The Risk Management Function

Chapter 45 of the Stage 2 Key Code and Advanced Handbook examines the risk management function beginning with APRA’s requirements for the second line of defence risk management function. There follows other functions and responsibilities of the second line of defence including second line of defence variables, risk identification variables and monitoring variables. We then examine the Westpac second line of defence monitoring variables, second line of defence skills, capabilities and stature and the Westpac Reassessment on second line frameworks, controls and standards. We continue with APRA’s failings in operational and compliance risk policies, frameworks and management, the Westpac common risk and control language, Westpac’s process to regularly review, assess and test controls and Westpac’s identification of new, emerging and heightened risks. We conclude this section of the Chapter with risk reporting of the second line risk management function. Section 45.2 examines the Enterprise Risk Management (ERM) framework and shortcomings in ERM practice. Section 45.3 reviews resources for risk management. Section 45.4 then moves to examine risk identification, monitoring and control with an introduction to internal controls. Section 45.5 is an introduction to communication of risk including principles for identification, escalation/communication and disclosure of risk: at customer level; at the first-line of defence business unit level; at the second line of defence risk management function level; at whistleblower level; and at the board level reporting to shareholders and the external market/stakeholders. Section 45.6 examines escalation of risk information upwards through ‘red flags’ including reporting lines of the CRO. There follows discussion of the failure of ‘red flags’ as a failure in board’s oversight of risk management, failure by senior management to escalate ‘red flags’ or information upwards to the board and failure by the second-line risk management function to escalate ‘red flags’ or information upwards to the board including communication in corporate hierarchies with unitary boards. The latter includes two steps – the second-line ‘red flag’ functions and second-line principles for communication of risk. Section 45.10 reviews the APRA and Westpac Review Team 2018 identification of failures to escalate ‘red flags’ from staff including APRA issue identification, escalation and resolution and Westpac issues and incidents identified by Westpac employees. Section 45.11 examines APRA and the Westpac Review Team 2018 identification of failures to escalate ‘red flags’ from customers including: Westpac customer complaints; Westpac identification of systemic customer complaints; Westpac customer complaint reporting; Westpac escalation of customer complaints; and Westpac identification of vulnerable customers. In Sect. 45.12 we review APRA and the Westpac Review Team 2018 identification of failures to escalate ‘red flags’ from regulators and whistleblowers. Section 45.13 reviews the APRA identification of failures in financial objectives and prioritisation. There follows in Sect. 45.14 a discussion of compliance as part of the second line of defence including the effectiveness of the compliance function. Chapter 45 concludes in 45.15 with APRA’s identification of failings in accountability and responsibility including: the approach to governance variables for failings in accountability and responsibility; the governance variables themselves for failings in accountability and responsibility; and APRA’s recommendations for accountability.