APRA foxed by risk management rumble
Should the standard at the heart of the current controversy related to the NAB-EY risk management framework review be changed by APRA?
This is a critical issue to contemplate because the parliamentary committee looking into audit regulation, which has just had its theatrical season extended for an additional six months by parliament, has had various people make noises about APRA's risk management standard and how firms deal with it.
Let's just recap the issue briefly. Controversy arose in August 2019 when news reports surfaced about the leaking of material regarding a review done by EY of NAB's risk management framework required under CPS 220, which relates to risk management standards.
The leaks exposed that there had been further discussions by former NAB chairman Ken Henry about products that may pose future remediation risks, while Andrew Thorburn, the former chief executive officer, thought there should be meetings to workshop whether there were risks that the bank had not previously thought about.
EY neither built the risk management framework nor works underneath the framework on a daily basis, so it complied with the standard. Back to the problem at hand!
APRA must decide whether it believes there is a problem to solve here. Journalists believe there is an issue, as do some politicians, but APRA may decide it needs to do nothing in relation to its prudential standard because the intention of the standard is clear irrespective of the noise levels and concerns rising on the issue.
There are three possible alternatives if APRA believes that its guidance needs tightening because of the nature of coverage related to CPS 220 and the perception that conflicts might exist in the context of risk management framework reviews.
The first is that APRA could ban external audit firms from doing the triennial review of a client for which they do the external audit of financial statements, with other conditions related to operational independence staying in the prudential standard. This would mean a bank could still tender the review out but the external audit firm would be ineligible.
A second option is that APRA has a 'cab rank' process whereby it appoints the reviewing firm based on the situation that exists. That has fee-setting implications that would need to be confronted by the regulator, a bank and a potential reviewing firm.
Then there is the possibility that APRA gets tooled up and does the damn reviews itself so that the regulator examines these processes and produces a report every three years on specific ADIs and their risk management frameworks.
There are a series of options that can be considered by the regulator but the regulator must decide whether it believes that there is guidance to be amended.
One other factor must be considered in this context, however, and that is the interplay between the APRA guidance and the ethical standard of the accounting profession, which is the document that those with appropriate subject matter expertise and an intention for informed analysis would be examining for answers to any problems they