Regulatory change and risk management

The international standard for risk management defines risk as the ‘effect of uncertainty on objectives’ and risk management as ‘coordinated activities to direct and control an organization with regard to risk’: see International Standard ISO 31000:2018 Risk management: Principles and guidelines.

If you’ve been concentrating on ticking compliance boxes, it’s likely that you don’t have enough time to identify and manage the regulatory risks in your business and to keep up with changes.

You need to move beyond thinking that an obligations register is risk management.

Evidence at the Financial Services Royal Commission hearings so far has made it clear that principles-based rules (eg to treat customers fairly) are harder for financial services providers to manage than specific rules and obligations (eg preparing and giving disclosure documents).

In APRA’s CBA Prudential Inquiry Report, the Inquiry Panel concluded that financial services providers need to look beyond black letter rules-based compliance and consider operational and conduct risk.

The report said CBA had to move beyond “can we?” and ask “should we?” engage in an activity or sell a product in the first place.

In CBA’s case, the Panel determined there was inadequate oversight of non-financial risks and that CBA needed to be proactive in dealing with risks rather than reactive.

The Report discussed the differences between regulatory risk, operations risk and conduct risk.

Under the Banking Executive Accountability Regime, directors and senior executives will each need to comply with accountability obligations to:
(i) act with honesty and integrity, and with due skill, care and diligence;
(ii) deal with APRA in an open, constructive and co-operative way; and
(iii) take reasonable steps to prevent matters from arising that would adversely affect the prudential standing or reputation of the organisation.

This will involve a new approach to regulatory compliance and managing risks and change.

I have just published a 30-minute video on managing regulatory risk, looking at issues arising from the Royal Commission, BEAR and APRA’s CBA report.

