If the RSE licensee is the head of the group, APRA expects the Board would consider the impact of the operations of member entities of the group on all RSE licensees within the group.
Board renewal
APRA expects a Board renewal policy would document the maximum tenure period for each director, including the circumstances where the RSE licensee may deviate from the terms of its tenure policy. APRA’s view is that long periods of tenure can affect a person’s capacity to exercise independent judgement. APRA expects that the length of each director’s tenure would be examined shortly before the end of each term served and that there would be limited circumstances in which maximum tenure limits exceeding 12 years would be appropriate.
APRA expects that circumstances where a person is reappointed as a director at the end of the RSE licensee’s maximum tenure period would be exceptional. APRA also expects that, in the absence of exceptional circumstances, a director would serve on the Board for at least the term for which the director was appointed. Decisions about the appointment and removal of individual directors would ordinarily be considered by the Board of the RSE licensee. An appropriate length of term of appointment for directors would ordinarily be in the vicinity of three to four years.
Board nomination, appointment and removal
APRA’s view is that the Board would be expected to have in place robust processes to support the nomination of appropriate candidates for appointment to the Board. This would include processes to support open and effective communication and consultation with organisations with a right to nominate directors for appointment to the Board. APRA considers that it would be appropriate for the Board to have processes in place to respond to the situation where a sponsoring organisation nominates or appoints a director that the Board considers unsuitable for appointment.
The Board’s policy for nominating and appointing directors would be expected to ensure that terms of tenure are staggered to support continuity and the appropriate transfer of knowledge and skills to new directors.
Board committees
A well-functioning Board will typically consider whether there may be merit in establishing board committees for the purpose of overseeing critical functions. Whilst SPS 510 only requires the establishment of a Board Audit Committee, the Board may find the establishment of other committees beneficial for certain functions and for strengthening the overall governance arrangements of the RSE licensee.
While some functions and responsibilities of directors may be delegated to board committees where appropriate, the Board retains ultimate responsibility for ensuring that those duties are performed.
In establishing committees, a well-functioning Board will have regard to the risk profile of the RSE licensee and the complexity of its business, as well as the experience and expertise of the directors.
Where board committees are established, it would be prudent practice for these committees to have clearly defined charters that set out their role and objectives, responsibilities, authorities and tenure, and for the charters of these committees to be regularly reviewed. It would also be prudent practice that board committees report regularly to the Board.
Board Risk Committee
SPS 510 does not require an RSE licensee to establish a dedicated Board Risk Committee. However, APRA expects that the Board would have considered the necessity of such a committee and the suitability of arrangements for dealing with risk issues at the Board level. Typically, APRA expects larger and more complex RSE licensees would have a separate Board Risk Committee.
Board performance assessment
SPS 510 requires the Board to assess its performance and that of individual directors relative to its objectives. In undertaking this assessment, a well-functioning Board would typically consider and document the objectives that it sets for the Board collectively and for individual directors.
Objectives for the Board could include:
establishing the overall strategy for the RSE licensee and ensuring reporting against this strategy;
assessing operating and financial conditions against forecasts;
assessing senior management performance against agreed criteria, which would include, for relevant senior management, the effectiveness of risk controls; and
making key decisions in a timely manner.
Objectives for individual directors may include:
demonstrating the required expertise for their role;
attendance and participation at Board meetings; and
contributing to Board deliberations and the overall direction of the RSE licensee.
APRA expects the Board to consider whether its annual Board assessment would be best undertaken by a party who is free from connection to the RSE licensee or its associates. At a minimum, APRA expects the Board assessment would be undertaken by an external party at least every three years.
APRA expects that a Board would have in place a documented policy on Board performance assessments which includes:
the timeframe within which assessments will be conducted;
how sufficient objectivity in performance assessments will be achieved;
how the Board will manage the outcomes of performance assessments and recommended courses of action in the event of performance that is below expectations; and
a reasonable timeframe for action after performance assessments have been conducted.
Remuneration
Prudential standard
A. Requirements for SFIs
Role of the
The Board, or , of an APRA-regulated entity is ultimately responsible for the entity’s remuneration framework and its effective application.
The Board, or relevant oversight function, must approve the remuneration policy required under paragraph 22 of this Prudential Standard.
The Board must establish a Board Remuneration Committee that:
oversees the design, operation and monitoring of the remuneration framework;
is appropriately composed to enable it to exercise competent and independent judgment when fulfilling requirements under paragraph 25(a) above; and
has the powers necessary to perform its functions.
Board Remuneration Committee
The Board Remuneration Committee must have at least three members and all members must be non-executive directors of the entity.
Specified roles
The Board, or relevant oversight function, must approve the variable remuneration outcomes for persons in specified roles as follows:
individually for senior managers and executive directors; and
on a cohort basis for highly-paid material risk-takers, other material risk-takers and risk and financial control personnel.
Other requirements
In relation to the requirements for a Board Remuneration Committee and remuneration policy, where an APRA-regulated entity is part of a , or corporate group in the case of a , the Board of the APRA-regulated entity may:
use a group Board Remuneration Committee as the Board Remuneration Committee for the APRA-regulated entity, provided that:
the requirements set out in this Prudential Standard are met;
all members of the group Board Remuneration Committee are non-executive directors of the Head of the group in the context of an , or ; and
the Board of the entity has free and unfettered access to the group Board Remuneration Committee; and
adopt and apply a group remuneration policy that is also used by a related body corporate or a connected entity provided that the group remuneration policy:
meets the requirements of this Prudential Standard;
has been approved by the Board or relevant oversight function; and
gives appropriate regard to the entity’s business activities, its specific requirements and its remuneration framework.
B. Requirements for Non-SFIs
Role of the Board
The Board, or relevant oversight function, of an APRA-regulated entity is ultimately responsible for the entity’s remuneration framework and its effective application.
The Board, or relevant oversight function, must approve the remuneration policy required under paragraph 75 of this Prudential Standard.
Specified roles
The Board, or relevant oversight function, must approve the variable remuneration outcomes for persons in specified roles as follows:
individually for senior managers and executive directors; and
on a cohort basis for highly-paid material risk-takers, other material risk-takers and risk and financial control personnel.
Other requirements
In relation to the requirements for a remuneration policy, where an APRA-regulated entity is part of a group, or corporate group in the case of a private health insurer, the Board of the APRA-regulated entity may adopt and apply a group remuneration policy that is also used by a related body corporate or a connected entity provided that the group remuneration policy:
meets the requirements of this Prudential Standard;
has been approved by the Board or relevant oversight function; and
gives appropriate regard to the entity’s business activities, its specific requirements and its remuneration framework.
Disclosures
An APRA-regulated entity must disclose information on the governance of the remuneration framework. This must include:
information on how the Board exercises its discretion in determining remuneration outcomes; and
a description of how the Board oversees remuneration policies and the input provided by the Board Risk Committee, other Board committees, or the risk function, including the Chief Risk Officer.
Practice guide
SFI specific requirements include establishing a Board Remuneration Committee, applying a material weight to non-financial measures in variable remuneration arrangements, applying minimum deferral periods and clawback arrangements, and periodically reviewing the remuneration framework.
Under CPS 511, the Board, or relevant oversight function, is ultimately responsible for the entity’s remuneration framework and its effective application.
APRA expects Boards to ensure that remuneration practices are well supported by broader frameworks and policies that influence behaviour, beyond financial rewards. This includes clear accountabilities and expectations for risk management, effective consequence management and a strong tone from the top on risk culture.
In providing oversight of remuneration, other prudential standards and guidance are also applicable, in particular requirements on governance and risk management. Broader regulatory requirements and expectations, including guidance provided by the Australian Securities and Investments Commission (ASIC), are also relevant for the Board.
Under CPS 511, the Board of a SFI is required to establish a Board Remuneration Committee (RemCo) to oversee the design and implementation of the remuneration framework. The RemCo is responsible for making recommendations to the Board annually on the remuneration arrangements and variable remuneration outcomes for persons in specified roles.
A prudent Board would ensure that the RemCo is composed of members with the appropriate skills, experience and expertise to exercise competent and independent judgment. This includes a clear understanding of what constitutes good risk management.
While the Board of a non-SFI is not required to establish a RemCo, it must put in place arrangements to meet the requirements of CPS 511 and ensure there is appropriate oversight of the remuneration framework and key remuneration decisions.
In determining the variable remuneration outcomes for individuals and cohorts in specified roles, the assessment of performance and risk is a critical input. It is important for the RemCo to ensure it understands the performance and risk outcomes for persons in specified roles, as well as for the entity overall.
APRA expects that the assessment of performance and risk would include direct input from senior risk management personnel, and not be based on self-assessments alone.
Good practice would be for risk and internal audit executives to present a comprehensive assessment of key risk and audit metrics on at least an annual basis, to inform remuneration decision making and outcomes.
Under CPS 511, the RemCo must consult the Board Risk Committee and Chief Risk Officer to enable risk outcomes to be appropriately reflected in remuneration outcomes for persons in specified roles. The use of joint meetings with the Board Risk Committee can be an effective mechanism for providing insights into risk considerations for the RemCo. It would not be prudent to rely on cross-membership between the RemCo and the Board Risk Committee as the sole means of providing a view on risk.
There may be occasions where the Board would need to exercise its discretion to challenge and override remuneration recommendations, and make downward adjustments for individuals, cohorts or all personnel.
A prudent Board would be actively engaged in the oversight of key remuneration decisions, providing robust challenge and independent scrutiny. Board oversight and discretion to adjust variable remuneration would be particularly relevant in unusual or exceptional circumstances. These circumstances may include:
material cases of adverse risk or conduct outcomes, especially where these have impacted the entity’s prudential standing or prudential reputation;
periods of stress in which the entity may be experiencing negative financial performance and erosion of its regulatory capital base; and
periods of stress in which the entity is provided with exceptional public sector support.
It is important that the Board uses its discretion in a timely and informed manner, rather than acting only on the basis of realised outcomes. For example, it could be appropriate for a Board to reduce pre-emptively variable remuneration during a period of stress, rather than waiting for losses to be realised. It would not be prudent to act only once risk issues are made public, to adopt management recommendations without challenge, or to excuse poor risk outcomes on the basis of good intent.
It is the responsibility of the Board and RemCo to guide management on the reporting it needs to fulfil its role. A prudent Board and RemCo would regularly review the information they are provided with to ensure that reporting is sufficient and insightful. Poor quality, inadequate, incomplete or voluminous reporting can significantly hamper oversight and challenge.
Good practice would be for the RemCo to be provided with formal documented performance and risk assessments for individuals in specified roles, and summaries for relevant cohorts such as risk and financial control personnel. This would include clear qualitative and quantitative assessments for measures that have formed the basis of decisions, including key metrics, and an outline of how assessments have flowed through to remuneration outcomes. It would not be prudent to rely on verbal discussion and generalised attestations as evidence of performance or risk assessments, or high-level summaries of major incidents.
Good practice for cohorts would be to assess, on an aggregated basis by business unit or role type, similar information to that which is reviewed for individual remuneration decisions. Additional information may also be useful, such as trends and outliers, summary indicators that show distributions, averages or medians, and other data-driven insights.
An entity that is part of a wider corporate group may adopt and apply the group remuneration policy, provided that it meets the requirements of CPS 511 and has been approved by the Board. Good practice would be for the entity to assess how the policy complies with each requirement of CPS 511, is appropriate for its specific business activities and risk profile, and meets the spirit and intent of the standard.
Under CPS 511, the variable remuneration outcomes for persons in specified roles must be approved by the Board, on either an individual or cohort basis. APRA expects the remuneration policy would define the particular specified roles for the entity, and summarise the remuneration arrangements for these roles.
Specified roles are defined in CPS 511 and are intended to capture those individuals and cohorts who can have a material influence on the performance and risk profile of the entity, in both the short and long-term. Specified roles comprise senior managers, executive directors, material risk-takers (including highly-paid material risk-takers) and all risk and financial control personnel.
A prudent Board would closely monitor the remuneration of risk and financial control personnel as a cohort, to ensure arrangements are adequate to attract and retain suitably qualified, skilled and experienced staff.
A prudent entity would take reasonable steps to identify which service providers may give rise to material conflicts or risks. This may include a materiality threshold or definition, approved by the Board, which would be used to identify the scale and nature of service providers that are likely to present a material conflict or risk.
In assessing whether material weight is being applied effectively in the design and determination of variable remuneration outcomes, a prudent Board would consider whether the weighting:
is a sufficient incentive to influence an individual’s behaviour, priorities and decisions;
is robust and cannot be overshadowed or diminished by performance or outperformance on financial measures;
is applied to measures over which the individual has a reasonable degree of control and influence;
is applied to measures that effectively support the objectives of the remuneration framework, including risk management; and
has been demonstrated to work in practice to incentivise prudent outcomes over time, where this is possible to determine.
A prudent Board would establish clear guidelines to ensure appropriate weight is applied to non-financial measures in the determination of variable remuneration. This could include a minimum level or range. Good practice would be for the Board to review these guidelines on an annual basis to ensure it is operating as intended in driving expected behaviours.
To assess whether the weighting for non-financial measures is driving intended behaviours and outcomes in practice, a prudent Board would consider how effectively risk and conduct is managed. Reporting on non-financial measures for the entity as a whole, as well as aggregate information on risk adjustments, would support this assessment. Entities with a high reliance on downward adjustments for adverse risk and conduct outcomes would investigate root causes and, where appropriate, consider if the weighting to non-financial measures needs to be increased or the design improved.
A prudent Board would consider a wide range of evidence and ensure appropriate mechanisms are in place to escalate issues. Good practice would be to consider, for example, known incidents, findings from audits and regulatory reviews, product failures, trends in conduct or risk incidents. APRA expects that a risk adjustment would be considered, for an individual or cohort, in the event of a breach of a prudential standard or other regulation.
In gauging the severity of a case, a prudent entity would consider a range of factors. This would include the expected or actual impact on the entity’s reputation, customers or beneficiaries and prudential standing, as well as any financial loss. An individual’s contribution to circumstances which led to the adverse outcome would also be considered, potentially including inaction. Good practice would be to develop a severity scale, with example cases and any precedents, to guide decision-making on the level of severity and indicative remuneration impacts that would be expected to result. This scale would support a Board in applying proportionate downward-adjustments to variable remuneration, and in applying consistency across different cases.
The scope of the triennial review would encompass the role of the Board, the design of remuneration arrangements, and the effectiveness of risk and conduct adjustments. This would include any key design features, such as the definition of material risk-takers and the application of non-financial measures. The review would also assess the appropriateness of any remuneration adjustments made, to ensure that triggers and criteria for downward adjustments are prudently calibrated.
CPS 511 requires the triennial review to be conducted by operationally independent, appropriately experienced and competent persons. A prudent entity may consider the use of external expertise to meet this requirement. Where internal staff conduct the review, a prudent Board would gain assurance that they are operationally independent and are able to provide an objective review, with the requisite skills, experience and expertise.
Risk Management
Risk Management standards require entities to maintain effective risk management strategies and systems. They include requirements about managing operational risk, and risks specific to an industry including credit risk, insurance risk and investment risk.
Market Risk
Prudential standard
Operational Risk
Chapter 1 — Introduction
Under SPS 220, the Board of an RSE licensee is ultimately responsible for the risk management framework. It is APRA’s view that a core element of an effective risk management framework is a strong risk culture that exhibits organisational attributes and behaviours which reflect an intolerance of fraud.
Chapter 3 — Development and implementation of the fraud risk management framework
Fraud prevention
Measures that an RSE licensee may consider adopting in the establishment of a strong risk culture include, but are not limited to:
establishing an ethical culture supported and modelled by the Board and senior management who are seen to follow policies and procedures, and provide suitable role models for both employees and organisations with whom an RSE licensee may engage;
Fraud response
APRA expects that an RSE licensee would capture all incidents of fraud and maintain a process that manages incidents of fraud as part of its fraud risk management framework, with appropriate linkage to its ORFR strategy. An effective process that manages incidents of fraud would report all such incidents to senior management and as appropriate, to relevant Board Risk Committees and the Board.
Prudential standard
Roles and responsibilities
The Board of an APRA-regulated entity is ultimately accountable for oversight of an entity’s operational risk management. This includes business continuity and the management of service provider arrangements.
The Board must ensure that the APRA-regulated entity sets clear roles and responsibilities for senior managers for operational risk management, including business continuity and the management of service provider arrangements.
The Board must:
oversee operational risk management and the effectiveness of key internal controls in maintaining the entity’s operational risk profile within risk appetite. The Board must be provided with regular updates on the APRA-regulated entity’s operational risk profile and ensure senior management takes action as required to address any areas of concern;
approve the BCP and tolerance levels for disruptions to critical operations, review the results of testing and oversee the execution of any findings; and
approve the service provider management policy, and review risk and performance reporting on material service providers.
Senior management of an APRA-regulated entity must provide clear and comprehensive information to the Board on the expected impacts on the entity’s critical operations when the Board is making decisions that could affect the resilience of critical operations.
Operational risk management
Operational risk profile and assessment
An APRA-regulated entity must maintain a comprehensive assessment of its operational risk profile. As part of this, an APRA-regulated entity must:
maintain appropriate and effective information systems to monitor operational risk, compile and analyse operational risk data and facilitate reporting to the Board and senior management;
Business continuity plan
An APRA-regulated entity must maintain the capabilities required to execute the BCP, including access to people, resources and technology. An APRA-regulated entity must monitor compliance with its tolerance levels and report any failure to meet tolerance levels, together with a remediation plan, to the Board.
An APRA-regulated entity’s internal audit function must periodically review the entity’s BCP and provide assurance to the Board that the BCP sets out a credible plan for how the entity would maintain its critical operations within tolerance levels through severe disruptions and that testing procedures are adequate and have been conducted satisfactorily.
Monitoring, notifications and review
An APRA-regulated entity’s internal audit function must review any proposed material arrangement involving the outsourcing of a critical operation. The internal audit function must regularly report to the Board or Board Audit Committee on compliance of such arrangements with the entity’s service provider management policy.
Practice guide
Roles and responsibilities
The Board
Allocate responsibility
A prudent Board would have a clear understanding of who is responsible within the entity for each aspect of operational risk management, including business continuity and the management of service provider arrangements. It should have reasonable assurance that there are no gaps in responsibilities.
Processes for delegation from, and reporting to, the Board and senior management should be clear and documented, including for the escalation of risks and issues.
Oversee the risk profile
The Board would typically:
oversee updates to an entity’s operational risk profile and ensure risks outside of its appetite are addressed promptly;
oversee the effectiveness of key internal controls;
be kept informed of areas of any material weaknesses and major remediation efforts;
understand the material operational risks that arise from new ventures; and
ensure internal audit provides assurance and has appropriate capabilities for this task.
Challenge and approve
The Board, in approving the BCP and overall tolerances for the disruption of critical operations, would also ensure that the BCP aligns with its tolerances.
While the Board approves the service provider management policy, it may delegate approval of non-material changes.
Senior management
Senior managers play an important role in equipping Boards to make effective decisions. APRA expects that information provided to the Board is targeted and timely.
Boards may delegate to senior management the ability to approve more granular policies, tolerance levels and plans which sit beneath, and align to, Board-approved documents.
Business continuity
Test the BCP
Test results and the execution of any findings such as remediation would be reported to and reviewed by the Board, with associated follow-up actions formally tracked and reported. Reports on BCP tests would typically include:
Audit the BCP
Internal audit is an important vehicle for assurance. The Board may consider seeking assurance through expert opinion or other means to complement internal audit.
Prudential standard
Roles and responsibilities
The Board of an APRA-regulated entity (Board) is ultimately responsible for the information security of the entity. The Board must ensure that the entity maintains information security in a manner commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity.
Testing control effectiveness
An APRA-regulated entity must escalate and report to the Board or senior management any testing results that identify information security control deficiencies that cannot be remediated in a timely manner.
Practice guide
Considerations for the Board
This section sets out key information a Board could consider in relation to its responsibilities under CPS 234. The remainder of the PPG elaborates on this information, and contains additional detail on information security aimed at a broader audience. A Board member may find it beneficial to acquaint themselves with this additional detail as necessary.
Under CPS 234, the Board of an APRA-regulated entity is ultimately responsible for the information security of the entity. In order for a Board to be able to more effectively discharge its responsibilities (including oversight, seeking assurance and, as appropriate, challenging management), it could consider the following:
roles and responsibilities — clearly outline for management how the Board expects to be engaged, including delegation of responsibilities, escalation of risks, issues and reporting requirements (including schedule, format, scope and content). Refer to Attachment H for common examples of the types of information that the Board might find useful to effectively fulfil its role and discharge its responsibilities;
information security capability — consider the sufficiency of the regulated entity’s information security capability in relation to vulnerabilities and threats; ensure sufficiency of investment to support the information security capability; and review progress with respect to execution of the information security strategy;
policy framework — whether information security policies reflect Board expectations;
implementation of controls — regularly seek assurance from and, as appropriate, challenge management on reporting regarding the effectiveness of the information security control environment and the overall health of the entity’s information assets;
testing control effectiveness — regularly seek assurance from and, as appropriate, challenge management on the sufficiency of testing coverage across the control environment; form a view as to the effectiveness of the information security controls based on the results of the testing conducted; and
internal audit — consider the sufficiency of internal audit’s coverage, skills, capacity and capabilities with respect to the provision of independent assurance that information security is maintained; form a view as to the effectiveness of information security controls based on audit conclusions; and consider where further assurance, including through expert opinion or other means, is warranted.
In considering the above, the Board would normally take into account the use of third parties and related parties (including group functions) by the APRA-regulated entity.
Roles and responsibilities
Board delegations
APRA does not seek to impose restrictions on a Board’s ability to delegate information security roles and responsibilities to Board sub-committees, management committees or individuals. However, APRA expects that a Board would clearly outline how it expects to be engaged with respect to information security, including escalation of risks, issues and reporting. Refer to Attachment H for common examples of the types of information that the Board might find useful in this regard.
Sufficient and timely information
The Board, governing bodies and individuals would typically define their information requirements (e.g. schedule, format, scope and content) to ensure they are provided with sufficient and timely information to effectively discharge their information security roles and responsibilities. Reporting to governing bodies would normally be supported by defined escalation paths and thresholds. An APRA-regulated entity could benefit from implementing processes for periodic review of audience relevance and fitness for use.
Adaptive and forward-looking investment
Under CPS 234, an APRA-regulated entity must actively maintain an information security capability with respect to changes in vulnerabilities and threats. Accordingly, an entity would typically adopt an adaptive and forward-looking approach to maintaining its information security capability, including ongoing investment in resources, skills and controls. This would commonly be achieved through the execution of an information security strategy which responds to the changing environment throughout the year. The strategy could be informed by existing and emerging information security vulnerabilities and threats, contemporary industry practices, information security incidents, both internal and external, and known information security issues. Oversight of execution of the strategy is normally the responsibility of the Board or a delegated governing body with representation from across the organisation.
Incident management
Response to a security compromise
An APRA-regulated entity would typically have clear accountability and communication strategies to limit the impact of information security incidents. Under CPS 234, this includes escalation and reporting of information security incidents to the Board, other governing bodies and individuals responsible for information security incident management and oversight, as appropriate. A regulated entity could also include customer communication as part of any such communication strategy where appropriate. Incident response plans would also typically assist in compliance with regulatory notification requirements.
Internal audit
Assurance to the Board
Internal audit is an important vehicle by which the Board can gain assurance that information security is maintained. This assurance would typically be achieved through the inclusion of information security within the APRA-regulated entity’s internal audit plan. The Board could also choose to gain assurance through expert opinion or other means to complement the assurance provided by the internal audit function. This typically occurs where the required skills do not reside within the internal audit function or the area subject to audit pertains to third parties or related parties.
Use of assurance reports from third parties
Under CPS 234, an APRA-regulated entity’s internal audit function must assess the information security control assurance provided by a third party or related party in certain circumstances. Where that assessment identifies material deficiencies in the information security control assurance provided by the third party or related party, or no assurance is available, this would typically be highlighted in reporting to the Board.
Attachment B: Training and awareness
An APRA-regulated entity could benefit from developing a training and information security awareness program. This would typically communicate to personnel (staff, contractors and third parties) regarding information security practices, policies and other expectations as well as providing material to assist the Board and other governing bodies to execute their duties. Sound practice would involve tracking training undertaken and testing the understanding of relevant information security policies, both on commencement and periodically.
Other control considerations
Outsourcing/offshoring of data management responsibilities
In APRA’s view, the following would normally be applied to the assessment and ongoing management of outsourced/offshored data management responsibilities:
Board/senior management’s understanding, acceptance and approval of the resulting risk profile; and
Risk management
Prudential standard
The role of the Board and senior management
The Board of the RSE licensee (the Board) is ultimately responsible for the risk management framework.
The Board is ultimately responsible for maintaining the solvency of the RSE licensee and ensuring that the RSE licensee’s business operations have adequate resources to undertake the activities for which it holds an RSE licence.
RSE licensees that are part of a group
Where an RSE licensee is part of a corporate group, and the RSE licensee utilises group policies or functions, the Board must approve the use of group policies and functions and must ensure that these policies and functions give appropriate regard to the RSE licensee’s business operations and its specific requirements.
Risk appetite statement
An RSE licensee must maintain an up-to-date risk appetite statement that covers the RSE licensee’s business operations and each category of material risk. The risk appetite statement must be approved by the Board.
Risk management strategy
An RSE licensee must maintain an up–to-date RMS for its business operations that covers each material risk identified under paragraphs 10 to 13 inclusive. The RMS must be approved by the Board.
Risk management function
An RSE licensee must have a designated risk management function that, at a minimum:
is responsible for assisting the Board, board committees and senior management to develop and maintain the risk management framework;
has the necessary authority and reporting structure to the Board, board committees and senior management to conduct its risk management activities in an effective and independent manner; and
is required to notify the Board of any material deviation from, or material breach of, the risk management framework.
Risk management declaration
The Board must, on an annual basis, provide APRA with a declaration on risk management (risk management declaration) signed by two directors that satisfies the requirements set out in Attachment A of this Prudential Standard.
If the Board qualifies the risk management declaration, the qualified declaration must include a description of any material deviation from the RSE licensee’s risk management framework and the steps taken, or proposed to be taken, to remedy those deviations.
Practice guide
Risk culture
An RSE licensee’s risk culture is strongly influenced by the ‘tone at the top’. APRA expects the Board of an RSE licensee (the Board) to demonstrate its commitment to risk management and foster an environment of active engagement with risk management processes and outcomes, and in which the risk management function is influential and respected.
Risk appetite statement
APRA expects that the Board would be actively engaged in the development, and be able to demonstrate ownership, of the risk appetite statement. APRA considers that this might be achieved, in part, through reporting and communication processes and structures that enable the Board and Board Risk Committee (as appropriate) to:
understand how senior management interprets and applies risk tolerances;
be satisfied that senior management interpretation and application of the risk appetite is appropriate; and
take factors (a) and (b) into account when reviewing the risk appetite statement.
A prudent RSE licensee would consider a variety of processes to assess risks. Where an RSE licensee has the capability to use risk quantification techniques, such techniques may form part of setting and monitoring the risk appetite statement. Risk quantification techniques may provide an RSE licensee with assurance that the risk does not exceed an RSE licensee’s risk tolerance and also its risk capacity. These techniques may not be appropriate for all types of risk. APRA expects the results of such analysis and testing would be reported to the Board, or Board Risk Committee, and may be considered when establishing or reviewing the risk appetite statement.
Risk management declaration
SPS 220 requires the Board to provide APRA with a risk management declaration on an annual basis. Whilst this declaration does not have to be audited, APRA expects that the two directors of the RSE licensee who sign the declaration would have obtained reasonable assurance, and if necessary considered independent advice, on the matters upon which they have made a declaration.
Governance
Prudential standards CPS 510 and SPS 510 set out the minimum governance requirements of an APRA-regulated institution. The ultimate responsibility for the sound and prudent management of an APRA-regulated institution’s business operations rests with its board of directors. APRA therefore considers it prudent practice for the board to seek to understand and regularly assess the financial risks arising from climate change that affect the institution, now and into the future.
APRA is of the view that climate risks can and should be managed within an institution’s overall business strategy and risk appetite, and a board should be able to evidence its ongoing oversight of these risks.
The board of an institution may delegate certain functions of the management of climate risks but, as with other risks, needs to maintain mechanisms for monitoring the exercise of this delegated authority. Board-level engagement is important to ensure that work on climate risks holds sufficient standing within an institution, and gives the board the requisite institution-wide insights to strategically respond to the risks.
In fulfilling its obligations under CPS 510 and SPS 510, a prudent board is, in overseeing the management of climate risks, likely to:
ensure an appropriate understanding of, and opportunity to discuss, climate risk at the board and sub-committee levels, which may include appropriate training for board members;
set clear roles and responsibilities of senior management in the management of climate risks, and hold senior management to account for these responsibilities;
re-evaluate the risks, opportunities and accountabilities arising from climate change on a periodic basis, and consider these risks and opportunities in approving the institution’s strategies and business plans;
take both a shorter-term view (consistent with the institution’s regular business planning horizon) and longer-term view when assessing the impact of climate risks and opportunities; and
ensure that, where climate risks are found to be material, the institution’s risk appetite framework incorporates the risk exposure limits and thresholds for the financial risks that the institution is willing to bear.
Risk management
Under CPS 220 and SPS 220, the board of an APRA-regulated institution is ultimately responsible for both the institution’s risk management framework, and for the oversight of its operation by management. Senior management of the institution monitor and manage all material risks consistent with the strategic objectives, risk appetite statement and policies approved by the board. APRA considers it prudent for climate risks to be considered within an institution’s existing framework, including the boardapproved risk appetite statement, risk management strategy and business plan.
Risk reporting
To facilitate well-informed decision-making, APRA expects that a prudent institution would establish procedures to routinely provide relevant information on its material climate risk exposures, including monitoring and mitigation actions, to the board and senior management. This information would allow the board and senior management to understand and review the activities, and to make decisions consistent with the institution’s overall risk appetite and risk management approach.
Scenario analysis
A prudent institution would maintain appropriate documentation of the method and results of its climate risk scenario analysis and stress testing, including an assessment of the limitations of the analysis for assessing the climate risks faced by the institution. Material results should be communicated to the institution’s board and senior management, and used to inform business planning and strategy setting, as well as setting and reviewing the institution’s overall climate risk management approach.
Business Operations
Business Operations standards require RSE licensees to manage their business operations to achieve the outcomes they seek for members. They include requirements for strategic planning, investment governance, operational risk resourcing and insurance.
Business operations
Prudential standard
RSE licensees that are part of a group
Where an RSE licensee is part of a corporate group, and the RSE licensee utilises group policies or functions, the Board must approve the use of group policies and functions and must ensure that these policies and functions have appropriate regard to the RSE licensee’s business operations.
ORFR strategy
The Board must approve the ORFR strategy and is ultimately accountable for ensuring the implementation of the RSE licensee’s ORFR strategy.
Shortfall management
An RSE licensee’s replenishment plan must be approved by the Board prior to implementation.
Review and audit
An RSE licensee must review the appropriateness of its ORFR target amount and tolerance limit at least annually and following a material operational risk incident or material change to the RSE licensee’s business operations. The findings of the review must be reported to the Board.
APRA may require the appointment of an external expert to provide an assessment of, and report on, the adequacy and effectiveness of, the RSE licensee’s approach to meeting the requirements of this Prudential Standard. The report must be paid for by the RSE licensee and must be made available to APRA, together with the Board’s preliminary response within 30 business days after it has been provided to the RSE licensee.
Practice guide
Review and audit
In addition to its approach to monitoring operational risks under Prudential Standard CPS 230 Operational Risk Management (CPS 230), a prudent RSE licensee would implement forward looking triggers and reporting processes that alert the Board to matters that may need pre-emptive action or response in relation to the ORFR. These may relate to the funding, management, investment and use of the ORFR financial resources and the appropriateness of the ORFR target amount itself.
Prudential standard
RSE licensees that are part of a group
Where an RSE licensee is part of a corporate group, and the RSE licensee utilises group policies or functions, the Board of the RSE licensee (the Board) must approve the use of group policies and functions and must ensure that these policies and functions give appropriate regard to the RSE licensee’s business operations.
Shortfall limit
An RSE licensee must set a shortfall limit, approved by the Board, for each defined benefit fund within its business operations. For the purposes of this Prudential Standard, a ‘shortfall limit’ is the extent to which an RSE licensee considers that a fund can be in an unsatisfactory financial position with the RSE licensee still being able to reasonably expect that, because of corrections to temporary negative market fluctuations in the value of fund assets, the fund can be restored to a satisfactory financial position within one year.
The shortfall limit approved by the Board must be calculated and expressed in the same way as required under the reporting standards made under the Financial Sector (Collection of Data) Act 2001.
The Board must determine and implement a monitoring process designed to detect, on a timely basis, when the fund has, or may have, fallen into an unsatisfactory financial position and/or breached the shortfall limit.
Unsatisfactory financial position – RSE licensee requirements
When an RSE licensee receives a statement from the RSE actuary under paragraph 31, the RSE licensee must:
set out a plan (restoration plan) to return the fund to a satisfactory financial position within the timeframe referred to in paragraph 31(a)(ii). The restoration plan may be developed in consultation with the employer-sponsor and the RSE actuary and must be approved by the Board within three months of receiving the statement from the RSE actuary;
provide a copy of the restoration plan to APRA and the RSE actuary as soon as practicable but no later than 15 business days after the Board has approved the plan; and
At a minimum, a restoration plan must outline:
the process by which the RSE actuary and the Board will monitor and review progress towards restoration of the fund to a satisfactory financial position.
Self-insurance
An RSE licensee that is permitted to self-insure insured benefits must:
develop a contingency plan for an orderly transfer of insurance assets and obligations, for activation in the event that the Board has decided that, by self-insuring benefits, the RSE licensee is no longer acting in the best interest of beneficiaries as a whole.
Practice guide
Shortfall limit
Purpose and significance
Reporting Standard SRS 160.0 Defined Benefit Matters sets out how the shortfall limit approved by the Board is to be calculated and expressed. The limit is the ratio of ‘net assets available for member benefits (net of ORFR reserves) of defined benefit interests’ to ‘defined benefit interests in vested benefits’ determined by the Board of the RSE licensee to be the shortfall limit within the meaning given in SPS 160, and designated as a percentage to one decimal place. If a defined benefit interest includes an accumulation component, it is acceptable to calculate and express the shortfall limit in terms of the defined benefit component of the defined benefit interest.
APRA expects that an RSE licensee would consider a range of factors when setting a shortfall limit. These could include factors such as the extent to which vested benefits exceed minimum benefits, asset mix, impact of fluctuations in market value of fund assets, whether the defined benefit fund pays pensions, membership profile, whether the fund is open or closed to new members, accrued benefits and the weighted average term of projected defined benefit liabilities. A prudent RSE licensee may also seek assurance of the support provided by the employer-sponsor(s). After determining a shortfall limit based on objective factors, the Board would be able to set the shortfall limit at a higher level if it had a concern about an employersponsor’s financial ability or willingness to fund a possible restoration plan.
A Board may set a shortfall limit that triggers action if the funding level falls below a satisfactory financial position i.e. a vested benefits index (VBI) level of 100 per cent. Such a limit may, for example, be set for a fund where minimum benefits are close to, or equal to, vested benefits. APRA would expect that, in such circumstances, the Board’s policy would include an outline of the actions to be taken if there was any deviation from the full funding of vested benefits, with the aim of preventing the defined benefit fund becoming technically insolvent.
A prudent RSE licensee may also set a funding buffer in excess of vested benefits. In these circumstances, the RSE licensee may decide to set a trigger for review and action above a VBI of 100 per cent. For example, a response may be triggered if the level of VBI falls below 105 per cent. In such circumstances, APRA would expect that Board policies and procedures would include action to be taken should the position deteriorate below the level set by the Board, even though the fund is not in an unsatisfactory financial position.
SPS 160 requires the Board to determine and implement a monitoring process so that deterioration in the defined benefit fund’s financial position may be detected in a timely manner. In APRA’s view, a monitoring process might include a regular estimate of vested benefits and of the value of fund assets. Alternatively, the process might be based on the regular monitoring of investment returns, with adverse experience triggering an estimate of vested benefits and the value of fund assets. The frequency at which such estimates are undertaken would be expected to increase with market volatility, and may also be related to the margin by which current and projected VBI exceeds 100 per cent. For example, an annual review may be adequate where the fund has a sufficient buffer above 100 per cent VBI, with the sufficiency of the buffer assessed after taking into account the extent to which vested benefits are linked to the investment return on defined benefit assets. Some form of stress testing may be needed to determine the potential impact of movements in investment markets on the fund’s VBI level.
Prudential standard
RSE licensees that are part of a group
Where an RSE licensee is part of a corporate group, and the RSE licensee utilises group policies or functions, the Board must approve the use of group policies and functions and must ensure that these policies and functions give appropriate regard to the RSE licensee’s business operations and its specific requirements.
Insurance management framework
The Board is ultimately responsible for the insurance management framework.
Practice guide
Selection of insurer
Critical to the selection process is that it is done on an arm’s length basis and in the best financial interests of the beneficiaries. The Board is responsible for ensuring that it conducts an objective selection process including a due diligence review for the selection of an insurer. Given the risks associated with conflicts of interest and duty, an independent certification is required for insurance arrangements with connected entities.
A prudent RSE licensee would have in place a formal process for appointing an insurer, including appropriate delegations for appointing the insurer. The Board may choose to delegate elements of the tender and/or selection process, but it would be sound practice for the Board, or a relevant Board committee, to review and approve the selection criteria.
Risk management framework
Under Prudential Standard SPS 220 Risk Management, an RSE licensee is responsible for ensuring that it identifies, manages and regularly reviews all material risks to its business operations through its risk management framework. An RSE licensee must also have and maintain a Board-approved Risk Management Strategy (RMS). While an RSE licensee may have a number of different approaches to the development of its risk management framework, the following paragraphs provide guidance that may assist an RSE licensee in this regard.
Risk management framework
Under Prudential Standard SPS 220 Risk Management (SPS 220), an RSE licensee is responsible for ensuring that it identifies, manages and regularly reviews all material risks to its business operations through its risk management framework. An RSE licensee must also have and maintain a Board-approved Risk Management Strategy (RMS). While an RSE licensee may have a number of different approaches to the development of its risk management framework, the following guidance may assist an RSE licensee in this regard.
Prudential standard
Strategic objectives
An must set specific strategic objectives for the sound and prudent management of its business operations that support achieving the outcomes the RSE licensee seeks for beneficiaries. The strategic objectives must be approved by the Board.
Business plan
An RSE licensee must create and maintain a written rolling plan, of at least three years’ duration, that covers the entirety of the RSE licensee’s business operations (business plan). The business plan must be approved by the Board and set out the RSE licensee’s approach for implementing and delivering on its strategic objectives.
Financial resource management
An RSE licensee must ensure that the use of any new fee power, or the use of an existing power for the first time, is approved by the Board.
Transfer of MySuper product assets
The Board is accountable for ensuring that, following the cancellation of an authority to offer a MySuper product, any affected MySuper product assets are transferred into another MySuper product within the timeframe stipulated in section 29SAB of the SIS Act.
The Board must ensure that there are clear roles and responsibilities at a senior executive level for the purpose of meeting the requirements in paragraphs 36 to 43 of this Prudential Standard.
Prudential standard
The role of the Board
The Board of an RSE licensee (the Board) must, for the RSE licensee’s business operations, at a minimum:
approve investment objectives for each investment option offered in each RSE;
approve an investment strategy, in respect of each RSE, that is consistent with the RSE licensee’s duties to beneficiaries, including those in section 52(6) and (13) (if applicable) of the SIS Act and the requirements in this Prudential Standard:
for the whole of that RSE; and
in respect of each investment option offered in that RSE;
monitor and assess regularly whether the investment objectives are being met; and
take appropriate and timely action regarding information contained in reports to the Board on investment matters.
RSE licensees that are part of a group
Where an RSE licensee is part of a corporate group, and the RSE licensee utilises group policies or functions, the Board must approve the use of group policies and functions and must ensure that these policies and functions give appropriate regard to the RSE licensee’s business operations.
Investment governance framework
The Board is ultimately responsible for the establishment, implementation, oversight and maintenance of an RSE licensee’s investment governance framework.
An RSE licensee’s investment governance framework must, at a minimum, include:
all Board policies relating to investment activities;
structures, policies and processes relating to investment activities, including for investment performance and risk measurement, assessment, stress-testing, valuations and reporting to the Board and senior management; and
Monitoring investments
An RSE licensee must determine appropriate measures, for the purposes of monitoring performance on an ongoing basis, in respect of each MySuper product, each investment option and each investment within an investment option. These measures must include appropriate performance benchmarks and a methodology for setting performance benchmarks. These measures, other than performance benchmarks for each investment within an investment option, must be approved by the Board.
An RSE licensee must ensure that the performance of each investment option and each MySuper product is regularly reported to the Board and senior management. This reporting must include an assessment of the sources of out-performance and under-performance relative to appropriate performance benchmarks as determined by the RSE licensee under paragraph 25.
Reviewing the investment strategy
For each investment strategy, an RSE licensee must have a review policy that is approved by the Board and that, at a minimum, requires each investment strategy to be reviewed against its investment objectives on at least an annual basis. The policy must also include:
the triggers that will cause an interim review of the investment strategy in addition to the annual review;
the processes for reporting the results of each review to the Board; and
the criteria that will determine whether the investment strategy must be changed.
On receipt of the results of a review of an investment strategy undertaken in accordance with the review policy, the Board must ensure that any decision to amend the investment strategy is supported by sufficient justification and analysis.
Investment stress testing
An RSE licensee must have a comprehensive investment stress testing program that is approved by the Board and is integrated into an RSE licensee’s investment governance framework.
The comprehensive investment stress testing program must, at a minimum include:
the roles and responsibilities of persons (both internal and external) involved in the design, implementation, review, reporting and oversight of investment stress testing, including the role of the Board, relevant Board committees and senior management;
An RSE licensee must ensure that the results of the comprehensive investment stress testing program are:
reviewed periodically by the Board, relevant Board committees, and senior management; and
The Board must document the methodology for stress scenario selection and how the results of the comprehensive stress testing program have been used in decision-making.
Liquidity and cash flow management
An RSE licensee must, at a minimum, have a liquidity management plan, approved by the Board, for each RSE within its business operations that:
covers each investment option in the RSE;
outlines the procedures determined by the RSE licensee for measuring and managing liquidity on an ongoing basis;
includes consideration of how the liquidity of investment options in an RSE can be managed in a range of stress scenarios;
identifies the circumstances the RSE licensee considers to be a significantly adverse liquidity outcome that requires action (liquidity event);
outlines what action the RSE licensee will take when a liquidity event occurs;
outlines the roles and responsibilities of persons involved in the management and oversight of liquidity risk, including the role of the Board, relevant Board committees and senior management; and
outlines information, including key metrics, that must be reported to the Board, relevant Board committees and senior management, to ensure adequate oversight of liquidity risk.
An RSE licensee must ensure that information, including key metrics referred to in paragraph 36(g) are periodically reviewed by the Board, relevant Board committees and senior management, to ensure that such information and key metrics remain suitable.
Valuation governance framework
The valuation governance framework must include a Board-approved valuation policy which, at a minimum, outlines:
the roles and responsibilities of persons for the oversight and management of valuation processes and procedures, including the Board, relevant Board committees and senior management;
the key metrics and information that must be reported to the Board, relevant Board committees and senior management, and the frequency of that reporting;
the valuation methodology employed for each asset class (and sub-asset class and instrument/holding vehicle type where relevant), including the sources of valuation inputs;
the circumstances under which independent external valuations are to be obtained;
the frequency of valuation of investments having regard to the prevailing market, economic environment, member equity considerations and matters concerning the ongoing appropriateness of the asset valuation;
the circumstances in which interim valuations are to be made, to ensure the approach taken is consistent and transparent;
the triggers that would require an interim valuation of investments outside of the frequency determined under paragraph 40(e) and which reflect the circumstances identified in paragraph 40(f);
a review process to ensure that the valuation policy remains effective;
the validation of valuation outputs including any back-testing procedures; and
the circumstances as to when to accept, reject or reassess valuations of investments to ensure that an RSE licensee’s valuations remain appropriate, including an escalation procedure for the resolution of any disputed valuations.
An RSE licensee must ensure that the key metrics and information referred to in paragraph 40(b) are periodically reviewed by the Board, relevant Board committees and senior management, to ensure that such information and the key metrics remain appropriate to enable sufficient oversight of valuation risk.
Practice guide
The role of the board
Board responsibility
An RSE licensee’s Board (the Board) is ultimately responsible for ensuring its governance of investments supports effective investment decisions that deliver quality retirement outcomes for beneficiaries that are consistent with the strategic direction of each RSE within the RSE licensee’s business operations.
An effective Board balances the need to provide review and challenge of key investment decisions, with an appropriate delegation framework that allows the Board to maintain visibility, knowledge and appropriate control and oversight of the exercise of delegations.
The Board would be able to demonstrate that it has:
an appropriate mix of investment-related skills and expertise;
clearly documented delegations that consider the roles and decision-making responsibilities within the RSE licensee, ensuring segregation of duties between those implementing investment decisions and those reviewing performance and risk outcomes;
access to external experts and their advice, views and insights to support the Board fulfilling its obligations under SPS 530, as required; and
appropriate oversight and reporting mechanisms.
When considering the appropriate level of Board oversight of investments, APRA expects the Board would be able to demonstrate how it effectively governs the number and complexity of investment decisions and ensures an appropriate non-executive assessment of investment decisions.
APRA expects an RSE licensee would consider establishing a Board committee, such as a Board Investment Committee, to support the Board. It is important that the governance arrangements for such committees are well considered and documented in a charter or terms of reference, to ensure appropriate membership with expertise, diversity and the necessary resources to support its effective function.
RSE licensee that are part of a group
The use of group policies may enable an RSE licensee to operate in a manner that is consistent with the group. When approving the use of group policies, a Board would demonstrate why it considers the policies to be appropriate to deliver outcomes to beneficiaries, including how conflicts between RSE licensee policies and group policies are to be managed, in accordance with the requirements of Prudential Standard SPS 521 Conflicts of Interest, as well as how the Board will be engaged in the process of reviewing these policies over time.
Investment governance framework
Establishing the framework
APRA expects the Board would demonstrate how it understands, in a practical way, its role in the investment governance framework and how it ensures that appropriate approvals to changes in the framework are managed.
APRA expects the Board would provide clear strategic investment direction, including the setting of investment objectives and investment strategies. The Board would also demonstrate their involvement in the implementation of the investment governance framework, including how it goes about making key investment decisions and reviewing and challenging key investment reports to support oversight.
Risk factor considerations
Investment risk
An RSE licensee would demonstrate how the investment risk assessment has informed the investment strategy and is consistent with appetite and tolerances for investment risk exposures. APRA expects that the key findings would be subject to dedicated discussion with the Board and Board committee, where relevant.
Asset allocation
Where an RSE licensee implements investment portfolio positions away from strategic positions to either manage risk or generate excess returns, APRA expects portfolios would be managed in accordance with a specific and formal policy that covers permitted ranges, internal reporting (including to the Board and Board committee, where relevant) and a review and approval process for making changes to the asset allocation.
Giving effect to the investment strategy
Selection processes
Due diligence
Where an RSE licensee manages assets internally, the RSE licensee would ensure due diligence is conducted in accordance with a specifically documented process to ensure that appropriate systems, data, processes and personnel are in place to manage investments. This would be conducted by persons independent to those managing the investments. APRA expects either the Board or Board committee, where relevant, would approve internally managed investment strategies.
Rebalancing
An RSE licensee would demonstrate how their approach to rebalancing considers:
reporting to the Board and Board committee, where relevant; and
Where an RSE licensee uses an investment option as a liquidity provider, an RSE licensee would be able to demonstrate and clearly document the appropriateness of this purpose with reference to liquidity impacts, member equity and how these are considered through stress testing. An RSE licensee would also ensure liquidity provider arrangements are subject to periodic review and regular oversight by the Board or Board committee, where relevant.
Monitoring investments
Monitoring investment performance
While APRA expects performance and risk outcomes of investment options would be reported to the Board on at least a quarterly basis, it is open to an RSE licensee to adopt a different approach to reporting on individual underlying investments where it provides the Board and/or Board committee with sufficient visibility over drivers of performance outcomes and the opportunity to better understand particular assets or asset classes.
APRA expects an RSE licensee would be able to demonstrate how the approach for reporting to the Board and/or Board committee supports information about performance that is timely, relevant and enables effective challenge and understanding of the drivers of performance through attribution analysis. At a minimum, such monitoring would include information with respect to the legislated annual performance assessment and APRA heatmaps.
Stress testing
Stress testing results
Clear and meaningful reporting to the Board and Board committees enables the Board to understand and challenge the insights from stress testing and the potential actions relating to investment decisions that might be taken to respond to the results.
APRA expects an RSE licensee would demonstrate how its stress testing program informs, at a minimum, its business planning process and investment strategy, including risk tolerances and liquidity management plan. APRA expects stress testing results would promote challenge from, and provide insights to, the Board about the potential impacts of different scenarios on outcomes for beneficiaries.
Stress testing methodology
The Board would demonstrate how it provides input and challenge in the development and consideration of the plausible, but severe, scenarios most relevant to the RSE’s investments.
An RSE licensee would ensure that reporting to the Board would explain the basis for choosing scenarios, the assumptions used, including any key limitations, the outcomes of the stress testing and potential actions that are to be considered, including any rebalancing or risk mitigation activities.
Valuation governance
Valuation governance framework
An RSE licensee’s valuation framework would ensure:
effective Board and management ownership, oversight, robust policies and processes, and the allocation of adequate expertise and resources to the valuation of investments. This would be supported by the RSE licensee’s Board approved valuation policy that is well understood by those responsible for its application;
Valuation policy
It is important that the Board has adequate expertise and resources available to it to support a robust valuations framework. A Board may consider delegating oversight of valuation processes to a Board committee, for example, the Board Investment Committee or a Valuation Committee.
Where a Board delegates oversight of valuation processes to a Board committee, APRA expects that the committee would be comprised of persons who have sufficient skills, knowledge and information to provide meaningful oversight of valuation processes.
Independent external valuations
APRA expects an RSE licensee would consider seeking regular independent valuations across asset classes, either on a sample or rotational basis. Reporting to the Board, or Board committee, on independent valuations would ordinarily include the number and type of independent valuations conducted and any key findings or deviations (delta) between methodologies.
Frequency
APRA expects an RSE licensee would determine the circumstances in which valuations would be reported to the Board and management.
Recovery and Resolution
Recovery and Resolution standards require entities to strengthen crisis preparedness. They include requirements such as resolution, recovery and exit planning.
Recovery
Prudential standard
Role of the Board
The Board of an APRA-regulated entity is ultimately responsible for the oversight of the entity’s recovery and exit planning. The Board of an APRA-regulated entity must:
approve the recovery and exit plan;
oversee reviews of the recovery and exit plan and ensure any findings are addressed by management; and
oversee the execution of any recovery and exit actions.
The Board of an SFI must also form a view on the sufficiency of recovery capacity to restore financial resilience in periods of stress. Where the Board views recovery capacity to be insufficient, the SFI must improve its recovery and exit plan or take other actions to improve its financial resilience.
Notification
An APRA-regulated entity must provide a copy of the recovery and exit plan to APRA following each review, within three months of the recovery and exit plan being approved by the Board.
Practice guide
Role of the Board
Changes in market conditions, business models or growth plans can impact the assumptions used in recovery and exit planning, and it is important that the plan continually evolves over time. APRA expects Board oversight to play a key role in maintaining the credibility of the plan over time.
Resolution
Prudential standard
Role of the Board
The Board of an APRA-regulated entity must support APRA in resolution planning and is ultimately responsible for ensuring that the entity meets the requirements of this Prudential Standard. The Board must ensure that there are clear roles and responsibilities at a senior executive level for the purpose of meeting the requirements in this Prudential Standard.
The Board must provide oversight of and approve, where applicable:
a resolvability assessment; and
a pre-positioning plan.
Practice guide
Developing a resolution plan
Role of the Board
Once an APRA-regulated entity has been subject to CPS 900, the Board of the entity must ensure that the entity meets the requirements of this Prudential Standard. In practice, this would mean that the entity is ready for the execution of the resolution plan (‘resolvable’). It would involve the Board overseeing the steps in preparing for resolution, including the implementation of pre-positioning actions and maintenance of capabilities necessary for resolution.