APRA has mandated an insurer to undertake a risk remediation program & has increased its capital requirements in response to concerns about its risk governance.
APRA's decision follows a prudential review that identified significant weaknesses in the insurer’s risk governance, risk management & compliance practices. These included capability & capacity weaknesses in the risk function, ineffectiveness of the 'three lines of defence' model, & weak risk reporting. The review also revealed unclear accountabilities and responsibilities across the business, & overall, an immature risk culture.
Given the heightened prudential risk arising from the identified weaknesses, APRA has also imposed an additional $50 million capital requirement in the form of an operational risk charge.
Measuring compliance risk maturity
There are many benefits in measuring compliance risk maturity:
- Identification of gaps & weaknesses in your compliance arrangements;
- A prioritised action plan to close out gaps by adopting a risk-based approach;
- Enables the allocation of resources (including human, technology & financial) to those areas of strategic, customer or regulatory importance;
- Provides transparent criteria to benchmark progress & facilitate board reporting; &
- Enables different maturity levels to be set as targets for each of the 4 components.
How to conduct an analysis of compliance risk maturity (in the insurance industry)
Step 1 – there are 4 components or categories that are assessed from a compliance risk perspective – (1) governance, (2) process & procedures, (3) people and (4) systems & reporting. A compliance review is conducted to determine the firm’s current state against each of these components;
Step 2 – the current state is assessed as either ‘basic, evolving, established, advanced or optimised’. Pre-agreed criteria are used to describe each phase of maturity, enabling a robust conversation to take place so that a realistic current state is determined. The current state is plotted on the matrix for each category;
Step 3 – recognising the cost-benefit trade-off, the board sets the desired level of risk maturity to be achieved over a defined period for each component. For example, the Board may set a target that within 18 months: systems will be ‘Advanced’ while people will be ‘Optimised’. This enables a strategic allocation of resources & a plan that can be shared with key stakeholders;
Step 4 – actions are developed, costed & approved to achieve the target level of risk maturity for each of the 4 components;
Step 5 – Progress to plan is monitored & included in board reporting.
Please contact me if you would like to explore the compliance reviews & risk maturity assessments I provide.