ASIC expects Credit Licensees to predict future events that may impact (positively or negatively) on business activities and to take appropriate actions to address the impact of these events. Under s47 of the NCCP Act, this Risk Management Programme is required as one of the General Conduct Obligations for Credit Licensees.

Risk management forms an important part of corporate governance and should be closely linked with your Compliance Programme. For every business risk identified, there is a corresponding compliance obligation designed to either control or treat the risk. For example, the timely response to a complaint to avoid further issues including legal action.

Every business is different, with varying resources and its own goals and objectives. As a result, there is no one size fits all solution for risk management. You need to determine what internal and external factors could have a significant impact on your business, the likelihood that the impact will occur and the resultant situation.

Where a risk is deemed unacceptable to the business, implementing management controls to mitigate these events can help prevent catastrophic outcomes. Risks that may have a limited affect on the business and are considered acceptable, or where the cost of ongoing preventative measures exceeds that of the cost of response after the fact, still need to be detailed in your programme to ensure resources are allocated as required.

An effective Risk Management Programme should include how the business identifies key business risks, analyses these risks and implements appropriate management controls. Australian Credit Licensees need to demonstrate their compliance by reviewing the effectiveness of their Risk Management Programme regularly.

For more information, please call QED Risk Services on 1300 817 662.