3PG 221 Aggregate Risk Exposures

The Board of a Level 3 Head (the Board) is responsible for the effective management of material risks posed to the Level 3 group. The Board is best positioned to have a holistic view of the risks posed to the group, and oversee controls to ensure that the group does not assume risks beyond its risk appetite.

3PS 221 requires a Level 3 Head to establish and maintain an aggregate risk exposures policy. The policy is a part of the group’s risk management framework and supports the ability to identify, measure, aggregate, manage and report on material aggregate risk exposures. An aggregate risk exposure refers to risks external to the Level 3 group that have the potential to result in losses for the Level 3 group, and can arise from the external exposures to prudentially regulated and nonprudentially regulated institutions. Risk data aggregation capabilities and risk reporting practices support the Board in making appropriate risk-based decisions in normal times and in periods of stress.

Material aggregate risks include those that could have a material impact, both financial and operational, on the Level 3 group or on a prudentially regulated institution in the group. APRA expects that the Board would determine what it considers to be a material aggregate risk, and that this would vary according to the group’s risk profile. Where an institution is considered to have business operations that are material to the Level 3 group, a material external risk to that institution would normally constitute a material aggregate risk exposure for the group.

The materiality of an aggregate risk exposure depends on the size, nature and complexity of the exposure to the group. Where a material aggregate risk exposure is identified, the Board would also need to understand the material drivers of this risk. For instance, decision-makers may need to understand whether the aggregate risk exposure is comprised of a high number of small exposures or a low number of material individual risk exposures.

A Level 3 Head’s governance arrangements, risk data aggregation capabilities and reporting would reflect how the Board makes decisions and oversees aggregate risk exposures. APRA expects that risk aggregation capabilities and risk reporting are relevant, appropriate for the intended purpose and meet business specifications (i.e. fit-for– purpose) for the needs of the Board and other decision-makers in the Level 3 group.

Where the Level 3 group holds external exposures on behalf of a third party, with the associated risk being borne by the third party, APRA would not consider this a risk exposure to the Level 3 group. There may be particular risks associated with those business operations, such as operational risk, and APRA expects that a Level 3 Head would consider the appropriateness of capturing these risks in its aggregate risk exposures policy.

The Board is responsible for determining the appropriate level of aggregate risk exposures. The policy would be expected to outline the governance arrangements for procedures, systems and controls that are in place for the appropriate management of exposures. The Board is required to approve this policy but can delegate implementation of policy and oversight of exposures to a board committee, such as the Board Risk Committee.

The aggregate risk exposures policy and related processes would be expected to be integrated with the group’s risk management framework. In particular, APRA expects that aggregate exposure limits would be incorporated in the group risk appetite statement.[1] 

A Level 3 Head would consider the establishment of standard definitions of risk across the group, where appropriate. The development of a risk taxonomy can assist the communication of risk issues across a Level 3 group, enhancing the Level 3 Head’s ability to understand and manage the risk profile of the group.

3PS 221 requires the aggregate risk exposures policy to include exposure limits that are commensurate with the Level 3 group’s capital strength, risk appetite, risk profile, and the size, business mix and complexity of the group. A Board may consider how exposures of the Level 3 group interact to change the aggregate risk of the group. For instance, an exposure to an overseas counterparty would be considered as part of a limit to that counterparty and to the relevant geographical location. APRA expects that the Level 3 Head would have processes to confirm that the classifications of risks facilitate an appropriate assessment of the risk profile and to ensure the group does not assume more risk than its risk appetite.

3PS 221 requires the aggregate risk exposures policy to outline the roles and responsibilities of the Board, its board committees, and senior management of the Level 3 group. APRA expects a Level 3 Head would also consider the role of the group’s risk management function in supporting the management of material aggregate risk exposures.

APRA expects the Board and senior management of the Level 3 group to understand the limitations and assumptions relating to material aggregated risk exposures. A Level 3 Head is expected to use stress testing and scenario analysis to assess the adequacy of its aggregation capabilities and risk reporting. The results of these assessments would feed into the Board’s awareness of aggregate risk exposures and would prompt consideration as to the Board’s appetite for these exposures and the appropriateness of limits. In addition, these assessments would highlight any limitations with aggregation capabilities and risk reporting in periods of stress.

Governance arrangements would include organisational structures to support information flow between Level 3 institutions and the Level 3 Head. These organisational structures would align with the risk management framework to confirm that the identification and management of aggregate risk exposures is not impeded.

APRA expects aggregate risk data to be of sufficient quality[2] to enable the effective management of a Level 3 group’s risk profile and support risk-based decision-making. APRA expects Level 3 Heads to coordinate the aggregation of risks to a level that is useful and meaningful for decision-makers. A Level 3 group should have the capability to aggregate risk in a timely manner.

Decision-makers may require timely access to documentation and other information on all aspects of the business to form judgements as to the nature and extent of aggregate exposures. For instance, where the group has a credit exposure to a counterparty, a decision-maker would consider the appropriateness of also having an insurance exposure to the collateral supporting that credit exposure.

APRA expects Level 3 Heads to be able to disaggregate the constituent elements of an aggregate risk exposure. Being able to understand the elements of an aggregate risk exposure provides insight into the true nature of the risk and how it interacts with other risks to the organisation. The ability to sort, merge or break down sets of data would reflect a robust data framework that enables the aggregation of exposure and risk measures across business lines, prompt reporting of limit breaches and forward-looking scenario analysis and stress testing.

The needs of decision-makers should drive improvements in data aggregation capabilities. APRA expects that requests for improvements are appropriately documented, assessed and appropriately escalated so that risk data capabilities continue to best serve the needs of decision-makers.[3] 

APRA expects a Level 3 group to have practices and procedures to identify data deficiencies and, where necessary, implement an improvement program so that data management does not impede effective risk management. Where there is a deficiency in data quality, APRA expects the Board to allocate sufficient oversight and resources for rectification. APRA expects that a Level 3 group would already have the data necessary for appropriate risk aggregation and that this data would not be encumbered by unnecessary barriers to retrieval, or rely on onerous manual adjustments for collation.

Good practice is that risk reporting is accurate, comprehensive, clear and useful, and can be provided to decision-makers on a timely basis. Risk reporting would be based on adequate aggregate risk data capabilities and be presented in a manner that is clear, concise and useful to the intended recipient. A Level 3 Head would determine respective risk reporting requirements that best suit the needs of its Board and the group’s senior management given the size, business mix and complexity of the group.

APRA expects a Level 3 Head to have access to and commission both regular and flexible ad hoc reporting. The frequency of risk reporting depends on the needs of decision-makers. APRA expects reporting on material aggregate risk exposures to be presented to the Board at least quarterly. In periods of stress, given the speed of decision-making likely to be needed and that the nature of aggregate risks can change quickly, the frequency of reporting would be expected to increase.

The amount of detail presented in reports would reflect the needs of decision-makers to fulfil their roles and responsibilities. APRA expects risk reporting to vary between business lines, divisions and institutions within the group. Where appropriate, risk reporting would include assumptions on whether a risk is material on an individual or aggregate basis.

When determining what information to include in reporting, decision-makers would consider whether an appropriate balance between accuracy and information that is available has been achieved. A report may still satisfy a decision-maker’s needs even if the data is merely indicative or is subject to a margin of error or other relevant conditions. However, a comprehensive report may not meet the user’s needs if it is not timely. Reporting would inform the decision-maker of the degree to which data is relevant, appropriate for the intended purpose and meets business specifications.