Our risk approach
Every day AMP monitors and manages risks to deliver sustainable growth, protect our business and our customers’, shareholders’ and employees’ interests, and meet our legal and regulatory obligations.
Risk is inherent in our business and industry. As such, we take measured risks to achieve AMP’s vision of ‘helping people own tomorrow’ and deliver sustainable value to our shareholders. Effective risk management supports informed decision-making and aids in capitalising on business opportunities to support achievement of strategic objectives. The board and management consider effective risk management to be fundamental to AMP’s long-term sustainability and reputation. In addition, the board and management believe effective risk management requires a risk-aware culture amongst all employees, which in turn promotes risk-informed decision-making.
How we manage risk
The enterprise risk management (ERM) framework provides the foundation for how risks are managed across AMP. There are five key elements of the ERM framework as below: governance, risk strategy and appetite, the risk management process (encompassing how AMP identifies, measures, monitors and optimises risk), systems and data, and people and culture.
Board and risk committees
The AMP Limited Board is ultimately responsible for the ERM framework and oversight of its operation by AMP’s management. In particular, the board is responsible for setting AMP’s risk appetite, the strategic plan and risk management strategy. It also monitors policies and business practices to align achievement of strategic objectives with AMP’s risk appetite and with applicable laws and regulations. The Risk Committee and board review the ERM framework at least annually to satisfy themselves that it continues to be sound.
The board’s oversight, review and monitoring of the effectiveness of risk management at AMP are supported by board committees and management committees. The Risk Committee oversees the implementation and operation of AMP’s ERM framework and the risk culture within AMP. The Audit Committee assists by providing an objective non-executive review of the effectiveness of the ERM framework.
AMP also has management committees to assist in overseeing risk management. The Group Risk and Compliance Committee guides the implementation of risk management practices, processes and systems, and oversees all material risk exposures and risk decisions facing AMP. The Group Asset and Liability Committee oversees financial risks across AMP in relation to capital and financing, and the risk appetite as it relates to financial risk and shareholder capital.
Three lines of defence
We have a ‘three lines of defence’ approach to risk management accountability:
Line 1 – management is responsible for identifying, assessing, monitoring and managing material risks in the business. Business unit teams are responsible for decision-making and the execution of day-to-day business, while managing risk and the resulting profit and loss in line with the board’s risk appetite and strategy.
Line 2 – the Enterprise Risk Management team, led by the CRO, is responsible for designing, implementing and monitoring the practices and processes to identify, assess, monitor and manage material risks, and providing advice and oversight on material business decisions. The team also provides objective advice and challenge to the first line’s decisions and provides assurance to the board that the risk profile is aligned with the board’s expectations.
Line 3 – the Internal Audit team provides independent and objective assurance to the board on the operational effectiveness of risk management across the business and the effectiveness of our control processes.
The ‘three lines of defence’ approach is designed to provide assurance to management and the board that risks are identified, managed and reported effectively. Further information about the operation of this approach is outlined below.
Line 1: Management and employees within the business
Management and employees within the first line are responsible for driving a risk-aware culture, and owning and managing risks within their day-to-day business areas. With support and oversight from the Enterprise Risk Management team and CRO, business unit teams develop and implement processes that meet the requirements of the framework, and monitor and review the business environment to identify, understand, escalate and report on risks, issues, incidents and changes in the business unit. In addition to these activities, management and employees within the business are responsible for the timely reporting and escalation of relevant information to senior management, committees and boards.
Line 2: CRO and the Enterprise Risk Management team
The CRO heads up Enterprise Risk Management, which is independent to the business function, reports to the CEO, and has unrestricted access to the various boards and committees. The CRO has primary responsibility for the design and establishment of the ERM framework and oversight of the first line’s implementation and operation of the framework. If there are material breaches or deviations from the ERM framework or the ERM framework did not adequately address a material risk, the CRO, on behalf of the board, will notify APRA and a qualification will be included in the board’s annual risk management declaration to APRA with a description of the cause and circumstances and steps taken, or proposed to be taken, to remedy the problem.
Line 3: Internal Audit & External Audit
Our Internal Audit team provides the board and management with an independent and objective evaluation of the adequacy and effectiveness of the controls over the risks for AMP and its subsidiaries. The team calls on support and advice from external experts as required.
To maintain independence, the Internal Audit team does not have responsibility for any of our business or risk management processes or practices. The Director of Internal Audit has a reporting line to the Chairman of the Audit Committee and regularly meets with the committee without management present. The Audit Committee assesses the adequacy, performance and independence of the Internal Audit function annually and was satisfied with the results of this assessment in 2017. An independent quality assurance review of the effectiveness of the Internal Audit team, and its compliance with international internal audit standards, is undertaken periodically, with the next review expected to be completed, by a third party, in 2018.
AMP has appointed Ernst & Young (EY) as the company’s external auditor with the lead auditor rotating every five years unless special circumstances require this to be extended for additional years. Our Audit Committee has adopted a charter of audit independence, which sets out a framework to assist in maintaining the independence of EY as a result of its business dealings with AMP.
At each AGM, shareholders are given the opportunity to ask the lead auditor questions relevant to the conduct of the audit, the preparation and content of the auditor’s report, the accounting policies adopted by AMP in relation to the preparation of the financial statements, and the independence of the auditor in relation to the conduct of the audit.
The risk appetite statement articulates the AMP Limited Board’s expectations of the amount and nature of risk AMP is willing to accept in the pursuit of its strategic objectives. The risk appetite statement covers the major impacts of material risk types relevant to AMP, and can be used to influence risk and reward trade-off decisions and support AMP’s desired risk culture.
The major impacts of risk are classified into four dimensions: earnings stability, capital adequacy, liquidity, and reputation, as outlined in the table below. These four impact dimensions have been established to enable a consistent way for AMP to identify, measure and manage material risk types and are used to limit risk taking across business activities. They are the mechanism for APRA-regulated and major AMP entities to set their risk appetite and the qualitative and quantitative metrics to monitor and report performance against the risk appetite statement limits.
|Capital adequacy||This reflects AMP’s level of protection/buffer against significant losses in tail events that could leadto insolvency/default or emergency balance sheet restitution|
|Earnings stability||This constrains excessive volatility of earnings and guards against surprises that lower the predictability of returns to shareholders|
|Liquidity||This reflects AMP’s level of protection against a period of prolonged funding stress and ensures the group can meet its cash obligations without having to resort to an asset fire sale|
|Reputation||This reflects the extent to which AMP is willing to accept unexpected failure to meet customer, adviser, shareholder, regulator or employee expectations. This dimension is difficult to quantify but can be a substantial threat to AMP’s overall reputation and long-term value|
AMP’s risk management strategy provides an overview of how the ERM framework addresses material risks at AMP. The risk appetite statement and risk management strategy support the development of AMP’s corporate strategy and are designed to ensure that the impacts of the strategic objectives on the risk profile are within the board’s risk appetite and are effectively managed. The risks arising from setting the corporate strategy and risks to achieving the strategy are also identified and considered in relation to the board’s appetite.
AMP’s risk management process articulates how AMP identifies, measures, monitors and optimises risks. Risk identification is the process of determining which risks could potentially prevent the achievement of AMP’s objectives. Risk assessments are conducted to measure the ‘likelihood’ of the risk occurring and the ‘impact’ it will have on AMP’s business should it occur, taking account of the controls and structures in place to manage risk. Risks are monitored and reported so that any change in AMP’s risk exposures can be identified and managed. Depending on whether the risk is within the risk appetite, actions are taken to either optimise or mitigate the risk.
In an environment where the operating landscape is rapidly shifting, AMP has developed a process to proactively identify and assess emerging risks and opportunities. Emerging risks and opportunities are defined as possible events which may occur but are not yet fully understood and have the potential to significantly impact AMP in the future. Selected emerging risks are chosen for deeper analysis and stress testing to assess the potential likelihood and impact, and to determine appropriate actions if necessary.
Access to robust systems and appropriate data is fundamental for supporting an effective ERM framework. Risk systems capture elements of the risk management process and measure the effectiveness of controls in managing risks. Our systems and databases monitor any changes in the potential impact or likelihood of current or emerging risks, ensuring that risks can be responded to and reported appropriately at all levels of the organisation.
The board and management believe that effective risk management requires a sound risk culture that drives the right behaviours and supports AMP’s values of integrity, help and performance.
AMP’s risk culture framework defines risk culture as AMP’s attitudes, values and behaviours towards risk management. Simply put, it is how we operate on a day-to-day basis. The board oversees and assesses AMP’s risk culture through a combination of qualitative and quantitative metrics which include risk management practices, people and customer measures and people surveys. AMP is committed to improving risk culture to keep pace with regulatory, customer and community expectations. As such, AMP focuses on embedding risk awareness into AMP’s broader culture to integrate risk into decision-making.
AMP also integrates effective risk management into the remuneration framework throughout the organisation. Risk behaviours and controls are a key consideration in the assessment of remuneration outcomes.
In addition to a risk-aware culture, AMP is committed to maintaining an appropriately skilled and staffed ERM function to provide a sufficient line of sight, access and input into key risk decisions. The ERM function also supports AMP by developing the ERM framework, policies and procedures to facilitate a consistent approach to the identification, assessment and management of risks.
Given the nature of our business environment we continue to face challenges that could have an adverse impact on the delivery of our strategy. The most significant business challenges (in no particular order of importance) include, but are not limited to:
Competitor and customer environment
Our strategy is set based on existing and expected business environmental factors including business cycle, technology, customer preferences and competitive landscape. Significant changes in these environmental factors may disrupt AMP’s business operations. For example, a significant change in customer preferences may impact sales volumes, revenue and customer satisfaction.
AMP has programs in place aimed at anticipating and responding to threats and opportunities that arise from changing customer preferences and competitor strategies and capabilities.
Cyber security threats
Cyber risk continues to be a focus area across all industries. We recognise that cyber risk will continue to be a threat in a rapidly changing technological environment and that the magnitude and costs of cybercrime vary depending on the nature of the attack.
AMP is committed to investing in enhancing our cyber security network and we have several detective, preventative and responsive controls to protect our assets and networks. While we are committed to enhancing our cyber security network, we recognise it is inevitable that cyber-attacks will occur. In assessing and mitigating cybercrime, we regularly consider vulnerabilities and potential ways to mitigate failures of people, processes and technology.
AMP’s promise to help people ‘own tomorrow’ requires continuous updating of products, services and customer experiences. Managing continuous change can place significant pressure on employees.
AMP has invested heavily into developing new approaches, models and ways of working to drive efficiency. We recognise that failure to appropriately manage the implementation of these changes can cause disruption to AMP’s business operations. To manage this, AMP has dedicated resources with appropriate skills and expertise who establish change programs and manage the transition.
Business, employee and business partner conduct
The conduct of financial institutions is an area of significant focus. There is a risk that business practices and management, staff or business partner behaviours may not deliver the outcomes desired by AMP or meet the expectations of regulators and customers. An actual or perceived shortcoming in conduct by AMP or its business partners may undermine our reputation and draw increased attention from regulators.
AMP is committed to establishing a culture of help, integrity and performance. Our code of conduct outlines the minimum standards of behaviour and decision-making and our expectations for how we treat our employees, customers, business partners and shareholders.
AMP also works to provide a safe and respectful environment that encourages all staff to be confident and speak out about any potential conduct issues. All employees, contractors and third parties can use the Your Call program to raise concerns including regarding unethical behaviours as a whistleblower. The CRO is AMP’s designated Whistleblower Protection Officer, and has direct access to the CEO and board.
Further to this, we are committed to ensuring the right culture is embedded in our everyday practices, with risk explicitly considered as part of the remuneration framework. The CRO is also given an additional discretion to adjust the bonus pool for significant failures in conduct or risk management.
AMP operates in multiple jurisdictions across the globe. Each one of these jurisdictions has legislative and regulatory requirements that AMP is committed to meeting. These requirements are also subject to reform.
AMP has established internal policies, frameworks and procedures to seek to ensure our domestic and international regulatory obligations are met in each jurisdiction. Processes are also in place to manage the implications of regulatory change on our business performance. AMP has developed a curriculum of mandatory compliance training that all employees must undertake to ensure awareness of their general compliance obligations.
Regulatory and compliance risks, breaches, consultations and general interactions are reported as part of our internal risk and compliance reporting process, and to the relevant regulators as and when required. At any point in time, a number of investigations, consultations and general interactions may be in progress with our key regulators. We actively participate in these interactions and fully cooperate with regulators on such matters.
The Australian financial services industry is currently responding to a Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry, established on 14 December 2017. The outcomes of this Royal Commission for AMP and the industry are uncertain at this time. AMP has welcomed the opportunity to contribute to the Royal Commission and supports its intent to provide certainty to the financial system and help restore the community’s trust and confidence in the industry.
AMP has categorised risk in seven material risk types which are monitored, assessed and reported to the board and relevant committees to ensure that risk is managed appropriately. The risk types and definitions are noted below.
|Strategic risk||Risk of loss or foregone value associated with strategic decisions and competitive positioning of the business and our ability to respond in a timely manner to changes in the regulatory, customer or competitive landscape|
|Credit risk||The risk of loss or foregone value due to non-payment of a contractually required payment by a counterparty|
|Market risk||The risk of loss or foregone value due to adverse movements in market prices and investment values. This may be due to economic changes or events that have an impact on large portions of the market|
|Insurance risk||The risk of loss due to adverse developments in morbidity/mortality rates, longevity, expense, and changes to policyholder behaviour|
|Liquidity risk||The risk of loss due to an inability to fund or trade liquidity risk at a given period to meet debt obligations at a reasonable price|
|Concentration risk||The risk of loss due to a series of exposures with the potential to produce large enough losses. It may arise in the form of credit concentration, market correlation, cross risk types, pandemic, which may have been accumulated over time|
|Operational risk||Risk of loss resulting from inadequate or failed internal processes and systems or from external events
Within these risk types, the specific risks that AMP is exposed to are identified, measured, monitored and managed. The impact of these risks is assessed against the four risk dimensions outlined above. Stress and scenario testing is performed periodically to assess the potential impacts and resilience to risk in stressed periods.
Failure to identify or address existing or emerging economic, environmental and social sustainability issues could result in material reputational or financial loss. AMP continuously considers and improves on the ways in which economic, environmental and social sustainability is incorporated into our business operations, and this work is supported by a range of programs, policies and processes including:
– reducing AMP’s impact on the environment, by setting targets and pursuing a range of waste, energy and emission-reduction initiatives at AMP office locations. AMP is reviewing the recommendations of the Financial Stability Board's Taskforce on Climate-Related Financial Disclosures (TCFD), within the context of our existing approach to climate risk.
– integrating environmental, social and governance (ESG) factors into investment decisions and engaging in active ownership practices across asset classes, by AMP’s investment management arm, AMP Capital. This framework is detailed in AMP Capital’s ESG and Responsible Investment Philosophy and includes divestment from tobacco, cluster munitions, landmines, and biological and chemical weapons. AMP Capital also engages with investee companies, encouraging sound decision-making and risk management, appropriate capital allocation, good board composition, fair remuneration and open and honest disclosure.
– supporting and developing our people through a range of development and career opportunities, actively supporting employee wellbeing, providing a range of employee benefits, and promoting inclusion and diversity in our workforce.
– investing in the community through the AMP Foundation – AMP’s philanthropic arm – whose goal is to create a better tomorrow for everyone, especially people facing challenges in accessing education and employment opportunities. The AMP Foundation supports charities that give disadvantaged Australians life-changing learning and work opportunities. It also supports AMP employees and financial advisers to share their time, skills and resources with people in need, and backs amazing Australians who are doing great things in the community through its AMP Tomorrow Fund grants. Through the AMP Scholarships program, the AMP group also helps extraordinary New Zealanders to pursue their dreams.
AMP manages its exposure to economic, environmental and social sustainability risks in accordance with the risk management framework, strategy and processes outlined above.
In accordance with the Corporations Act 2001 (Cth) and the ASX Corporate Governance Council’s Corporate Governance Principles and Recommendations, before the board approves AMP’s financial statements for each financial year, the CEO and the CFO are required to provide the board with a declaration of their opinion as to whether:
– the financial records for the financial year have been properly maintained
– the financial statements and notes for the financial year comply with the appropriate accounting standards and give a true and fair view of the financial position and performance of the AMP group, and
– their opinion has been formed on the basis of a sound system of risk management and internal control which is operating effectively.
The CEO and the CFO provide a certification in similar terms before the board approves AMP’s half-year financial statements.