APRA proposes amendments to its “final” harmonised and enhanced risk management requirements


On 8 May 2014, APRA released a letter to all CEOs of authorised deposit-taking institutions (ADIs), general insurers and life companies to clarify its intent with respect to certain specific risk management matters in relation to:

  • APRA Prudential Standard CPS 220 Risk Management (CPS 220); and
  • draft APRA Prudential Practice Guide CPG 220 Risk Management (CPG 220).

The matters being refined relate to the:

  • use of the word “ensure” in the context of a board’s risk management framework and the role played by the board;
  • three lines of defence risk management model consisting of management, a Board Risk Committee and a Board Audit Committee; and
  • inclusion of a concept of materiality for the purposes of a board’s risk management declaration.


As previously advised, on 31 January 2014, APRA released a package to harmonise and enhance risk management practices and requirements across the industry including ADIs, general and life insurers, authorised non-operating holding companies as well as Level 2 and Level 3 groups. 

The package followed proposals released by APRA in early 2013 seeking to continue its focus on good governance practices by:

  • harmonising risk management requirements through consolidation of risk management requirements that apply to ADIs, general and life insurers, authorised non-operating holding companies and Level 2 and Level 3 groups; and
  • bolstering risk management governance requirements to reflect APRA’s heightened expectations.

Written submissions on the proposed CPG 220 were due by 28 March 2014 and while APRA will release a formal response to those submissions in due course, it has released a letter in the interim to propose refinements with respect to certain matters that have been raised in many of those submissions. 


In the letter, APRA proposes refinements to clarify its intent in relation to the following three areas:

Role of the Board – use of the word “ensure”

Current requirement / guidance:

CPS 220 identifies it is the Board’s key responsibility to “ensure” that it establishes and maintains a sound risk management framework. Submissions sought clarification on APRA’s intent in relation to the term “ensure” given potential limitations on what the Board is able to ensure and potential legal risks if courts or other regulators interpreted the term inconsistently to APRA’s intent.

Proposed refinement:

Originally in its response paper to submissions received on the CPS 220 consultation paper released in May 2013, APRA commented it would not change CPS 220 and commented that the Board, being ultimately responsible for the APRA-regulated institution, is expected to meet its responsibilities for risk governance by taking both active and reactive steps so that, to the best of its knowledge and having made appropriate enquiries, it meets those responsibilities. Due to ongoing concerns raised in the recent submissions to APRA, the letter states that APRA proposes to clarify its intent by inserting a definition of “ensure” into each of its general definition standards. The proposed definition is said to be consistent with APRA’s ongoing approach in relation to board and governance matters and is:

Ensure: when used in relation to a responsibility of the board, means to take all reasonable steps and make all appropriate enquiries so that the board can determine, to the best of its knowledge, that the stated matter has been properly addressed.

Three lines of defence

Current requirement / guidance:

The proposed CPG 220 outlines APRA’s expectations on using a three lines of defence risk management model to facilitate effective risk governance. The model distinguishes the role of management and the board segregating the risk governance structure into the following lines of defence:

  • First line of defence: business management who assume ownership of the day to day risks.
  • Second line of defence: Board Risk Committee that is functionally independent from the first line of defence.
  • Third line of defence: Board Audit Committee that performs an independent assurance and internal audit function.

Proposed refinement:

APRA proposes to consider appropriate amendments to CPG 220 (and if necessary CPS 220) in order to reflect concerns about APRA’s apparent expectations in relation to the three lines of defence model.

Risk management declaration – materiality reference

Current requirement / guidance:

CPS 220 requires the Board to provide APRA with a risk management declaration on an annual basis.

Proposed refinement:

APRA proposes to amend the risk management declaration in CPS 220 to include the concept of materiality for the Board declaration.


APRA will take into consideration any comments on the proposed refinements described above before finalising its response to the submissions on the proposed CPG 220 in due course.  Any comments on the proposed refinements should be emailed to APRA by 30 May 2014.

CPS 220 and revised CPS 510 will take effect from 1 January 2015.

We are available to provide you with further information or guidance about APRA’s package of enhanced risk management requirements.

Please contact a team member listed below for further information.

The content of this publication is for reference purposes only. It is current at the date of publication. This content does not constitute legal advice and should not be relied upon as such. Legal advice about your specific circumstances should always be obtained before taking any action based on this publication.

Michael Chaaya, Partner, Sydney, +61 2 9210 6627

Joanne Dwyer, Special Counsel, Brisbane, +61 7 3228 9375

Christine Maher, Consultant, Brisbane, +61 7 3228 9413