APRA has released for further consultation details of amendments to Prudential Standard CPS 220 Risk Management and Prudential Practice Guide CPG 220 Risk Management, which are due to come into effect on 1 January 2015. (Background).
In a letter to ADIs and insurers, APRA says these amendments are in addition to including a definition of ‘ensure’ in the definitions standard for each industry and amending the risk management declaration wording to take account of materiality, as foreshadowed in its letter of 8 May 2014.
The revised definition of “ensure” when used in relation to Board responsibility is:
‘Ensure: when used in relation to a responsibility of the board, means to take all reasonable steps and make all reasonable enquiries as are appropriate for a board so that the board can determine, to the best of its knowledge, that the stated matter has been properly addressed.’
CPS 220 has been amended to clarify the role of the board in setting risk appetite and in risk culture and the role of board committees (and the board) in the three lines of defence.
The three lines of defence model in Appendix A of CPG 220 (see image below) has been amended to more accurately reflect the role of the Board Risk and Board Audit Committees in assisting the Board.
The letter of 7 October also states that “the detailed description of the three lines of defence model in the CPG reflects APRA’s view of good practice (which might reasonably be adopted in the absence of sound reasons why an alternative approach is appropriate) rather than a mandatory requirement.”
The letter clarifies that the two directors (namely the chairperson of the Board and the chairperson of the Board Risk Committee) sign the declaration in Attachment A to the Prudential Standard on behalf of the whole board, and not in their individual capacity.
The 3 lines of defence.