ASIC has released a new Consultation Paper CP 263 on Risk management systems of responsible managers which provides guidance which is potentially relevant to other non-APRA regulated licensees as well.  Copies of the CP and the draft Regulatory Guide can be found here.


In March 2013, ASIC published Consultation Paper: Risk management systems of responsible entities (CP 204), which sought feedback on proposals to introduce more targeted requirements for risk management systems of responsible entities. The proposals were to be imposed by way of guidance and a class order modifying s 912A(1)(h).  However, ASIC did not implement any of the proposals as ASIC was awaiting the outcome of the 2014 Financial System Inquiry.  ASIC has decided to consult further on their proposed guidance, taking into account feedback received in response to CP 204.  There is currently no detailed guidance on what is required for responsible entities to comply with the obligation to maintain adequate risk management systems under s 912A(1)(h) of the Corporations Act.

Consultation Paper 263  – Overview of the proposed guidance on risk management systems

The proposed guidance does not impose new obligations on responsible entities but gives more detailed guidance on how they may comply with their current obligations under s 912(1)(h) of the Corporations Act to maintain adequate risk management systems.

ASIC's proposed guidance outlines that it expects responsible entities to have:

  • overarching risk management systems in place;
  • processes for identifying and assessing risks; and
  • processes for managing risks.

ASIC proposes to release the attached draft Regulatory Guide to help responsible entities comply with their obligation under s 912A(1)(h).

The guidance is for responsible entities and is also relevant to AFS licensees authorised to operate a scheme but not currently operating schemes, investor directed portfolio service (IDPS) and managed discretionary account (MDA) operators, and entities operating unregistered managed investment schemes.

For a period of 12 months from the date of release of the guidance, ASIC proposes to take a constructive and conciliatory approach to any breaches if the responsible entity demonstrates they are taking steps to ensure compliance.

Submissions are due for comment by 1 September 2016.

Differences between proposed guidance and CP 204

In response to feedback received in response to CP 204, ASIC does not propose to supplement the guidance with an ASIC instrument (class order modifying S 912A(1)(h) imposing more prescriptive requirements.  ASIC believes risk management is an area where there are a number of ways that the requirements could be met, taking into account the nature, scale and complexity of the particular business and schemes operated. ASIC considers that flexibility is required to accommodate this and to enable responsible entities to respond to any changes in market conditions.

Other key differences to the approach that ASIC outlined in CP 204 are:

  • adopting more consistency with the APRA requirements where appropriate;
  • including an expectation for a liquidity risk management process to be maintained;
  • clarifying that risks need to be managed by responsible entities at both the responsible entity level and the scheme level;
  • including references to international guidance where appropriate; and
  • providing some additional guidance in the regulatory guide on relevant risks and risk management strategies (e.g. cyber security, fraud risk and liquidity risk).