
Page 1: Risk and Control Self Assessment (RCSA) Guide

For internal use only – not for distribution outside Macquarie without prior consent of Policy owner

Risk and Control Self Assessment (RCSA) Guide

Operational Risk and Compliance

Type of Document:

Guide

Version: 1.0

Last updated: 25 February 2016

Owner: RMG Operational Risk and RMG Compliance

MGL.0010.0003.0753


Contents

1. Introduction (page 3)
1.1 Objective of this document (page 3)
1.2 Governance of the RCSA Framework (page 3)
2. General (page 3)
2.1 Application (page 3)
2.2 Review of this guide (page 3)
2.3 Associated policies and related documents (page 3)
2.4 Definition of Roles (page 3)
3. RCSA (page 4)
3.1 Objectives of RCSA (page 4)
3.2 RCSA quality standards (page 4)
3.3 RCSA process (page 5)
3.4 RCSA Process – Live RCSA (page 9)
4. Roles and responsibilities (page 9)
4.1 BORMs, GBLs and BACs role in RCSA (page 9)
4.2 RMG role in RCSA (page 9)
4.3 Internal Audit (page 10)
APPENDIX A: MATERIAL RISK AND CONTROL DEFINITIONS (page 11)
APPENDIX B: RISK AND CONTROL RATINGS (page 16)
APPENDIX C: FACTORS FOR CONSIDERATION WHEN ASSESSING COMPLIANCE INHERENT RISKS (page 19)
APPENDIX D: POTENTIAL DATA INPUTS (page 26)
APPENDIX E: USE OF SCENARIOS IN RCSAS (page 27)
APPENDIX F: RCSA SUMMARY: WHAT WORKS AND WHAT DOES NOT WORK? (page 28)
APPENDIX G: RCSA OPENPAGES USER GUIDE (page 29)


1. Introduction

1.1 Objective of this document

This document provides a broad outline of the Risk and Control Self Assessment (RCSA) requirements from start to finish and outlines roles and responsibilities in executing these requirements.

1.2 Governance of the RCSA Framework

Risk Management Group (RMG) Operational Risk (Op Risk) and RMG Compliance (Compliance) are jointly responsible for reviewing the RCSA policy and this guidance. Any questions on this guidance should be directed to RMG Op Risk or Compliance Regulatory Assurance, as appropriate.

1.3 Background

The RCSA is a combined operational and compliance risk assessment replacing the ORSA and CRA (defined below). The RCSA provides senior management with visibility over the Compliance and Operational risk and control profile and the resulting actions to mitigate identified risks.

The Operational Risk Self Assessment (ORSA) is well established and it identifies and assesses operational risks. It also records the assessed performance of the controls in place to mitigate those risks. Where the control is found to be less than effective, corrective action plans are developed to address the gap or deficiency.

The Compliance Risk Assessments (CRA) were first introduced in 2013 as a Compliance tool for assessing Compliance risks that impact the business and assessing the Compliance controls that address those risks for the purpose of Compliance planning and resourcing. There are 14 defined Compliance risks, made up of 11 Compliance risks and 3 Financial Crime risks.

Conduct risks are examined throughout the RCSA by ensuring risks are assessed by reference to potential negative impacts on clients, counterparties or the fair and effective operation of the markets, arising from improper, unlawful or unethical behaviour or action.

The Financial Crime Compliance (FCC) risk assessments are conducted separately in an established process by the FCC team, who have specialised knowledge in this field. The results are incorporated in the Compliance Risk Assessment.

2. General

2.1 Application

This document is applicable to Macquarie Group (the Group).

2.2 Review of this guide

This guide will be reviewed annually by RMG Op Risk and Compliance.

2.3 Associated policies and related documents

This guide should be read in conjunction with other relevant documents:

• RCSA Policy
• Issues and actions guide (Actions guidance)

2.4 Definition of Roles

Businesses are accountable for the effective management of Operational Risk. BORMs support the businesses to implement the framework developed and overseen by RMG Op Risk.

Compliance risk is actively managed by the Business overseen by RMG Compliance, with specialised knowledge in the Business Aligned Compliance (BAC) teams, supported by Global Business Leads (GBL) and the wider centralised Compliance teams, including FCC.


The RCSA is a joint responsibility between BAC and BORMs to facilitate the Business assessment of the respective Compliance and Operational risks and controls in their businesses. The risk profile is evidenced by recording the details in OpenPages and through documenting the overview in an RCSA Summary.

The RCSA framework and oversight of this activity is provided by Regulatory Assurance and RMG Op Risk.

3. RCSA

3.1 Objectives of RCSA

RCSA is a tool to enable Macquarie to:

• Identify and assess the operational and compliance risks, including conduct risks, that exist in the business;
• Identify and assess the controls in place to mitigate those risks; and
• Document actions for any control weaknesses and prioritise and manage those risks on a consistent basis.

The primary purpose of RCSAs is to facilitate management of risks effectively and efficiently by senior management within the businesses.

RCSAs are also used by RMG to inform the overall risk profile of the Group and as an input to developing and prioritising programmes of work and resourcing.

RCSAs may also be provided to internal audit, external audit, regulators, other relevant competent authorities or other stakeholders.

RCSAs are used to assist in identifying and quantifying operational risk scenarios in the operational risk capital model.

The RCSA is further used to support representations made as to the effectiveness of controls in the:

• Management Representation Letters for the purposes of the half and full year financial reports;
• Annual representations made to the Board and APRA by the CEO; and
• Representations by the CEO and CFO as to the efficiency and effectiveness of internal controls over financial reporting for compliance with ASX Corporate Governance Guidelines.

3.2 RCSA quality standards

RMG has set the following quality standards in reviewing RCSAs:

• Live RCSA – RCSAs in OpenPages should materially reflect the risk profile of the business at all times. Risks and critical controls (as defined in section 3.3) in OpenPages and their evaluations (Effective, Needs Improvement or Ineffective) should reflect all known material information (e.g. material business developments involving new product approvals, approved incidents, results of completed control assurance, other testing and audit). RMG Operational Risk and Compliance will monitor this on a regular basis. Refer to section 3.4 for additional guidance.

• End to end view – Business RCSAs should cover controls in the business and controls within support functions. Controls in support functions that are deemed critical for business should be raised in the support area RCSA against the relevant risk in the support area. Business RCSAs should consider those critical controls in support area RCSAs and their impact on the relevant risk in the business RCSA. Businesses must evidence their end-to-end considerations. This may be done in OpenPages by linking to the support area critical controls; however, other evidence may also be acceptable.

• Completeness – All material risks (see Appendix A for definitions) and critical and key controls mitigating them, together with issues and actions relating to critical controls not identified as “Effective”, must be adequately identified and documented in OpenPages.

  – Coverage and granularity – All material businesses, products and jurisdictions must be adequately covered by RCSAs. It is expected that Businesses will adopt Divisional RCSAs and Support Areas will adopt RCSAs in line with the Business that they support. In addition, RCSAs may be required to be completed by jurisdiction or legal entity for regulatory purposes.
    – For example, in CFM, RCSAs should be prepared for CFM Energy Markets, CFM Credit Markets, etc., rather than one CFM RCSA. Within these divisions, there may also need to be regional or legal entity regulatory analysis.
    – For COG Technology it means preparing RCSAs for COG Technology (BFS), COG Technology (MSG), rather than one COG Technology RCSA.
    – Compliance risks in support areas may be assessed at a higher level, where each of the risk and control ratings is the same for all the support groups covered.
  – It is not necessary for compliance and operational risk analysis to adopt the same level of granularity. However, the RCSA must be undertaken in a way that results in a single risk profile for the business and that all operational and compliance risks are assessed.

• Reasonableness of control and risk assessments – Ratings should be reasonable and a level of conservatism should be applied given all available information.

• Appropriateness of remedial actions – All critical controls rated “Needs Improvement” or “Ineffective” should have actions identified to remediate the control weakness or documented risk acceptance. Action due dates should be appropriate given the risk exposure arising from the control weakness. Please refer to the Actions Guidance document on Macnet.

In addition to the quality standards above, RCSAs must meet the following basic requirements:

• Risks, controls, issues and actions are described clearly and concisely;
• All defined compliance risks and material operational risks have been assessed for every RCSA;
• Critical controls that are rated “Needs Improvement” or “Ineffective” are linked to appropriate issues and actions or have documented risk acceptance;
• All the required fields for risks, controls, issues and actions in OpenPages are appropriately populated. See Appendix G for RCSA documentation requirements in OpenPages;
• All submitted RCSAs have been reviewed by the BORM, GBL and the RCSA owner;
• RCSAs are submitted on time; and
• The RCSA Summary has been discussed and agreed with the Business Head.

3.3 RCSA process

To perform an RCSA, the following suggested process should be followed.

Identify Business Universe

Ensure all business groups in all jurisdictions are captured in the RCSAs and consider any material changes to the Business (e.g. new businesses, restructuring or change of location). All material businesses, products and jurisdictions must be adequately covered by RCSAs. It is expected that Businesses will adopt Divisional RCSAs and Support Areas will adopt RCSAs in line with the Businesses that they support. In addition, RCSAs may be required to be completed by jurisdiction or legal entity for regulatory purposes.

Data inputs

To prepare for the RCSA, gather information from various data sources. At a minimum this should include: business objectives and strategy, key business processes, material changes in the business (NPAs), regulatory change, focus or enforcement, incidents, control assurance review results, regulatory assurance review results and audit/exam results. Additional data sources are listed in Appendix D.

Identify material risks facing the business

Operational Risk:

• Start with survival threatening risks and then work down the severity of impact.
• Identification should include risks whether or not they are under the control of the Business Unit (e.g. a third party vendor failure is still a risk to the business).
• It is important to identify all material risks to the business, not all possible risks.
• After first analysis similar risks should be combined.
• At a minimum the parent risks and their descriptions in Appendix A should be considered, though only material inherent risks need to be recorded.

Compliance:

• All Compliance risks listed in Appendix A must be assessed for the Business regardless of severity.
• There are compliance risks in all businesses and whilst there will be many that are not applicable to support functions, the Inherent risk assessment should still be undertaken. Note that this may be undertaken at a different level of granularity to the Operational risk assessment.
• Where the Compliance risk covers multiple risks within a business, these can be described and assessed at a more granular level under the same parent risk in addition to the overall parent risk which is required. This enables a business to tailor their risks specifically, whilst retaining consistency. For details on how to record these, refer to the RCSA OpenPages User Guide.
• Where a business has other material legal, compliance or conduct risks these should be recorded under the ‘Other Legal and Compliance’ parent risk.

Assess the inherent risk rating

Assess the risk’s impact and likelihood in the absence of controls using the 5-scale rating matrices in Appendix B. The Inherent impact and Inherent likelihood ratings will automatically calculate the overall Inherent risk.

At this stage controls mitigating these risks should not be considered. You can assume that people retain the same morals and that laws, the police and government still exist.

Operational Risk:

• It is expected that, at this stage, most of the operational risks identified should have a high inherent risk rating.
• If risks are low inherently, they may be immaterial to the business and therefore it may be appropriate to remove them from the RCSA.

Compliance:

• Compliance risks (listed in Appendix A) are assessed consistently across Macquarie by using the factors and guidance that can be found in Appendix C in conjunction with the ratings guidance in Appendix B.
• There is currently no rating available in OpenPages for ‘Not Applicable’; therefore, where the risk is assessed as not applicable, due to the nature of the business and activities undertaken, Inherent risk and Residual risk should be entered as ‘Very Low’, with a comment to reflect why it is not applicable. This will evidence that each Compliance risk has been considered in relation to each business and will facilitate Compliance analysis across businesses.

Identify controls

For material operational and compliance risks, identify critical and key controls that currently exist to manage that risk.

Definition: a Control is a process, device or practice that acts to mitigate the likelihood and/or impact of a risk.

• Critical controls are preventative or detective controls that are crucial to the effective management of risk. These controls are so crucial that they require regular proactive assurance. The failure of a critical control could:
  — Result in an unexpected material loss;
  — Result in a material internal / external fraud;
  — Materially impact the ability to comply with regulatory or legislative requirements, leading to regulatory investigations or censures;
  — Materially impact Macquarie’s reputation; and/or
  — Result in a significant Work, Health, Safety and Environmental (WHS&E) incident.

• Key controls are controls that are important but not crucial to the effective management of operational or compliance risks, the breakdown of which attract senior management interest.

• Non-key controls are any other controls that contribute to the prevention or detection of errors or fraud. The breakdown of such controls would not directly lead to material errors or losses.

Note that RMG does not require non-key controls to be evaluated through the RCSA. The requirement is to identify critical and key controls. Controls that are designed to mitigate inherently Low risks are not required to be identified in RCSAs.

Assess control effectiveness

Assess both the control design and the control performance (in accordance with the rating table in Appendix B). OpenPages will automatically calculate the overall control effectiveness rating based on the control design and control performance ratings.

When assessing controls, the following should also be taken into account:

• Results of any assurance work performed over design and performance of the critical controls;
• Systems on which the control relies have been considered (e.g. access is segregated, data is secure);
• Data quality risk (completeness, accuracy, timeliness, etc. of the data underlying the business controls);
• Actions associated with controls have been appropriately addressed (e.g. any high open actions);
• A level of conservatism has been applied to a control rating; and
• Materiality of control breakdowns (e.g. incidents) has been considered. Materiality must be set at an RCSA level.

Note: For any control where a rating of ‘Needs Improvement’ or ‘Ineffective’ is risk accepted, the rating cannot be changed to ‘Effective’ just because of the risk acceptance decision. Risk acceptance decisions should not impact control ratings.

Assess residual risk

The objective is to assess the level of risk after the effect of controls is considered. The residual risk should be assessed using the Risk impact and likelihood matrices in Appendix B. This is based on judgement after taking into consideration the collective set of controls identified to mitigate the risk. For example, a set of controls that mitigate all risks and that is overall graded as ‘Effective’ should mitigate the risk and reduce the corresponding Residual impact and/or Residual likelihood.

Identify remedial actions

Actions for critical controls rated ‘Ineffective’ or ‘Needs Improvement’ must be agreed and documented in OpenPages, with an action owner and due date for completion. Please refer to the Issues and actions guide for additional guidance.

RCSA Workshop

The purpose of the RCSA workshop is to facilitate the Business to self-assess risks, controls and actions with advice from GBLs, BACs, and BORMs as subject matter experts. Prior to the RCSA workshop, analysis should be conducted on key data inputs, which can be summarised and presented to workshop participants as appropriate. A list of these key data inputs is given in Appendix D.

In addition to RCSA Workshops, other inputs to RCSAs may include:

• Scenarios
• Qualitative reviews
• Questionnaires

Refer to Appendix E for further information on the use of scenarios in RCSAs.

There are two key roles required to run a successful workshop:

Facilitators – responsible for ensuring that the workshop stays on track to achieve the objectives of the session, by considering the key risks and assisting the business participants to articulate the key risk events. Typically, there should be two facilitators – one as subject matter expert for operational risks (BORM) and one as subject matter expert for compliance risks (BAC).

Scribe – responsible for capturing the output of the discussion, in particular the risks (including causes and effects), controls, control deficiencies or control enhancements. If participants mention or identify a control weakness then this should be captured appropriately. The Scribe aids the facilitator in ensuring that conversation in the session remains focused and that risk events are clarified. Any issues that cannot be resolved during the workshop should be noted by the Scribe and addressed subsequently. The Scribe role can be undertaken by the BORM or BAC (i.e. there is no requirement for this to be an independent person).

RCSA Summary

The RCSA Summary is intended to be an overview of the business risk profile.

The RCSA Summary should provide a transparent overview of the risk profile of the business or support function, including emerging risks, and it should form a conclusion as to the risk profile and ongoing appropriateness of the control environment, including any known and emerging control weaknesses and identified actions.

The following points should be included in the RCSA Summary, where relevant:

• Outline the key changes that have taken place in the business (e.g. acquisitions, new products, new locations, new systems, new processes, restructures, significant growth, significant changes in the profile of the client base) and external developments affecting the risk profile, such as regulatory change, focus or enforcement. Include whether, given the significance of the change, there is a need for a New Business and Product Approval (NPA) refresh for the relevant business/product.
• Describe at a high level the impact these changes are having on the business, emerging issues, and the risks and the control environment (e.g. transaction volumes, deal sizes, incidents, audit issues).
• Identify any risks outside of risk tolerance.
• Discuss significant themes highlighted by support functions.
• Provide an update on Control Assurance.
• Describe key projects in the business (including status update and key milestones). Comment on the effectiveness of the governance structure and the impact on the control environment.
• Other areas of focus prescribed by RMG.
• Draw your conclusion on the risk profile and appropriateness of the control environment.

The RCSA Summary should be a concise document.

The RCSA Summary should be refreshed and submitted to RMG on a six monthly basis. It is expected that the half year summary is prepared based on the BORMs’ and GBLs’ working knowledge of the business. However, the extent of the process is at the BORMs’ and GBLs’ discretion (e.g. whether to have workshops with the Business) with RMG guidance.

Refer to Appendix F for the list of examples of what works and what does not work.

Review and Challenge

The RCSA results are subject to review by the following, to ensure the quality standards set out above have been adhered to:

• Regulatory Assurance and RMG Op Risk – to ensure completeness of coverage and appropriateness of ratings;
• Centralised Compliance functions (i.e. Training, M&S, FCC) – to assess appropriateness of ratings in their specialised areas;
• Regional Head of Compliance – to assess appropriateness of ratings across the businesses within their respective region.

Review and Challenge is coordinated by RMG Op Risk and Regulatory Assurance and the results of the final review and challenge are communicated to the BORM and GBL for final submission (or resubmission) in OpenPages.

3.4 RCSA Process – Live RCSA

Businesses should update their risk profiles in OpenPages when material changes in their risk profile occur. This involves:

• Reflecting internal and external material changes (e.g. significant new product approvals, changes in the regulatory environment) that would materially impact the risk profile;
• Linking medium and high issues relating to the following in OpenPages to relevant risks and/or critical controls, and reassessing the ratings:
  o medium and high incidents,
  o output from control assurance work, and
  o audit findings (including internal and external reviews);
• Updating material risks and critical controls and respective ratings based on insights from management supervision; and
• Keeping issues and actions up to date (due dates, responsible person, etc.).

Each year an RCSA snapshot will be taken to evidence the final RCSA. During the course of the year, the data may be updated based on the requirements above. A full reassessment of the risks and controls must be undertaken and submitted annually.

When providing risk assessment data to an external party such as a regulator, be aware that the live data has not been through the approval process and it will typically be more appropriate to communicate the most recently approved snapshot.

4. Roles and responsibilities

4.1 BORMs, GBLs and BACs role in RCSA

BORMs and GBLs supported by BACs share ownership of the RCSA process. BORMs and GBLs supported by BACs will collaborate to deliver the RCSA, including the preparation, workshop facilitation, ensuring complete and accurate identification and assessment of risks and controls, updating the RCSA in OpenPages and delivering the RCSA Summary.

Businesses should engage their RMG Op Risk Lead Directors and Regulatory Assurance throughout the RCSA process (discussion of RCSA approach, participation in business workshops, discussions with Senior Management and review of the draft RCSA Summary).

GBLs liaise with the BORMs to coordinate the process with their respective BACs and BORMs and review the results to ensure the risks, controls and actions have been reflected consistently across the business.

4.2 RMG role in RCSA

RMG Op Risk and Regulatory Assurance review RCSA quality and provide feedback to GBLs, BACs and BORMs.

On an annual basis, RMG Op Risk and Regulatory Assurance assess the reasonableness of the RCSA conclusions and have discretion to determine RCSA ratings. RMG Op Risk and Regulatory Assurance consider various risk data available to RMG (e.g. new product approvals, audits, incidents, control assurance results and external events), ensuring minimum standards are met including the following:

• Ensuring there is appropriate coverage of the business universe from an operational and compliance risk perspective;
• Optional participation in RCSA workshops and discussions with Senior Management;
• Reviewing and challenging the results of the RCSA, including assessing the appropriateness of risk ratings;
• Reviewing the RCSA Summary to ensure risks are appropriately represented;
• Identifying themes across the Group; and
• Identifying systemic risks or common actions where a centralised approach to control enhancement may be more efficient and effective.

Operational risk themes identified in the RCSA process are summarised and reported to the Board Risk Committee every six months.

From time to time, RMG perform hindsight reviews on RCSAs. A significant incident or audit finding, which can reasonably be expected to have been identified through control assurance and RCSA processes, may prompt such a review.

The review involves the analysis of RCSA information in OpenPages. In cases where known control gaps or weaknesses were not transparently identified in OpenPages, discussions take place with relevant BORMs and BACs on why this was the case. Based on those discussions a capital penalty may be applied by RMG Op Risk.

The Financial Crime Compliance (FCC) team has an oversight role in relation to the financial crime risks (anti-money laundering, sanctions, anti-bribery and corruption risks) throughout the RCSA process. FCC assesses FCC risks and coordinates with BACs to ensure an appropriate level of discussion of FCC risks in the RCSA workshop. FCC could participate in RCSA workshops directly if deemed appropriate between the BAC and the relevant FCC contact. The Global FCC team will consolidate FCC results out of the RCSA documentation in OpenPages to determine an appropriate program of work.

Centralised Compliance functions (i.e. Training and M&S) review and challenge the results for their respective function to ensure they have been assessed consistently and accurately across businesses. Any changes are fed back to the BAC prior to review by the Regional Head of Compliance. Results are utilised by each function to determine an appropriate program of work.

Regional Heads of Compliance review the results for their respective region. Any amendments are fed back to the BAC for inclusion in the final submission in OpenPages.

Regulatory Assurance and RMG Op Risk review the RCSA policy and guidance annually.

4.3 Internal Audit

Through the normal audit cycle, Internal Audit may review and critically assess the risk and control information in RCSAs. This could include testing and validation of control effectiveness. Specifically for the RCSA, Internal Audit may check the accuracy and completeness of documentation. Due to differences in approach and resources, Internal Audit conclusions on RCSA quality for any business may differ from those of RMG Op Risk and Compliance.


Appendix A: Material risk and control definitions

Material risk definition

Material risk is defined as a risk that has been assessed as inherently High or Very High. Risks that are rated as Low or Very Low are not deemed to be material. For definitions of ratings see Appendix B.

Parent risk categories and parent risks

Asset Risk:
• Error on cash or securities movements
• Loss or damage to physical assets

Business Disruption Risk:
• Business Disruption
• Inadequate third party service

Client and Product Risk:
• Inappropriate advice or Mis-selling
• Model or valuation error
• Poor customer management
• Product Flaws

Financial Management Risk:
• Credit Risk Management
• Hedging Error
• Inaccurate external reporting
• Inaccurate internal reporting
• Liquidity and funding risk
• Market risk management

Information Technology Risk:
• Projects, Programs & Portfolio Management
• IT Operations
• Architecture standards
• Change Management
• IT Governance
• Records and Data Management

Legal and Compliance Risk:
• Environmental Damage
• Other Legal and Compliance risk
• Tax error
• Licensing
• Fitness and Propriety
• Communications with Clients
• Conflicts of Interest
• Customers’ Interests
• Market Conduct
• Clients’ Assets
• Regulatory Reporting
• Data Protection / Privacy
• Record Keeping
• Outsourcing
• Anti-Money Laundering
• Sanctions
• Anti-Bribery & Corruption

People Risk:
• Employee Mis-management
• Inadequate staff or skills
• People Safety Risk

Theft and Fraud:
• Theft and Fraud
• Unauthorised Activity

Transaction Risk:
• Trade Execution Error
• Transaction Processing Error


Compliance Risks

RMG Compliance has developed a list of fourteen Compliance Risks which are included in OpenPages as Parent Risks. Not all parent risks will apply to all businesses, but in each case an assessment should be undertaken and documented. If the risk is not applicable it should be reflected as 'Very Low' inherent risk with a comment explaining that it is not applicable. Note that 'Not Applicable' is not currently available as an option in OpenPages.

Parent Risk and Definition

1. Licensing: The Group may lose its licences or be subject to licence restrictions as a result of failing to manage licensing and registration obligations which may arise from the Group's activities and/or jurisdictions of operation.

2. Fitness and Propriety: The Group may fail to demonstrate the integrity and competence required of staff in their roles, including both internal and external obligations.

3. Communications with Clients: The Group may fail to pay due regard to the information requirements of its clients, or to communicate information to them in a way which is clear, fair and not misleading.

4. Conflicts of Interest: The Group may fail to manage perceived or actual conflicts of interest, including confidentiality obligations, both between itself (the firm and its staff) and customers and between one customer and another client.

5. Customers' Interests: The Group may fail to pay due regard to the interests of its customers by undertaking activities which involve unsuitable or inappropriate products or services, or which otherwise involve improper, unlawful or unethical conduct that creates a negative impact on its clients or counterparties.

6. Market Conduct: The Group may fail to observe proper standards of market conduct by failing to prevent any of the following: insider dealing, improper disclosure or misuse of information, market manipulation, and misleading behaviour; or may otherwise engage in improper, unlawful or unethical conduct that has a negative impact on the fair and effective operation of the markets in which the Group operates.

7. Clients' Assets: The Group may fail to arrange adequate protection for clients' assets when it is responsible for them.

8. Regulatory Reporting: The Group may fail to satisfy regulatory and exchange reporting requirements arising in the course of the services it provides.

9. Data Protection / Privacy: The Group may fail to protect customer personal data in the course of the services it provides.

10. Record Keeping: The Group may fail to meet regulatory and exchange record keeping obligations, including responding to requests for information in a timely manner.

11. Outsourcing: The Group may fail to meet local regulatory and exchange requirements in respect of its outsourcing, off-shoring and agency arrangements.

12. Anti-Money Laundering: The Group may be used to facilitate money laundering.

13. Sanctions: The Group may directly or indirectly facilitate a breach of sanctions legislation/regulation.

14. Anti-Bribery & Corruption: The Group may be used to facilitate bribery and corruption and/or breach Bribery and Corruption legislation.


Operational Risks

Parent Risk and Parent Risk Description and Examples

Error on cash or securities movements: Includes incorrect or late payments and settlements, payments made to incorrect party, failure to receive payment. Excludes fraud.

Loss or damage to physical assets: Losses from damage to physical assets owned by Macquarie. Includes losses due to fire, flood, earthquake, vandalism.

Business disruption: Losses due to systems, data or premises unavailability. Includes losses resulting from software or hardware outages, telecommunications and utility outages/disruptions, businesses not being able to recover within expected timeframes.

Inadequate third party service: Includes losses arising from mis-performance or failure of third party service provider, lack of oversight, inappropriate SLA, over-reliance on third parties. Excludes oversight over JVs.

Inappropriate advice or mis-selling: Includes losses arising from poor advice given to client, negligence or unintentional failure to act in the best interests of the clients, failure of fiduciary duty, failure to disclose all relevant information, disputes over performance of advisory activities.

Model or valuation error: Includes incorrect assumptions and formulas in spreadsheets and system calculations/valuations. May include unit pricing errors (depending on the cause).

Poor customer management: Includes losses due to poor customer service, incorrect statements sent to clients, customer complaints.

Product flaws: Includes losses due to inadequate or inappropriate product development, product design, product quality, product complexity. Excludes mis-selling and model/valuation errors.

Credit risk management: Includes losses due to errors or breakdowns in the credit risk management process. Includes collateral management, incorrect or failed margining, breach of credit limit, failure to obtain credit approvals.

Hedging error: Includes losses as a result of inadequate hedging, including flaws or errors in the hedge calculation or model, delays in placing the hedge, or a lack of understanding of the exposure.

Inaccurate external reporting: Includes losses due to errors in external financial or management reporting. Excludes tax returns (Tax Error).

Inaccurate internal reporting: Includes losses due to errors in internal financial/management reports, or inadequate financial risk management processes.

Liquidity and funding risk: Includes losses due to breakdown or failure in liquidity and funding risk management, failure to maintain sufficient liquid financial resources to meet near term liabilities as and when they fall due.

Market risk management: Includes losses due to errors or breakdowns in market risk processes leading to losses arising from changes in market prices or volatility. Includes errors or breakdowns in interest rate risk management leading to losses due to adverse changes in the level, shape and volatility of yield curves. Excludes Hedging errors.

Projects, Programs & Portfolios Management: Includes losses resulting from poor governance or management of projects, programs or portfolios, poor organisational change management, inadequate project risk management or poorly defined business requirements.

IT Operations: Includes losses resulting from ineffective IT Operations, inadequate management / monitoring of system performance, obsolete technology, poor documentation of operational procedures, inadequate backup / retention of data or poor configuration management.

Architecture Standards: Includes losses due to ineffective management and / or governance of enterprise architecture.

Change Management: Includes losses resulting from ineffective management of changes, such as inadequate definition / review / testing / approval of changes, ineffective release management or change implementation.

IT Governance: Includes losses resulting from poor governance or management of the IT strategy, function, processes or environment. Examples include non-compliance with obligations, inadequate technology oversight forums and committees, ineffective business ownership and oversight over technology, inappropriate IT strategy or organisational structure, inappropriately defined / reviewed IT policies and standards, or ineffective risk management of the technology environment.

Environmental damage: Includes losses due to environmental damage caused by Macquarie, e.g. marine or environmental damage.

Other Legal and Compliance risk: Includes losses due to breach of contract, lack of enforceability of legal documents, incorrect legal disclaimers, mis-statements, documentation errors, breach of client mandate. Includes fines, penalties and punitive damages by regulators. Includes breach of internal policies. Excludes Tax.

Tax error: Includes losses due to lack of understanding of tax regulations, errors in tax calculations, fines, penalties, or punitive damages from tax regulators.

Employee mismanagement: Includes losses due to inappropriate treatment of employees, compensation, benefits, termination issues, equal opportunity issues, harassment, discrimination, victimisation, concerns & complaints and other inappropriate workplace behaviour. Excludes People safety risk.

Inadequate staff or skills: Includes losses due to inadequately trained/skilled employees, appropriate pre-employment checks not carried out, loss of key person, lack of succession planning and/or cross training.

People safety risk: Includes losses incurred as a result of not providing a safe environment for employees, contractors and third parties, such as breaching health and safety regulations, general liability, workers compensation, civil action, employee recompense. Includes the application of the WH&S framework to subsidiary companies and affiliates (e.g. Funds).

Theft and fraud: Includes losses due to internal employees undertaking fraudulent activities and losses due to fraudulent acts by a third party. Includes physical security breach, hacking, theft of information, bribes, extortion, embezzlement, collusion, disbursement to inappropriate accounts, improper expense claims, forgery, client misrepresentation, misappropriation of funds. Excludes Unauthorised Trading.

Unauthorised activity: Includes losses due to unauthorised trading, inappropriate or unauthorised access to our IT assets, access to sensitive data, physical security breach.

Trade execution error: Includes losses arising from fat finger errors, mis-matched trades, and buy instead of sell trades.

Transaction processing error: Includes losses or errors due to failures in the transaction process. Excludes Error on cash or securities movements, Trade execution error. May include unit pricing errors (depending on the cause).


Control areas

Control Area and Control Area Description

Finance & Accounting controls: Relates to controls in the accounting process, including identification, measurement and reporting of financial information.

Operational Reconciliations: Relates to business reconciliations outside of normal Finance reconciliations, e.g. daily securities reconciliations, data integrity reconciliations by Market Operations.

Board & executive management oversight: Relates to Board & Executive Committees executing their oversight & management responsibilities.

Business continuity management: Relates to disaster recovery, business continuity, management of unusual or overload activity levels, building maintenance etc.

IT change management: Relates to IT changes and controls within the IT Change Management process (e.g. UAT, rollback etc).

Compliance: Relates to controls to ensure compliance with legal & regulatory requirements.

Compliance - Advice: Compliance owned control. Includes Compliance Procedures, Policies, Processes and Manuals.

Compliance - Training: Compliance owned control. Includes online, instructor-led, ad hoc communications and awareness messages that relate to Compliance topics.

Compliance - Monitoring: Compliance owned control. Includes Regulatory Assurance reviews, Compliance Testing and Monitoring & Surveillance activities.

Culture, training & development: Relates to the shared values & practices of employees, training & career development, and the delivery of learning to improve skills and knowledge or performance.

Customer management: Relates to managing customers including pre-sales customer due diligence and post-sale service and relationship management activities.

Management supervision: Relates to the management of information used for managerial decision making, such as use of intelligence & benchmarking data, monitoring of outstanding items or breaches etc.

Management of systems: Relates to the availability and performance of systems.

Third party oversight and management: Relates to the management of third party service providers.

Payment processing controls: Relates to the authorisation, execution & recording of payments and other settlement processes.

People planning, selection & succession: Relates to HR processes including recruitment & termination, promotion & remuneration, performance management and succession planning.

Product & business approval: Relates to the due diligence, review & approval of new products, businesses or clients, as well as major organisation changes and business restructures.

Risk management: Relates to managing risk exposures in terms of identifying, assessing, monitoring & reporting on risks, & actions taken to mitigate them.

Safeguarding of information & physical assets: Relates to the security of information in any media format such as written, electronic etc, and the security of physical assets for fixed assets, intangibles, physical commodities (e.g. oil) in transit etc.

Transaction or trade processing controls: Relates to the authorisation, execution, recording and confirmation of transactions. Excludes transaction settlement.

User access management & segregation controls: Relates to the management of user access and segregation of duties.


Appendix B: Risk and control ratings

Risk impact rating

Rating scale: 1 - Very Low, 2 - Low, 3 - Medium, 4 - High, 5 - Very High. Each impact category below gives the indicators for each rating.

Financial

1 - Very Low: Direct loss or cost of up to 0.5 to 1% of Annual Budget / Revenue Target.

2 - Low: Direct loss or cost of up to 1 to 5% of Annual Budget / Revenue Target. Reduction in business opportunities from key clients.

3 - Medium: Direct loss or cost of up to 5 to 15% of Annual Budget / Revenue Target. Zero return on investment. Potential loss of key business opportunities.

4 - High: Direct loss or cost of up to 15 to 30% of Annual Budget / Revenue Target. Negative return on investment. Loss of key business opportunities.

5 - Very High: Direct loss or cost of greater than 30% of Annual Budget / Revenue Target. Sustained negative return on investment. Significant loss of key business opportunities.

Reputational and Regulatory

1 - Very Low: Technical/administrative, isolated breaches which are not required to be reported to the regulator. No action from the regulator. No impact on regulatory relationship. No media coverage, no brand damage, no client impact.

2 - Low: Minor regulatory breach which may require to be reported to the regulator. Potential impact on regulatory relationship. Remediated in normal course of business if required. Media coverage unlikely. Low client impact.

3 - Medium: Material regulatory breach which will require reporting to the regulator. Incidental regulatory fine or non-public action possible. Some remediation effort possible. Some impact to regulatory relationship. Some negative media possible. Loss or damage to clients and complaints from some clients or significant client(s) possible. Some client redress possible.

4 - High: Material regulatory breach with regulatory fine and public censure possible. Some remediation effort and cost likely. Adverse impact on local regulatory relationships and possible effect on other regulators. Some critical coverage in major / national media. Likely to result in loss of clients and consequent loss of revenue. Some client compensation likely. Some damage to brand.

5 - Very High: Serious systemic or material regulatory breach with significant regulatory fine and public censure likely. Significant cost and remediation effort. Adverse impact on global regulatory relationships. Loss or restriction of licence and constraints on business opportunities. Concerted, widespread or recurrent critical or hostile coverage in international media. Likely to result in loss of a large number of clients or very significant clients and consequent loss of revenue. Significant client compensation likely. Long term damage to brand.

When assessing the impact, consider the potential negative impact on clients, counterparties or the fair and effective operation of markets arising from improper, unlawful or unethical behaviour or action.

Internal

1 - Very Low: Events that are absorbed into normal activity. Low staff turnover.

2 - Low: An event which can be absorbed, but management effort is required to minimise the impact. Some staff morale problems. Poor reputation as an employer. A key employee leaves.

3 - Medium: A significant event which can be managed under normal circumstances. Some key executives leave the company. Bank is not perceived as an employer of choice.

4 - High: A critical event which can be managed with escalation and significant management effort. Large number of key executives / directors leave the company.

5 - Very High: An event that Management is not able to impact by increased management.

Note that Compliance risks are assessed on the basis of impact from a Reputational and Regulatory perspective only. Operational risks are assessed on the basis of impact from all of the categories above.


Risk Likelihood ratings

Rating / Category / Likelihood

5 / Very High / Occurs more than 5 times per year
4 / High / Occurs up to 5 times per year
3 / Medium / Occurs once during the year
2 / Low / Unlikely in next year
1 / Very Low / Unlikely in next 5 years

In assessing the Impact and Likelihood of Compliance risks, at a minimum, the factors set out in Appendix C should be considered.

Impact vs Likelihood Matrix

The matrix below shows:

Inherent Impact vs Inherent Likelihood = Calculated Inherent Risk

Rows are Likelihood, columns are Impact.

Likelihood      1 - Very Low   2 - Low     3 - Medium   4 - High     5 - Very High
5 - Very High   Medium         High        High         Very High    Very High
4 - High        Low            Medium      High         Very High    Very High
3 - Medium      Low            Medium      Medium       High         High
2 - Low         Very Low       Very Low    Medium       Medium       High
1 - Very Low    Very Low       Very Low    Low          Medium       Medium

This matrix is built into OpenPages and will populate the Inherent and Residual risk automatically, dependent on the Impact and Likelihood values entered.

Control Assessment ratings

The table below shows the definitions for Control Design ratings and for Control Performance ratings.

Control Design rating / Guidance

Effective: The control meets the design objectives and mitigates the risks.
Needs Improvement: The control is designed to mitigate some but not all aspects of the risk.
Ineffective: The control is poorly designed and does not meet its objectives or mitigate the risks.

Control Performance rating / Guidance

Effective: The control operates as designed.
Needs Improvement: The control is normally operational but has occasional breakdowns.
Ineffective: The control breakdowns are systemic in nature.


Control Effectiveness Matrix

The matrix below shows:

Control Design * Control Performance = Control Effectiveness

Rows are Control Design, columns are Control Performance.

Control Design      Effective           Needs Improvement   Ineffective
Ineffective         Ineffective         Ineffective         Ineffective
Needs Improvement   Needs Improvement   Needs Improvement   Ineffective
Effective           Effective           Needs Improvement   Ineffective

This matrix is built into OpenPages and will populate the Control Effectiveness rating automatically, dependent on the Control Design and Control Performance values entered.

Residual Risk Matrix

In assessing the residual risk, the impact and likelihood matrices above should be used. It is likely that effective controls would reduce the impact or likelihood of the risk. For example, effective controls over a high inherent risk may reduce the residual risk to low, as can be seen in the example table below. The table should be used as a guide only; the actual residual risk rating should be assessed based on the impact and likelihood tables above.

The example matrix below shows how the Overall Control Effectiveness profile applied to the Inherent Risk might determine the Residual Risk. Rows are Inherent Risk, columns are the Overall Control Effectiveness profile.

Inherent Risk   Effective   Needs Improvement   Ineffective
5 - Very High   Medium      High                Very High
4 - High        Low         Medium              High
3 - Medium      Very Low    Low                 Medium
2 - Low         N/A         N/A                 N/A
1 - Very Low    N/A         N/A                 N/A

Note that Controls are not required to be documented where the Inherent risk is Low or Very Low. There is also no requirement to populate Residual risk in these cases.


Appendix C: Factors for consideration when assessing compliance inherent risks.

The table below sets out the factors to be considered when assessing each Compliance Risk. The results of this assessment should be populated in the 'Reason for Inherent Risk Rating' field in OpenPages.

At a minimum, the 'Reason for Inherent Risk Rating' field should be populated with a comment against each of the factors for that risk. These factor comments provide information on the requirements, complexity of the business and applicability of that risk to that business, which together support the determination for inherent impact and inherent likelihood ratings.

The table below gives guidance by listing the type of questions that should be considered when commenting on the factors. This list is not exhaustive, but intended as a prompt.

Some factors will be more applicable than others. The combined weighting of the factors should be taken into account when determining the inherent risk. For example, the greater the complexity, the higher the impact and/or likelihood rating.

Where possible the factor comments should be supported by data available from Macquarie systems; suggested data inputs for each risk are given in the table.

For each Risk Category the table gives the Factors for Consideration, the Factor Weighting, the Factor Questions (including but NOT limited to those listed), whether each question bears on Likelihood or Impact, and the Additional Data inputs.

Licensing

Additional data inputs: Licenses; Legal entities; Regulators; Exchanges; Regulatory Interactions; NPAs; Customer jurisdiction; Authorisations. Applicable to all risks: Regulatory Change Tracker; Regulatory Focus Tracker; Fines & Sanctions Database.

Factor: Entity licensing (weighting: Required / Number)
Does the business require a licence/registration/permission/exemption in order to conduct business? (Impact)
Which legal entities are they/how many? (Impact)
Are there any joint ventures with licensing/registration considerations? (Likelihood)
Renewal requirements? (Likelihood)

Factor: Exchange memberships (weighting: Required / Number)
Does the business require exchange memberships/registration to conduct business? (Impact)
Which exchanges are they/how many? (Impact)
Renewal requirements? (Likelihood)

Factor: Staff Registrations (weighting: Number & Complexity)
Are there individual (staff) registration requirements associated with these legal entities/exchange memberships? (Impact)
What proportion of staff does this apply to? (Likelihood)
How complex are the registration obligations for staff? Dual hatting? (Likelihood)
Renewal requirements? (Likelihood)

Factor: Cross Border Marketing (weighting: Complexity)
What cross-jurisdictional activities does the business do that have additional licensing requirements? (Impact)
How widespread is cross border marketing (both into jurisdiction and outbound)? (Likelihood)

Factor: Client/Customer Types (weighting: Sophistication)
What types of clients does the business deal with? (e.g. Institutional vs. Retail) (Impact)
Are there any additional permissioning/registration requirements due to the nature of the clients? (e.g. Governmental/Municipality) (Impact)

Factor: Jurisdiction / Offices / Locations (weighting: Complexity)
What are the jurisdictions of operation, activity, product source and client location? (Impact)
How many jurisdictions, and how complex are the permissioning requirements, if known? (Impact)

Factor: Products / Services (weighting: Number)
What are the products or services in this business? How many? (Impact)
Are there any additional licensing/registration obligations due to the nature of the product/service? (Impact)

Factor: Regulatory Change & Enforcement (weighting: Change)
Has there been any change in the regulatory environment since the last assessment? (Impact)
Is there any regulatory change scheduled to be implemented before the next assessment? (Impact)

Has there been any regulatory focus in this area (such as a regulator stating in a business plan that they will be conducting a review)? (Likelihood)
Has there been any enforcement in this area to any peers in the market? (Likelihood)
Have there been any enforcement or external findings (from a regulator, competent authority, external audit or negative media) directed at Macquarie in this risk area? (Likelihood)

Fitness and Propriety

Additional data inputs: Organisation charts; Audit findings closed late; Compliance Incidents; Compliance issues and overdue actions; Regulatory Interactions; Integrity Office reports / investigations; Authorisations; Staff list; Staff turnover; Staff screening.

Factor: Organisational structure (weighting: Complexity)
How complex is the business? (e.g. matrix management) (Impact)
Are there multiple legal entities? (Impact)
Is it a large business? (Impact)
Is it clear how the business organises itself, e.g. with organisational charts, job descriptions/segregation of duties, flows of information (MI)? (Impact)

Factor: Regulatory Supervision (weighting: Criticality)
Is the business subject to specific regulatory obligations in relation to Supervision? (Impact)

Factor: Remote Management (weighting: Reliance)
Are management based locally or remotely? (Likelihood)
To what extent does the business interact with remote management? (e.g. Meetings, MI, face-to-face) (Likelihood)
Is there evidence of escalation of potential issues to remote management? (Likelihood)

Factor: Staff Screening (weighting: Requirements)
What is the level of staff screening undertaken for staff in this business? (Likelihood)
Are there additional requirements due to staff registrations? (Impact)
Is ongoing screening required (e.g. HR and/or Regulatory)? (Likelihood)

Factor: Personal Compliance & Training (weighting: Number)
What is the level of personal compliance for this business? (Impact)
What is the overall breach profile for the business/how many compliance incidents have been recorded? (Likelihood)

Factor: Staff Turnover (weighting: Change)
What is the level of staff turnover and criticality of that turnover? (e.g. senior people replaced by junior people?) (Likelihood)
Regulatory implications (e.g. designated Branch Office Manager/AML/COO/CCO resigns)? (Impact)

Factor: Regulatory Change & Enforcement (weighting: Change)
Has there been any change in the regulatory environment since the last assessment? (Impact)
Is there any regulatory change scheduled to be implemented before the next assessment? (Impact)
Has there been any regulatory focus in this area (such as a regulator stating in a business plan that they will be conducting a review)? (Likelihood)
Has there been any enforcement in this area to any peers in the market? (Likelihood)
Have there been any enforcement or external findings (from a regulator, competent authority, external audit or negative media) directed at Macquarie in this risk area? (Likelihood)

Communications with Clients

Additional data inputs: Marketing/Advertising records; Customer jurisdiction.

Factor: Communication Media (weighting: Number)
How many and what types of communication media are used? (e.g. Phone, email, web, letter, face-to-face) (Impact)
Social Media: are Macquarie approved channels used? (Likelihood)
Are there any regulatory obligations due to the types of communication? (Impact)

Factor: Cross Border Communications (weighting: Criticality / Number)
What jurisdictions, and how many, are we communicating to (to clients)? (Impact)
Are there additional regulatory communications obligations due to the location(s)? (Impact)
Are there additional language requirements due to the location(s) of clients? (Likelihood)


Factor: Client/Customer Types (weighting: Sophistication)
What is the level of sophistication of the clients? (e.g. Institutional vs. Retail) (Impact)
Do they have specific communication needs? (e.g. Statements, confirmations, risk warnings, disclaimers, disclosures) (Likelihood)

Factor: Third Parties / Distributors (weighting: Usage / Number)
How many third parties or distributors are used to communicate with underlying clients? (Likelihood)
Are there additional obligations? (Impact)

Factor: Product requirements (weighting: Complexity)
Are there any additional communications obligations resulting from the type or complexity of the product? (Impact)
Does the business provide advice? (Impact)
Are there ongoing communications obligations related to the products? (e.g. Statements, confirmations, product disclosures, voice recording, prospectus) (Likelihood)

Factor: Marketing & Solicitation Restrictions (weighting: Restrictions)
Where marketing or solicitation is conducted, are there any restrictions or requirements that apply? (e.g. cold calling rules, email mail-shots, financial promotions rules (UK) / Communications with the Public rules (US)) (Impact)

Factor: Regulatory Change & Enforcement (weighting: Change)
Has there been any change in the regulatory environment since the last assessment? (Impact)
Is there any regulatory change scheduled to be implemented before the next assessment? (Impact)
Has there been any regulatory focus in this area (such as a regulator stating in a business plan that they will be conducting a review)? (Likelihood)
Has there been any enforcement in this area to any peers in the market? (Likelihood)
Have there been any enforcement or external findings (from a regulator, competent authority, external audit or negative media) directed at Macquarie in this risk area? (Likelihood)

Conflicts of Interest

Additional data inputs: External directorships; Outside business interests; PA Dealing accounts; Research Workflow; Embargo reports; G&E reports / Register; Conflicts register.

Factor: Fiduciary Duties (weighting: Requirement)
Is there a fiduciary duty to the client? (Impact)
To what extent is the business undertaking activity that is subject to fiduciary duties for the client? (Likelihood)
Are there significant regulatory impacts regarding fiduciary standards? (Impact)
To what extent does this create a potential conflict of interest? (Likelihood)

Factor: Inducements (weighting: Commonality)
What levels of inducements are offered or accepted by the business? None/minimal/average/high (Likelihood)

Factor: Commission Sharing Arrangements (weighting: Commonality)
To what extent does the business engage in commission sharing arrangements? (Likelihood)

Factor: Confidential Information (weighting: Access)
To what extent does the business have access to MNPI (Material Non Public Information)? (Impact)
Does the business do pre-soundings, IPOs, Nomad/Sponsor roles, private side business? (Impact)
Does the business have Client Confidential information (not technically MNPI, but still confidential)? (Impact)
Access to any other type of client information/firm information? (not possible to be n/a) (Likelihood)

Factor: Principal vs. Client (weighting: Prop)
To what extent does the business engage in both principal and client trading? (Impact)

Factor: Related Party Transactions (weighting: Intercompany)
Does this business engage in related party transactions with other groups within Macquarie or intra group? (Impact)
Are any staff nominee directors involved in RPTs? (Likelihood)

Factor: Fair Allocation (weighting: Difficulty)
Do rules around Fair Allocation apply to this business? (Impact)

MGL.0010.0003.0773

Page 22: Risk and Control Self Assessment (RCSA) Guide

Risk and Control Self Assessment (RCSA) Guide

Page 22 of 30

Table columns: Risk Category; Factors for Consideration; Factor Weighting; Factor Questions (including but NOT limited to); Likelihood or Impact; Additional Data inputs.

Factor: Personal Conflicts (weighting: Number)
- What level of personal conflicts are known about? Are there any known OBAs or external directorships that may have potential conflicts if not monitored? (Likelihood)
- What level of Personal Account Dealing is done by staff in this business? (Impact)
- What level of excessive Personal Account Dealing by staff has been identified? (Likelihood)

Factor: Regulatory Change & Enforcement (weighting: Change)
- Has there been any change in the regulatory environment since the last assessment? (Impact)
- Is there any regulatory change scheduled to be implemented before the next assessment? (Impact)
- Has there been any regulatory focus in this area (such as a regulator stating in a business plan that they will be conducting a review)? (Likelihood)
- Has there been any enforcement in this area against any peers in the market? (Likelihood)
- Have there been any enforcement or external findings (from a regulator, competent authority, external audit or negative media) directed at Macquarie in this risk area? (Likelihood)

Customers’ Interests
Additional data inputs: Complaints; Customer classification

Factor: Client/Customer Types (weighting: Sophistication)
- What types of clients does the business deal with? (e.g. governments, municipalities) (Impact)
- What is the level of sophistication? (e.g. institutional vs. retail) (Impact)
- Are there additional requirements with respect to the interests of the customer due to the nature (or jurisdiction) of the clients? (Likelihood)

Factor: Products/Services (weighting: Number)
- Are there obligations due to the nature of the product or service with respect to the interests of the customer? (Impact)
- Are the products complex? (Impact)
- Are the products bespoke? (Impact)
- Does the business provide advice to the customer? (Impact)
- Do suitability and/or appropriateness rules apply? (Likelihood)

Factor: Third Parties/Distributors (weighting: Commonality)
- To what extent is reliance placed on third parties or distributors to consider the best interests of the customer? (Impact)

Factor: Fiduciary Duties (weighting: Requirement)
- Is there a fiduciary duty to the client? (Impact)
- To what extent is the business undertaking activity that is subject to fiduciary duties for the client? (Likelihood)
- Are there significant regulatory impacts regarding fiduciary standards? (Impact)

Factor: Best Execution (weighting: Difficulty)
- Do rules around best execution apply to this business? (Impact)
- What is the volume of transactions that are subject to best execution? (Likelihood)

Factor: Fair Allocation (weighting: Difficulty)
- Do rules around Fair Allocation apply to this business? (Impact)

Factor: Regulatory Change & Enforcement (weighting: Change)
- Has there been any change in the regulatory environment since the last assessment? (Impact)
- Is there any regulatory change scheduled to be implemented before the next assessment? (Impact)
- Has there been any regulatory focus in this area (such as a regulator stating in a business plan that they will be conducting a review)? (Likelihood)
- Has there been any enforcement in this area against any peers in the market? (Likelihood)
- Have there been any enforcement or external findings (from a regulator, competent authority, external audit or negative media) directed at Macquarie in this risk area? (Likelihood)


Market Conduct
Additional data inputs: Trading records; Exception reports; Cancel/corrects; Surveillance results

Factor: Inside information (weighting: Access)
- To what extent does the business have access to MNPI (Material Non-Public Information)? (Impact)
- Does the business do pre-soundings, IPOs, Nomad/Sponsor roles, private side business? (Impact)
- Does the business have client confidential information (not technically MNPI, but still confidential)? (Impact)
- Does the business have access to any other type of client information/firm information? (cannot be n/a) (Likelihood)

Factor: Market Share (weighting: Size)
- Where the business trades, what proportion of the market share is undertaken by this business? (Impact)
- What is the volume traded versus total market volume? (Likelihood)
- If significant, are there any additional regulatory requirements/scrutiny? (Impact)

Factor: Regulated Products (weighting: Number)
- How many of the products/activities are regulated? (Impact)
- Do exchange or market rules apply to these products? (Benchmarks? Price submission? Short selling? Spot commodities? Investment recommendations? Emissions?) (Impact)
- Are there additional requirements due to the complexity of the products/activities? (e.g. buyback, stabilisation) (Likelihood)

Factor: Proprietary Trading (weighting: Usage)
- Is proprietary and/or principal trading undertaken? (Impact)
- Is any algorithmic or high frequency trading undertaken? (Impact)
- What is the level of proprietary vs. client activity? (e.g. risk of front running) (Impact)

Factor: Market Making (weighting: Usage)
- To what extent does the business make markets? (Impact)
- What is the volume of market making transactions? (Likelihood)

Factor: Regulatory Change & Enforcement (weighting: Change)
- Has there been any change in the regulatory environment since the last assessment? (Impact)
- Is there any regulatory change scheduled to be implemented before the next assessment? (Impact)
- Has there been any regulatory focus in this area (such as a regulator stating in a business plan that they will be conducting a review)? (Likelihood)
- Has there been any enforcement in this area against any peers in the market? (Likelihood)
- Have there been any enforcement or external findings (from a regulator, competent authority, external audit or negative media) directed at Macquarie in this risk area? (Likelihood)

Clients' Assets
Additional data inputs: Regulatory findings

Factor: Client Money (weighting: Exposure)
- Does the business hold client money or client assets through the course of the business or activity that it undertakes? (Impact)
- Are there segregation of assets requirements? (Impact)
- Are there additional obligations for greater volumes of client money/assets? (Likelihood)
- What level of client money/assets is held on a regular basis? (Likelihood)

Factor: Products/Services (weighting: Number)
- Does the product/service have any client money regulatory obligations in the event that client money or assets are held? (Impact)

Factor: Custody (weighting: Exposure)
- Does the business undertake custody on behalf of clients? (Impact)
- Are there segregation requirements? (Impact)

Factor: Regulatory Change & Enforcement (weighting: Change)
- Has there been any change in the regulatory environment since the last assessment? (Impact)
- Is there any regulatory change scheduled to be implemented before the next assessment? (Impact)
- Has there been any regulatory focus in this area (such as a regulator stating in a business plan that they will be conducting a review)? (Likelihood)


- Has there been any enforcement in this area against any peers in the market? (Likelihood)
- Have there been any enforcement or external findings (from a regulator, competent authority, external audit or negative media) directed at Macquarie in this risk area? (Likelihood)

Regulatory Reporting

Factor: Reporting Obligations (weighting: Complexity)
- What are the regulatory reporting obligations for this business? (e.g. trade reporting, transaction reporting, substantial shareholder reporting, short position reporting, takeover code reporting, complaints reporting, breach reporting, large trader reporting) (Impact)
- What volume of reporting is required? (Likelihood)

Factor: Data Integrity (weighting: Quality)
- What quality of data is required to be reported? (Impact)

Factor: Data Collation Process (weighting: Automation)
- What is the complexity of the process for collating the data? (e.g. automated push of a button vs. manual spreadsheet) (Impact)

Factor: Time Criticality (weighting: Timing)
- What is the time criticality of the reporting? (e.g. within an hour of the trade?) (Impact)
- Does this give time for a review period prior to sending the report? (Likelihood)
- What is the frequency (or frequencies) of the reporting obligations? (Likelihood)

Factor: Regulatory Change & Enforcement (weighting: Change)
- Has there been any change in the regulatory environment since the last assessment? (Impact)
- Is there any regulatory change scheduled to be implemented before the next assessment? (Impact)
- Has there been any regulatory focus in this area (such as a regulator stating in a business plan that they will be conducting a review)? (Likelihood)
- Has there been any enforcement in this area against any peers in the market? (Likelihood)
- Have there been any enforcement or external findings (from a regulator, competent authority, external audit or negative media) directed at Macquarie in this risk area? (Likelihood)

Data Protection / Privacy
Additional data inputs: High risk countries for DP; Customer jurisdiction

Factor: Client/Customer Types (weighting: Number)
- What types of clients does the business deal with (corporates vs. individuals)? (Impact)
- Are there data protection or privacy requirements for those customers? (Likelihood)

Factor: Customer Data Types (weighting: Number)
- What type of customer data is held for those clients that would constitute personal data? (Impact)

Factor: Cross-jurisdictional Interaction (weighting: Complexity)
- To what extent is the data stored or transferred cross-border? (Impact)
- How many jurisdictions are involved and how complex are the rules? (Impact)

Factor: Licence/Exchange Obligations (weighting: Complexity)
- Are there any specific requirements from a financial regulator/exchange relating to protecting personal data? (Impact)

Factor: Safekeeping & Destruction (weighting: Complexity)
- How is the personal data held? (e.g. database / manual spreadsheet / physical) (Impact)
- Are there safekeeping and destruction requirements? (Likelihood)

Factor: System Access (weighting: Users)
- What is the extent of the access to the personal data? (e.g. all staff vs. limited access to the system/file) (Likelihood)

Factor: Regulatory Change & Enforcement (weighting: Change)
- Has there been any change in the regulatory environment since the last assessment? (Impact)
- Is there any regulatory change scheduled to be implemented before the next assessment? (Impact)
- Has there been any regulatory focus in this area (such as a regulator stating in a business plan that they will be conducting a review)? (Likelihood)
- Has there been any enforcement in this area against any peers in the market? (Likelihood)


- Have there been any enforcement or external findings (from a regulator, competent authority, external audit or negative media) directed at Macquarie in this risk area? (Likelihood)

Record Keeping

Factor: Regulator/Exchange Obligations (weighting: Complexity)
- What is the extent of regulatory or exchange record keeping obligations that apply to this business? (Impact)

Factor: Data Format (weighting: Number)
- What format is the data recorded in? (Impact)
- How many types of data are there? (e.g. voice recording, hard copy, soft copy, email, social media, chat rooms, approved channels, video, advertising, websites) (Likelihood)

Factor: Ease of Access/Retrieval (weighting: Access)
- What is the level of complexity of the systems/data format and the ease of retrieval? (Likelihood)
- Are there regulatory requirements regarding the timeliness of access/retrieval? (Impact)

Factor: Safekeeping & Destruction (weighting: Complexity)
- Is there a complex retention or destruction schedule, based on the number of products, clients, jurisdictions and activities and therefore the number of schedules? (Impact)

Factor: Regulatory Change & Enforcement (weighting: Change)
- Has there been any change in the regulatory environment since the last assessment? (Impact)
- Is there any regulatory change scheduled to be implemented before the next assessment? (Impact)
- Has there been any regulatory focus in this area (such as a regulator stating in a business plan that they will be conducting a review)? (Likelihood)
- Has there been any enforcement in this area against any peers in the market? (Likelihood)
- Have there been any enforcement or external findings (from a regulator, competent authority, external audit or negative media) directed at Macquarie in this risk area? (Likelihood)

Outsourcing

Factor: Outsourcing Restrictions (weighting: Complexity)
- How onerous and complex are any outsourcing restrictions that apply to this business? (Likelihood)
- What is the criticality of the outsourced activity(ies)? (Impact)

Factor: Off-shoring Restrictions (weighting: Complexity)
- How onerous and complex are any off-shoring restrictions that apply to this business? (Impact)

Factor: Agency Arrangements (weighting: Usage)
- To what extent does the business have agency arrangements in place which may impact this business? (Likelihood)

Factor: Service Providers (weighting: Number)
- To what extent is there reliance on third party service providers in relation to any of the compliance risks? (Impact)

Factor: Regulatory Change & Enforcement (weighting: Change)
- Has there been any change in the regulatory environment since the last assessment? (Impact)
- Is there any regulatory change scheduled to be implemented before the next assessment? (Impact)
- Has there been any regulatory focus in this area (such as a regulator stating in a business plan that they will be conducting a review)? (Likelihood)
- Has there been any enforcement in this area against any peers in the market? (Likelihood)
- Have there been any enforcement or external findings (from a regulator, competent authority, external audit or negative media) directed at Macquarie in this risk area? (Likelihood)

Anti-Money Laundering / Sanctions / Anti-Bribery & Corruption

The FCC team conducts annual risk assessments for each of these three risks, based on a data-driven set of factors. Refer to the FCC Business Unit Risk Assessments (BURA) for further details. [Placeholder here for link to the BURA document which provides details of the criteria used to assess the FCC risks. BURA document currently being refreshed for 2016]. For the purposes of the RCSA, the resulting material inherent risks, control ratings and residual risks will be provided by the FCC team.


Appendix D: Potential Data inputs

The table below shows the source for potential inputs that can be used to support the assessment of the risks.

Source: Name of Input
- DAS: New product and business approvals
- Open Pages: Regulators; Legal Entities; Licences; Exchanges; Regulatory Interactions; Op Risk and Compliance Incidents; Audit Issues and Actions; Op Risk and Compliance Issues and Actions; Control assurance review results
- SharePoint: Regulatory Change Tracker; Regulatory Focus Tracker; Fines & Sanctions Database; External Directorships and OBAs; Gifts & Entertainment Register
- Globe: Customer Classification; Customer Jurisdiction (sales location or reporting entity); Product
- MyCompliance: Authorisations
- MyLearning: Training list
- Compliance: Conflict Checks and Escalations; Personal Account Dealing accounts; Staff screening
- Macnet: Organisation charts
- Human Resources: Staff list (number of staff and staff locations); Starter and Leaver Report (staff turnover)
- Data Privacy (DP): High risk countries for DP
- Media and industry associates: Industry developments
- ORX: External loss events
- Senior Management: Management information indicating business changes, e.g. growth, profitability


Appendix E: Use of scenarios in RCSAs

The risk scenarios are designed to estimate Macquarie’s operational risk capital requirements. The list of scenario categories is available in Appendix 6 of the Incident Management and Reporting Guide.

Introduction
An additional approach to conducting a conventional workshop is to use a scenario or situation that has occurred elsewhere to assist in identifying and/or quantifying risks. This may include:
1. External events – RMG subscribe to an external event database which may be useful in identifying losses incurred by other institutions.
2. Internal events – RMG may be able to provide information on relevant internal losses.
3. Fictitious events – It is also possible to design an appropriate fictitious event.

Purpose
This approach serves a number of purposes:
- Identification of emerging or new risks to be considered in an RCSA;
- Confirmation that the control environment will ensure that “it won’t happen here”;
- Provides an understanding of how our control environment, and the risk framework, help protect us against ‘big’ events; and
- Gives participants an understanding of the role they play in maintaining the control environment.

Pros and Cons
Pros:
- Engaging and different to a standard workshop.
- Useful to validate particular risks.
Cons:
- Probably not appropriate for a first time assessment.
- Difficult to validate an entire RCSA.

Methodology
The scenario should be explained to the participants and then discussed. The following questions may be useful prompters:

Understanding the scenario
- What were the key causes of the event?
- What controls failed that might have prevented the event?
- What would you recommend they do to prevent this from happening again?

Identifying its relevancy
- How might the scenario be applicable to us?
- What controls do we have in place to prevent this scenario?
- What gives us confidence that our controls will work?

Identifying actions
- What practically could we do to ensure this scenario doesn’t happen to us?
- Where do we have weaknesses in our control environment that might allow this to affect us?

Fictitious Scenarios
Alternatively it may be engaging to ask participants to create a scenario themselves. The BORM and BAC should provide some background information and then set the participants the task of identifying all the steps in the scenario. For example:
- Fraud – How would you commit a fraud against the bank and get away with it?
- Business Interruption – How could you stop your business area from operating?

It is important that enough guidance is given on the background and the scope of this task to enable participants to come up with a response.


Appendix F: RCSA Summary: what works and what does not work?

What works well: Top down analysis with conclusion.
Example: “After the acquisition of ABC Financial in Johannesburg the business has been working on integration. Many system security issues were identified last month in the integration process. In addition, some weaknesses have been flagged around segregation of duties in support functions. Dispensations are being obtained for IT Security gaps, and business has addressed the segregation of duties issue by moving some back office functions to Sydney. The business continues to assess back office controls ‘Effective’ but in our view this will put significant resourcing pressure in coming months on support teams in Sydney.”

What doesn’t work: Bottom up analysis of changes in risk ratings.
Example: “Risk B’s residual rating has increased from 4 to 6 due to higher level of audit issues.”
OR
“Our top 10 risks are now A, B, C, D, E, F, G, H, I, J. Out of these E is a new top 10 risk and K has fallen off the list.”

What works well: Where BORM/BAC is aware of known or emerging control gaps, a transparent calling out of those issues.
Example: “Recently a payment process was moved from New York to Sydney. While there have been no payment related incidents, we are concerned that there may have been gaps in the handover process. The BORM has reprioritised Control Assurance tasks and is planning to review the payment controls in Sydney by June 2011.”

What doesn’t work: Not calling out known or emerging issues.
Example: “There have been no losses relating to payment process post handover. The process continues to work well.”

What works well: A summary of significant projects/initiatives with explanations of why they are in place.
Example: “A new ABC system implementation has been initiated to address current weaknesses around managing daily P&L process for this business.”

What doesn’t work: Listing projects with no explanation of the driver.
Example: “A new ABC system implementation has been initiated.”

What doesn’t work: A listing/summary of BORM’s own actions only.
Examples: “BORM is overseeing project ABC”. “BORM will redesign the process”.

What works well: Reporting on the RCSA process by exception, i.e. only where the policy was not followed.
Example: “Because the new back office system implementation has taken over most of the BORM’s time, we agreed with RMG that submitting the RCSA for this business would be delayed by 5 days. All other divisions’ RCSAs fully met the policy requirements”.

What doesn’t work: A detailed description of the RCSA process.
Example: “We started the RCSA process in February, met with all division heads, and discussed their businesses through RCSA workshops. We covered external and internal losses, and as a result, raised the residual risk rating for XYZ risk, and changed the effectiveness of KLM control.”

What works well: An update on Control Assurance.
Example: “3 out of 12 Critical Controls were tested (ABC, DEF, GHI). 1 issue found relating to the design of ABC control. Business head committed to resolve by June 2011.”

What doesn’t work: A general statement about Control Assurance.
Example: “Control Assurance is on track”

What works well: Commentary and conclusion on significant themes in Finance, IT and other support area RCSAs. If the business RCSA contradicts a support area’s RCSA, an explanation as to why this is the case and the BORM’s/BAC’s own conclusions.
Example: “IT have assessed User Access Review (UAR) controls as Ineffective due to delays in implementing a system solution for UARs. We conclude that, while the manual UAR’s are neither scalable nor efficient, they remain Effective.”

What doesn’t work: Disagreeing with support area RCSA assessments, with no proper explanation.
Example: “Finance have assessed Balance Sheet Reconciliation control as ‘Needs Improvement’. From business perspective this control is Effective.”


Appendix G: RCSA OpenPages User Guide

The following are fields that are required to be completed in OpenPages:

Risks:
- Risk Name – A brief title for a risk.
  o For operational risks, the title should be specific to each business. Using generic Parent Risk names (see Appendix A) is not appropriate. Control breakdowns (e.g. failure of reconciliation to pick up errors) should be avoided, unless the RCSA belongs to a control function (e.g. Market Operations may have a risk called failure of confirmations to detect an error, but the relevant CFM risk would be Trade Error, or Trade Booking Error, or Unauthorised Trading);
  o For compliance risks the risk name matches the parent risk name; these should be pulled from the risk library. Note: It is possible to record additional risks under the compliance parent risk when a more granular and specific description is required, in which case the risk name should be specific to the risk it describes. This is in addition to the overall parent risk, which is required.
- Risk Description – A more detailed risk description. Various causes could be listed here. Note that there is a prescribed Risk Description for compliance risks per Appendix A;
- Risk Source – Flags whether it’s a Library or a Business Risk;
- Risk Status – Identifier of whether a risk is Active or Deleted;
- Parent Risk Category & Parent Risk – A high level risk theme developed by RMG Op Risk and Compliance for Macquarie wide analysis. Note that detailed compliance risks and controls should be categorised under the defined compliance risks. It is not necessary to re-record the compliance risks under the Operational Risk “Other Legal and Compliance” parent risk. See Appendix A;
- Inherent Risk Impact Rating – The impact of the risk eventuating, with no controls in place. See Appendix B;
- Inherent Risk Likelihood Rating – The likelihood that the risk will eventuate with no controls in place. See Appendix B;
- Residual Risk Impact Rating – The impact of the risk eventuating, with controls in place. See Appendix B;
- Residual Risk Likelihood Rating – The likelihood that the risk will eventuate with controls in place. See Appendix B;
- Reason for Inherent Risk Rating – Detailed answers to factor questions explaining the inherent risk assessment. Refer to Appendix C for factor questions and further guidance. Note this field is mandatory only for the defined compliance risks.

Controls:
- Control Name – A brief title for a control. The title should be specific to each business. Using generic Control Areas (see Appendix A) is not appropriate;
- Control Description – A more detailed control description. The control objective should also be described here in more detail;
- Control Source – Flags whether it’s a Library or a Business control;
- Control Status – Identifier of whether a control is Active or Deleted;
- Control Type – Flags whether it is an operational risk or compliance control;
- Control Area – A high level control theme developed by RMG for Macquarie wide analysis. See Appendix A;
- Control Weighting – Flags controls as Critical, Key or Non-key;
- How does management know it’s working – Description of mechanisms in place that allow management to answer whether the critical control is working or not, e.g. exception reporting.


Issues (where applicable):
- Audit Issue – This field is for RMG Internal Audit use only;
- Issue Source – Flags whether it’s a Library or a Business Issue;
- Issue Title – A brief heading for an issue;
- Issue Description – A more detailed explanation of an issue. The issue is a control deficiency or gap;
- Issue Type – Flags whether it is an operational risk or compliance issue;
- Issue Status – Identifier of the stage of the issue lifecycle (e.g. Open, Closed);
- Issue Priority – The significance of the issue. Refer to the Action Guide;
- Publish Status – The issue status (i.e. draft or published). This field should be set to “published” for it to appear on dashboards and reports.

Actions (where applicable):
- Audit Action – This field is for RMG Internal Audit use only;
- Action Title – A brief heading for an action;
- Action Description – A detailed description of the action to resolve the issue;
- Action Owner – Employee responsible for performing the action;
- Action Type – Flags whether it is an operational risk or compliance action, or both;
- Business Status – Identifies action status – Not Started, In Progress, Implemented, or No Longer Applicable;
- Publish Status – The action status (i.e. draft or published). This field should be set to “published” for it to appear on dashboards and reports;
- Due Date – The date by which the action needs to be completed. Refer to the Action Guide;
- Action Priority – The significance of the action. Refer to the Action Guide.
