About this guide

The Board of an APRA-regulated entity is ultimately responsible for all aspects of governance, oversight and compliance with all relevant laws and regulations. This guide consolidates specific requirements and guidance for ADI boards from APRA’s prudential standards and prudential practice guides (PPGs). It does not introduce new requirements or guidance and excludes obligations that come from primary legislation. 

See the Prudential Handbook for the full suite of prudential standards and guidance applicable to ADIs. 

Governance

Governance standards require entities to act with honesty and integrity and to be run by people with the right skills, knowledge and experience. They include foundational requirements for good governance and the fitness and propriety of people in positions of responsibility. 

Board

Prudential Standard

Additional requirements of the Head of a group
The Board of the Head of a group is ultimately responsible for oversight of the sound and prudent management of the group and must have the following committees for the group:
a group Board Audit Committee that meets the requirements of paragraphs 52 to 67 and that assists the Board by providing an objective non-executive review of the effectiveness of the group’s financial reporting and group risk management framework; and
a group Board Risk Committee that meets the requirements of paragraphs 80 to 87 and that assists the Board by providing an objective non-executive oversight of the implementation and operation of the group risk management framework.
The Board of a Head of a group must ensure that directors and senior management of the group, collectively, have the full range of skills needed for the effective oversight and prudent management, respectively, of the group. This does not lessen the responsibility of each of the individual Boards of the institutions within the group for their institutions.

A. Governance arrangements – locally incorporated APRA-regulated institutions

The Board and senior management
The Board of directors (the Board) of a locally-incorporated APRA-regulated institution is ultimately responsible for oversight of the sound and prudent management of that institution.
The Board must have a formal charter that sets out the roles and responsibilities of the Board.
The Board, in fulfilling its functions, may delegate authority to management to act on behalf of the Board with respect to certain matters, as decided by the Board. This delegation of authority must be clearly set out and documented. The Board must have mechanisms in place for monitoring the exercise of delegated authority. The Board cannot abrogate its responsibility for oversight of the functions delegated to management.
The Board must ensure that directors and senior management of the institution collectively have the full range of skills needed for the effective and prudent operation of the institution, and that each director has skills that allow them to make an effective contribution to Board deliberations and processes. This includes the requirement for directors, collectively, to have the necessary skills, knowledge and experience to understand the risks of the institution, including its legal and prudential obligations, and to ensure that the institution is managed in an appropriate way taking into account these risks. This does not preclude the Board from supplementing its skills and knowledge by engaging external consultants and experts.
Directors and senior management of a locally incorporated APRA-regulated institution must be available to meet with APRA on request.
The Board must provide the auditor and the Appointed Actuary of the institution, as relevant, with the opportunity to raise matters directly with the Board.

Independence
If the Board of a locally incorporated APRA-regulated institution is in doubt about a director’s independence for the purposes of this Prudential Standard, the APRA-regulated institution may refer the matter to APRA for guidance.

Board composition
The Board of a locally incorporated APRA-regulated institution must have a minimum of five directors at all times.
The Board must have a majority of independent directors at all times. For a locally incorporated APRA-regulated institution that is a of another APRA-regulated institution or overseas equivalent, exceptions may apply as set out at paragraphs 37 to 39. For a locally incorporated APRA-regulated institution that is a subsidiary of a parent company that is not prudentially regulated, exceptions may apply as set out at paragraph 40.
The chairperson of the Board must be an independent director of the APRA-regulated institution.
A majority of directors present and eligible to vote at all Board meetings must be non-executive directors.
The chairperson of the Board cannot have been the Chief Executive Officer (CEO) of the APRA-regulated institution at any time during the previous three years. If the position of the CEO is unexpectedly vacated, the chairperson may serve as an interim CEO. After a period of 90 days, approval must be sought from APRA to allow this arrangement to continue.
The chairperson must be available to meet with APRA on request.
For a locally owned and incorporated APRA-regulated institution, a majority of directors must be ordinarily resident in Australia.
For a foreign-owned, locally incorporated APRA-regulated institution, at least two of the directors must be ordinarily resident in Australia, at least one of whom must also be independent.

Board representation
Where an individual shareholding is greater than 15 per cent, as approved under the Financial Sector (Shareholdings) Act, the Board representation of that shareholding may be greater than allowed in paragraph 34, although it must still be broadly proportionate to the shareholding concerned.
For a locally incorporated ADI that operates as a special service provider, the ADI may apply to APRA for approval for alternative Board composition arrangements that meet the objectives of this Prudential Standard. APRA may approve alternative arrangements for the ADI if satisfied that those arrangements will, in APRA’s opinion, achieve the objectives of this Prudential Standard.

Locally incorporated APRA-regulated institutions that are subsidiaries of other APRA-regulated institutions or overseas equivalents
For a locally incorporated APRA-regulated institution that is a subsidiary of another APRA-regulated institution or an overseas equivalent, the Board must have a majority of non-executive directors, but these non-executive directors need not all be independent.
An institution to which paragraph 37 applies will be required to have, at a minimum, two independent directors, in addition to an independent chairperson, where the Board has up to seven members. Where the Board has more than seven members, the institution will be required to have at least three independent directors, in addition to an independent chairperson.
For the purposes of meeting the requirements in paragraph 38, the independent directors on the Board of the parent company or its other subsidiaries may also sit as independent directors on the Board of the institution.

Subsidiaries of a parent that is not prudentially regulated
For a locally incorporated APRA-regulated institution that is a subsidiary of another entity not covered by the arrangements in paragraphs 37 to 39 of this Prudential Standard, the Board must have a majority of independent directors. However, independent directors on the Board of the parent company or its other subsidiaries may also sit as independent directors on the Board of the institution.

Joint ventures
For the purposes of this Prudential Standard, a locally incorporated APRA-regulated institution that operates as a joint venture can be considered as part of the group of each . Independent directors of a parent may sit as independent directors on the Board of the joint venture entity. However, the general concessions available to subsidiaries in paragraphs 37 to 39 are not available to joint ventures.

APRA-regulated institutions that are part of a group or any other corporate group
Where a locally incorporated APRA-regulated institution is part of a group or any other corporate group, and the APRA-regulated institution utilises group policies or functions, the Board of the APRA-regulated institution must approve the use of group policies and functions and must ensure that these policies and functions give appropriate regard to the APRA-regulated institution’s business and its specific requirements.

Board performance assessment
The Board of a locally incorporated APRA-regulated institution must have procedures for assessing, at least annually, the Board’s performance relative to its objectives. It must also have in place a procedure for assessing, at least annually, the performance of individual directors.

Board renewal
The Board of a locally incorporated APRA-regulated institution must have in place a formal policy on Board renewal. This policy must provide details of how the Board intends to renew itself in order to ensure it remains open to new ideas and independent thinking, while retaining adequate expertise. The policy must give consideration to whether directors have served on the Board for a period that could, or could reasonably be perceived to, materially interfere with their ability to act in the best interests of the institution. The policy must include the process for appointing and removing directors, including the factors that will determine when an existing director will be re-appointed.

B. Governance arrangements – foreign ADIs, Category C insurers and EFLICs
As in the case of locally incorporated APRA-regulated institutions, the ultimate responsibility for the safety and soundness of a foreign ADI or a Category C insurer resides with its Board. Foreign ADIs and Category C insurers must nominate a senior officer (whether a director or senior executive) outside Australia with delegated authority from the Board (senior officer outside Australia) who will be responsible for overseeing the Australian branch operation.

C. Audit arrangements

Board Audit Committee
An APRA-regulated institution (excluding foreign ADIs and Category C insurers but including EFLICs) must have a Board Audit Committee, which assists the Board by providing an objective non-executive review of the effectiveness of the institution’s financial reporting and risk management framework.
The Board Audit Committee is required to provide prior endorsement for the appointment or removal of the institution’s auditor and Head of Internal Audit. If the auditor or Head of Internal Audit is removed from their position, the reasons for removal must be discussed with APRA as soon as practicable, and no more than 10 business days, after the Committee’s endorsement is agreed upon.
The Board Audit Committee must review the engagement of the auditor at least annually, including making an assessment of whether the auditor meets the Audit Independence tests set out in APES 110 Code of Ethics for Professional Accountants, as well as the additional auditor independence requirements set out in this Prudential Standard.
For a foreign ADI or a Category C insurer, the assessment referred to in paragraph 58 is the responsibility of the senior officer outside Australia, and for an EFLIC, it is the responsibility of the Compliance Committee.
The Board Audit Committee must regularly review the internal and external audit plans, ensuring that they cover all material risks and financial reporting requirements of the institution. It must also regularly review the findings of audits, and ensure that issues are being managed and rectified in an appropriate and timely manner.
The Board Audit Committee must ensure the adequacy and independence of both the internal and external audit functions.
The members of the Board Audit Committee must, at all times, have free and unfettered access to senior management, the internal auditor, the heads of all risk management functions, the auditor and the Appointed Actuary, as applicable, and vice versa.
The Board Audit Committee must ensure that the APRA-regulated institution maintains policies and procedures for employees of the institution to submit, confidentially, information about accounting, internal control, compliance, audit, and other matters about which the employee has concerns. The Committee must also ensure that the APRA-regulated institution has a process for ensuring employees are aware of these policies and for dealing with matters raised by employees under these policies.
Members of the Board Audit Committee must be available to meet with APRA on request.
The Board Audit Committee must invite the auditor and the Appointed Actuary, as applicable, to meetings of the Committee.
The internal auditor must have a reporting line and unfettered access to the Board Audit Committee.

independence
The Board of the APRA-regulated institution, senior officer outside Australia or the Compliance Committee, as relevant, must, to the extent practical, undertake steps to satisfy itself that the auditor, who undertakes work for the APRA-regulated institution in relation to the Prudential Acts, prudential standards or reporting standards, is independent of the institution, and that there is no conflict of interest situation that could compromise, or be seen to compromise, the independence of the auditor.

D. Board Risk Committee
The Board of an APRA-regulated institution (excluding foreign ADIs and Category C insurers but including EFLICs) must have a Board Risk Committee, which assists the Board by providing an objective non-executive oversight of the implementation and operation of the institution’s risk management framework.

Attachment A – Director Independence
A director is not independent if the director:
is a substantial shareholder of the APRA-regulated institution or an officer of, or otherwise associated directly with, a substantial shareholder of the institution;
is employed, or has previously been employed in an executive capacity by the APRA-regulated institution or another member of the group, and there has not been a period of at least three years between ceasing such employment and serving on the Board;
has within the last three years been a principal of a material professional adviser or a material consultant to the APRA-regulated institution or another member of the group, or an employee materially associated with the service provided;
is a material supplier or customer of the APRA-regulated institution or another member of the group, or an officer of or otherwise associated directly or indirectly with a material supplier or customer; or
has a material contractual relationship with the APRA-regulated institution or another member of the group other than as a director.

Attachment B – Compliance Committee for eligible foreign life insurance companies

Purpose of the Compliance Committee
The purpose of the Compliance Committee (referred to in this Attachment as ‘the Committee’) is to:
ensure the eligible foreign life insurance company (EFLIC) complies with the requirements in, or imposed under, the Life Insurance Act; and
assist the Board in meeting its responsibilities under the Life Insurance Act.
As required by subsections 16ZF(1) and (4) of the Life Insurance Act, the Board must delegate sufficient powers of management to the members of the Committee to enable Committee members to ensure that the EFLIC complies with the requirements in, or imposed under, the Life Insurance Act. The Board must do so irrespective of anything to the contrary in the EFLIC’s constitution.

Continuing responsibility of the Board
Establishment of the Committee does not free the Board from ultimate responsibility for ensuring the Australian branch of the EFLIC complies with the requirements in, or imposed under, the Life Insurance Act.
In recognition of this, the Board must:
ensure that the delegation of relevant managerial powers (of the kind referred to in paragraph 16ZF(1)(a) and (b) of the Life Insurance Act) is not irrevocable, and that the Board retains the powers delegated; and
establish adequate procedures for monitoring and supervising the operation of the Committee, as well as assessing its performance.

Composition and residency status of Committee members
The Committee must comprise at least five members appointed by the Board. Those members must include:
at least one director of the Board of the EFLIC;

Appointment and removal of Committee members
The power to appoint and remove members of the Committee resides with the Board.
The Board must have appointed all members and formally constituted the Committee within seven days of receiving notification of registration.
The Board must ensure that the Committee as a whole possesses the necessary skills and expertise to ensure that the EFLIC complies with the requirements in, or imposed under, the Life Insurance Act, and to discharge the duties and responsibilities of the Committee provided for in this Prudential Standard.
While membership of the Committee is the responsibility of the Board, the powers to appoint and remove members of the Committee must not be used in a manner that impedes, discourages or otherwise hinders the Committee from discharging its duties and responsibilities. Examples that would be cause for concern by APRA would be an excessive turnover of members, or the removal of members at inappropriate times (for example at critical reporting periods). If requested to do so by APRA, an EFLIC must, within a time stipulated by APRA (which must not be unreasonable), provide a written report to APRA responding to any queries APRA has regarding the removal of members.
Related Guidance
APG 223

Risk management framework
Consistent with Prudential Standard CPS 220 Risk Management (CPS 220), where residential mortgage lending forms a material proportion of an ADI’s lending portfolio and therefore represents a risk that may have a material impact on the ADI, it would be prudent for the Board of directors (the Board) and senior management to specifically address residential mortgage lending in its risk management framework, in particular in the risk appetite statement, risk management strategy and business plans.

APRA’s expectations of an ADI Board for residential mortgage lending
Where residential mortgage lending forms a material proportion of an ADI’s lending portfolio and therefore a risk that may have a material impact on the ADI, APRA expects that the Board would take reasonable steps to satisfy itself as to the level of risk in the ADI’s residential mortgage lending portfolio and the effectiveness of its risk management framework. This would, at the very least, include:
specifically addressing residential mortgage lending in the ADI’s risk appetite, risk management strategy and business plans;
seeking assurances from senior management that the approved risk appetite is communicated to relevant persons involved in residential mortgage lending and is appropriately reflected in the ADI’s policies and procedures; and
seeking assurances from senior management that there is a robust management information system in place that:
tracks material risks against risk appetite;
provides periodic reporting on compliance with policies and procedures, reasons for significant breaches or material deviations and updates on actions being taken to rectify breaches or deviations; and
provides accurate, timely and relevant information on the performance and risk profile of the residential mortgage lending portfolio.

Oversight and review
Typically, senior management is responsible for monitoring compliance with material policies, procedures and risk limits and reporting material breaches or overrides to the Board. Further, where risk limits are routinely breached or policies and procedures overridden, senior management and the Board could consider whether this is indicative of a less prudent lending culture than that reflected in its risk appetite and what steps could be necessary to remedy any identified deficiency.
In order to establish robust oversight, the Board and senior management would receive regular, concise and meaningful assessment of actual risks relative to the ADI’s risk appetite and of the operation and effectiveness of internal controls. The information would be provided in a timely manner to facilitate early corrective action.
A prudent ADI would have controls in relation to its residential mortgage portfolio that have appropriate regard to the level of risk within the portfolio. Portfolios that have higher inherent risk, for example where the portfolio is usually operating at the higher end of risk limits, would typically be accompanied by stronger controls, including:
increased monitoring and more granular reporting to the Board and senior management;
Consistent with CPS 220, the aspects of the risk management framework that apply to the residential mortgage lending portfolio would be subject to a comprehensive review by an operationally independent and competent person at least every three years. The person would report the results of reviews to the Board, providing an independent and objective evaluation of the appropriateness, adequacy and effectiveness of the risk management framework with respect to the portfolio.

Management information systems
Further, a prudent ADI would have analytical capability that allows it to monitor, analyse and report key metrics against risk appetite and to assess the residential mortgage portfolio at both the individual loan level and portfolio level. The data, when collectively presented to the Board and senior management, would enable an accurate and meaningful assessment of the residential mortgage portfolio. A history of low defaults does not justify under-investment in management information systems.

Remuneration
Prudential Standard CPS 510 Governance (CPS 510) requires the Board-approved ADI remuneration policy to be aligned with prudent risk-taking. CPS 510 requires the remuneration policy to apply to responsible persons, risk and financial control personnel and all other persons whose activities may affect the financial soundness of the regulated institution.  Where the residential mortgage lending portfolio is material, a prudent ADI would apply its remuneration policy to the persons involved in residential mortgage lending. This would include remuneration of third parties, particularly mortgage broker firms, when they are responsible for origination of a material proportion of the residential mortgage loan portfolio. For the avoidance of doubt, the ADI remuneration policy is intended to capture an ADI’s engagement with its brokers, not how a broking firm pays its staff. Alternatively, the ADI may address such remuneration arrangements within its risk management framework with appropriate senior management or Board oversight.

Loan origination
When an ADI is increasing its residential mortgage lending rapidly or at a rate materially faster than its competitors, either across the portfolio or in particular segments or geographical areas, a prudent Board would seek explanation as to why this is the case. Rapid relative growth could be due to an unintended deterioration in the ADI’s loan origination practices, in which case APRA expects that an ADI’s risk management framework would facilitate rapid and effective measures to mitigate any consequences.

Overrides
Good practice is for regular override reporting to be provided to senior management and to the Board. Such reporting would include:
delinquency rates for residential mortgage loans approved as overrides and exceptions;
tracking against risk tolerance limits for overrides;
reasons for overrides; and
distribution of overrides across business units, products, locations, third-party originators and, where relevant, ADI officers associated with a disproportionate number of overrides.

Loan-to-valuation ratios
A prudent ADI would monitor exposures by LVR bands over time. Significant increases in high LVR lending would typically be a trigger for senior management to review risk targets and internal controls over high LVR lending, with Board oversight. APRA has not formally defined ‘high LVR lending’, but experience shows that LVRs above 90 per cent (including capitalised LMI premium or other fees) clearly expose an ADI to a higher risk of loss.

Hardship loans and collections
An ADI following good practice would include a carefully considered collections strategy in its credit risk management framework for residential mortgage lending. The framework could include:
appropriate reporting to senior management and the Board on delinquencies, including recoveries and cost of collections.

Stress testing
Results from portfolio stress tests enable the Board and senior management to review an ADI’s risk appetite, capital adequacy and relevant strategic business decisions in both current and potential environments. For example, stress tests might identify vulnerabilities in certain product or borrower segments that would prompt an ADI to tighten its loan origination criteria or lower risk appetite limits on those products.
Stress testing arrangements include well-documented policies and procedures governing the stress testing program, including timely communication of the stress test results to the Board, senior management and other relevant staff. When reporting results, sufficient information would be provided to enable the Board and senior management to understand and challenge stress test assumptions and conclusions. This includes quantitative information on the scenario, results, capital impact, key assumptions and recommended actions arising from the stress tests. 
 

Accountability

Remuneration

Prudential Standard

A. Requirements for SFIs

Role of the

The Board, or , of an APRA-regulated entity is ultimately responsible for the entity’s remuneration framework and its effective application.
The Board must establish a Board Remuneration Committee that:
oversees the design, operation and monitoring of the remuneration framework;
is appropriately composed to enable it to exercise competent and independent judgment when fulfilling requirements under paragraph 25(a) above; and
has the powers necessary to perform its functions.

Board Remuneration Committee
The Board Remuneration Committee must have at least three members and all members must be non-executive directors of the entity.

Specified roles
The Board, or relevant oversight function, must approve the variable remuneration outcomes for persons in specified roles as follows:
individually for senior managers and executive directors; and
on a cohort basis for highly-paid material risk-takers, other material risk-takers and risk and financial control personnel.

Other requirements
In relation to the requirements for a Board Remuneration Committee and remuneration policy, where an APRA-regulated entity is part of a , or corporate group in the case of a , the Board of the APRA-regulated entity may:
use a group Board Remuneration Committee as the Board Remuneration Committee for the APRA-regulated entity, provided that:
the requirements set out in this Prudential Standard are met;
all members of the group Board Remuneration Committee are non-executive directors of the Head of the group in the context of an , or ; and
the Board of the entity has free and unfettered access to the group Board Remuneration Committee; and
adopt and apply a group remuneration policy that is also used by a related body corporate or a connected entity provided that the group remuneration policy:
meets the requirements of this Prudential Standard;
has been approved by the Board or relevant oversight function; and
gives appropriate regard to the entity’s business activities, its specific requirements and its remuneration framework.

B. Requirements for Non-SFIs

Role of the Board
The Board, or relevant oversight function, of an APRA-regulated entity is ultimately responsible for the entity’s remuneration framework and its effective application.

Specified roles
The Board, or relevant oversight function, must approve the variable remuneration outcomes for persons in specified roles as follows:
individually for senior managers and executive directors; and
on a cohort basis for highly-paid material risk-takers, other material risk-takers and risk and financial control personnel.

Other requirements
In relation to the requirements for a remuneration policy, where an APRA-regulated entity is part of a group, or corporate group in the case of a private health insurer, the Board of the APRA-regulated entity may adopt and apply a group remuneration policy that is also used by a related body corporate or a connected entity provided that the group remuneration policy:
meets the requirements of this Prudential Standard;
has been approved by the Board or relevant oversight function; and
gives appropriate regard to the entity’s business activities, its specific requirements and its remuneration framework.

Disclosures
An APRA-regulated entity must disclose information on the governance of the remuneration framework. This must include:
information on how the Board exercises its discretion in determining remuneration outcomes; and
a description of how the Board oversees remuneration policies and the input provided by the Board Risk Committee, other Board committees, or the risk function, including the Chief Risk Officer.
Related Guidance
CPG 511

Role of the Board
Under CPS 511, the Board, or relevant oversight function, is ultimately responsible for the entity’s remuneration framework and its effective application. 
APRA expects Boards to ensure that remuneration practices are well supported by broader frameworks and policies that influence behaviour, beyond financial rewards. This includes clear accountabilities and expectations for risk management, effective consequence management and a strong tone from the top on risk culture.
In providing oversight of remuneration, other prudential standards and guidance are also applicable, in particular requirements on governance and risk management. Broader regulatory requirements and expectations, including guidance provided by the Australian Securities and Investments Commission (ASIC), are also relevant for the Board. 

Board Remuneration Committee
Under CPS 511, the Board of a SFI is required to establish a Board Remuneration Committee (RemCo) to oversee the design and implementation of the remuneration framework. The RemCo is responsible for making recommendations to the Board annually on the remuneration arrangements and variable remuneration outcomes for persons in specified roles.
A prudent Board would ensure that the RemCo is composed of members with the appropriate skills, experience and expertise to exercise competent and independent judgment. This includes a clear understanding of what constitutes good risk management.
While the Board of a non-SFI is not required to establish a RemCo, it must put in place arrangements to meet the requirements of CPS 511 and ensure there is appropriate oversight of the remuneration framework and key remuneration decisions.

Board oversight and discretion
There may be occasions where the Board would need to exercise its discretion to challenge and override remuneration recommendations, and make downward adjustments for individuals, cohorts or all personnel.
A prudent Board would be actively engaged in the oversight of key remuneration decisions, providing robust challenge and independent scrutiny. Board oversight and discretion to adjust variable remuneration would be particularly relevant in unusual or exceptional circumstances. These circumstances may include:
material cases of adverse risk or conduct outcomes, especially where these have impacted the entity’s prudential standing or prudential reputation;
periods of stress in which the entity may be experiencing negative financial performance and erosion of its regulatory capital base; and
periods of stress in which the entity is provided with exceptional public sector support.
It is important that the Board uses its discretion in a timely and informed manner, rather than acting only on the basis of realised outcomes. For example, it could be appropriate for a Board to reduce pre-emptively variable remuneration during a period of stress, rather than waiting for losses to be realised. It would not be prudent to act only once risk issues are made public, to adopt management recommendations without challenge, or to excuse poor risk outcomes on the basis of good intent.

Board reporting
It is the responsibility of the Board and RemCo to guide management on the reporting it needs to fulfil its role. A prudent Board and RemCo would regularly review the information they are provided with to ensure that reporting is sufficient and insightful. Poor quality, inadequate, incomplete or voluminous reporting can significantly hamper oversight and challenge.

Remuneration framework

Specified roles
Under CPS 511, the variable remuneration outcomes for persons in specified roles must be approved by the Board, on either an individual or cohort basis. APRA expects the remuneration policy would define the particular specified roles for the entity, and summarise the remuneration arrangements for these roles.

Material risk-takers
As set out in CPS 511, the variable remuneration outcomes of all material risk-takers must be approved by the Board on a cohort basis. Good practice is to develop, disclose and keep under review a threshold definition for material risk-takers, including quantitative indicators and qualitative criteria for the identification of such roles.

Risk and financial control personnel
A prudent Board would closely monitor the remuneration of risk and financial control personnel as a cohort, to ensure arrangements are adequate to attract and retain suitably qualified, skilled and experienced staff.  

Service providers
A prudent entity would take reasonable steps to identify which service providers may give rise to material conflicts or risks. This may include a materiality threshold or definition, approved by the Board, which would be used to identify the scale and nature of service providers that are likely to present a material conflict or risk.

Remuneration design

Determining a material weight
In assessing whether material weight is being applied effectively in the design and determination of variable remuneration outcomes, a prudent Board would consider whether the weighting:
is a sufficient incentive to influence an individual’s behaviour, priorities and decisions;
is robust and cannot be overshadowed or diminished by performance or outperformance on financial measures;
is applied to measures over which the individual has a reasonable degree of control and influence;
is applied to measures that effectively support the objectives of the remuneration framework, including risk management; and
has been demonstrated to work in practice to incentivise prudent outcomes over time, where this is possible to determine.
A prudent Board would establish clear guidelines to ensure appropriate weight is applied to non-financial measures in the determination of variable remuneration. This could include a minimum level or range. Good practice would be for the Board to review these guidelines on an annual basis to ensure it is operating as intended in driving expected behaviours.
To assess whether the weighting for non-financial measures is driving intended behaviours and outcomes in practice, a prudent Board would consider how effectively risk and conduct is managed. Reporting on non-financial measures for the entity as a whole, as well as aggregate information on risk adjustments, would support this assessment. Entities with a high reliance on downward adjustments for adverse risk and conduct outcomes would investigate root causes and, where appropriate, consider if the weighting to non-financial measures needs to be increased or the design improved.

Risk and conduct adjustments

Downward adjustments
A prudent Board would consider a wide range of evidence and ensure appropriate mechanisms are in place to escalate issues. Good practice would be to consider, for example, known incidents, findings from audits and regulatory reviews, product failures, trends in conduct or risk incidents. APRA expects that a risk adjustment would be considered, for an individual or cohort, in the event of a breach of a prudential standard or other regulation.

Audit

Disclosure

Risk Management

Risk Management standards require entities to maintain effective risk management strategies and systems. They include requirements such as managing operational risk and risks specific to an industry. 

Risk Management

Prudential Standard

The role of the Board
The Board of an APRA-regulated institution is ultimately responsible for the institution’s risk management framework and is responsible for the oversight of its operation by management. In particular, the Board must ensure that:
it sets the risk appetite within which it expects management to operate and approves the institution’s risk appetite statement and risk management strategy (RMS);
it forms a view of the risk culture in the institution, and the extent to which that culture supports the ability of the institution to operate consistently within its risk appetite, identify any desirable changes to the risk culture and ensures the institution takes steps to address those changes;
senior management of the institution monitor and manage all material risks consistent with the strategic objectives, risk appetite statement and policies approved by the Board;
the operational structure of the institution facilitates effective risk management;
policies and processes are developed for risk-taking that are consistent with the RMS and the established risk appetite;
sufficient resources are dedicated to risk management; and
it recognises uncertainties, limitations and assumptions attached to the measurement of each material risk.

Risk management framework
An APRA-regulated institution must maintain a risk management framework for the institution that enables it to appropriately develop and implement strategies, policies, procedures and controls to manage different types of material risks, and provides the Board with a comprehensive institution-wide view of material risks.
The MIS must provide the Board of the APRA-regulated institution, board committees of the APRA-regulated institution and senior management of the institution with regular, accurate and timely information concerning the institution’s risk profile. The MIS must be supported by a robust data framework that enables the aggregation of exposures and risk measures across business lines, prompt reporting of limit breaches, and forward-looking scenario analysis and stress testing. Data quality must be adequate for timely and accurate measurement, assessment and reporting on all material risks across the institution and must provide a sound basis for making decisions.

Risk appetite
An APRA-regulated institution must maintain an appropriate, clear and concise risk appetite statement for the institution that addresses the institution’s material risks. The Board is responsible for setting the risk appetite of the institution and must approve the institution’s risk appetite statement.

Risk management strategy
An APRA-regulated institution must maintain an RMS for the institution that addresses each material risk listed under paragraph 26. The RMS must be approved by the Board.

Business plan
The business plan must be a rolling plan of at least three years’ duration that is reviewed at least annually, with the results of the review reported to the Board. The business plan must cover the entirety of the institution and be approved by the Board.

Risk management function
The CRO must have a direct reporting line to the CEO, and have regular and unfettered access to the Board and the Board Risk Committee.

Risk management declaration
The Board of an APRA-regulated institution must make an annual declaration to APRA on risk management of the institution (risk management declaration) that must satisfy the requirements set out in Attachment A to this Prudential Standard. The declaration must be signed by the chairperson of the Board and the chairperson of the Board Risk Committee. In the case of a Category C insurer, foreign ADI, or EFLIC, the risk management declaration must be signed by the senior officer outside Australia or two members of the Compliance Committee, as relevant.

Attachment A – Risk Management Declaration
For the purposes of paragraph 49 of this Prudential Standard, the Board of an APRA-regulated institution must provide APRA with a risk management declaration of the institution stating that, to the best of its knowledge and having made appropriate enquiries, in all material respects:
the institution has in place systems for ensuring compliance with all prudential requirements;
the systems and resources that are in place for identifying, measuring, evaluating, monitoring, reporting, and controlling or mitigating material risks, and the risk management framework, are appropriate to the institution, having regard to the size, business mix and complexity of the institution;
the risk management and internal control systems in place are operating effectively and are adequate having regard to the risks of the institution they are designed to control;
the institution has a RMS that complies with this Prudential Standard, and the institution has complied with each measure and control described in the RMS;
the APRA-regulated institution is satisfied with the efficacy of the processes and systems surrounding the production of financial information at the institution.
Related Guidance
APG 117

Interest rate risk in the banking book management framework
Attachment A to APS 117 states that an ADI’s Board of directors, or committee thereof, must review on a regular basis IRRBB management reports and satisfy itself that this risk is being appropriately managed. As good practice, APRA envisages that such reviews would occur on at least a quarterly basis.
CPG 220

Risk Governance

The second line of defence
The second line of defence comprises the specialist risk management function(s) that are functionally independent of the first line of defence. The second line of defence supports the Board and its committees by:
developing risk management policies, systems and processes to facilitate a consistent approach to the identification, assessment and management of risks;
providing specialist advice and training to the Board, board committees and first line of defence on risk-related matters;
objective review and challenge of:
the consistent and effective implementation of the risk management framework throughout the APRA-regulated institution; and
the data and information captured as part of the risk management framework which are used in the decision-making processes within the business, in particular the completeness and appropriateness of the risk identification and analysis, ongoing effectiveness of risk controls, and prioritisation and management of action plans; and
oversight of the level of risk in the institution and its relationship to the risk appetite, and any necessary reporting and escalation to the Board or its committees.
In order to be effective, risk management functions would have:
appropriate seniority and authority, with access to the responsible board committees.

The third line of defence
The third line of defence comprises the function(s) that, in accordance with CPS 220, provide to the Board and its committees:
at least annually, independent assurance that the risk management framework has been complied with and is operating effectively; and
at least every three years, a comprehensive review of the appropriateness, effectiveness and adequacy of the risk management framework.

Role of the Board
Under CPS 220, the Board is ultimately responsible for the risk management framework of the APRA-regulated institution and is responsible for the oversight of its operation by management. An institution must have, at all times, a risk management framework that governs the way the institution manages risks arising in the institution. Together, the Board Risk Committee and Board Audit Committee assist the Board in its oversight of the operation by management of the overall risk management framework.
The Board Audit Committee assists the Board to fulfil its corporate governance and oversight responsibilities in relation to an entity’s financial reporting, internal control system, risk management framework and internal and external audit functions (i.e. independent assurance).
Consistent with normal practice, for the purpose of discharging its responsibilities, the Board is able to obtain such recommendations and advice from board committees, external advisers and management as it considers prudent. The Board is entitled to place reasonable reliance on those inputs, provided directors approach their tasks with an enquiring mind and make an independent assessment of the matters for decision.
The Board is directly responsible for the broader strategy of the APRA-regulated institution and is required to approve the risk appetite statement, business plan and risk management strategy. Effective design of these documents and related processes by the institution will facilitate their integration, with each process appropriately supporting the others.
The Board approval and oversight responsibilities for the risk management framework are unaffected if risk management and business operations are outsourced to a third party or are performed by another part of a group.
In determining whether the Board has met its responsibilities under CPS 220, APRA will assess the steps taken by the Board to ensure it meets those responsibilities. For example, APRA expects senior management to report on the material risks and escalate material risk issues to the Board or the Board Risk Committee level. The Board and/or Board Risk Committee could also obtain independent views and reports as they deem appropriate, as well as consider risk issues escalated from the risk management function. APRA expects that the Board would clearly communicate its expectations in respect of the reporting and escalation to be provided by management, the risk management function(s) and internal audit. Where the Board considers that the risk reporting is ineffective or that material risk issues have failed to be escalated, APRA expects the Board to adopt all appropriate measures (including directions for management remedial actions and reports) to identify and address the reasons for the failure.

Risk management culture
CPS 220 requires a Board to ensure that they form a view of the risk culture in the institution and the extent to which that culture supports the ability of the institution to operate consistently within its risk appetite, identify any desirable changes to the risk culture and ensure the institution takes steps to address those changes. APRA’s view is that a sound risk culture is a core element of an effective risk management framework. Risk culture refers to ‘the norms of behaviour for individuals and groups within an organisation that determine the collective ability to identify, understand, openly discuss and act on the organisation’s current and future risk’3. APRA expects that the Board would have a view of the risk culture that is appropriate for ensuring that the institution operates within the risk appetite.
An institution’s risk culture is strongly influenced by the ‘tone at the top’. APRA expects the Board and senior management to demonstrate their commitment to risk management and foster a sound risk management environment in which staff will be actively engaged with risk management processes and outcomes, and a risk management function that is influential and respected. The development of the risk culture is likely to occur through an iterative process involving both the Board and senior management.

Group risk management
CPS 220 allows an APRA-regulated institution that is part of a group to meet the requirements of the standard on a group basis provided that the Board of the institution is satisfied that the requirements are met in respect to that institution.

Risk management framework
CPS 220 requires the Board to ensure that it recognises uncertainties, limitations and assumptions attached to the measurement of each material risk. In addition to recognition of these matters by the Board, APRA expects that they would be well understood within the institution.
Risk can arise from structures that impede transparency, such as special-purpose or related structures. APRA expects that the APRA-regulated institution’s operational structure and associated risks would be well understood in the institution, recognised by the Board, taken into account in the risk management framework and reported, as appropriate (including to the Board or its committees where necessary).
Stress testing, including both scenario analysis and sensitivity analysis is used to assess a range of potential impacts as a result of different material risks. Stress testing is important in considering potential changes that could occur in the external operating environment, and provides a more forward looking view of an APRA-regulated institution’s risk profile. APRA expects that stress testing would be based on a combination of robust modelling and informed expert judgement, with effective senior management engagement and appropriate Board oversight.

Risk appetite statement
APRA expects that the Board would be actively engaged with management in developing and reviewing the risk appetite statement, and would be able to demonstrate ownership of the statement. APRA considers that this might be achieved, in part, through reporting and communication processes and structures that enable the Board and/or Board Risk Committee to:
identify the APRA-regulated institution’s overall current risk profile and how this compares to its risk appetite and capital strength;
be satisfied that senior management’s interpretation and application of the risk appetite and tolerances is appropriate; and
appropriately align risk appetite to the approach adopted in the risk management framework for assessing, monitoring and managing the different material risks.
An APRA-regulated institution would generally use a variety of approaches and processes to assess different material risks. An institution with the capability to use risk quantification techniques would generally use them in the setting and monitoring of its risk appetite statement. Risk quantification techniques may provide an institution with assurance that the risk does not exceed the institution’s risk tolerance and/or risk capacity. These techniques may not be appropriate for all types of risk. APRA expects senior management to assess the appropriateness of such techniques before they are adopted and on an ongoing basis. APRA expects that the results of such analysis and testing would be reported to the Board and/or Board Risk Committee and be taken into account when establishing or reviewing the risk appetite statement. APRA expects the Board and/or Board Risk Committee to recognise the limitations and assumptions relating to any models used to measure components of risk that could materially affect its decision-making.

Risk management strategy
APRA expects that a risk management strategy would contain sufficient information to communicate, in general terms the APRA-regulated institution’s approach to risk management. This includes how it identifies, measures, evaluates, monitors, reports and controls or mitigates the material risks of its operations. CPS 220 requires that the risk management strategy list the policies and procedures dealing with risk management matters. Where these policies and procedures require Board approval under other prudential standards, approval of the strategy does not negate the Board’s responsibility to approve those individual documents.

Chief risk officer
CPS 220 sets out requirements for the independence of the CRO and specifies roles that cannot also be performed by the CRO. CPS 220 recognises that an APRA-regulated institution may seek approval for alternative arrangements to those required. This may be where the institution is materially constrained in appointing a CRO who is free from conflicts of interest, or for other reasons particular to that institution. APRA expects these instances normally to be limited to smaller and less complex institutions, but will consider applications from all APRA-regulated institutions, provided the applicant clearly sets out the exceptional circumstances that might warrant APRA considering the alternative proposal. Where an institution seeks an alternative arrangement under CPS 220, the Board is expected to demonstrate to APRA that it has undertaken a process to identify conflicts, has established structural oversight and controls to mitigate the additional risk and is satisfied that the risk management framework will ensure these mitigants are adhered to. APRA will assess the appropriateness of alternative arrangements on a case-by-case basis. APRA expects that the Board would take into account the following controls and other mitigating factors that manage conflicts of interests including, but not limited to:
alternative sources of risk-based challenge to business lines;
the resources allocated to risk management;
executive level engagement in risk issues;
the strength of compliance and audit mechanisms;
oversight from the Board and its committees;
the experience and capabilities of the other risk management function personnel; and
the robustness of the regulated institution’s and, where appropriate, the group’s risk management framework.
CPS 220 requires that the risk management function, via a CRO, has direct and unfettered access to the CEO, Board, Board Risk Committee and senior management. CPS 220 also requires the reporting line for the risk management function to be independent from business lines and to directly report to the CEO. Where an APRAregulated institution is part of a group, including a Level 2 and/or Level 3 group, the CRO of that institution may report to the group CRO as long as the group CRO reports directly to the group CEO.

Monitoring and reporting

Oversight and escalation processes
APRA expects an APRA-regulated institution’s risk management framework to ensure that the Board and senior management receive regular, concise and meaningful assessment of actual risks relative to the institution’s risk appetite and the operation and effectiveness of controls.

Risk management declaration
CPS 220 requires the Board to provide APRA with a risk management declaration on an annual basis. While this declaration does not have to be audited, APRA expects that the Board would have obtained reasonable assurance and, if necessary, considered independent advice on the matters covered by the declaration, prior to the signing of the declaration by the required signatories. The extent of enquiry required prior to making the declaration is a matter for the judgment of each Board of an APRA-regulated institution. The wording of the declaration allows materiality to be taken into account when making the declaration.
CPS 220 allows an APRA-regulated institution’s risk management declaration to be encompassed in the risk management declaration documentation of a Level 2 and/or Level 3 group where applicable. Where a Level 1 institution’s declaration is encompassed within the group declaration, the Level 1 institution’s Board remains responsible for any qualifications in the declaration that relate to that institution. Where a risk management declaration is made on a Level 2 and/or Level 3 group basis, CPS 220 requires any qualification to identify whether it related to the Level 1 institution or the group’s risk management framework. A qualification for the institution may not mean that a groupwide qualification needs to be made, and vice versa. However, where a group’s Board has taken the decision that a qualification at the institution level does not result in a group declaration qualification, the reason for this decision would be articulated.

APRA notification requirements
APRA expects that an APRA-regulated institution would be in regular dialogue with its supervisors about potential material changes to the institution. APRA expects that, at the latest, notification in accordance with the requirements in CPS 220 would be made within 10 business days of the Board becoming aware of a current or proposed material change to the institution’s risk profile or business operations.
APG 223

Risk management framework
Consistent with Prudential Standard CPS 220 Risk Management (CPS 220), where residential mortgage lending forms a material proportion of an ADI’s lending portfolio and therefore represents a risk that may have a material impact on the ADI, it would be prudent for the Board of directors (the Board) and senior management to specifically address residential mortgage lending in its risk management framework, in particular in the risk appetite statement, risk management strategy and business plans.

APRA’s expectations of an ADI Board for residential mortgage lending
Where residential mortgage lending forms a material proportion of an ADI’s lending portfolio and therefore a risk that may have a material impact on the ADI, APRA expects that the Board would take reasonable steps to satisfy itself as to the level of risk in the ADI’s residential mortgage lending portfolio and the effectiveness of its risk management framework. This would, at the very least, include:
specifically addressing residential mortgage lending in the ADI’s risk appetite, risk management strategy and business plans;
seeking assurances from senior management that the approved risk appetite is communicated to relevant persons involved in residential mortgage lending and is appropriately reflected in the ADI’s policies and procedures; and
seeking assurances from senior management that there is a robust management information system in place that:
tracks material risks against risk appetite;
provides periodic reporting on compliance with policies and procedures, reasons for significant breaches or material deviations and updates on actions being taken to rectify breaches or deviations; and
provides accurate, timely and relevant information on the performance and risk profile of the residential mortgage lending portfolio.

Oversight and review
Typically, senior management is responsible for monitoring compliance with material policies, procedures and risk limits and reporting material breaches or overrides to the Board. Further, where risk limits are routinely breached or policies and procedures overridden, senior management and the Board could consider whether this is indicative of a less prudent lending culture than that reflected in its risk appetite and what steps could be necessary to remedy any identified deficiency.
In order to establish robust oversight, the Board and senior management would receive regular, concise and meaningful assessment of actual risks relative to the ADI’s risk appetite and of the operation and effectiveness of internal controls. The information would be provided in a timely manner to facilitate early corrective action.
A prudent ADI would have controls in relation to its residential mortgage portfolio that have appropriate regard to the level of risk within the portfolio. Portfolios that have higher inherent risk, for example where the portfolio is usually operating at the higher end of risk limits, would typically be accompanied by stronger controls, including:
increased monitoring and more granular reporting to the Board and senior management;
Consistent with CPS 220, the aspects of the risk management framework that apply to the residential mortgage lending portfolio would be subject to a comprehensive review by an operationally independent and competent person at least every three years. The person would report the results of reviews to the Board, providing an independent and objective evaluation of the appropriateness, adequacy and effectiveness of the risk management framework with respect to the portfolio.

Management information systems
Further, a prudent ADI would have analytical capability that allows it to monitor, analyse and report key metrics against risk appetite and to assess the residential mortgage portfolio at both the individual loan level and portfolio level. The data, when collectively presented to the Board and senior management, would enable an accurate and meaningful assessment of the residential mortgage portfolio. A history of low defaults does not justify under-investment in management information systems.

Remuneration
Prudential Standard CPS 510 Governance (CPS 510) requires the Board-approved ADI remuneration policy to be aligned with prudent risk-taking. CPS 510 requires the remuneration policy to apply to responsible persons, risk and financial control personnel and all other persons whose activities may affect the financial soundness of the regulated institution.  Where the residential mortgage lending portfolio is material, a prudent ADI would apply its remuneration policy to the persons involved in residential mortgage lending. This would include remuneration of third parties, particularly mortgage broker firms, when they are responsible for origination of a material proportion of the residential mortgage loan portfolio. For the avoidance of doubt, the ADI remuneration policy is intended to capture an ADI’s engagement with its brokers, not how a broking firm pays its staff. Alternatively, the ADI may address such remuneration arrangements within its risk management framework with appropriate senior management or Board oversight.

Loan origination
When an ADI is increasing its residential mortgage lending rapidly or at a rate materially faster than its competitors, either across the portfolio or in particular segments or geographical areas, a prudent Board would seek explanation as to why this is the case. Rapid relative growth could be due to an unintended deterioration in the ADI’s loan origination practices, in which case APRA expects that an ADI’s risk management framework would facilitate rapid and effective measures to mitigate any consequences.

Overrides
Good practice is for regular override reporting to be provided to senior management and to the Board. Such reporting would include:
delinquency rates for residential mortgage loans approved as overrides and exceptions;
tracking against risk tolerance limits for overrides;
reasons for overrides; and
distribution of overrides across business units, products, locations, third-party originators and, where relevant, ADI officers associated with a disproportionate number of overrides.

Loan-to-valuation ratios
A prudent ADI would monitor exposures by LVR bands over time. Significant increases in high LVR lending would typically be a trigger for senior management to review risk targets and internal controls over high LVR lending, with Board oversight. APRA has not formally defined ‘high LVR lending’, but experience shows that LVRs above 90 per cent (including capitalised LMI premium or other fees) clearly expose an ADI to a higher risk of loss.

Hardship loans and collections
An ADI following good practice would include a carefully considered collections strategy in its credit risk management framework for residential mortgage lending. The framework could include:
appropriate reporting to senior management and the Board on delinquencies, including recoveries and cost of collections.

Stress testing
Results from portfolio stress tests enable the Board and senior management to review an ADI’s risk appetite, capital adequacy and relevant strategic business decisions in both current and potential environments. For example, stress tests might identify vulnerabilities in certain product or borrower segments that would prompt an ADI to tighten its loan origination criteria or lower risk appetite limits on those products.
Stress testing arrangements include well-documented policies and procedures governing the stress testing program, including timely communication of the stress test results to the Board, senior management and other relevant staff. When reporting results, sufficient information would be provided to enable the Board and senior management to understand and challenge stress test assumptions and conclusions. This includes quantitative information on the scenario, results, capital impact, key assumptions and recommended actions arising from the stress tests. 
 

Guidance
CPG 229

Governance
Prudential standards CPS 510 and SPS 510 set out the minimum governance requirements of an APRA-regulated institution. The ultimate responsibility for the sound and prudent management of an APRA-regulated institution’s business operations rests with its board of directors. APRA therefore considers it prudent practice for the board to seek to understand and regularly assess the financial risks arising from climate change that affect the institution, now and into the future.
APRA is of the view that climate risks can and should be managed within an institution’s overall business strategy and risk appetite, and a board should be able to evidence its ongoing oversight of these risks.
The board of an institution may delegate certain functions of the management of climate risks but, as with other risks, needs to maintain mechanisms for monitoring the exercise of this delegated authority. Board-level engagement is important to ensure that work on climate risks holds sufficient standing within an institution, and gives the board the requisite institution-wide insights to strategically respond to the risks.
In fulfilling its obligations under CPS 510 and SPS 510, a prudent board is, in overseeing the management of climate risks, likely to:
ensure an appropriate understanding of, and opportunity to discuss, climate risk at the board and sub-committee levels, which may include appropriate training for board members;
set clear roles and responsibilities of senior management in the management of climate risks, and hold senior management to account for these responsibilities;
re-evaluate the risks, opportunities and accountabilities arising from climate change on a periodic basis, and consider these risks and opportunities in approving the institution’s strategies and business plans;
take both a shorter-term view (consistent with the institution’s regular business planning horizon) and longer-term view when assessing the impact of climate risks and opportunities; and
ensure that, where climate risks are found to be material, the institution’s risk appetite framework incorporates the risk exposure limits and thresholds for the financial risks that the institution is willing to bear.

Risk management
Under CPS 220 and SPS 220, the board of an APRA-regulated institution is ultimately responsible for both the institution’s risk management framework, and for the oversight of its operation by management. Senior management of the institution monitor and manage all material risks consistent with the strategic objectives, risk appetite statement and policies approved by the board. APRA considers it prudent for climate risks to be considered within an institution’s existing framework, including the boardapproved risk appetite statement, risk management strategy and business plan.

Risk reporting
To facilitate well-informed decision-making, APRA expects that a prudent institution would establish procedures to routinely provide relevant information on its material climate risk exposures, including monitoring and mitigation actions, to the board and senior management. This information would allow the board and senior management to understand and review the activities, and to make decisions consistent with the institution’s overall risk appetite and risk management approach.

Scenario analysis
A prudent institution would maintain appropriate documentation of the method and results of its climate risk scenario analysis and stress testing, including an assessment of the limitations of the analysis for assessing the climate risks faced by the institution. Material results should be communicated to the institution’s board and senior management, and used to inform business planning and strategy setting, as well as setting and reviewing the institution’s overall climate risk management approach.

Operational Risk

Prudential Standard

Roles and responsibilities
The Board of an APRA-regulated entity is ultimately accountable for oversight of an entity’s operational risk management. This includes business continuity and the management of service provider arrangements.
The Board must ensure that the APRA-regulated entity sets clear roles and responsibilities for senior managers for operational risk management, including business continuity and the management of service provider arrangements.
The Board must:
oversee operational risk management and the effectiveness of key internal controls in maintaining the entity’s operational risk profile within risk appetite. The Board must be provided with regular updates on the APRA-regulated entity’s operational risk profile and ensure senior management takes action as required to address any areas of concern;
approve the BCP and tolerance levels for disruptions to critical operations, review the results of testing and oversee the execution of any findings; and
approve the service provider management policy, and review risk and performance reporting on material service providers.
Senior management of an APRA-regulated entity must provide clear and comprehensive information to the Board on the expected impacts on the entity’s critical operations when the Board is making decisions that could affect the resilience of critical operations.

Operational risk management

Operational risk profile and assessment
An APRA-regulated entity must maintain a comprehensive assessment of its operational risk profile. As part of this, an APRA-regulated entity must:
maintain appropriate and effective information systems to monitor operational risk, compile and analyse operational risk data and facilitate reporting to the Board and senior management;

Business continuity plan
An APRA-regulated entity must maintain the capabilities required to execute the BCP, including access to people, resources and technology. An APRA-regulated entity must monitor compliance with its tolerance levels and report any failure to meet tolerance levels, together with a remediation plan, to the Board.
An APRA-regulated entity’s internal audit function must periodically review the entity’s BCP and provide assurance to the Board that the BCP sets out a credible plan for how the entity would maintain its critical operations within tolerance levels through severe disruptions and that testing procedures are adequate and have been conducted satisfactorily.

Monitoring, notifications and review
An APRA-regulated entity’s internal audit function must review any proposed material arrangement involving the outsourcing of a critical operation. The internal audit function must regularly report to the Board or Board Audit Committee on compliance of such arrangements with the entity’s service provider management policy.

Guidance
CPG 230

Roles and responsibilities

The Board
Allocate responsibility
A prudent Board would have a clear understanding of who is responsible within the entity for each aspect of operational risk management, including business continuity and the management of service provider arrangements. It should have reasonable assurance that there are no gaps in responsibilities.
Processes for delegation from, and reporting to, the Board and senior management should be clear and documented, including for the escalation of risks and issues.
Oversee the risk profile
The Board would typically:
oversee updates to an entity’s operational risk profile and ensure risks outside of its appetite are addressed promptly;
oversee the effectiveness of key internal controls;
be kept informed of areas of any material weaknesses and major remediation efforts;
understand the material operational risks that arise from new ventures; and
ensure internal audit provides assurance and has appropriate capabilities for this task.
Challenge and approve
The Board, in approving the BCP and overall tolerances for the disruption of critical operations, would also ensure that the BCP aligns with its tolerances.
While the Board approves the service provider management policy, it may delegate approval of non-material changes.

Senior management
Senior managers play an important role in equipping Boards to make effective decisions. APRA expects that information provided to the Board is targeted and timely.
Boards may delegate to senior management the ability to approve more granular policies, tolerance levels and plans which sit beneath, and align to, Board-approved documents.

Business continuity
Test the BCP
Test results and the execution of any findings such as remediation would be reported to and reviewed by the Board, with associated follow-up actions formally tracked and reported. Reports on BCP tests would typically include:
Audit the BCP
Internal audit is an important vehicle for assurance. The Board may consider seeking assurance through expert opinion or other means to complement internal audit.

Prudential Standard

The role of the Board and senior management
The Board is ultimately responsible for oversight of any outsourcing of a material business activity undertaken by an APRA-regulated institution. Although outsourcing may result in the service provider having day-to-day managerial responsibility for a business activity, the APRA-regulated institution is responsible for complying with all prudential requirements that relate to the outsourced business activity.

Outsourcing policy
The Board of an APRA-regulated institution must approve the institution’s outsourcing policy, which must set out the approach to outsourcing of material business activities, including a detailed framework for managing all such outsourcing arrangements.
The Board of an APRA-regulated institution must ensure that outsourcing risks and controls are taken into account as part of the institution’s risk management strategy and when completing a risk management declaration required to be provided to APRA.

Assessment of outsourcing options
An APRA-regulated institution must be able to demonstrate to APRA that, in assessing the options for outsourcing a material business activity to a ‘third party’, it has:
involved the Board of the APRA-regulated institution, Board committee of the APRA-regulated institution, or senior manager of the institution with delegated authority from the Board, in approving the agreement;
Related Guidance
CPG 231

Factors to consider when entering into outsourcing arrangements
When a regulated institution decides to enter into an outsourcing agreement, there are a number of factors that may be appropriate for the Board to consider in addition to those outlined in the Prudential Standards.
When assessing options for outsourcing material business activities, it is good practice to establish an outsourcing team consisting of individuals from the relevant business area(s) and others with the necessary skills to assess the risks involved in outsourcing. They may include specialists in the relevant risk areas and external experts. This team would ensure that the outsourcing policy is followed at all times, including assessment of the initial tender and due diligence processes, evaluation of the outsourcing options, and making recommendations to senior management and the Board on the outsourcing proposal.

Prudential Standard

Additional requirements of the Head of a group
The Board of the Head of a group must:
ensure that the group’s BCM is appropriate to the nature and scale of its operations and is consistent with the group’s risk management strategy and risk management framework;
oversee the appropriateness of BCM across the group; and
ensure that the group’s business continuity plan (BCP) is reviewed at least annually by responsible senior management of the Head of the group.
The group internal audit function, or an appropriate external expert, must periodically review the group BCP and provide an assurance to the Board of the Head of the group, or delegated management, on the matters in paragraph 38 on a group basis.

The role of the Board and senior management
The Board is ultimately responsible for the business continuity of the institution. The Board remains ultimately responsible for BCM of the institution whether or not business operations are outsourced or are part of a corporate group.
The Board must ensure that the business continuity risks and controls are taken into account as part of the institution’s risk management strategy and when completing a risk management declaration required to be provided to APRA.

Business continuity management policy
The Board must approve the institution’s BCM policy.

Review and testing of the Business Continuity Plan
An APRA-regulated institution must review and test the institution’s BCP at least annually, or more frequently if there are material changes to business operations, to ensure that the BCP can meet the BCM objectives. The results of the testing must be formally reported to the Board or to delegated management. 

Audit arrangements
An institution’s internal audit function, or an appropriate external expert, must periodically review the BCP and provide an assurance to the Board or to delegated management that:
the BCP is in accordance with the institution’s BCM policy and addresses the risks it is designed to control; and
testing procedures are adequate and have been conducted satisfactorily.

Prudential Standard

Roles and responsibilities
The Board of an APRA-regulated entity (Board) is ultimately responsible for the information security of the entity. The Board must ensure that the entity maintains information security in a manner commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity.

Testing control effectiveness
An APRA-regulated entity must escalate and report to the Board or senior management any testing results that identify information security control deficiencies that cannot be remediated in a timely manner.
Related Guidance
CPG 234

Considerations for the Board
This section sets out key information a Board could consider in relation to its responsibilities under CPS 234. The remainder of the PPG elaborates on this information, and contains additional detail on information security aimed at a broader audience. A Board member may find it beneficial to acquaint themselves with this additional detail as necessary.
Under CPS 234, the Board of an APRA-regulated entity is ultimately responsible for the information security of the entity. In order for a Board to be able to more effectively discharge its responsibilities (including oversight, seeking assurance and, as appropriate, challenging management), it could consider the following:
roles and responsibilities — clearly outline for management how the Board expects to be engaged, including delegation of responsibilities, escalation of risks, issues and reporting requirements (including schedule, format, scope and content). Refer to Attachment H for common examples of the types of information that the Board might find useful to effectively fulfil its role and discharge its responsibilities;
information security capability — consider the sufficiency of the regulated entity’s information security capability in relation to vulnerabilities and threats; ensure sufficiency of investment to support the information security capability; and review progress with respect to execution of the information security strategy;
policy framework — whether information security policies reflect Board expectations;
implementation of controls — regularly seek assurance from and, as appropriate, challenge management on reporting regarding the effectiveness of the information security control environment and the overall health of the entity’s information assets;
testing control effectiveness — regularly seek assurance from and, as appropriate, challenge management on the sufficiency of testing coverage across the control environment; form a view as to the effectiveness of the information security controls based on the results of the testing conducted; and
internal audit — consider the sufficiency of internal audit’s coverage, skills, capacity and capabilities with respect to the provision of independent assurance that information security is maintained; form a view as to the effectiveness of information security controls based on audit conclusions; and consider where further assurance, including through expert opinion or other means, is warranted.
In considering the above, the Board would normally take into account the use of third parties and related parties (including group functions) by the APRA-regulated entity.

Roles and responsibilities

Board delegations
APRA does not seek to impose restrictions on a Board’s ability to delegate information security roles and responsibilities to Board sub-committees, management committees or individuals. However, APRA expects that a Board would clearly outline how it expects to be engaged with respect to information security, including escalation of risks, issues and reporting. Refer to Attachment H for common examples of the types of information that the Board might find useful in this regard.

Sufficient and timely information
The Board, governing bodies and individuals would typically define their information requirements (e.g. schedule, format, scope and content) to ensure they are provided with sufficient and timely information to effectively discharge their information security roles and responsibilities. Reporting to governing bodies would normally be supported by defined escalation paths and thresholds. An APRA-regulated entity could benefit from implementing processes for periodic review of audience relevance and fitness for use.

Adaptive and forward-looking investment
Under CPS 234, an APRA-regulated entity must actively maintain an information security capability with respect to changes in vulnerabilities and threats. Accordingly, an entity would typically adopt an adaptive and forward-looking approach to maintaining its information security capability, including ongoing investment in resources, skills and controls. This would commonly be achieved through the execution of an information security strategy which responds to the changing environment throughout the year. The strategy could be informed by existing and emerging information security vulnerabilities and threats, contemporary industry practices, information security incidents, both internal and external, and known information security issues. Oversight of execution of the strategy is normally the responsibility of the Board or a delegated governing body with representation from across the organisation. 
 

Incident management

Response to a security compromise
An APRA-regulated entity would typically have clear accountability and communication strategies to limit the impact of information security incidents. Under CPS 234, this includes escalation and reporting of information security incidents to the Board, other governing bodies and individuals responsible for information security incident management and oversight, as appropriate. A regulated entity could also include customer communication as part of any such communication strategy where appropriate. Incident response plans would also typically assist in compliance with regulatory notification requirements.

Internal audit

Assurance to the Board
Internal audit is an important vehicle by which the Board can gain assurance that information security is maintained. This assurance would typically be achieved through the inclusion of information security within the APRA-regulated entity’s internal audit plan. The Board could also choose to gain assurance through expert opinion or other means to complement the assurance provided by the internal audit function. This typically occurs where the required skills do not reside within the internal audit function or the area subject to audit pertains to third parties or related parties.

Use of assurance reports from third parties
Under CPS 234, an APRA-regulated entity’s internal audit function must assess the information security control assurance provided by a third party or related party in certain circumstances. Where that assessment identifies material deficiencies in the information security control assurance provided by the third party or related party, or no assurance is available, this would typically be highlighted in reporting to the Board.

Attachment B: Training and awareness
An APRA-regulated entity could benefit from developing a training and information security awareness program. This would typically communicate to personnel (staff, contractors and third parties) regarding information security practices, policies and other expectations as well as providing material to assist the Board and other governing bodies to execute their duties. Sound practice would involve tracking training undertaken and testing the understanding of relevant information security policies, both on commencement and periodically.

Credit Risk

Prudential Standard

The role of the Board and senior management

Board responsibilities
The Board of an ADI must review and approve, on at least an annual basis, the ADI’s credit risk appetite and credit risk management strategy.
The Board must regularly challenge, seek assurance and evidence from senior management that the credit risk policies, processes and practices are consistent with the credit risk management strategy (and, in turn, the credit risk appetite) of the ADI. The Board must obtain sufficient information to confirm whether or not the credit risk profile of the ADI is consistent with the credit risk management strategy, and require senior management to take appropriate and timely action if it is not.
The Board must ensure that senior management of the ADI has the capability and resources to appropriately manage the credit risk activities conducted by the ADI and that such activities operate within the credit risk management strategy, credit risk policies and credit risk appetite.

Credit administration, measurement and monitoring

Stress testing
Stress testing analyses must include contingency plans regarding actions the Board and senior management may take given certain scenarios.
An ADI’s stress testing arrangements must include well-documented and sound policies and processes governing the stress testing program, including the timely communication of information on scenarios, key assumptions, results and capital impacts to the ADI’s Board and senior management.

Controls over credit risk

Review of credit risk management processes

Classification of exposures and provisions
An ADI’s Board must obtain timely and appropriate information on the condition of the ADI’s credit portfolio, including the classification of exposures as performing and non-performing and the level of provisions. The information must include, at a minimum, results of the latest credit risk review process, comparative trends in the overall quality of exposures and measurements of existing or anticipated deterioration in asset quality and expected credit losses.

Attachment B – Prescribed provisioning
Where the Board or senior management of an ADI believe that the prescribed provisions calculated in accordance with this Prudential Standard do not reasonably address assessed loss outcomes, they must report additional specific provisions. The level of specific provisions required will depend on the type of exposure and term of payments past-due or the period of irregularity in cash flows due on an exposure.
Related Guidance
APG 220

Credit risk management framework
APS 220 requires the credit risk appetite statement to be reviewed and approved by the Board on at least an annual basis. This review process would typically be incorporated into, or aligned with, an ADI’s strategic and business planning process.

Role of the Board
The Board does not have direct day-to-day responsibility for credit risk management. However, APS 220 requires the Board to review and approve the credit risk appetite and credit risk management strategy, and ensure that senior management has the capability and resources to effectively manage credit risk. It is important that the Board clearly set expectations for the monitoring and reporting of the credit risk appetite and management strategy. A prudent Board would also set clear expectations for the timely escalation of credit risk issues by senior management, including findings from internal and external credit risk reviews.
While the Board may obtain advice on credit risk issues from Board committees, external advisers and senior management, it is important that the Board does not accept recommendations without due scrutiny and challenge.
A prudent Board would be alert to pressures on credit standards that could emerge, particularly as competition intensifies or market conditions shift. Ambitious lending growth plans, such as above system targets, can create pressures on credit standards.
It is prudent for the Board to also be alert to emerging signs of credit deterioration, and to hold senior management to account for timely action. This could include having appropriate checks in place to maintain an independent perspective on credit quality and lending practices across the credit portfolio.

Credit administration

Credit risk grading
Risk grades are useful in tracking the quality of the credit portfolio and help in identifying necessary changes to the credit risk management strategy. Good practice is for the Board and senior management to receive regular reports on trends in risk grades to support their oversight of the credit portfolio.

Controls over credit risk

Reviews of credit risk management processes
APS 220 requires an ADI to establish a system of independent, regular reviews of credit risk management processes and practices, with the results communicated directly to the Board and senior management.
It is good practice for internal reviews of credit risk to be conducted by personnel that are independent from the business function. This provides a more objective assessment. Internal reviews can be used to evaluate the overall credit administration process, determine the accuracy of internal credit risk grades (where applicable), and confirm whether policies are being followed in practice. It is good practice for the credit review function to report directly to either the Board, the Risk or Audit committee, or senior management without lending authority, such as senior management within the risk control function.
APG 223

Risk management framework
Consistent with Prudential Standard CPS 220 Risk Management (CPS 220), where residential mortgage lending forms a material proportion of an ADI’s lending portfolio and therefore represents a risk that may have a material impact on the ADI, it would be prudent for the Board of directors (the Board) and senior management to specifically address residential mortgage lending in its risk management framework, in particular in the risk appetite statement, risk management strategy and business plans.

APRA’s expectations of an ADI Board for residential mortgage lending
Where residential mortgage lending forms a material proportion of an ADI’s lending portfolio and therefore a risk that may have a material impact on the ADI, APRA expects that the Board would take reasonable steps to satisfy itself as to the level of risk in the ADI’s residential mortgage lending portfolio and the effectiveness of its risk management framework. This would, at the very least, include:
specifically addressing residential mortgage lending in the ADI’s risk appetite, risk management strategy and business plans;
seeking assurances from senior management that the approved risk appetite is communicated to relevant persons involved in residential mortgage lending and is appropriately reflected in the ADI’s policies and procedures; and
seeking assurances from senior management that there is a robust management information system in place that:
tracks material risks against risk appetite;
provides periodic reporting on compliance with policies and procedures, reasons for significant breaches or material deviations and updates on actions being taken to rectify breaches or deviations; and
provides accurate, timely and relevant information on the performance and risk profile of the residential mortgage lending portfolio.

Oversight and review
Typically, senior management is responsible for monitoring compliance with material policies, procedures and risk limits and reporting material breaches or overrides to the Board. Further, where risk limits are routinely breached or policies and procedures overridden, senior management and the Board could consider whether this is indicative of a less prudent lending culture than that reflected in its risk appetite and what steps could be necessary to remedy any identified deficiency.
In order to establish robust oversight, the Board and senior management would receive regular, concise and meaningful assessment of actual risks relative to the ADI’s risk appetite and of the operation and effectiveness of internal controls. The information would be provided in a timely manner to facilitate early corrective action.
A prudent ADI would have controls in relation to its residential mortgage portfolio that have appropriate regard to the level of risk within the portfolio. Portfolios that have higher inherent risk, for example where the portfolio is usually operating at the higher end of risk limits, would typically be accompanied by stronger controls, including:
increased monitoring and more granular reporting to the Board and senior management;
Consistent with CPS 220, the aspects of the risk management framework that apply to the residential mortgage lending portfolio would be subject to a comprehensive review by an operationally independent and competent person at least every three years. The person would report the results of reviews to the Board, providing an independent and objective evaluation of the appropriateness, adequacy and effectiveness of the risk management framework with respect to the portfolio.

Management information systems
Further, a prudent ADI would have analytical capability that allows it to monitor, analyse and report key metrics against risk appetite and to assess the residential mortgage portfolio at both the individual loan level and portfolio level. The data, when collectively presented to the Board and senior management, would enable an accurate and meaningful assessment of the residential mortgage portfolio. A history of low defaults does not justify under-investment in management information systems.

Remuneration
Prudential Standard CPS 510 Governance (CPS 510) requires the Board-approved ADI remuneration policy to be aligned with prudent risk-taking. CPS 510 requires the remuneration policy to apply to responsible persons, risk and financial control personnel and all other persons whose activities may affect the financial soundness of the regulated institution.  Where the residential mortgage lending portfolio is material, a prudent ADI would apply its remuneration policy to the persons involved in residential mortgage lending. This would include remuneration of third parties, particularly mortgage broker firms, when they are responsible for origination of a material proportion of the residential mortgage loan portfolio. For the avoidance of doubt, the ADI remuneration policy is intended to capture an ADI’s engagement with its brokers, not how a broking firm pays its staff. Alternatively, the ADI may address such remuneration arrangements within its risk management framework with appropriate senior management or Board oversight.

Loan origination
When an ADI is increasing its residential mortgage lending rapidly or at a rate materially faster than its competitors, either across the portfolio or in particular segments or geographical areas, a prudent Board would seek explanation as to why this is the case. Rapid relative growth could be due to an unintended deterioration in the ADI’s loan origination practices, in which case APRA expects that an ADI’s risk management framework would facilitate rapid and effective measures to mitigate any consequences.

Overrides
Good practice is for regular override reporting to be provided to senior management and to the Board. Such reporting would include:
delinquency rates for residential mortgage loans approved as overrides and exceptions;
tracking against risk tolerance limits for overrides;
reasons for overrides; and
distribution of overrides across business units, products, locations, third-party originators and, where relevant, ADI officers associated with a disproportionate number of overrides.

Loan-to-valuation ratios
A prudent ADI would monitor exposures by LVR bands over time. Significant increases in high LVR lending would typically be a trigger for senior management to review risk targets and internal controls over high LVR lending, with Board oversight. APRA has not formally defined ‘high LVR lending’, but experience shows that LVRs above 90 per cent (including capitalised LMI premium or other fees) clearly expose an ADI to a higher risk of loss.

Hardship loans and collections
An ADI following good practice would include a carefully considered collections strategy in its credit risk management framework for residential mortgage lending. The framework could include:
appropriate reporting to senior management and the Board on delinquencies, including recoveries and cost of collections.

Stress testing
Results from portfolio stress tests enable the Board and senior management to review an ADI’s risk appetite, capital adequacy and relevant strategic business decisions in both current and potential environments. For example, stress tests might identify vulnerabilities in certain product or borrower segments that would prompt an ADI to tighten its loan origination criteria or lower risk appetite limits on those products.
Stress testing arrangements include well-documented policies and procedures governing the stress testing program, including timely communication of the stress test results to the Board, senior management and other relevant staff. When reporting results, sufficient information would be provided to enable the Board and senior management to understand and challenge stress test assumptions and conclusions. This includes quantitative information on the scenario, results, capital impact, key assumptions and recommended actions arising from the stress tests. 
 

Prudential Standard

The role of the Board of a Level 3 Head
The Board of a Level 3 Head must:
approve the aggregate risk exposures policy for the Level 3 group;
ensure that adequate systems and controls are in place to identify, measure, aggregate, manage, monitor and report on material risk exposures in the Level 3 group in a timely manner and that those systems and controls are documented;
engage in oversight, which may be via a board committee, of the approach to the identification, measurement, management and monitoring of aggregate risk exposures and compliance with the aggregate risk exposures policy, which includes receiving regular reviews of material aggregate risk exposures of the Level 3 group; and
review the aggregate risk exposures policy at least annually to ensure that this policy remains adequate and appropriate for identifying, measuring, aggregating, managing and monitoring the Level 3 group’s risk exposures.

Notification requirements
A Level 3 Head must submit to APRA a copy of its aggregate risk exposures policy as soon as practicable, and no more than 10 business days, after Board approval.
Related Guidance
3PG 221

Introduction
The Board of a Level 3 Head (the Board) is responsible for the effective management of material risks posed to the Level 3 group. The Board is best positioned to have a holistic view of the risks posed to the group, and oversee controls to ensure that the group does not assume risks beyond its risk appetite.
Material aggregate risks include those that could have a material impact, both financial and operational, on the Level 3 group or on a prudentially regulated institution in the group. APRA expects that the Board would determine what it considers to be a material aggregate risk, and that this would vary according to the group’s risk profile. Where an institution is considered to have business operations that are material to the Level 3 group, a material external risk to that institution would normally constitute a material aggregate risk exposure for the group.
The materiality of an aggregate risk exposure depends on the size, nature and complexity of the exposure to the group. Where a material aggregate risk exposure is identified, the Board would also need to understand the material drivers of this risk. For instance, decision-makers may need to understand whether the aggregate risk exposure is comprised of a high number of small exposures or a low number of material individual risk exposures.
A Level 3 Head’s governance arrangements, risk data aggregation capabilities and reporting would reflect how the Board makes decisions and oversees aggregate risk exposures. APRA expects that risk aggregation capabilities and risk reporting are relevant, appropriate for the intended purpose and meet business specifications (i.e. fit-for– purpose) for the needs of the Board and other decision-makers in the Level 3 group.

Governance and aggregate risk exposures policy
The Board is responsible for determining the appropriate level of aggregate risk exposures. The policy would be expected to outline the governance arrangements for procedures, systems and controls that are in place for the appropriate management of exposures. The Board is required to approve this policy but can delegate implementation of policy and oversight of exposures to a board committee, such as the Board Risk Committee.
3PS 221 requires the aggregate risk exposures policy to include exposure limits that are commensurate with the Level 3 group’s capital strength, risk appetite, risk profile, and the size, business mix and complexity of the group. A Board may consider how exposures of the Level 3 group interact to change the aggregate risk of the group. For instance, an exposure to an overseas counterparty would be considered as part of a limit to that counterparty and to the relevant geographical location. APRA expects that the Level 3 Head would have processes to confirm that the classifications of risks facilitate an appropriate assessment of the risk profile and to ensure the group does not assume more risk than its risk appetite.
APRA expects the Board and senior management of the Level 3 group to understand the limitations and assumptions relating to material aggregated risk exposures. A Level 3 Head is expected to use stress testing and scenario analysis to assess the adequacy of its aggregation capabilities and risk reporting. The results of these assessments would feed into the Board’s awareness of aggregate risk exposures and would prompt consideration as to the Board’s appetite for these exposures and the appropriateness of limits. In addition, these assessments would highlight any limitations with aggregation capabilities and risk reporting in periods of stress.

Aggregate risk data capabilities
APRA expects a Level 3 group to have practices and procedures to identify data deficiencies and, where necessary, implement an improvement program so that data management does not impede effective risk management. Where there is a deficiency in data quality, APRA expects the Board to allocate sufficient oversight and resources for rectification. APRA expects that a Level 3 group would already have the data necessary for appropriate risk aggregation and that this data would not be encumbered by unnecessary barriers to retrieval, or rely on onerous manual adjustments for collation.

Risk reporting
APRA expects a Level 3 Head to have access to and commission both regular and flexible ad hoc reporting. The frequency of risk reporting depends on the needs of decision-makers. APRA expects reporting on material aggregate risk exposures to be presented to the Board at least quarterly. In periods of stress, given the speed of decision-making likely to be needed and that the nature of aggregate risks can change quickly, the frequency of reporting would be expected to increase.
The reporting of aggregate risk exposures to the Board would have sufficient breadth to provide the Board with a holistic view of the aggregate risk exposure profile of the Level 3 group. APRA expects that the Board would request reports for more detail on individual exposures or particular risk categories, accompanied by meetings with relevant senior management. Reporting would support the Board in understanding, and the senior management of the Level 3 group in understanding and tracking, aggregate risk exposures against the group’s risk appetite and capital strength.

Prudential Standard

The role of the Board of a Level 3 Head
The Board of a Level 3 Head must:
approve the ITE policy for the Level 3 group;
ensure that adequate systems and controls are in place to identify, measure, manage, monitor and report on material ITEs in the Level 3 group in a timely manner and that those systems and controls are documented;
engage in oversight, which may be via a board committee, of the approach to the identification, measurement, management and monitoring of ITEs and compliance with the ITE policy, which includes receiving regular reviews of which ITEs are deemed to be material to the operations of the Level 3 group; and
review the ITE policy at least annually, to ensure that this policy remains adequate and appropriate for identifying, measuring, managing and monitoring material risks in relation to ITEs.
If a prudentially regulated institution in the Level 3 group proposes to accept terms and conditions, in dealing with Level 3 institutions in the group, that are not consistent with terms and conditions that would be negotiated on an arms-length basis in such a dealing, those terms and conditions must first be approved by the Board of the Level 3 Head with justification fully and clearly documented.
Related Guidance
3PG 222

Introduction
Intra-group transactions and exposures (ITEs) expose Level 3 institutions in a Level 3 group to contagion risks. Where an institution is facing financial or operational stress, this may affect other institutions within the group with material ITEs to that institution. Therefore, the Board of a Level 3 Head (the Board) needs to understand the material ITEs within the group and manage the associated risks prudently. ITEs that can pose a risk of contagion would include, for example:
equity investments;
loan or funding arrangements;
reinsurance arrangements;
guarantees or indemnities; and
operational risks from intra-group service provision.
Material ITEs include those that would have a potential to have a material impact, both financial and operational, on the Level 3 group or a prudentially regulated institution in the group. APRA expects that the Board would determine what it considers to be a material ITE, and that this would vary according to the group’s risk profile.Where an institution is considered to have business operations that are material to the Level 3 group, a material ITE to that institution would constitute a material ITE for the group.
The materiality of an ITE depends on the size, nature and complexity of the exposure to the group. Where a material ITE is identified, the Board would also need to understand the material drivers of this risk. For instance, decision makers may need to understand whether the ITE is comprised of a high number of low risk intra-group arrangements or a low number of material individual risk exposures.
A Level 3 Head’s governance arrangements, data capabilities, and reporting in relation to ITEs would reflect how the Board makes decisions and oversees material ITEs. APRA expects data capabilities and ITE risk reporting to be relevant and appropriate for the intended purpose and to meet business specifications (i.e. fit-for–purpose) for the needs of the Board and other decision makers in the Level 3 group.

Governance and ITE policy
APRA expects the Board to have a holistic view of material ITEs within the group and establish a framework to monitor and control the associated risks. The Board would consider the group’s critical business operations and assess the potential impact of a stress on these operations to the group.
APRA expects a Level 3 Head to use stress testing and scenario analysis to assess the adequacy of its data capabilities and risk reporting on ITEs. The results of these assessments would feed into the Board’s awareness of material ITEs and would prompt consideration as to the Board’s appetite for these exposures and the appropriateness of limits.
The risks associated with ITEs could be magnified where the transactions with related parties have not been conducted on an armslength basis or on equivalent terms and conditions given to third parties. APRA expects a Level 3 Head to have processes and controls to mitigate such risks. In accordance with 3PS 222, the Board is required to approve these non-arm’s length transactions.

Intra-group data capabilities
APRA expects a Level 3 group to have practices and procedures to identify data deficiencies and, where necessary, implement an improvement program so that data management does not impede effective risk management. Where there is a deficiency in data quality, APRA expects the Board to allocate sufficient oversight and resources for rectification. APRA expects that a Level 3 group would already have data on material ITEs and expects that this data would not be encumbered by unnecessary barriers to retrieval, or rely on onerous manual adjustments for collation.

Risk reporting
Good practice is that risk reporting is accurate, comprehensive, clear and useful, and can be provided to decision makers on a timely basis. Risk reporting would be based on risk data and be presented in a manner that is clear, concise, and useful to the intended recipient. A Level 3 Head would determine respective risk reporting requirements that best suit the needs of its Board and senior management of the Level 3 group given the size, business mix and complexity of the group.
APRA expects a Level 3 Head to have access to commission both regular and flexible ad hoc reporting. The frequency of risk reporting depends on the needs of decision makers. APRA expects reporting on the group’s material ITEs to the Board at least quarterly. In periods of stress, given the speed of decision-making likely to be needed and that the nature of risk can change quickly, the frequency of reporting would be expected to increase in such circumstances.
The reporting of material ITEs to the Board would have sufficient breadth to provide the Board with a coordinated view of the roles and relationships between subsidiaries to one another and to the Level 3 Head. This coordinated view would assist the Board in understanding, and senior management of the Level 3 group in understanding and tracking, how ITEs affect the risk profile of prudentially regulated institutions within the group.
APRA expects that the Board would request reports on material individual ITEs or the ITEs to particular institutions, accompanied by meetings with relevant senior management. Reporting would support the Board in understanding, and the Level 3 group’s senior management in understanding and tracking, of ITEs against the group’s risk appetite and capital strength.

Market Risk

Financial Resilience

Financial Resilience standards require entities to maintain adequate financial resources to withstand stresses. They include requirements such as maintaining capital and liquidity. 

Capital

Prudential Standard

Responsibility for capital management
The Board of an ADI must ensure that the ADI maintains a level and quality of capital commensurate with the type, amount and concentration of risks to which the ADI is exposed from its activities. In doing so, the Board must have regard to any prospective changes in the ADI’s risk profile and capital holdings.
An ADI that is a member of a group may be exposed to risks, including reputational and contagion risk, through its association with other members of the group. Problems arising in other group members may compromise the financial and operational position of the ADI. The Board, in determining the capital adequacy of the ADI at Level 1, must have regard to:
risks posed to the ADI by other members of the group, including the impact on the ability of the ADI to raise funding and additional capital should the need arise;
obligations, both direct and indirect, arising from the ADI’s association with group members that could give rise to a call on the capital of the ADI; and
the ability to freely transfer capital (including situations where the group is under financial or other forms of stress) from members of the group to recapitalise the ADI or other members of the group. This includes consideration of:
the integration of business operations within the group;
the importance of members of the group to the group;
the impact of cross-border jurisdictional issues;
differences in legislative and regulatory requirements that may apply to group members; and
the impact of taxation and other factors on the ability to realise investments in, or transfer surplus capital from, group members.

Internal Capital Adequacy Assessment Process
An ADI must have an Internal Capital Adequacy Assessment Process (ICAAP) that must be:
adequately documented, with the documentation made available to APRA on request; and
approved by the ADI’s Board initially, and when significant changes are made.
The ICAAP report submitted to APRA by the ADI must be accompanied by a declaration approved by the Board and signed by the CEO stating whether:
capital management has been undertaken by the ADI in accordance with the ICAAP over the period and, if not, a description of, and explanation for, deviations;
the ADI has assessed the capital targets contained in its ICAAP to be adequate given the size, business mix and complexity of its operations and, at Level 2, given the location of operations of group members and the complexity of the group structure; and
the information included in the ICAAP report is accurate in all material respects.
Related Guidance
CPG 110

Part A – Internal Capital Adequacy Assessment Process

Board ownership of the ICAAP
Under the capital standards, the Board of a regulated institution has primary responsibility for the capital management of that institution. This obligation goes beyond the need to ensure compliance with regulatory capital requirements and requires the Board to ensure that each regulated institution holds capital resources commensurate with its risk profile.
Consistent with that overarching responsibility, the capital standards require each regulated institution to have an ICAAP that has been approved by its Board.
While the ICAAP may be developed by the regulated institution’s senior management with input from relevant areas and experts across the organisation (including the Appointed Actuary where relevant), the capital standards require the Board to be actively engaged in the development and finalisation of the ICAAP and the oversight of its implementation on an ongoing basis.
APRA expects the Board to robustly challenge the assumptions and methodologies behind the ICAAP and the associated documentation. APRA expects the Board to understand and to be able to explain the key aspects of the ICAAP and why it is considered appropriate for the institution.

Risk appetite and risk management framework
The Board is responsible for the risk appetite of a regulated institution and for ensuring that the institution has an appropriate risk management framework. Risk appetite is a fundamental part of both risk management and capital management.

Requirements for the ICAAP

Proportionality
Under the capital standards, the ICAAP of a regulated institution must be appropriate for its size, business mix and complexity. Each institution’s ICAAP will be tailored to the circumstances of the institution. For more complex institutions, appropriately sophisticated processes are expected; for simpler institutions with limited product offerings and simple investment structures, simplified approaches may suffice. The complexity or otherwise of an institution’s ICAAP will be expected to reflect the Board’s and senior management’s view of the institution’s functional complexity.

Group ICAAP considerations
Under the capital standards, a regulated institution may make use of a group ICAAP or components of that ICAAP. In doing so, the Board of each regulated institution in the group is still required to ensure that the ICAAP is appropriate and meets the requirements of the capital standards in relation to the institution.

Documenting the ICAAP
A regulated institution’s ICAAP will include a range of processes and systems for assessing capital requirements relative to the risks to which the institution is exposed, setting target capital levels, projecting and monitoring the capital position, taking action if capital levels fall below target levels, and reporting on the process and its outcomes to the Board. These underlying processes will ordinarily be documented in various policies and procedural documents.

Setting the target levels of capital
APRA expects that the Board will satisfy itself that the capital targets are in line with the risk appetite. This will include consideration of the Board’s appetite for potential breaches of regulatory capital requirements.

Trigger levels and related actions to manage the capital position
To avert capital falling below target operating levels and, in the most severe case, breaching regulatory requirements, an institution is required under the capital standards to have capital triggers in place. These triggers are intended to serve as early warning indicators and thereby provide the Board and senior management with time to rectify problems and restore capital while the institution continues to operate.

Stress testing
The capital standards require a regulated institution to include stress testing and scenario analysis in its ICAAP. Stress testing and scenario analysis can assist in the formulation of capital targets and trigger levels by:
being readily understandable to the Board and senior management.

Review of the ICAAP
It will be appropriate to consider a range of factors in reviewing the ICAAP, including:
the consistency of the ICAAP outcomes with the risk appetite of the Board and the risk capacity of the entity;
APRA expects that a regulated institution will have in place processes to report the outcomes of the review to the Board and senior management, as well as processes to assess and respond to any recommendations for change arising out of the review.

ICAAP summary statement
An ICAAP summary statement is a high-level document that describes and summarises the capital assessment and management processes of the regulated institution. It serves as a roadmap to the ICAAP that allows the Board and APRA to understand the capital management processes of the institution. APRA anticipates that the ICAAP summary statement will refer to other policies and procedures, but will be relatively self-contained.
APG 110

Introduction
APS 110 sets out APRA’s requirements for capital adequacy for ADIs. Under APS 110, ADIs must maintain adequate capital for the risks associated with their activities. The ultimate responsibility for the prudent management of capital rests with the ADI’s Board.

Chapter 1 - Capital management

Use of regulatory capital buffers in stress
An ADI that is operating with capital ratios in the regulatory capital buffer range, or that expects to do so, would agree a capital restoration path back out of the range with APRA. To support this, a prudent ADI would provide capital projections, based on a range of scenarios and approved by the Board, to APRA.

Capital distributions
A prudent ADI would, however, adopt a cautious approach to capital distributions during a period of stress even if it is operating above these levels. The Board of a prudent ADI would typically consider moderating dividend payout ratios, and considering the use of dividend reinvestment plans and other capital management initiatives to reinforce capital positions.

Prudential Standard

Governance and oversight
All material aspects of an ADI’s rating and estimation processes must be approved by the ADI’s Board, or relevant Board committee, and senior management. Those parties must possess a general understanding of the ADI’s rating systems and a detailed understanding of the associated management reports. Senior management must notify the Board, or Board committee, of material changes or exceptions from established policies that could have a material impact on the ADI’s rating systems.
Internal ratings must be an essential part of the reporting to the Board and senior management. Reporting must include:
risk profile by grade;
migration across borrower grades;
quantitative estimates of the relevant parameters for each borrower grade and, where relevant, facility grade; and
comparison of realised default rates (and, where relevant, realised LGD and EAD rates) against expectations.
Reporting frequencies may vary with the significance and type of information and the level of the recipients.
An ADI must have documented policies that detail sound development, validation, implementation, governance and control processes. These policies must:
be approved and actively discussed by the ADI’s Board or a delegated committee;
Related Guidance
APG 113

Chapter 1 - Governance and oversight
APS 113 (paragraphs 20-23) details requirements relating to the role of the Board in the governance and oversight of an ADI’s rating systems and risk estimates. Information provided to the Board for this purpose should be sufficient to enable directors to actively discuss and confirm, at least annually, the continuing appropriateness, effectiveness and integrity of the rating systems and risk estimates. Such information would generally include reporting from risk management as well as internal audit.

Attachment D - Initial IRB approval

General expectations for IRB approval
APRA expects an ADI seeking approval to use an IRB approach for regulatory capital purposes to demonstrate that the:
use of risk-based capital and associated risk-adjusted performance measurement permeates the management of its business; and
Board and senior management are willing and able to incorporate the quantification of risk into management processes and decision-making.

Prudential Standard

Attachment A - Governance and the trading book policy statement and prudent valuation practices

Board and senior management responsibilities
An ADI’s Board of directors (Board) is responsible for approving strategies and policies with respect to market risk and ensuring that senior management takes the steps necessary to monitor and control these risks.
In particular, the Board, or a Board committee, must ensure that the ADI has in place adequate systems to identify, measure and manage market risk, including identifying responsibilities, providing adequate separation of duties and avoiding conflicts of interest. An ADI must inform APRA of all significant changes in these systems and in its market risk profile and must ensure that market risk capital requirements are met on a continuous basis and that intra-day exposures are not excessive.

Attachment C - The internal model approach
The Board, or a Board committee, and senior management of an ADI must be actively involved in the risk control process and must treat risk control as an essential aspect of the business, to which significant resources need to be devoted. The daily reports prepared by the independent risk control unit must be reviewed by a level of management with sufficient seniority and authority to enforce both reductions of positions taken by individual traders and reductions in the ADI’s overall risk exposure.
An ADI must have a routine and robust program of stress testing as a supplement to the risk analysis based on the day-to-day output of the risk measurement model. The results of stress testing exercises must be used in the internal assessment of capital adequacy and reflected in the policies and limits set by management and the Board, or Board committee. The results of stress testing must be routinely communicated to senior management and, periodically, to the ADI’s Board, or a Board committee.

Stress testing
An ADI must ensure that the results of the stress tests are reviewed periodically by senior management and reflected in the policies and limits set by management and the Board, or Board committee.

Prudential Standard

Requirements for all ADIs
An ADI’s senior management must regularly (at least semi-annually) report its IRRBB exposure to its Board or Board committee.

IRRBB management framework
clearly articulated responsibilities of, and reporting relationships to, the Board and where applicable, the Board committee; and
accountabilities for monitoring an ADI’s exposures against limits, approving variation on limits, and responding to and escalating any breaches of IRRBB limits to the Board and/or senior management as appropriate.

Responsibilities of the Board of directors

Responsibilities of senior management
Where an ADI assumes a maturity profile for shareholders’ equity, its senior management must set and approve a strategy consistent with the IRRBB risk appetite set by the Board, including the scope of any delegated powers to materially vary from that maturity profile.
Senior management must ensure that reporting to the Board or Board Committee enables the Board or Board committee to satisfy itself that IRRBB is appropriately managed. The reporting will at a minimum, include:
balance sheet management strategy (including maturity profile for shareholders’ equity) with appropriate risk metrics that measure this strategy;
material changes to the ADI’s profile or exceptions from established policies that could have an impact on the operation of the risk management framework for IRRBB, including the IRRBB capital charge; and
significant assumptions of the measurement system and how those assumptions affect any significant IRRBB hedging strategies the ADI undertakes.
An ADI’s policies and limits for IRRBB must reflect the results of stress testing exercises. Senior management must regularly communicate these results to the ADI’s Board or Board committee.

Internal reporting of IRRBB exposures
An ADI must have in place a process for ensuring that the ADI’s Board, or Board committee, and senior management are able to respond appropriately to the information contained in IRRBB management reports. This process must include escalation procedures for key IRRBB issues to facilitate appropriate action between formal reporting cycles.

Independent review of risk management framework for IRRBB
For an ADI with an approved IRRBB model, such reviews must take place at the time of IRRBB model approval and thereafter at least once every three years and when a material change is made to the IRRBB management framework. A summary of the results of the review must be provided to the Board or Board committee. An ADI must provide a report on the review to APRA within three months of its completion.

Prudential Standard

Interest rate risk in the banking book management framework
An ADI with internal model approval must have in place an IRRBB management framework that is sufficiently robust to facilitate quantitative estimates of its IRRBB capital requirement that are sound, relevant and verifiable. APRA must be satisfied that the ADI’s IRRBB management framework is suitably rigorous and consistent with the complexity of its business. Where industry risk modelling practices evolve and improve over time, the ADI must consider these developments in assessing its own practices. Furthermore, the IRRBB measurement system must play an integral role in the ADI’s risk management and decision-making processes and meet the requirements detailed in Attachment A. An ADI must also comply with the requirements relating to the Board of directors (Board) and senior management responsibilities in that Attachment.

Attachment A - Governance and the interest rate risk in the banking book management framework

Responsibilities of the Board of directors and senior management
An ADI’s Board is responsible for the overall IRRBB profile of the ADI and its IRRBB management framework. Accordingly, the Board must make clear its appetite for this risk, including IRRBB exposure limits. The Board or a Board committee must be actively involved in the oversight of the ADI’s approach to managing and measuring IRRBB.
An ADI’s IRRBB management framework must be approved by the Board, or a Board committee. In the latter case, the committee must have clearly defined responsibilities, thresholds for reporting to the Board and performance obligations. The approved framework must clearly articulate respective responsibilities and reporting relationships.
Senior management must, in conjunction with the IRRBB management function referred to in paragraph 6 of this Attachment, develop appropriate policies relating to the risk management framework. Management is responsible for translating these policies into specific procedures and processes to facilitate implementation and verification within the ADI’s business operations. Senior management must provide notice to the Board, or Board committee, of material changes or exceptions from established policies that could have an impact on the operation of the IRRBB management framework, including the IRRBB capital requirement.

Internal reporting of interest rate risk in the banking book exposures
An ADI must implement a process to regularly monitor its IRRBB profile. To support the proactive management of this risk, there must be regular reporting of relevant information to the Board, or Board committee, and senior management.
An ADI must have in place a process for ensuring that the ADI’s Board, or Board committee, and senior management are able to respond appropriately to the information contained in IRRBB management reports. This process must include escalation procedures for key IRRBB issues to facilitate appropriate action between formal reporting cycles.

Attachment B - Quantitative standards for measuring the capital requirement

Stress testing
An ADI’s policies and limits must reflect the results of stress-testing exercises and these results must be communicated to relevant senior management and the ADI’s Board, or Board committee, on a regular basis.
Related Guidance
APG 117

Interest rate risk in the banking book management framework
Attachment A to APS 117 states that an ADI’s Board of directors, or committee thereof, must review on a regular basis IRRBB management reports and satisfy itself that this risk is being appropriately managed. As good practice, APRA envisages that such reviews would occur on at least a quarterly basis.

Prudential Standard

Requirements for an SPV
In a securitisation, an must not:
allow any of the ADI’s directors, officers or employees to sit on the Board of an SPV, or on the Board of a trustee of an SPV, unless the Board has at least four members. The ADI, however, may be represented by one director on a Board of four to six directors and by no more than two directors on a Board of seven or more directors;
act, or allow any of its directors, officers or employees to act, in any circumstances as a trustee of an SPV, or in any similar role. The trustee must not be part of the group, as defined in Australian Accounting Standards, to which the ADI belongs; or
Related Guidance
APG 120

Chapter 4 — Implicit support and other risks

Implicit support
APS 120 requires that an ADI must not provide, or knowingly allow the perception to arise that it will provide, support to a securitisation in excess of the ADI’s explicit contractual obligations. To do so would be to provide implicit support. In addition, the Board of directors and senior management must put policies and procedures in place that outline how the ADI will ensure it is not providing implicit support for a securitisation.

Quantitative and qualitative limits on securitisation activity
APS 120 provides that, in certain circumstances, APRA may impose quantitative or qualitative limits on an ADI’s securitisation activities. Such restrictions could include:
  • prohibiting an ADI from undertaking further securitisation activity until the Board of directors and senior management of the ADI can establish they have an appropriate understanding of the ADI's securitisation structures, activities and exposures;

Liquidity

Prudential Standard

Board and senior management responsibilities
An ADI’s Board of directors (Board) is ultimately responsible for the sound and prudent management of the liquidity risk of the ADI. An ADI must maintain a liquidity risk management framework commensurate with the level and extent of liquidity risk to which the ADI is exposed from its activities. In relation to a foreign ADI, the responsibilities of the Board in this Prudential Standard are to be fulfilled by the senior officer outside Australia.
The liquidity risk management framework must include, at a minimum:
a statement of the ADI’s liquidity risk tolerance, approved by the Board;
the liquidity management strategy and policy of the ADI, approved by the Board;
the ADI’s operating standards (e.g. in the form of policies, procedures and controls) for identifying, measuring, monitoring and controlling its liquidity risk in accordance with its liquidity risk tolerance;
the ADI’s funding strategy, approved by the Board; and
a contingency funding plan.
The Board must ensure that:
senior management and other relevant personnel have the necessary experience to manage liquidity risk; and
the ADI’s liquidity risk management framework and liquidity risk management practices are documented and reviewed at least annually.
The Board must review regular reports on the liquidity position of the ADI and, where necessary, information on new or emerging liquidity risks.
An ADI’s senior management must, at a minimum:
develop a liquidity management strategy, policies and processes in accordance with the Board-approved liquidity tolerance;
establish a set of reporting criteria specifying the scope, manner and frequency of reporting for various recipients (such as the Board, senior management and the asset/liability committee) including the parties responsible for preparing the reports;
continuously review information on the ADI’s liquidity developments and report to the Board on a regular basis.
Senior management and the Board must be able to demonstrate a thorough understanding of the links between funding liquidity risk (the risk that an ADI may not be able to meet its financial obligations as they fall due) and market liquidity risk (the risk that liquidity in financial markets, such as the market for debt securities, may reduce significantly), as well as how other risks, including credit, market, operational and reputation risks, affect the ADI’s overall liquidity risk management strategy.

Liquidity risk management framework
In setting the liquidity risk tolerance, the Board and senior management must ensure that the risk tolerance allows the ADI to effectively manage its liquidity position in such a way that it is able to withstand a prolonged period of stress.
An ADI must have adequate policies, procedures and controls in place to ensure that the Board and senior management are informed immediately of new and emerging liquidity concerns. These include increasing funding costs or concentrations, increases in any funding requirements, the lack of availability of alternative sources of liquidity, material and/or persistent breaches of limits, a significant decline in the cushion of unencumbered liquid assets or changes in external market conditions that could signal future difficulties.

Management of liquidity risk
An ADI must have a reliable management information system that provides the Board, senior management and other appropriate personnel with timely and forward-looking information on the liquidity position of the ADI.

Funding strategy
The funding strategy must be reviewed and approved by the Board, at least annually, and supported by robust assumptions in line with the ADI’s liquidity management strategy and business objectives.

Contingency funding plan
An ADI’s contingency funding plan must be reviewed and tested, at least annually, to ensure its effectiveness and operational feasibility. An ADI’s Board must review and approve the contingency funding plan, at least annually, or more often as changing business or market circumstances require.

Stress testing
An LCR ADI’s stress test scenarios and related assumptions must be well documented and reviewed together with the stress test results. Stress test results and vulnerabilities and any resulting actions must be reported to, and discussed with, the Board and APRA. Results of the stress tests must be integrated into the ADI’s strategic planning process and its day-to-day risk management practices. The results of the stress tests must be explicitly considered in the setting of internal limits.

Attachment A - Liquidity coverage ratio

Use of alternative liquid asset treatment for LCR
In the case of unforeseen changes in circumstances, an ADI may apply to APRA, at any time, for a change in the amount of its CLF to be recognised for LCR purposes by submitting an updated Board-approved funding and liquidity plan.

Prudential Standard

Board and senior management responsibilities
An ADI’s Board of directors (Board) is ultimately responsible for the sound and prudent management of the liquidity risk of the ADI. An ADI must maintain a liquidity risk management framework commensurate with the level and extent of liquidity risk to which the ADI is exposed from its activities. In relation to a foreign ADI, the responsibilities of the Board in this Prudential Standard are to be fulfilled by the senior officer outside Australia.
The liquidity risk management framework must include, at a minimum:
a statement of the ADI’s liquidity risk tolerance, approved by the Board;
the liquidity management strategy and policy of the ADI, approved by the Board;
the ADI’s operating standards (e.g. in the form of policies, procedures and controls) for identifying, measuring, monitoring and controlling its liquidity risk in accordance with its liquidity risk tolerance;
the ADI’s funding strategy, approved by the Board; and
a contingency funding plan.
The Board must ensure that:
senior management and other relevant personnel have the necessary experience to manage liquidity risk; and
the ADI’s liquidity risk management framework and liquidity risk management practices are documented and reviewed at least annually.
The Board must review regular reports on the liquidity position of the ADI and, where necessary, information on new or emerging liquidity risks.
An ADI’s senior management must, at a minimum:
develop a liquidity management strategy, policies and processes in accordance with the Board-approved liquidity tolerance;
establish a set of reporting criteria specifying the scope, manner and frequency of reporting for various recipients (such as the Board, senior management and the asset/liability committee) including the parties responsible for preparing the reports;
continuously review information on the ADI’s liquidity developments and report to the Board on a regular basis.
Senior management and the Board must be able to demonstrate a thorough understanding of the links between funding liquidity risk (the risk that an ADI may not be able to meet its financial obligations as they fall due) and market liquidity risk (the risk that liquidity in financial markets, such as the market for debt securities, may reduce significantly), as well as how other risks, including credit, market, operational and reputation risks, affect the ADI’s overall liquidity risk management strategy.

Liquidity risk management framework
In setting the liquidity risk tolerance, the Board and senior management must ensure that the risk tolerance allows the ADI to effectively manage its liquidity position in such a way that it is able to withstand a prolonged period of stress.
An ADI must have adequate policies, procedures and controls in place to ensure that the Board and senior management are informed immediately of new and emerging liquidity concerns. These include increasing funding costs or concentrations, increases in any funding requirements, the lack of availability of alternative sources of liquidity, material and/or persistent breaches of limits, a significant decline in the cushion of unencumbered liquid assets or changes in external market conditions that could signal future difficulties.

Management of liquidity risk
An ADI must have a reliable management information system that provides the Board, senior management and other appropriate personnel with timely and forward-looking information on the liquidity position of the ADI.

Funding strategy
The funding strategy must be reviewed and approved by the Board, at least annually, and supported by robust assumptions in line with the ADI’s liquidity management strategy and business objectives.

Contingency funding plan
An ADI’s contingency funding plan must be reviewed and tested, at least annually, to ensure its effectiveness and operational feasibility. An ADI’s Board must review and approve the contingency funding plan, at least annually, or more often as changing business or market circumstances require.

Stress testing
An LCR ADI’s stress test scenarios and related assumptions must be well documented and reviewed together with the stress test results. Stress test results and vulnerabilities and any resulting actions must be reported to, and discussed with, the Board and APRA. Results of the stress tests must be integrated into the ADI’s strategic planning process and its day-to-day risk management practices. The results of the stress tests must be explicitly considered in the setting of internal limits.

Attachment A - Liquidity coverage ratio

Use of alternative liquid asset treatment for LCR
In the case of unforeseen changes in circumstances, an ADI may apply to APRA, at any time, for a change in the amount of its CLF to be recognised for LCR purposes by submitting an updated Board‑approved funding and liquidity plan.
Related Guidance
APG 210

Chapter 1 – Liquidity risk management

Liquidity risk appetite and tolerance
An ADI’s liquidity risk tolerance defines the level of liquidity risk that the ADI is willing to assume. APS 210 requires that the liquidity risk tolerance be set by the Board and that it is documented and appropriate for an ADI’s operations and strategy and its role in the financial system.
The Board-approved risk appetite statement will normally include an articulation of liquidity risk appetite and identify its liquidity risk tolerance.
An ADI is expected to take into account its business objectives and strategic direction with the aim of achieving certain budgetary and financial performance outcomes. Critical to this process is the Board’s risk tolerance, which informs the acceptability of risks, including liquidity risk, associated with planned business activities. The risk tolerance will generally also reflect the ADI’s financial condition and funding capacity as well as its role in the financial system.

Funding strategy
The Board-approved funding strategy will generally include both qualitative and quantitative items, key outcomes and the strategies that will be used to achieve the outcomes. The funding strategy would combine expected funding outcomes with sensitivity analysis. The strategy would include the base-case balance sheet projection, consistent with an ADI’s medium-term business plan, that represents the ADI’s best estimate of its future funding needs and sources, as well as key sensitivities in the base case.

Other

Prudential Standard

Responsibility for capital adequacy
The Board of Directors (Board) of a PPF provider must ensure that the PPF provider maintains an appropriate level of capital commensurate with the level and extent of risks to which the PPF provider is exposed from its activities. To this end, the PPF provider must:
have adequate systems and procedures in place to identify, measure, monitor and manage the risks arising from its activities to ensure that capital is held at a level consistent with the PPF provider’s risk profile; and
maintain and implement a capital management plan, consistent with the overall business plan, for managing its capital levels on an ongoing basis. The plan must set out:
the PPF provider’s strategy for maintaining capital resources over time, for example, by outlining its capital needs for supporting the degree of risks involved in the PPF provider’s business, how the required level of capital is to be met, as well as the means available for sourcing additional capital where required; and
actions and procedures for monitoring the PPF provider’s compliance with minimum capital adequacy requirements, including the setting of trigger ratios to alert management of, and avert, potential breaches to the minimum capital required by APRA.

Operational risk
The Board and senior management of a PPF provider must develop, implement and maintain a risk management framework to address operational risk that is appropriate to the size, complexity and business mix of the PPF provider.

Recovery and Resolution

Recovery and Resolution standards require entities to strengthen crisis preparedness. They include requirements such as resolution, recovery and exit planning. 

Recovery

Resolution