ASIC RG 259: Risk Management … It's Finally Here




ASIC has been doing some spring cleaning over the past year or so, working through a back catalogue of reforms which were put on hold around the time of the Financial Services Inquiry. For those of you who can recall, the need to introduce greater regulatory infrastructure around risk management of Responsible Entities (REs) first arose back in 2012; a regulatory hangover from the Trio scandal. Back then, ASIC sought to introduce a class order outlining a number of requirements for REs to fulfil their risk management obligations.

We know there were a few sceptics out there about ASIC's focus on risk management, and you would be forgiven for this, for there has been a lot of talk and very little action in that space. However, the risk management and asset management industries are high priorities in ASIC’s strategic agenda and, after a few false starts following the release of Consultation Paper 263 and the draft regulatory guide Risk management systems of responsible entities in July 2016 (ASIC indicated this would be released in November 2016, then January 2017), it's finally here: RG 259: Risk Management systems of responsible entities.

Who does RG 259 apply to?

Clearly, REs, but ASIC still suggests within RG 259 that this RG is also relevant to:

  • Dual regulated entities (registrable superannuation entity (RSE) licensee, regulated by APRA, that also operates schemes);
  • AFS licensees not currently operating a scheme;
  • MDA and IDPS operators; and
  • Entities operating an unregistered managed investment scheme.

When does RG 259 apply?

Now. It starts right now. ASIC has indicated that it will take a 'facilitative approach' to any breaches of the guidance in RG 259 for a period of 12 months if the licensee can show that it is taking steps to bring its risk management systems into compliance with the guidance. Note that the wording has been changed here from the previous 'constructive and conciliatory approach'.


RG 259 can be summarised in 4 areas as illustrated below and further detail of key issues can be found here.



RG 259: What is New?

For those who have been following the RE risk management discussion (and making early steps to implement ASIC's guidelines to date), there are only a few key changes since the release of the draft RG in July 2016, which are outlined below.

Board Review 

Previously there was an expectation that the RE board or its delegate reviews (at least annually) whether the risk management systems have been complied with. This review expectation is still there, but the board (or delegate) expectation has been removed.

The annual review expectation remains, however, and ASIC considers (at RG 259.38) that the RE's senior management has a specific role in ensuring that this review is undertaken, that the risk systems are current, relevant, effective and complied with, and that they remain appropriate to the business and schemes operated. ASIC has also made it clear (at RG 259.98) that there is regular reporting and escalation of risk issues to the board, risk committee and compliance committee as appropriate. The annual Independent Review, which was good practice guidance, has been removed, but the three year review remains within the good practice guidance.

Guidance beyond ASIC and Australia

ASIC expects REs and fund managers to apply international guidance, and not just standards, when developing risk management systems. This now includes the Financial Services Board (FSB) Policy Recommendations to Address Structural Vulnerabilities from Asset Management Activities when considering liquidity risk management processes. 

Corporate Governance 

When developing risk management systems, ASIC has added some emphasis to the notion that sound corporate governance and management oversight are essential parts of any effective risk management system. RG 259.30 expands on this with new governance expectations in the design and documentation of the risk management system, including policies and procedures for ensuring that adequate oversight of the risk systems is implemented (including appropriate reporting) and clearly defined roles and responsibilities are documented - all key components of any ISO 31000 risk program.

Further, when looking at risk management culture, ASIC has added that an effective risk management culture may include supporting, recognising and/or rewarding employees who demonstrate their commitment to effective risk management.

Risk Appetite Policy or Statement

This expectation remains, but in addressing the risks relevant to the RE's overall strategy to achieve its objectives (and set limits to these risks) ASIC has added that the RE should take into account any differences in the risk profiles of the schemes operated.

Liquidity Risk Management 

This area has possibly seen the most changes with additional guidance on stress testing or scenario analysis at scheme levels, including the use of liquidity management tools and reference to the FSB. At the RE level, ASIC also expects an ongoing assessment of whether the RE is complying with the financial requirements of its AFSL in addition to the liquidity risk controls at a scheme level.

RE and Scheme Risks

Whilst it is clear that ASIC expects a distinction between the material risks at a scheme level and at an RE level, RG 259.78 now makes it clear that REs are not required to keep separate risk registers for the RE and schemes as long as the material risks for the business and each scheme operated are clearly identified and addressed in the registers maintained. 

In relation to scheme risks, ASIC considers it good practice to include procedures for ensuring that material risks identified for the scheme are relevant and managed and that these procedures may be included as an appendix to the compliance plan. For existing schemes, ASIC has indicated that this should be something that is considered as part of a broader review or update of the compliance plan for those REs who do not capture their scheme risks in this format.

Examples of Risks 

The appendix to RG 259 has been updated, particularly some of the risk treatment examples.  One of the main additions here is within Market and Investment risk where a new section on leverage and short selling has been added (risks associated with the use of debt to fund business activities and short selling where there is a change in market conditions).

CompliSpace Workshops

To learn more about RG 259, CompliSpace will be running a series of workshops on Risk Management for Responsible Entities in May. 

How CompliSpace can help

CompliSpace delivers industry specific web-based programs to manage your risk and compliance requirements and activities that can be quickly tailored and configured to suit an organisation’s needs and are kept up-to-date with legal and regulatory changes by our team of specialists.

Our team of compliance professionals and lawyers combine extensive expertise with practical technology-enabled solutions to simplify the complexity of the regulatory environment and allow our clients to focus on allocating resources toward improving financial performance.

Please contact Brooke Benson to discuss your RE Risk Management and AFS licence requirements further.

