APRA prudential practice guide on risk management

The draft CPG 220 is intended to provide guidance to APRA-regulated entities on how to meet the requirements under the new APRA Prudential Standard CPS 220 – Risk Management. However, Company Directors is concerned that CPG 220 goes beyond mere guidance and in fact imposes an even greater regulatory burden than is provided for under CPS 220, and particularly with respect to the expectations that it sets for the boards of APRA-regulated entities.

Key comments made in our submission included:

• While the draft CPG 220 is intended to provide additional guidance on APRA’s expectations for risk management under CPS 220, it will in fact have the effect of further increasing the standards of risk management governance for APRA-regulated entities and significantly extends the expectations of what a board should be responsible for with respect to risk management. In our view, this is inappropriate and unjustified. It should be limited to providing much needed guidance as to how APRA-regulated entities can meet their obligations under the new CPS 220 without adding greater obligations and expectations, particularly on the boards (and possibly the individual directors) of those entities.
• One of the most significant ways CPS 220 has increased risk governance standards for APRA-regulated entities beyond what is required under the Principles is the requirement that boards “ensure” the entity’s risk management framework is in place and operating effectively. Rather than clarifying what APRA’s intent was for these requirements for the board to “ensure” it fulfils its duties under CPS 220, draft CPG 220 blurs the roles and responsibilities of the board and of senior management further.
• The confusion in the draft CPG 220 between what the roles and responsibilities of the board are on the one hand, and what the roles and responsibilities of management are on the other hand suggests that APRA’s understanding and concept of board oversight is misconceived. APRA seems to see boards as having a hands-on role in company affairs, akin to that of management. As overseers of risk management, the board is not in a position to “ensure” the matters that it is required to under CPS 220 and draft CPG 220 as they are either matters that are outside their purview or they are matters that are not really capable of being determined with the requisite degree of certainty. Any suggestion that this blurring of the roles of the board and of management is good for governance and proper functioning of an organisation is, in our view, confused.
• By increasing the role and responsibilities of boards with respect to risk management, the effect of CPS 220 and draft CPG 220 will be to further add to the already heavy regulatory and compliance burden placed on the boards of APRA-regulated companies.
• The increased regulatory burden of APRA-regulated entities under CPS 220 and draft CPG 220 is also contrary to the federal government's current deregulation agenda, which seeks to identify and remove unnecessary and excessive regulation to ease the compliance burden of Australian businesses and improve productivity growth in Australia.