APRA’s final harmonised and enhanced risk management requirements


On 31 January 2014, APRA released a package to harmonise and enhance risk management practices and requirements across the industry, including authorised deposit-taking institutions (ADIs), general and life insurers, and Level 2 (single industry) and Level 3 (conglomerate) groups.

The package includes:

  • final APRA Prudential Standard CPS 220 Risk Management (CPS 220);
  • final APRA Prudential Standard CPS 510 Governance (CPS 510);
  • APRA response paper to submissions received on the CPS 220 consultation paper released in May 2013; and
  • draft APRA Prudential Practice Guide CPG 220 Risk Management (CPG 220).


On 9 May 2013, APRA released draft CPS 220, a draft updated CPS 510 and an accompanying discussion paper, Harmonising Cross-Industry Risk Management Requirements, for public consultation.

The proposal sought to:

  • harmonise risk management requirements by consolidating the requirements that apply to ADIs, general and life insurers, authorised non-operating holding companies and Level 2 and Level 3 groups; and
  • bolster risk management governance requirements to reflect APRA’s heightened expectations.

APRA’s consultations on the May 2013 draft package closed in late 2013.

Registrable superannuation entity licensees are not subject to CPS 220 as those licensees are already required to comply with APRA Prudential Standard SPS 220 Risk Management, which contains superannuation-industry requirements.


Significant risk management requirements introduced in the May 2013 proposals included (but were not limited to):

  • establishing a designated risk management framework within the APRA-regulated institution, including appointing a Chief Risk Officer (CRO) who:
    • is independent, and is involved in (and provides an effective challenge to) activities and decisions that may materially affect the institution’s risk profile;
    • has a direct reporting line to the Chief Executive Officer (CEO) and unrestricted access to the Board Risk Committee (BRC), which is also to be established under CPS 220; and
    • cannot be the CEO, the Chief Financial Officer, the Appointed Actuary or the Head of Internal Audit;
  • establishing a BRC comprised of non-executive directors that:
    • provides the Board with objective oversight of the implementation and operation of the risk management framework;
    • may be composed of the same people as the Board Audit Committee (BAC), although the two committees must operate under different charters; and
    • conducts regular reviews of, and makes recommendations to the Board on, the Remuneration Policy to be established under CPS 510;
  • establishing a BAC which is to:
    • assist the Board by providing an objective non-executive review of the effectiveness of the financial reporting and risk management framework; and
    • provide prior endorsement for the appointment or removal of the institution’s external auditors and Head of Internal Audit;
  • meeting risk management requirements at a group level, with the following flow-on changes to APRA’s approach to group risk management:
    • where the individual Boards within a group are satisfied that the required risk management standards are met, the Board of the Head of a Level 2 or Level 3 group will be able to complete the risk management attestation on the group’s behalf;
    • the Head of the group must develop and maintain processes to coordinate, identify, measure, evaluate, report and control or mitigate all material risks across the group, and must also capture material risks arising from any non-APRA-regulated institutions within the group; and
    • the Head of the group must develop and maintain a Board-approved liquidity management policy.

Many submissions received by APRA raised concerns about resourcing constraints in having an operationally independent CRO, and queried the separation between the BRC and the BAC. APRA has retained all significant requirements that were proposed in the draft prudential standards and has not changed its stance on its proposals.


Draft CPG 220 is intended to provide practical guidance to APRA-regulated institutions in complying with their obligations under CPS 220, but it does not have the force of law.

APRA’s key expectations under draft CPG 220 are summarised below.

Risk management culture

Foster a sound risk management environment with the development of a Code of Conduct, ongoing risk education and processes to ensure behaviour is monitored and managed within risk appetite.

Group risk management

Before relying on the group’s risk management framework, assess that framework against the size, business mix and complexity of the institution’s own operations to ensure it is ‘fit for purpose’, and be able to provide a summary of this assessment.

Risk management framework

Have a clearly articulated risk appetite statement that is actively developed and reviewed by the Board and communicated appropriately throughout the business operations to ensure consistent implementation.

Be able to demonstrate how the institution determines materiality of risk categories and identify the key risk drivers.

Express risk tolerance, to the extent possible, as measurable limits, and develop and implement a plan of action to review any risk that falls outside the risk tolerance level and reduce it to an acceptable level.

Have sufficient information in the risk management strategy to communicate how the institution identifies, measures, evaluates, monitors, reports and mitigates material risks of its operations.

Through the risk management function, assist the Board and senior management, including by providing education and advice, and facilitate the development of the desired risk culture.

Appropriately structure the risk management function, for example by placing risk management personnel within business line divisions.


Have an appropriately skilled CRO who has direct access to the CEO and authority in decision making.

Where an Australian branch operation relies on a global CRO, that CRO must have sufficient oversight of risk management in the branch, and the branch should be able to demonstrate that the global CRO can fulfil the role of CRO to the Australian institution.


It is not expected that risk management would be outsourced as a matter of common practice.

Monitoring and reporting

Establish, maintain and document effective management information systems, and implement controls to ensure that the data in those systems is current and accurate.

Annual reviews may examine particular elements of the risk management framework in depth and on a rotational basis, so long as every element of the framework is reviewed at least once every three years.

The three-yearly comprehensive review is to provide a holistic, institution-wide view of the risk management framework, comparing the institution’s current practice against better practice.

Risk management declaration

The two directors who sign the declaration should obtain reasonable assurance, and independent advice where necessary, on the matters on which they make the declaration.

Where a group’s Board decides that a qualification in the declaration of a Level 1 institution does not result in a qualification of the group declaration, the reason should be articulated.

APRA notification

Any notification to APRA about a material change to the institution’s risk profile or business operations, as required under CPS 220, should be made within 10 business days of the Board becoming aware of the current or proposed material change.


CPS 220 and the revised CPS 510 will take effect from 1 January 2015. Written submissions on draft CPG 220 were due by 28 March 2014, and APRA has indicated that it expects to finalise the prudential practice guide in the first half of 2014.

We are available to provide you with further information or guidance about APRA’s package of enhanced risk management requirements.

Please contact a team member listed below for further information.


The content of this publication is for reference purposes only. It is current at the date of publication. This content does not constitute legal advice and should not be relied upon as such. Legal advice about your specific circumstances should always be obtained before taking any action based on this publication.

Michael Chaaya

Partner. Sydney
+61 2 9210 6627


Joanne Dwyer

Special Counsel. Brisbane
+61 7 3228 9375


Christine Maher

Consultant. Brisbane
+61 7 3228 9413