ComplianceOnline

APRA Prudential Standard GPS 220 Risk Management – An Overview and Summary of Requirements

  • By: Staff Editor
  • Date: June 14, 2013

This Australian Prudential Standard sets out the requirements for a general insurer and a Level 2 insurance group to maintain a risk management framework and strategy that is appropriate to the nature and scale of its operations.
 
The ultimate responsibility for the risk management framework and strategy of:
  1. A general insurer and a Level 2 insurance group rests with the Board of directors
  2. A Category C insurer rests with the senior officer outside Australia with delegated authority from the Board.
 
Risk Management Framework
  • A regulated institution should always have a risk management framework to manage the risks arising from its business.
  • The Risk Management Framework should provide a reasonable assurance that the risks are prudently and soundly managed according to the size, business mix and complexity of the regulated institution's operations.
  • The risk management framework should include:
  1. A written ‘Risk Management Strategy’ (RMS) that complies with this Prudential Standard and is approved by the Board
  2. Risk management policies and procedures to identify, assess, monitor, report on and mitigate all material risks, financial and non-financial, likely to be faced by the regulated institution
  3. A review process to ensure that the risk management framework remains effective
  4. Clearly defined managerial responsibilities and controls
  • The Risk Management Framework should undergo effective and comprehensive review by operationally independent, appropriately trained and competent staff at suitable time intervals.
  • The review of the risk management framework should include an evaluation of the:
  1. Risk management function
  2. RMS
  3. Internal control system
 
 
Risk Management Function
  • A regulated institution should have a Risk Management Function which should:
  1. Be appropriate to the nature, scale and diversity of its operations
  2. Be sufficiently resourced
  3. Have the necessary authority to conduct its activities in an effective and independent manner
  • The risk management function should assist the Board, any Board committee and senior management in developing and maintaining the risk management framework.
 
Business Plan
  • A regulated institution should always maintain a Business Plan approved by the Board prior to its adoption and at any time it is revised during its operational cycle.
  • The above rule does not apply to a run-off insurer if it maintains at all times a run-off plan.
  • The Business Plan should be a three-year rolling plan.
  • The Business Plan should be reviewed at least annually.
  • A regulated institution should submit to APRA:
  1. A Business Plan after each annual review
  2. Any revised Business Plan within 10 business days of Board approval.
 
Run-off Plan
  • A run-off insurer should at all times maintain a run-off plan
  • The run-off plan should be approved by the Board prior to its adoption and at any time it is amended during its operational cycle
  • The run-off insurer’s run-off plan should be a three-year rolling plan and the run-off insurer must review it at least annually
  • The run-off insurer should submit to APRA
  1. A run-off plan after each annual review
  2. Any amended run-off plan within 10 business days of Board approval
  • A run-off plan should include the following:
  1. Business overview
  2. Details of the run-off insurer’s recent experience
  3. Assessment of the expected future claims run-off experience on a rolling three-year basis
 
Risk Management Strategy
  • The RMS is a high level, strategic document intended to describe the key elements of the risk management framework.
  • The RMS should be reviewed at least annually
  • The RMS should take into account any material changes to the operations of a regulated institution. Such an RMS should be approved by the Board and submitted to APRA within 10 business days.
  • A regulated institution should not intentionally deviate from its RMS
  • In case of institutional, operational or other developments relating to the regulated institution’s operations that significantly affect its risk profile:
  1. APRA should be notified immediately
  2. Amendment should be made to the risk management framework
  3. RMS should take account of the change
  • RMS should:
  1. Outline the risk governance relationship between the Board, Board committees and senior management
  2. Describe the process for identifying and assessing risks
  3. Describe the process for establishing mitigation and control mechanisms for individual risks
  4. Describe the process for monitoring and reporting risk issues
  5. Describe the approach to ensuring relevant staff have an awareness of risk issues and instilling an appropriate risk culture
  6. Identify the persons with managerial responsibility for the risk management framework, and set out their roles and responsibilities
  7. Describe the process by which the risk management framework is reviewed, and outline the broad coverage for these reviews
  8. Provide an overview of the mechanisms in place for monitoring and ensuring continual compliance with the Prudential Capital Requirement (PCR)
  9. Provide an overview of the processes and controls in place for ensuring compliance with all prudential requirements
  • If the regulated institution is part of an Australian or global corporate group, or is a Category C insurer, RMS should:
  1. Include a summary of the group policy objectives and strategies
  2. State whether the local RMS is derived wholly or partially from the group risk management arrangements
  3. Summarize the linkages and significant differences between the local RMS and group risk management arrangements
  4. Outline the process for monitoring by, or reporting to, the parent entity or head office.
  5. Provide a summary of the key procedures, the frequency of reporting and the approach to reviews
  6. Where any element of the risk management framework is controlled by another entity in the group, or by head office, it should describe how this arrangement works
  7. Where a regulated institution is either part of a global insurance group with the head office outside of Australia or a Category C insurer, a summary of the home regulator’s supervisory arrangements regarding risk management should be included
  8. Cover both the Australian operations and the risks arising from the overseas operations of the regulated institution that could impact on the Australian operations of the regulated institution.
 
Integration of risk management framework and Internal Capital Adequacy Assessment Process
  • A regulated institution should have an Internal Capital Adequacy Assessment Process (ICAAP).
  • An ICAAP involves an integrated approach to capital and risk management for a regulated institution
  • The risk management framework and ICAAP should be consistent with one another.
  • A regulated institution should not duplicate content between its ICAAP summary statement or report and its RMS.
 
Risk Management Declaration
  • The Board should provide a Risk Management Declaration signed by two directors to APRA
  • The Risk Management Declaration must be submitted to APRA on, or before, the day that the insurer’s yearly statutory accounts or Level 2 insurance group’s annual accounts are required to be submitted to APRA
  • The requirements for the Risk Management Declaration
  • The qualified Risk Management Declaration should include a description of any material deviation from the regulated institution’s obligations, and the steps taken to remedy those breaches.
 
Financial Information Declaration
  • A regulated institution should provide APRA with a Financial Information Declaration signed by the chief executive officer (CEO) and the chief financial officer (CFO)
  • The Financial Information Declaration should be submitted to APRA on, or before, the day that the insurer’s yearly statutory accounts or Level 2 insurance group’s annual accounts are required to be submitted to APRA
  • The qualified Declaration should include a description of the cause and circumstances of the qualification, and steps taken to remedy the problem.
 
Other notification requirements
  • A regulated institution conducting insurance business outside Australia should notify APRA in writing, if:
  1. Its right to conduct business in that jurisdiction has ceased
  2. Its right to conduct insurance business has been limited by a law of the jurisdiction in which the business is being conducted
  3. Its right to conduct insurance business has been materially affected under a law of the jurisdiction in which the business is being conducted
  4. Its right to conduct insurance business has been withdrawn.
  • This notification should be provided within 10 business days of the event occurring for an insurer and within one month of the event occurring for a Level 2 insurance group.

Additional Resources

Read the APRA Prudential Standard GPS 220 Risk Management in full.

 
