Risk Management, Culture & Governance

Agenda  What is risk management?  A framework for risk management  Establishing a good risk culture  Getting risk a seat at the table  Providing the right risk information to stakeholders  ERM – what does the “E” stand for?

What is a risk? “The effect of uncertainty on objectives”. ISO 31000: 2009 Risk Management “Those things that may stop you meeting your objectives”. Susan Crago What is risk management? Risk Management = Objectives and Outcomes Management

LIKELIHOOD (The probability of the risk materialising in the next 12 months) LEVEL PROBABILITY RANGE Almost Certain (Level 5)80% - 100%Low MediumHigh Likely (Level 4)60% - 80%Low MediumHigh Possible (Level 3)40% - 60%Low Medium High Unlikely (Level 2)20% – 40%Low Medium Rare (Level 1)0% – 20%Low Medium (Level 1) (Level 2) (Level 3) (Level 4) (Level 5) CONSEQUENCE (assess as once off or accumulation of risks) What risk management is not!

Establish Context IdentifyAssessAction Monitor and Review Escalate, Communicate and Consult A framework for risk management

Establish Context A framework for risk management Identify What is our strategy and objectives? What issues have we experienced? What risks are we currently managing? What is going on in the external environment? What are the risks that could stop us meet objectives? What would cause those risks to occur? What controls do we currently have in place? Assess How likely is it that this risk will occur? If it does occur what will be the consequence? How effective are the controls to manage this risk?

A framework for risk management Prioritisation What will we do about the risk? Nothing or something? If something what is the best action to take? Action Monitor and Review Who needs to make the decision about this risk? Who needs to take any actions on this risk? Who needs to be aware of this risk? Escalate, Communicate and Consult Are we on track with managing this risk? Has something changed so we need to review this risk?

The sales pitch Value Proposition…. 1. Making informed decisions supports prioritisation and transparency of decision making 2. Meeting business unit objectives alignment to the business strategy and objectives highlights areas of potential focus 3. Preparing for the unexpected identifying uncertainties fewer shocks and unwelcome surprises

Good risk culture ??

Impacts of poor risk culture

Establishing a good risk culture

‘Values and culture drive people to do the right thing even when no one is looking … Although value and culture cannot always be measured quantitatively, they impact governance in powerful ways.’ John F Laker - APRA Chairman (27 February 2013) Establishing a good risk culture

Getting risk a seat at the table 3 lines of defence Own and manage risks Risk management embedded in processes Promote a strong risk culture Business Units (including Executive, Managers and All Staff) First Line of Defence Independent advice, oversight and monitoring Advocate a risk culture and raise awareness of Risk Establishment of Risk Management Framework Independent Risk Function Second Line of Defence Independent appraisal of the control infrastructure Oversight of the Risk Management Framework Internal Audit Third Line of Defence

Getting risk a seat at the table

Bendigo & Adelaide Bank Group’s Vision: “We aim to be Australia’s leading customer- connected banking group.”

Providing the right risk information to stakeholders “... integral to the effectiveness of risk governance, concerns the flow of information to the board. The lack of timely, relevant and comprehensive risk information [is] often a critical weakness.” John F Laker - APRA Chairman (27 February 2013)

Good risk governance Clear risk appetite and tolerances Escalation of new key risks Monitoring of actions for key risks Monitoring of testing of key controls Consistent across risk types Providing the right risk information to stakeholders

ERM – what does the “E” stand for?  Effective?  Efficient?  Engaging?  Enterprise?

Questions?