Under APS 310, within 4 months of its annual balance date, a mutual ("non-disclosing") ADI should provide APRA with a risk management “declaration” from the chief executive, endorsed by the board.
The “declaration” should attest that, for the past financial year:
(a) the board and management have identified the key risks facing the ADI;
(b) the board and management have established systems to monitor and manage those risks including, where appropriate, by setting and requiring adherence to a series of prudent limits, and by adequate and timely reporting processes;
(c) these risk management systems are operating effectively and are adequate having regard to the risks they are designed to control; and
(d) the risk management systems descriptions provided to APRA are accurate and current.
But what is the basis for the CEO making such a declaration or for the board’s endorsement?
Unless the ADI has a risk management system and a compliance framework in place that are reviewed and tested each year, the CEO cannot say that they are operating effectively. What independent reviews and tests do you have in place?
And if the review report contains qualifications, then the declaration should contain the same qualifications (similar to those given by auditors in FS71).