Risk Management Policy and Procedures
1. Risk Management Policy
2. Updates
3. Risk management documentation
4. Ongoing process
4.1 Review Processes
4.2 Establish the context
4.3 Identify Risks
4.4 Risk Analysis
4.5 Risk Evaluation
4.6 Risk Treatment
4.7 Monitoring and Review
4.8 Communication and Consultation
4.9 Insurance Broker Fraud
5. Financial Crime Compliance
5.1 Introduction
5.2 PURPOSE
6. Bribery
6.1 Introduction
6.2 Bribery Risk Assessment
6.3 Bribery Guidance for Staff
7. ANTI MONEY LAUNDERING (AML)
7.1 Introduction
7.2 Lloyds Binders
7.3 Suspicious Activities
8. INTERNATIONAL SANCTIONS
8.1 Introduction
8.2 Obligations
1. Risk Management Policy
1.1.1 Our Risk Management Policy spells out the way in which the business will manage the risks that we face.
1.1.2 A risk is the chance of something happening that will have a detrimental impact upon business objectives and goals. It is usually measured in terms of consequences and likelihood.
1.1.3 Risk Management is the culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects. The outcome should be that the business suffers no significant unpleasant surprises.
1.1.4 Risk management is recognised as an integral part of good management practice. An effective Risk Management program is also a mandatory requirement for businesses that are licensed under the Corporations Act. ASIC have issued guidance on this issue in RG104 (RG104 - Licensing - Meeting The General Requirements).
1.1.5 The Corporations Act requires an Australian Financial Services Licensee to have appropriate risk management in place to manage the possible financial loss suffered by a Licensee that would negatively impact their ability to provide their services fairly and efficiently.
1.1.6 The major risks that could cause such losses are specifically addressed within the Risk Identification Table.
1.1.7 This policy has the full support of the board and senior management and is seen as a key component in ensuring our long-term success and viability.
1.1.8 The effective management of risks reduces the likelihood of major disruptions to the plans of the business and increases the chances of the business achieving its goals.
1.1.9 All major or catastrophic risks, whether they be physical, financial, economic, legal etc are to be included within the formal risk management program.
1.1.10 A formal risk management assessment of the business will be conducted in conjunction with and integrated into the annual Business Planning process.
1.1.11 Apart from the annual formal review, the identification, assessment and management of risks will form part of all major decision-making processes within the business.
1.1.12 The Responsible Manager(s) is ultimately responsible for managing risks to the business and ensuring the effective application of our Risk Management Policy and Procedures.
1.1.13 In some situations it may be necessary to call on the support of outside bodies to help in the risk management process and such an approach is strongly recommended when required.
1.1.14 These Risk Management Policy and Procedures have been developed in conjunction with the Australian Standard 4360-2004 (AS NZS 4360-2004 Risk Management).
1.1.15 All staff and Authorised Representatives must be familiar with and comply with this Policy and Procedure, understand the importance the business places on the effective operation of our Policies and Procedures and are encouraged to look for improvements to our procedures.
2. Updates
2.1.1 These Policy and Procedures are updated on a regular basis. Any material changes to these Policy and Procedures will be advised by management either via Email or at our regular Staff meetings.
2.1.2 This entire document and associated forms etc are kept on the shared drive of the computer network. As such we do not recommend that a hard copy of the manual be maintained. All information can be immediately accessed on the computer network and will be guaranteed to be up to date at all times.
2.1.3 When you see an opportunity to improve a procedure kindly make the suggestion known to your manager/supervisor as we all have a responsibility to improve our standards, individually and as a Company.
3. Risk management documentation
3.1.1 The risk management process will be based on the following documentation:
· An annual review and update of the risk management program included in the annual Business Plan process including any Action Plans arising out of the review
· The maintenance of a Risk Identification Table (Risk Identification Table).
· Provision of a Risk Management PowerPoint presentation to all new staff (Risk Management Overview).
4. Ongoing process
4.1 Review Processes
4.1.1 The Risk Management Officer (RMO) is responsible for the day to day and ongoing operation and effectiveness of our Risk Management Policy and Procedures. The person allocated this responsibility is identified in our Organisation Chart with the letters RMO. The RMO works in conjunction with our Compliance Officer identified in our Organisation Chart with the letters CO to ensure operational compliance with the key obligations outlined in this Policy and Procedure.
4.1.2 The RMO is responsible for implementing effective Financial Crime procedures. The Compliance Officer is responsible for monitoring compliance with those procedures and reporting to the Board. The Compliance Officer reports to the Board at least annually and at any such time as a matter of material concern arises (including in respect of any material breach of these Policies and Procedures).
4.1.3 The Risk Management Policy and Procedures will be reviewed annually or after any major or catastrophic loss or near loss impacting on the business. Other review triggers include any claim made against the business by third parties, and significant failures impacting similar players within the industry.
4.1.4 As a key component of the annual business planning process a full risk management review will be conducted by the business. This will necessarily involve senior management together with input from staff where relevant.
4.1.5 The Risk Management review includes the following steps as per the schematic below:
a) Establishing the context in which the review will take place.
b) Identifying risks
c) Analyse risks
d) Evaluate risks
e) Treat risks
f) Monitor and Review
g) Communicate and consult
4.2 Establish the context
4.2.1 In reviewing the approach to risk it is important that we have a set of rules that guide us in the assessment of risks and which risks the business is and is not prepared to take.
4.2.2 The following risks are considered unacceptable to the business under any circumstances. Any activities or omissions that would:
a) Lead to illegal, socially irresponsible or morally deficient behaviour.
b) Result in a breach or loss of our AFS Licence or that of our Principal.
c) Result in our client’s interests not being adequately protected.
d) Result in a client making a successful claim against the business.
e) Result in a breach of any relevant industry or business code to which we adhere
f) Other unacceptable risks specifically identified in the annual Business Plan.
4.2.3 All businesses are necessarily involved in the management and acceptance of risks as part of conducting business. Our approach to business risk, given our role within the Financial Services industry, is to take a conservative and prudent approach to risk and risk acceptance or assumption. We therefore adopt a risk-averse approach when looking at how to manage risks.
4.2.4 It is expected that the business would not enter into or continue with operations that involved risks that were likely or certain in terms of probability and major or catastrophic in terms of consequence.
4.3 Identify Risks
4.3.1 The process of risk identification is key to risk management. Only those risks that are identified can be managed.
4.3.2 In identifying risks the following generic causes of risk should be included in the process.
a) Commercial and legal relationships
b) Economic circumstances
c) Human behaviour
d) Natural events
e) Political circumstances
f) Technology and technical issues
g) Management activities and controls
h) Individual activities
4.3.3 In identifying risks the program takes into account all areas of the business that the risks may affect including financial, social, political etc.
4.3.4 The following specific risks are identified as potentially involving major or catastrophic impacts and applying to all businesses within the Financial Services sector and therefore need to be included in the process.
a) Loss of AFS Licence due to breach.
b) Loss of Responsible Manager.
c) Loss of computer access.
d) Loss of computer data.
e) Loss of supplier support.
f) Damage to our public reputation and standing.
g) Failure of product supplier.
h) Significant property damage.
i) Claims made by third parties.
j) Client ownership.
k) Major client/ product supplier exposures.
l) Failure of outsourcing arrangements
m) Financing/cash flow shortfalls
n) Actions of representatives
o) Adequate staffing resources
p) Loss of business reputation within the industry.
4.3.5 It is expected that additional risks will be added to this list as part of the annual review from time to time.
4.3.6 The stakeholders impacted by risks to the business also need to be considered in this process. Specific stakeholders in relation to a Financial Services business include:
a) The Australian Securities and Investments Commission
b) Retail clients of the business
c) Wholesale clients of the business.
d) Staff
e) Shareholders
f) Product Suppliers.
g) Office of the Australian Information Commissioner (OAIC).
4.3.7 The impact of a risk on a business can vary dependent on its nature. The following is a general list of impact types that need to be considered in the process.
a) Financial
b) Service Levels
c) Legal
d) Operational
e) Human
f) Physical
4.4 Risk Analysis
4.4.1 This process separates the minor acceptable risks from the major risks and provides guidance to assist in the evaluation and treatment of risks.
4.4.2 This will usually involve an assessment of the chance of a risk occurring and factoring in the likely impact that the occurrence will have. The higher the chance and the larger the impact the more serious threat that the risk presents to the business.
4.4.3 Each risk identified in the step above will be allocated a probability and impact comment based on the following table.
Consequence/Impact / Likelihood
Insignificant / Rare
Minor / Unlikely
Moderate / Possible
Major / Likely
Catastrophe / Almost Certain
Risks identified will then be allocated a Risk Analysis weighting as follows:
Likelihood / Insignificant / Minor / Moderate / Major / Catastrophe
Rare / L / L / L / M / H
Unlikely / L / L / M / H / H
Possible / L / M / M / H / E
Likely / M / M / H / E / E
Almost Certain / M / H / E / E / E
E: Extreme, immediate action; H: High risk, senior management attention; M: Moderate, allocate responsibility; L: Low, routine processes.
4.4.4 Only risks that fall within the Extreme and High Risk Analysis categories must be included in the Risk Identification Table. Lower level risks can be included in the Table; however, no specific risk treatment is required. Lower level risks are to be managed via the usual day to day management of the business.
4.5 Risk Evaluation
4.5.1 This involves comparing the level of risk found during the analysis process with previously established risk criteria.
4.5.2 The outcome of this process should be a prioritised list of risks for further action.
4.6 Risk Treatment
4.6.1 This involves firstly the identification of the options available for the treatment or minimisation etc of the risk such as avoidance, aversion, transfer, and retention.
4.6.2 The second step involves the implementation of the treatments identified above.
4.6.3 Any changes in systems procedures etc requiring significant business planning and co-ordination will be included in the Implementation Section of the formal Business Plan. Actions that can be taken immediately to manage a risk will be documented within the Risk Identification Table.
4.7 Monitoring and Review
4.7.1 It is necessary to monitor risks, the effectiveness of the risk treatment plan, strategies and the management system that is set up to control the implementation.
4.7.2 This will be achieved by the inclusion of the risk management review function within the annual business planning process.
4.8 Communication and Consultation
4.8.1 Given the size of the business and the resources available to it the level of communication and consultation involved within the risk management procedures will be limited to staff, external suppliers where necessary, other internal stakeholders and board members.
4.8.2 However the risk management program can be shared with other interested parties upon request and approval by senior management.
4.9 Insurance Broker Fraud
4.9.1 Insurance brokers, due to the significant amount of funds that are held in and that pass through their trust accounts, face a major exposure to fraud and misappropriation of relatively large sums of money by staff and other people handling and accounting for these funds. This risk has increased over the past year with the onset of the financial woes facing the economy and many individuals (read employees).
4.9.2 Some red flags that should raise our interest in fraud include: staff living beyond their means, staff with known significant gambling habits, staff requesting early payment of wages/benefits etc.
4.9.3 We should also be aware that EFT payment fraud is increasing significantly. Some accounts payable staff have seen how easy it is to substitute their own bank account details into a list of payments ready for authorisation. The authorising officer, presented with a long list of payments, has no way of knowing if the bank account numbers are correct.
4.9.4 We have therefore implemented a Broker Fraud Checklist (Broker Fraud Checklist) to help us self-assess how well our business controls the risk of fraud.
5. Financial Crime Compliance
5.1 Introduction
5.1.1 We are committed to the highest standards of compliance with financial crime legislation and seek to follow best practice where we are able. This Financial Crime Compliance Section reflects this commitment and has the full support of our Board of Directors. This commitment is in relation to our own legal and regulatory obligations.