Risk and Control Self Assessment (RCSA) Guide


MGL.0010.0004.0001

Risk and Control Self Assessment (RCSA) Guide
Operational Risk and Compliance

Type of Document: Guide

Version: 2.3

Last updated: 22 December 2017

Owner: RMG Operational Risk and RMG Compliance

For internal use only – not for distribution outside Macquarie without prior consent of Policy owner

Table of Contents
1. About this document.................................................................................................. 3
1.1 Objective and application ................................................................................ 3
1.2 Ownership of the RCSA Framework ............................................................... 3
1.3 Definitions ....................................................................................................... 3
1.4 Associated policies and related documents .................................................... 3
2. Overview of RCSA .................................................................................................... 4
2.1 Definition ......................................................................................................... 4
2.2 Objectives of RCSA ........................................................................................ 4
2.3 RCSA quality standards .................................................................................. 4
2.4 Live RCSA ....................................................................................................... 5
3. RCSA review process ............................................................................................... 6
3.1 Coverage ......................................................................................................... 6
3.2 Inputs .............................................................................................................. 6
3.3 RCSA workshop .............................................................................................. 6
3.4 Identify risks facing the business .................................................................... 7
3.5 Assess the inherent risk rating ........................................................................ 7
3.6 Identify new controls or changes to controls ................................................... 7
3.7 Assess control effectiveness ........................................................................... 8
3.8 Assess residual risk ........................................................................................ 8
3.9 Identify issues and remedial actions ............................................................... 8
4. RCSA summary......................................................................................................... 9
5. Review and challenge ............................................................................................... 9
6. Final submission in OpenPages .............................................................................. 10
7. Roles and responsibilities........................................................................................ 10
7.1 Business and support functions .................................................................... 10
7.2 BORMs, GBLs and BACs ............................................................................. 10
7.3 RMG .............................................................................................................. 10
Appendix A: Material risk and control definitions ............................................................... 12
Appendix B: Risk and control ratings ................................................................................ 17
Appendix C: Factors for consideration when assessing compliance inherent risks. ......... 20
Appendix D: Conduct Risk in the RCSA ............................................................................ 27
Appendix E: Potential data inputs...................................................................................... 28
Appendix F: Tips on the RCSA summary.......................................................................... 29
Appendix G: RCSA OpenPages user guide ...................................................................... 30

Page 2 of 31

1. About this document


1.1 Objective and application
This document outlines the Risk and Control Self Assessment (RCSA) process, the minimum requirements and the roles
and responsibilities in executing these requirements, and should be read in conjunction with the Risk and Control Self
Assessment Policy. The policy outlines the RCSA objectives, scope, content and high-level process.
This guide is applicable to Macquarie Group (the Group) and all businesses and support functions.

1.2 Ownership of the RCSA Framework


Risk Management Group (RMG) Operational Risk (Op Risk) and RMG Compliance (Compliance) are jointly responsible
for reviewing the RCSA policy and this guide. This guide will be reviewed annually by RMG Op Risk and Compliance
jointly.
Any questions on this guidance should be directed to Carmina Clarke or Venetia Tanqueray.

1.3 Definitions
In this document:
 Macquarie Group means Macquarie Group Ltd and all its subsidiaries
 Business means each business group in Macquarie i.e. BFS, CAF, MacCap, MAM and CGM
 Support functions refers to COG, FMG and RMG
 BORM is the Business Operational Risk Manager
 BAC is Business Aligned Compliance
 GBL is the Global Business Lead for Compliance
 FCC is Financial Crime Compliance
 OpenPages is the Macquarie wide Governance, Risk and Compliance system

1.4 Associated policies and related documents


This guide should be read in conjunction with other relevant documents:
 Risk and Control Self Assessment Policy
 Issues and Actions Guide
 Breach Incident and Escalation Policy
 Risk Acceptance Guidance
 Global Office Framework


2. Overview of RCSA
2.1 Definition
The RCSA is a combined operational and compliance risk assessment which replaces the Operational Risk Self
Assessment (ORSA) and Compliance Risk Assessment (CRA). The RCSA provides senior management with visibility
over the compliance and operational risk and control profile and the resulting actions to mitigate identified risks. The risk
profile is evidenced by recording the details in a live register in OpenPages, and through documenting the overview in
an annual RCSA Summary.

2.2 Objectives of RCSA


The primary objective of the RCSA is to facilitate management of risks effectively and efficiently by businesses and
support functions. RCSAs enable Macquarie to:
 Identify and assess the operational and compliance risks, including conduct risks, that exist in the Group;
 Identify and assess the controls in place to mitigate those risks; and
 Document actions for any control weaknesses and prioritise those actions according to the risk they pose to the
Group.
RCSAs are also used to:
 Articulate the overall risk profile of the Group and as an input to developing and prioritising programmes of work
and resourcing
 Assist in identifying and quantifying operational risk scenarios in the operational risk capital model
 Support representations made as to the effectiveness of controls in:
o Management Representation Letters for the purposes of the half and full year financial reports;
o Annual representations made to the Board and APRA by the CEO; and
o Representations by the CEO and CFO as to the efficiency and effectiveness of internal controls over financial
reporting for compliance with ASX Corporate Governance Guidelines.
RCSAs may also be provided to internal audit, external audit, regulators, other relevant competent authorities or
stakeholders.
Conduct risks are examined throughout the RCSA by ensuring risks are assessed by reference to potential negative
impacts on clients, counterparties or the fair and effective operation of the markets, arising from improper, unlawful or
unethical behaviour or action.

2.3 RCSA quality standards


The RCSA in OpenPages contains key information about Macquarie’s risk profile which may be used in reports and
analysis for various audiences including the Board. Accordingly the following quality standards are applicable to all
RCSAs to ensure the information is complete, accurate and timely. The BORMs, BACs and GBLs are jointly responsible
for ensuring that RCSAs meet the minimum quality standards.

RMG has set the following quality standards for RCSAs:

Standard / Quality requirements

Coverage and granularity
All businesses, support functions, products and jurisdictions must be adequately covered by RCSAs.
 It is not necessary for compliance and operational risk analysis to be documented in OpenPages at the same level of
granularity. However, the RCSA must be undertaken in a way that ensures the material risks are reflected in a
combined RCSA Summary.
 It is expected that businesses will adopt Divisional RCSAs and support functions will adopt RCSAs in line with the
business that they support for operational risk purposes.
o For example in CGM, RCSAs should be prepared for CGM Energy Markets, CGM Credit Markets, etc., rather than
1 CGM RCSA.
o For COG Technology it means preparing RCSAs for COG Technology (BFS), COG Technology (CGM), rather
than 1 COG Technology RCSA.
 RCSAs that cover compliance risks are required to be completed at least by region and in some cases by jurisdiction
or regulated legal entity to ensure country-specific risks are appropriately captured.

End to end view
Businesses must evidence their end-to-end considerations. Business RCSAs should cover controls in the business and
within support functions.
 Controls in support functions that are critical for businesses should be raised in the support function RCSA against
the relevant risk in the support function.
 Business RCSAs should consider those critical controls in support function RCSAs and their impact on the relevant
risk in the business RCSA. This may be done in OpenPages by associating the support function critical controls;
however, other evidence may also be acceptable.

Completeness
RCSAs must be complete and meet the following requirements:
 All defined compliance risks and material operational risks have been assessed for every RCSA;
 Critical and key controls are identified and assessed for all documented operational risks and compliance risks that
are rated Medium, High or Very High inherently;
 Critical controls that are rated “Needs Improvement” or “Ineffective” are linked to appropriate issues and actions
unless there is documented risk acceptance;
 Risks, controls, issues and actions are described clearly and concisely;
 All the required fields for risks, controls, issues and actions in OpenPages are appropriately populated. See
Appendix G for RCSA documentation requirements in OpenPages; and
 Location and any regulated legal entities are associated to each compliance RCSA in OpenPages to facilitate
reporting.

Reasonableness
Control and risk assessment ratings should be reasonable and a level of conservatism should be applied given all
available information.
 Consideration of data inputs should be evident, such as New Business and Product Approvals (NPAs), regulatory
change, focus or enforcement, incidents, assurance results and audit findings.
 Ensure ratings are consistent with Appendix B.
 The reason given for compliance inherent risk ratings should explain the factors that lead to the risk rating. The
factors are set out in Appendix C.

Live RCSA
RCSAs in OpenPages should materially reflect the risk profile of the business at all times. Refer to section 2.4 for
additional guidance.

Annual RCSA review
A full review of the RCSA should be undertaken annually, with appropriate input from the business or support function,
appropriate approval and submission of the RCSA Summary and OpenPages detail on time.


2.4 Live RCSA


Businesses and support functions should update their risk profiles in OpenPages when material changes in their risk
profile occur. This involves reflecting on or changing the risk and control assessment as a result of one, or a combination,
of the following:
 Internal and external material changes (e.g. significant new product approvals, changes in the regulatory
environment);
 High and medium issues arising from:
o incidents in OpenPages;
o output from assurance work;
o audit findings (including internal and external reviews);
 Insights from management supervision; and
 Changes in the status of issues and actions.
Each year an RCSA snapshot will be taken to evidence the final RCSA. During the course of the year, the data may be
updated based on the requirements above. A full reassessment of the risks and controls must be undertaken and
submitted annually.

3. RCSA review process


RCSAs are updated and reported to RMG at least annually. They can also be undertaken when material changes to the
risk profile occur. RCSA reviews should be coordinated to include the business, BORMs, BACs and GBLs in the
assessment of the risk profile. An RCSA review consists of the following steps:

3.1 Coverage
Ensure all businesses and support functions in all jurisdictions are captured in the RCSAs taking into account any
material changes (e.g. new businesses, restructuring or change of location).
If RCSAs need to be restructured in OpenPages, or new ones are required, contact your RMG Op Risk Lead Director or
RMG Regulatory Assurance contact and the RMG Op Risk system team (mailto:[email protected]). Please
note that larger, more complex changes will require a lead time of at least three months to be implemented in OpenPages.

3.2 Inputs
The purpose of the RCSA review is to facilitate the businesses and support functions to self-assess risks, controls and
actions with advice from GBLs, BACs and BORMs as subject matter experts, input from control owners and support
functions for an end-to-end view, and inclusion of wider RMG teams as appropriate for the RCSA.
There are many sources of information from various data sources which can be used in the review. At a minimum this
should include: business objectives and strategy, key business processes, material changes in the business (NPAs),
regulatory change, focus or enforcement, incidents, control assurance review results, compliance assurance review
results and audit/exam results.
Additional data sources and inputs are listed in Appendix E. RMG Op Risk scenario analysis can also be used.

3.3 RCSA workshop


The purpose of an RCSA workshop is for the business or support function to engage with relevant stakeholders and
ensure that a robust discussion is held to identify and assess risks facing the business or support function, assess the
adequacy of the control environment and determine actions to improve the risk profile. The results of the workshops
should be reflected in the RCSA.


3.4 Identify risks facing the business


Parent risks are defined in Appendix A.

Operational Risk
Start with survival threatening risks and then work down the severity of impact.
Identification should include risks whether or not they are under the control of the Business Unit (e.g. a third party
vendor failure is still a risk to the business).
It is important to identify all material risks to the business, not all possible risks.
After first analysis similar risks should be combined.
At a minimum the parent risks and their descriptions in Appendix A should be considered, though only material
inherent risks need to be recorded.

Compliance
All Compliance risks listed in Appendix A must be assessed for each business and support function and recorded in
the RCSA regardless of severity.
Where the Compliance parent risk covers multiple risks within a business (e.g. Market Conduct covers Insider Trading,
Market Manipulation, Collusion/Competition and Market Rules), these can be described and assessed at a more
granular level under the same parent risk in addition to the overall parent risk which is required. This enables a
business or support function to tailor their risks specifically, whilst retaining consistency.
For details on how to record these, refer to Appendix G.
Where a business or support function has other material legal or conduct risks, these should be recorded under the
‘Other Legal and Compliance’ parent risk, to be assessed in accordance with operational risks.

3.5 Assess the inherent risk rating


Assess the risk’s impact and likelihood in the absence of controls using the 5-scale rating matrices in Appendix B. The
inherent impact and inherent likelihood ratings in OpenPages will automatically calculate the overall inherent risk.
At this stage controls mitigating these risks should not be considered.

Operational Risk
It is expected that, at this stage, most of the operational risks identified should have a high inherent risk rating. If risks
are low inherently, they may be immaterial to the business and therefore it may be appropriate to remove them from
the RCSA.

Compliance
Compliance parent risks (listed in Appendix A) are assessed consistently across Macquarie by using the factors and
guidance in Appendix C and the ratings guidance in Appendix B.
There is currently no rating available in OpenPages for ‘not applicable’, therefore where the risk is assessed as not
applicable, due to the nature of the activities undertaken, inherent risk and residual risk should be entered as ‘very
low’, with a comment to reflect why it is not applicable. This will evidence that each Compliance risk has been
considered in relation to each business and will facilitate Compliance analysis across businesses.

3.6 Identify new controls or changes to controls


For all documented operational risks and compliance risks that are rated medium, high or very high inherently, identify
critical and key controls that currently exist to manage that risk.
A control is a process, device or practice that acts to mitigate the likelihood and/or impact of a risk. We have three control
weightings – critical, key and non-key.
A control is critical if it is the primary mechanism, or one of the minimum set of controls for a given process, which, when
designed and operating effectively, brings Macquarie’s material risk to within risk appetite.

In addition, a control must be designated as critical if its design or performance failure could result in an unexpected loss
of AU$10 million or greater in a given year.
Controls may also be considered critical due to the potential for adverse non-financial impacts resulting from their
operational failure, including but not limited to:
 material or systemic non-compliance with financial reporting, regulatory or legislative requirements;
 inability to maintain continuity of critical business functions;
 significant Workplace, Health, Safety & Environmental (WHS&E) incident; and/or
 significant adverse impacts to Macquarie’s reputation.
When assessing the criticality of controls, business specific risks should be considered. All key stakeholders are to
provide input into the Critical Controls listing at the Control Assurance Forums.
For further guidance on criticality of controls refer to RMG Operational Risk Lead Directors and RMG Compliance to
ensure a consistent assessment across Macquarie.
Key controls are controls that are important but not crucial in the effective management of risks, the breakdown of which
attracts senior management interest.
Non-key controls are any other controls that contribute to the prevention or detection of errors or fraud. The breakdown
of such controls would not directly lead to material errors or losses. RMG does not require non-key controls to be
evaluated in the RCSA.
Controls are not required to be identified and documented in RCSAs against compliance risks that have been assessed
as inherently low or very low (or not applicable).
Controls that are managed or performed by Compliance are recorded as Control type ‘Compliance’ with three possible
Control areas of advice, training or monitoring. Not all advice, training and monitoring activities undertaken by
Compliance constitute a control for the purposes of the RCSA. Controls managed or performed by anyone other than
Compliance are recorded as Control type ‘Operational Risk’ with multiple Control areas, which are high level themes
designed by RMG to enable analysis. Further guidance is provided in Appendix G.

3.7 Assess control effectiveness


In accordance with the rating table in Appendix B, assess the control design to determine whether the control meets its
objectives in mitigating risk and the control performance to determine whether the control is operating as designed.
OpenPages will automatically calculate the overall control effectiveness rating based on the control design and control
performance ratings.
When assessing controls, the following should also be taken into account:
 Results of any assurance work performed over design and performance of controls;
 Systems on which the control relies (e.g. Access is segregated, data is secure);
 Data quality risk (completeness, accuracy, timeliness, etc., of the data underlying the business controls);
 Actions associated with controls have been appropriately addressed (e.g. any high open actions);
 Materiality of control breakdowns (e.g. incidents) has been considered; and
 Risk acceptance decisions are disregarded as they have no impact on control ratings.

3.8 Assess residual risk


The objective is to assess the level of risk after the effect of controls is considered. The residual risk should be assessed
using the risk impact and likelihood matrices in Appendix B. This is based on all available information as noted in Section
3.2 and the effectiveness of the associated controls. For example, a set of controls that is overall rated as ‘effective’
should mitigate the corresponding risk and reduce the residual impact and/or residual likelihood.

3.9 Identify issues and remedial actions


Actions should be raised where the residual risk is material (high and very high residual risk) and/or where required
control improvements are identified and agreed. Any exceptions require a formal risk acceptance.
As part of the minimum standard checks, RMG has a greater focus on actions created for critical controls rated
‘ineffective’ or ‘needs improvement’. These actions must be entered into OpenPages with an action owner and due date
for completion. Please refer to the Issues and Actions Guide and Risk Acceptance Process Guidance for additional
guidance.

4. RCSA summary
Following an RCSA review, the businesses and support functions should have an updated view of their risks and
controls. The RCSA Summary is prepared as an overview of the risk profile of the business or support function and is
typically undertaken globally at Group or Division level.
The RCSA Summary should provide a transparent overview of the risk profile of the business or support function,
including emerging risks. It should form a conclusion as to the operational risk and compliance risk profile and the ongoing
appropriateness of the control environment, including any known and emerging control weaknesses and identified
actions.
The following points should be included in the RCSA Summary where relevant:
 The key changes that have taken place in the business (e.g. acquisitions, new products, new locations, new
systems, new processes, restructures, significant growth and significant changes in the profile of the client base).
 External developments affecting the risk profile, such as regulatory change, focus or enforcement, including
whether, given the significance of the change, an NPA refresh is needed for the relevant business/product.
 Describe at a high level the impact these changes are having on the business, emerging issues, the risks and the
control environment (e.g. transaction volumes, deal sizes, incidents and audit issues).
 Identify any risks outside of risk tolerance.
 Identify risk acceptances and provide a summary of the current material acceptances.
 Provide a summary of the key conduct risks facing the business and how effectively they are being managed and
mitigated (refer to Appendix D for further guidance).
 Businesses and support functions should include significant themes highlighted by their support functions.
 Provide an update on assurance conducted over the risk and control environment.
 Confirm how the Global Office Framework (GOF) requirements are met, including commentary on how this is
considered in the risk assessments and highlight any issues identified through this activity. This should include a
list of all non-hub offices and their risk ratings and visitation schedule as applicable. The GOF requires businesses
to visit all non-hub offices on a regular basis to assess the effectiveness of the Risk Management Framework,
culture and critical controls. Please refer to the GOF for further detail.
 Identify the key actions that are taken to maintain and/or improve the risk culture. There is a risk culture assessment
tool available that can facilitate identifying the risk culture actions that the businesses and support functions should
take.
 Describe key projects in the business (including status update and key milestones). Comment on the effectiveness
of the governance structure and the impact on the control environment.
 Other areas of focus prescribed by RMG.
 Draw a conclusion on the risk profile and appropriateness of the control environment.
The RCSA Summary should be a concise document.
The RCSA Summary should be refreshed and provided to RMG at a minimum on an annual basis. It is expected that
these summaries are prepared based on the BORMs’ and BACs’ working knowledge of the business; however, for the
half-year RCSA reviews, the extent of the process is at the BORMs’ and GBLs’ discretion (e.g. whether to have
workshops with the Business) with RMG guidance, and will largely depend on material changes to the business and/or
the risk profile during that period.
Refer to Appendix F for the list of examples of what works and what does not work.

5. Review and challenge



The RCSA results are subject to review to ensure they reflect the risk profile and that the quality standards set out above
have been adhered to.
 Regulatory Assurance ensures completeness of coverage and appropriateness of ratings for compliance risks; and
 RMG Op Risk ensures completeness of coverage and assesses appropriateness of ratings for operational risks
across the businesses and support functions.
RCSA results for compliance risks are subject to approval:
 Regional Heads of Compliance assess the appropriateness of ratings for compliance risks across the businesses
and support functions within their respective region.
Review and challenge is coordinated by RMG Op Risk and Regulatory Assurance and the combined results are
communicated to the BORM, BAC and GBL.

6. Final submission in OpenPages


Once the review and challenge has been conducted the RCSA details are submitted in OpenPages.

7. Roles and responsibilities


7.1 Businesses and support functions
The businesses own the risks in their business and the support functions own the risks in their support function. They
are respectively accountable for the effective management of both their operational risk and compliance risk. There
should be input and sufficient review of the risk and control profile from appropriate stakeholders within the businesses
and support functions into the RCSA review to enable the assessment to be completed.

7.2 BORMs, GBLs and BACs


BORMs and BACs share responsibility for the RCSA process. BORMs support the businesses and support functions
to implement the operational risk management framework. BAC teams have specialised knowledge in relation to
compliance risks in the businesses and support functions they are aligned to.
BORMs and BACs collaborate to deliver the RCSA, including:
 appropriate RCSA coverage of all businesses and support functions in their remit;
 complete and accurate identification and assessment of risks and controls;
 identification of issues and appropriate remedial actions;
 ensuring material changes to the risks, controls, associated issues and actions are updated in real-time in
OpenPages;
 joint facilitation of the RCSA Workshop, where applicable; and
 joint preparation and submission of the RCSA Summary.
BORMs and BACs should engage their RMG Op Risk Lead Directors and Regulatory Assurance throughout the RCSA
process.
GBLs liaise with the BORMs to coordinate the process with their respective BACs and BORMs. GBLs also calibrate
their respective compliance risks by reviewing the results to ensure the risks, controls and actions have been reflected
consistently across the business.

7.3 RMG
RMG Op Risk and Regulatory Assurance have ownership of the RCSA framework; provide ongoing support in the
form of training and advice to BORMs, BACs and the business and review RCSA quality and provide feedback to GBLs,
BACs and BORMs.
On an annual basis, RMG Op Risk assesses the process that has been undertaken, assesses the reasonableness of
the RCSA conclusions for operational risks and considers various risk data available to RMG (e.g. new product
approvals, audits, incidents, control assurance results and external events) ensuring RCSA minimum standards are met
including:
 Optional participation in RCSA workshops to observe the process and discussions with senior management;
 Reviewing and challenging the results of the RCSA and the summary, including assessing the appropriateness of
risk ratings;
 Identifying themes across the Group; and
 Identifying systemic risks or common actions where a centralised approach to control enhancement may be more
efficient and effective.
Operational risk themes identified in the RCSA process are summarised and reported to the Board Risk Committee
every six months.
From time to time, RMG performs reviews on RCSAs. A significant incident or audit finding which could reasonably be
expected to have been identified through assurance and RCSA processes may prompt such a review.
The review involves the analysis of RCSA information in OpenPages. In cases where known control gaps or
weaknesses were not transparently identified in OpenPages, discussions take place with relevant businesses or support
functions on why this was the case. Based on those discussions a capital penalty may be applied by RMG Op Risk.
RMG Operational Risk Frameworks team and Regulatory Assurance review and challenge the results of the RCSA
to ensure the minimum quality standards have been met including: completeness of coverage and appropriateness of
ratings. RCSA Summaries are reviewed to ensure they appropriately represent the compliance risk and control profile
detailed in OpenPages.
The Financial Crime Compliance (FCC) team has an oversight role in relation to the financial crime risks (money
laundering, sanctions and bribery & corruption risks) throughout the RCSA process. FCC assesses FCC risks and
coordinates with BACs to ensure an appropriate level of discussion of FCC risks in the RCSA workshop. FCC could
participate in RCSA workshops directly if deemed appropriate between the BAC and the relevant FCC contact. The
Global FCC team will consolidate FCC results out of the RCSA documentation in OpenPages to determine an
appropriate program of work. Regional FCC Heads agree with the businesses and support functions the output and actions
from the RCSA, and this is consolidated in a global heat map and action plan.
Functional Compliance teams (e.g. Training and M&S) own many of the Compliance controls in the RCSA and are responsible for creating them in the Compliance control library, determining the name, description and control owner, assigning ratings to them and mapping the controls to the risks and groups to which they apply. BACs challenge the ratings on the controls directly with the Functional Compliance team. Results of the RCSA are used by each function to determine an appropriate program of work.
The RMG Conduct Risk and Policy team is responsible for reviewing and challenging the RCSA from a conduct risk perspective and for reporting Macquarie's conduct risk profile to the Board Governance and Compliance Committee as required.
Regional Heads of Compliance review and approve the results for their respective region, including review of the
ratings to ensure they are appropriate. RCSAs for compliance risks are required to be approved by the Regional Head
of Compliance prior to final submission in OpenPages. Regional Heads of Compliance also calibrate across the regions
to ensure the results are appropriate from a global perspective.

Appendix A: Material risk and control definitions


Material risk definition
Material risk is defined as a risk that has been assessed as inherently high or very high. Risks that are rated as low or
very low are not deemed to be material. For definitions of ratings see Appendix B.

Parent risk categories and parent risks

Each parent risk category and the parent risks it contains:

Asset Risk
• Error on cash or securities movements
• Loss or damage to physical assets

Business Disruption Risk
• Business Disruption
• Inadequate third party service

Client and Product Risk
• Inappropriate advice or mis-selling
• Model or valuation error
• Poor customer management
• Product Flaws

Financial Management Risk
• Credit Risk Management
• Hedging Error
• Inaccurate external reporting
• Inaccurate internal reporting
• Liquidity and funding risk
• Market risk management

Information Technology Risk
• Projects, Programs & Portfolio Management
• IT Operations
• Architecture standards
• Change Management
• IT Governance
• Records and Data Management

Legal and Compliance Risk
• Environmental Damage
• Other Legal and Compliance risk
• Tax error
• Licensing
• Fitness and Propriety
• Communications with Clients
• Conflicts of Interest
• Customers' Interests
• Market Conduct
• Clients' Assets
• Regulatory Reporting
• Data Protection / Privacy
• Record Keeping
• Outsourcing
• Money Laundering
• Sanctions
• Bribery & Corruption

People Risk
• Employee Mis-management
• Inadequate staff or skills
• People Safety Risk

Theft and Fraud Risk
• Theft and Fraud
• Unauthorised Activity

Transaction Risk
• Trade Execution Error
• Transaction Processing Error

Compliance Risks
RMG Compliance has developed a list of Compliance Risks which are included in OpenPages as Parent Risks. For all
businesses and support functions an assessment should be undertaken using the factors set out in Appendix C and
documented. If the risk is assessed as not applicable it should be reflected as ‘Very Low’ inherent risk with a comment
explaining why it is not applicable, given that ‘Not Applicable’ is not currently available as an option in OpenPages.

Parent Risk: Definition

Licensing: The Group may lose its licences or be subject to license restrictions as a result of failing to manage licensing and registration obligations which may arise from the Group's activities and/or jurisdictions of operation.

Fitness and Propriety: The Group may fail to demonstrate the integrity and competence required of staff in their roles including both internal and external obligations.

Communications with Clients: The Group may fail to pay due regard to the information requirements for its clients, or to communicate information to them in a way which is clear, fair and not misleading.

Conflicts of Interest: The Group may fail to manage perceived or actual conflicts of interest, including confidentiality obligations, both between itself (the firm and its staff) and customers and between a customer and another client.

Customers' Interests: The Group may fail to pay due regard to the interests of its customers by undertaking activities which involve products or services that are unsuitable or inappropriate, or which otherwise involve improper, unlawful or unethical conduct that creates a negative impact on its clients or counterparties.

Market Conduct: The Group may fail to observe proper standards of market conduct by failing to prevent any of the following: insider dealing, improper disclosure or misuse of information, market manipulation, and misleading behaviour – or otherwise involves improper, unlawful or unethical conduct that has a negative impact on the fair and effective operation of the markets in which the Group operates.

Clients' Assets: The Group may fail to arrange adequate protection for clients' assets when it is responsible for them.

Regulatory Reporting: The Group may fail to satisfy regulatory and exchange reporting requirements arising in the course of the services it provides.

Record Keeping: The Group may fail to meet regulatory and exchange record keeping obligations, including responding to requests for information in a timely manner.

Outsourcing: The Group may fail to meet local regulatory and exchange requirements in respect of its outsourcing, off-shoring and agency arrangements.

Money Laundering: The Group may be used to facilitate money laundering.

Sanctions: The Group may directly or indirectly facilitate a breach of sanctions legislation/regulation.

Bribery & Corruption: The Group may be used to facilitate bribery and corruption and/or breach Bribery and Corruption legislation.

Operational Risks

Parent Risk: Parent Risk Description and Examples

Error on cash or securities movements: Includes incorrect or late payments and settlements, payments made to incorrect party, failure to receive payment. Excludes fraud.

Loss or damage to physical assets: Losses from damage to physical assets owned by Macquarie. Includes losses due to fire, flood, earthquake, vandalism.

Business disruption: Losses due to systems, data or premises unavailability. Includes losses resulting from software or hardware outages, telecommunications and utility outages/disruptions, businesses not being able to recover within expected timeframes.

Inadequate third party service: Includes losses arising from mis-performance or failure of third party service provider, lack of oversight, inappropriate SLA, over-reliance on third parties. Excludes oversight over JVs.

Inappropriate advice or mis-selling: Includes losses arising from poor advice given to client, negligence or unintentional failure to act in the best interests of the clients, failure of fiduciary duty, failure to disclose all relevant information, disputes over performance of advisory activities.

Model or valuation error: Includes incorrect assumptions and formulas in spreadsheets and system calculations/valuations. May include unit pricing errors (depending on the cause).

Poor customer management: Includes losses due to poor customer service, incorrect statements sent to clients, customer complaints.

Product flaws: Includes losses due to inadequate or inappropriate product development, product design, product quality, product complexity. Excludes mis-selling and model/valuation errors.

Credit risk management: Includes losses due to errors or breakdowns in the credit risk management process. Includes collateral management, incorrect or failed margining, breach of credit limit, failure to obtain credit approvals.

Hedging error: Includes losses as a result of inadequate hedging, including flaws or errors in the hedge calculation or model, delays in placing the hedge, or a lack of understanding of the exposure.

Inaccurate external reporting: Includes losses due to errors in external financial or management reporting. Excludes tax returns (Tax Error).

Inaccurate internal reporting: Includes losses due to errors in internal financial/management reports, or inadequate financial risk management processes.

Liquidity and funding risk: Includes losses due to breakdown or failure in liquidity and funding risk management, failure to maintain sufficient liquid financial resources to meet near term liabilities as and when they fall due.

Market risk management: Includes losses due to errors or breakdowns in market risk processes leading to losses arising from changes in market prices or volatility. Includes errors or breakdowns in interest rate risk management leading to losses due to adverse changes in the level, shape and volatility of yield curves. Excludes Hedging errors.

Projects, Programs & Portfolios Management: Includes losses resulting from poor governance or management of projects, programs or portfolios, poor organisational change management, inadequate project risk management or poorly defined business requirements.

IT Operations: Includes losses resulting from ineffective IT Operations, inadequate management / monitoring of system performance, obsolete technology, poor documentation of operational procedures, inadequate backup / retention of data or poor configuration management.

Architecture Standards: Includes losses due to ineffective management and / or governance of enterprise architecture.

Change Management: Includes losses resulting from ineffective management of changes, such as inadequate definition / review / testing / approval of changes, ineffective release management or change implementation.

IT Governance: Includes losses resulting from poor governance or management of the IT strategy, function, processes or environment. Examples include non-compliance with obligations, inadequate technology oversight forums and committees, ineffective business ownership and oversight over technology, inappropriate IT strategy or organisational structure, inappropriately defined / reviewed IT policies and standards, or ineffective risk management of the technology environment.

Records and Data Management: Includes losses due to poor records management practices or mismanagement of data.

Environmental damage: Includes losses due to environmental damage caused by Macquarie, e.g. marine or environmental damage.

Other Legal and Compliance risk: Includes losses due to breach of contract, lack of enforceability of legal documents, incorrect legal disclaimers, mis-statements, documentation errors, breach of client mandate. Includes fines, penalties and punitive damages by regulators. Includes breach of internal policies. Excludes Tax.

Tax error: Includes losses due to lack of understanding of tax regulations, errors in tax calculations, fines, penalties, or punitive damages from tax regulators.

Data Protection / Privacy: The Group may fail to protect customer personal data in the course of the services it provides.

Employee mismanagement: Includes losses due to inappropriate treatment of employees, compensation, benefits, termination issues, equal opportunity issues, harassment, discrimination, victimisation, concerns & complaints and other inappropriate workplace behaviour. Excludes People safety risk.

Inadequate staff or skills: Includes losses due to inadequately trained/skilled employees, appropriate pre-employment checks not carried out, loss of key person, lack of succession planning and/or cross training.

People safety risk: Includes losses incurred as a result of not providing a safe environment for employees, contractors and third parties, such as breaching health and safety regulations, general liability, workers compensation, civil action, employee recompense. Includes the application of the WH&S framework to subsidiary companies and affiliates (e.g. Funds).

Theft and fraud: Includes losses due to internal employees undertaking fraudulent activities and losses due to fraudulent acts by a third party. Includes physical security breach, hacking, theft of information, bribes, extortion, embezzlement, collusion, disbursement to inappropriate accounts, improper expense claims, forgery, client misrepresentation, and misappropriation of funds. Excludes Unauthorised Trading.

Unauthorised activity: Includes losses due to unauthorised trading, inappropriate or unauthorised access to our IT assets, access to sensitive data, physical security breach.

Trade execution error: Includes losses arising from fat finger errors, mis-matched trades, and buy instead of sell trades.

Transaction processing error: Includes losses or errors due to failures in the transaction process. Excludes Error on cash or securities movements, Trade execution error. May include unit pricing errors (depending on the cause).

Control areas

Control area is used to categorise the theme of control and to enable analysis.

Control Area: Control Area Description

Finance & Accounting controls: Relates to controls in the accounting process, including identification, measurement and reporting of financial information.

Operational Reconciliations: Relates to business reconciliations outside of normal Finance reconciliations. E.g. Daily securities reconciliations, data integrity reconciliations by Market Operations.

Board & executive management oversight: Relates to Board & Executive Committees executing their oversight & management responsibilities.

Business continuity management: Relates to disaster recovery, business continuity, management of unusual or overload activity levels, building maintenance etc.

IT change management: Relates to IT changes and controls within the IT Change Management process (e.g. UAT, Rollback etc).

Compliance: Relates to controls to ensure compliance with legal & regulatory requirements.

Compliance - Advice: Compliance owned control - Includes Compliance Procedures, Policies, Processes and Manuals.

Compliance - Training: Compliance owned control - Includes online, instructor-led, adhoc communications and awareness messages that relate to Compliance topics.

Compliance - Monitoring: Compliance owned control - Includes Regulatory Assurance reviews, Compliance Testing and Monitoring & Surveillance activities.

Culture, training & development: Relates to the shared values & practices of employees, training & career development, and the delivery of learning to improve skills and knowledge or performance.

Customer management: Relates to managing customers including pre-sales customer due-diligence and post sale service and relationship management activities.

Management supervision: Relates to the management of information used for managerial decision making such as use of intelligence & benchmarking data, monitoring of outstanding items or breaches etc.

Management of systems: Relates to the availability and performance of systems.

Third party oversight and management: Relates to the management of third party service providers.

Payment processing controls: Relates to the authorisation, execution & recording of payments and other settlement processes.

People planning, selection & succession: Relates to HR processes including recruitment & termination, promotion & remuneration, performance management and succession planning.

Product & business approval: Relates to the due diligence, review & approval of new products, businesses or clients, as well as major organisation changes and business restructures.

Risk management: Relates to managing risk exposures in terms of identifying, assessing, monitoring & reporting on risks, & actions taken to mitigate them.

Safeguarding of information & physical assets: Relates to the security of information in any media format such as written, electronic etc, and the security of physical assets for fixed assets, intangibles, physical commodities (e.g. oil) in transit etc.

Transaction or trade processing controls: Relates to the authorisation, execution, recording and confirmation of transactions. Excludes transaction settlement.

User access management & segregation controls: Relates to the management of user access and segregation of duties.

Appendix B: Risk and control ratings


Risk impact rating

Rating Scale: 1 - Very Low, 2 - Low, 3 - Medium, 4 - High, 5 - Very High. The impact criteria for each rating are grouped below by perspective (Financial, Reputational and Regulatory, Internal).

Financial

1 - Very Low
• Direct loss or cost of up to 0.5 to 1% of Annual Budget / Revenue Target.

2 - Low
• Direct loss or cost of up to 1 to 5% of Annual Budget / Revenue Target
• Reduction in business opportunities from key clients

3 - Medium
• Direct loss or cost of up to 5 to 15% of Annual Budget / Revenue Target
• Zero return on investment
• Potential loss of key business opportunities

4 - High
• Direct loss or cost of up to 15 to 30% of Annual Budget / Revenue Target
• Negative return on investment
• Loss of key business opportunities

5 - Very High
• Direct loss or cost of greater than 30% of Annual Budget / Revenue Target
• Sustained negative return on investment
• Significant loss of key business opportunities

Reputational and Regulatory

1 - Very Low
• Technical/administrative, isolated breaches which are not required to be reported to the regulator.
• No action from the regulator
• No impact on regulatory relationship
• No media coverage, no brand damage, no client impact

2 - Low
• Minor regulatory breach which may require to be reported to the regulator
• Potential impact on regulatory relationship
• Remediated in normal course of business if required
• Media coverage unlikely
• Low client impact

3 - Medium
• Material regulatory breach which will require reporting to the regulator
• Incidental regulatory fine or non-public action possible
• Some remediation effort possible
• Some impact to regulatory relationship
• Some negative media possible
• Loss or damage to clients and complaints from some clients or significant client(s) possible
• Some client redress possible

4 - High
• Material regulatory breach with regulatory fine and public censure possible
• Some remediation effort and cost likely
• Adverse impact on local regulatory relationships and possible effect on other regulators
• Some critical coverage in major / national media
• Likely to result in loss of clients and consequent loss of revenue
• Some client compensation likely
• Some damage to brand

5 - Very High
• Serious systemic or material regulatory breach with significant regulatory fine and public censure likely
• Significant cost and remediation effort.
• Adverse impact on global regulatory relationships.
• Loss or restriction of licence and constraints on business opportunities
• Concerted, widespread or recurrent critical or hostile coverage in international media.
• Likely to result in loss of a large number of clients or very significant clients and consequent loss of revenue
• Significant client compensation likely
• Long term damage to brand

• When assessing the impact consider the potential negative impact on clients, counterparties or the fair and effective operations of markets arising from improper, unlawful or unethical behaviour or action

Internal

1 - Very Low
• Events that are absorbed into normal activity
• Some staff morale problems

2 - Low
• Low staff turnover
• An event which can be absorbed, but management effort is required to minimise the impact

3 - Medium
• Poor reputation as an employer
• A key employee leaves
• A significant event which can be managed under normal circumstances

4 - High
• Some key executives leave the company
• Bank is not perceived as an employer of choice
• A critical event which can be managed with escalation and significant management effort.

5 - Very High
• Large number of key executives / directors leave the company
• An event that Management is not able to impact by increased management

Note that Compliance risks are assessed on the basis of impact from a Reputational, Regulatory and Conduct
perspective only. Operational risks are assessed on the basis of impact from all of the perspectives above.

Risk Likelihood ratings

Rating Category Likelihood

5 Very High Occurs more than 5 times per year

4 High Occurs up to 5 times per year

3 Medium Occurs once during the year

2 Low Unlikely in next year

1 Very Low Unlikely in next 5 years

In assessing the Impact and Likelihood of inherent Compliance risks, at a minimum, the factors set out in Appendix C
should be considered.

Impact vs Likelihood Matrix

The matrix below shows:
Inherent Impact vs Inherent Likelihood = Calculated Inherent Risk

Likelihood \ Impact   1 - Very Low   2 - Low     3 - Medium   4 - High    5 - Very High
5 - Very High         Medium         High        High         Very High   Very High
4 - High              Low            Medium      High         Very High   Very High
3 - Medium            Low            Medium      Medium       High        High
2 - Low               Very Low       Low         Medium       Medium      High
1 - Very Low          Very Low       Very Low    Low          Medium      Medium

This matrix is built into OpenPages and will populate the Inherent and Residual risk automatically, dependent on the
Impact and Likelihood values entered.

Control Assessment ratings


The table below shows the definitions for Control Design ratings and for Control Performance ratings.

Control Design rating Guidance

Effective The control meets the design objectives and mitigates the risks.

Needs Improvement The control is designed to mitigate some but not all aspects of the risk.

Ineffective The control is poorly designed and does not meet its objectives or mitigate the risks.

Control Performance rating Guidance

Effective The control operates as designed.

Needs Improvement The control is normally operational but has occasional breakdowns.

Ineffective Control breakdowns are systemic in nature.

Control Effectiveness Matrix

The matrix below shows:
Control Design * Control Performance = Control Effectiveness

Control Design \ Control Performance   Effective           Needs Improvement   Ineffective
Ineffective                            Ineffective         Ineffective         Ineffective
Needs Improvement                      Needs Improvement   Needs Improvement   Ineffective
Effective                              Effective           Needs Improvement   Ineffective

This matrix is built into OpenPages and will populate the Control Effectiveness rating automatically, dependent on the
Control Design and Control Performance values entered.

Residual Risk Matrix - Guide


In assessing the residual risk, the impact and likelihood matrices above should be used. It is likely that effective controls
would reduce the impact or likelihood of the inherent risk. For example, effective controls over a high inherent risk may
reduce the residual risk to low, as can be seen in the example table below. The table should be used as a guide only –
the actual residual risk rating should be assessed based on the impact and likelihood tables above.
The example matrix below shows Inherent Risk * Overall Control Effectiveness profile, illustrating the impact of controls on inherent risk when determining Residual Risk:

Inherent Risk \ Overall Control Effectiveness profile   Effective   Needs Improvement   Ineffective
5 - Very High                                            Medium      High                Very High
4 - High                                                 Low         Medium              High
3 - Medium                                               Very Low    Low                 Medium
2 - Low                                                  Very Low    Very Low            Very Low
1 - Very Low                                             Very Low    Very Low            Very Low


Note that controls are not required to be documented for Compliance risks where the inherent risk is low or very low.
However OpenPages still requires residual risk to be populated in these cases.

Appendix C: Factors for consideration when assessing compliance inherent risks

The table below sets out the factors to be considered when assessing each compliance risk. The results of this
assessment should be populated in the ‘Reason for Inherent Risk Rating’ field in OpenPages.
At a minimum, the ‘Reason for Inherent Risk Rating’ field should be populated with a comment against each of the
factors for that risk. These factor comments provide information on the requirements, complexity of the business and
applicability of that risk to that business, which together support the determination for inherent impact and inherent
likelihood ratings.
The table below gives guidance by listing the type of questions that should be considered when commenting on the
factors. This list is not exhaustive, but intended as a prompt.
Some factors will be more applicable than others. The combined weighting of the factors should be taken into account
when determining the inherent risk. For example, the greater the complexity, the higher the impact and/or likelihood
rating.
Where possible the factor comments should be supported by data available from Macquarie systems – suggested data
inputs for each risk are given in the table.

The table columns are: Risk, Factors for Consideration, Factor Weighting, Factor Questions (including but NOT limited to), Likelihood or Impact, and Additional Data inputs. Below, each factor is listed with its weighting, and each question is followed by whether it bears on Likelihood or Impact.

Additional data inputs applicable to all risks: Regulatory Change Tracker, Regulatory Focus Tracker, Fines & Sanctions Database.

Risk: Licensing
Additional data inputs: Licenses, Legal entities, Regulators, Exchanges, Regulatory Interactions, NPAs, Customer jurisdiction, Authorisations

Entity licensing (Factor weighting: Required/Number)
• Does the business require a licence/registration/permission/exemption in order to conduct business? (Impact)
• Which legal entities are they/how many? (Impact)
• Are there any joint ventures with licensing/registration considerations? (Likelihood)
• Renewal requirements? (Likelihood)

Exchange memberships (Factor weighting: Required/Number)
• Does the business require exchange memberships/registration to conduct business? (Impact)
• Which exchanges are they/how many? (Impact)
• Renewal requirements? (Likelihood)

Staff Registrations (Factor weighting: Number & Complexity)
• Are there individual (staff) registration requirements associated with these legal entities/exchange memberships? (Impact)
• What proportion of staff does this apply to? (Likelihood)
• How complex are the registration obligations for staff? Dual hatting? (Likelihood)
• Renewal requirements? (Likelihood)

Cross Border Marketing (Factor weighting: Complexity)
• What cross-jurisdictional activities does the business do that have additional licensing requirements? (Impact)
• How widespread is cross border marketing (both in to jurisdiction and outbound)? (Likelihood)

Client/Customer Types (Factor weighting: Sophistication)
• What types of clients does the business deal with? (e.g. Institutional vs. Retail) (Impact)
• Are there any additional permissioning/registration requirements due to the nature of the clients? (e.g. Governmental/Municipality) (Impact)

Jurisdiction/Offices/Locations (Factor weighting: Complexity)
• What are the jurisdictions of operation, activity, product source and client location? (Impact)
• How many jurisdictions, how complex are the permissioning requirements, if known? (Impact)

Products/Services (Factor weighting: Number)
• What are the products or services in this business? How many? (Impact)
• Are there any additional licensing/registration obligations due to the nature of the product/service? (Impact)

Regulatory Change & Enforcement (Factor weighting: Change)
• Has there been any change in the regulatory environment since the last assessment? (Impact)
• Is there any regulatory change scheduled to be implemented before the next assessment? (Impact)
• Has there been any regulatory focus in this area (such as a regulator stating in a business plan that they will be conducting a review)? (Likelihood)
• Has there been any enforcement in this area to any peers in the market? (Likelihood)
• Have there been any enforcement or external findings (from a regulator, competent authority, external audit or negative media) directed at Macquarie in this risk area? (Likelihood)
Risk: Fitness and Propriety
Additional data inputs: Organisation charts, Audit findings closed late, Compliance Incidents, Compliance issues and overdue actions, Regulatory Interactions, Integrity Office reports/investigations, Authorisations, Staff list, Staff turnover, Staff screening

Organisational structure (Factor weighting: Complexity)
• How complex is the business? (e.g. matrix management) (Impact)
• Are there multiple legal entities? Is it a large business? (Impact)
• What is the business strategy? Are there perverse incentives? (Impact)
• Is it clear how the business organises itself; e.g. with organisational charts, job descriptions/segregation of duties, flows of information (MI)? (Impact)

Regulatory Supervision (Factor weighting: Criticality)
• Is the business subject to specific regulatory obligations in relation to Supervision? (Impact)

Remote Management (Factor weighting: Reliance)
• Are management based locally or remotely? (Likelihood)
• To what extent does the business interact with remote management? (e.g. Meetings, MI, face-to-face) (Likelihood)
• Is there evidence of escalation of potential issues to remote management? (Likelihood)

Staff Screening (Factor weighting: Requirements)
• What is the level of staff screening undertaken for staff in this business? (Likelihood)
• Are there additional requirements due to staff registrations? (Impact)
• Ongoing screening required (e.g. HR and/or Regulatory)? (Likelihood)

Personal Compliance & Training (Factor weighting: Number)
• What is the level of personal compliance breaches/HR issues for this business? (Impact)
• What is the overall breach profile for the business/how many compliance incidents have been recorded? (Likelihood)
• What behaviours exist in the business that may indicate unlawful, improper or unethical behaviour? (Impact)

Staff Turnover (Factor weighting: Change)
• What is the level of staff turnover and criticality of that turnover? (e.g. senior people replaced by junior people?) (Likelihood)
• Regulatory implications (e.g. designated Branch Office Manager/AML/COO/CCO resigns)? (Impact)

Regulatory Change & Enforcement (Factor weighting: Change)
• Has there been any change in the regulatory environment since the last assessment? (Impact)
• Is there any regulatory change scheduled to be implemented before the next assessment? (Impact)
• Has there been any regulatory focus in this area (such as a regulator stating in a business plan that they will be conducting a review)? (Likelihood)
• Has there been any enforcement in this area to any peers in the market? (Likelihood)
• Have there been any enforcement or external findings (from a regulator, competent authority, external audit or negative media) directed at Macquarie in this risk area? (Likelihood)
Risk: Communications with Clients
Additional data inputs: Marketing/Advertising records, Customer jurisdiction

Communication Media (Factor weighting: Number)
• How many and what types of communication media are used? (e.g. Phone, email, web, letter, face-to-face) (Impact)
• Social Media Macquarie approved channels (Likelihood)
• Are there any regulatory obligations due to the types of communication? (Impact)

Cross Border Communications (Factor weighting: Criticality, Number)
• What jurisdictions and how many are we communicating to (to clients)? (Impact)
• Are there additional regulatory communications obligations due to the location(s)? (Impact)
• Are there additional language requirements due to the location(s) of clients? (Likelihood)

Client/Customer Types (Factor weighting: Sophistication)
• What is the level of sophistication of the clients (e.g. Institutional vs. Retail)? (Impact)
• Do they have specific communication needs? (e.g. Statements, confirmations, risk warnings, disclaimers, disclosures) (Likelihood)
• What are the potential negative outcomes for clients? (Impact)

Third Parties/Distributors (Factor weighting: Usage, Number)
• How many third parties or distributors are used to communicate with underlying clients? (Likelihood)
• Are there additional obligations? (Impact)

Product requirements (Factor weighting: Complexity)
• Are there any additional communications obligations resulting from the type or complexity of the product? (Impact)
• Does the business provide advice? (Impact)
• Are there ongoing communications obligations related to the products? (e.g. Statements, confirmations, product disclosures, voice recording, prospectus) (Likelihood)

Marketing & Solicitation Restrictions (Factor weighting: Restrictions)
• Where marketing or solicitation is conducted, are there any restrictions or requirements that apply? (e.g. cold calling rules, email mail-shots, financial promotions rules (UK)/Communications with the Public rules (US)) (Impact)

Regulatory Change & Enforcement (Factor weighting: Change)
• Has there been any change in the regulatory environment since the last assessment? (Impact)
• Is there any regulatory change scheduled to be implemented before the next assessment? (Impact)
• Has there been any regulatory focus in this area (such as a regulator stating in a business plan that they will be conducting a review)? (Likelihood)
• Has there been any enforcement in this area to any peers in the market? (Likelihood)
• Have there been any enforcement or external findings (from a regulator, competent authority, external audit or negative media) directed at Macquarie in this risk area? (Likelihood)

Risk: Conflicts of Interest
Additional data inputs: External directorships, Outside business interests, PA Dealing accounts

Fiduciary Duties (Factor weighting: Requirement)
• Is there a fiduciary duty to the client? (Impact)
• To what extent is the business undertaking activity that is subject to fiduciary duties for the client? (Likelihood)
• Are there significant regulatory impacts regarding fiduciary standards? (Impact)
• To what extent does this create a potential conflict of (Likelihood)
interest? Research
Workflow
 What are the potential negative outcomes for Impact Embargo
clients/counterparties? reports
Inducements Commonality  What levels of inducements are offered or accepted by Likelihood G&E reports/
the business? None/minimal/average/high Register
Conflicts
Commission Commonality  To what extent does the business engage in commission Likelihood
register
Sharing sharing arrangements?
Arrangements
Confidential Access  To what extent does the business have access to MNPI Impact
Information (Material Non Public Information)?
 Does the business do pre-soundings, IPO’s, Impact
Nomad/Sponsor roles, private side business?
 Does the business have Client Confidential information Impact
(not technically MNPI, but still confidential)?
 Access to any other type of client information/firm Likelihood
information? (not possible to be n/a)
Principal vs. Prop  To what extent does the business engage in both Impact
Client principal and client trading?
Related Party Intercompany  Does this business engage in related party transactions Impact
Transactions with other groups within Macquarie or intra group?

Page 22 of 31
MGL.0010.0004.0023

Risk and Control Self Assessment (RCSA) Guide

Factors for Factor Factor Questions Likelihood Additional


Risk Category
Consideration Weighting (including but NOT limited to) or Impact Data inputs:

 Are any staff nominee directors involved in RPTs? Likelihood


Fair Allocation Difficulty  Do rules around Fair Allocation apply to this business? Impact
Personal Number  What level of Personal Conflicts are known about? Are Likelihood
Conflicts there any known OBAs or External Directorships that
may have potential conflicts if not monitored??
 What level of Personal Account Dealing is done by staff Impact
in this business?
 What level of excessive Personal Account Dealing done Likelihood
by staff has been identified?
Regulatory Change  Has there been any change in the regulatory environment Impact
Change & since the last assessment?
Enforcement
 Is there any regulatory change scheduled to be Impact
implemented before the next assessment?
 Has there been any regulatory focus in this area (such as Likelihood
a regulator stating in a business plan that they will be
conducting a review)?
 Has there been any enforcement in this area to any peers Likelihood
in the market?
 Have there been any enforcement or external findings Likelihood
(from a regulator, competent authority, external audit or
negative media) directed at Macquarie in this risk area?
Customers’ Client/Customer Sophistication  What types of clients does the business deal with? (e.g. Impact Complaints
Interests Types Governments Municipalities) Customer
classification
 What is the level of sophistication? (e.g. Institutional vs. Impact
Retail)
 Are there additional requirements with respect to the Likelihood
interests of the customer due to the nature (or jurisdiction)
of the clients?
 What are the potential negative outcomes for Impact
clients/counterparties?
Products/ Number  Are there obligations due to the nature of the product or Impact
Services service with respect to the interests of the customer?
 Are the products complex? Impact
 Are the products bespoke? Impact
 Does the business provide advice to the customer? Impact
 Do suitability and or appropriateness rules apply? Likelihood
Third Parties/ Commonality  To what extent is reliance placed on third parties or Impact
Distributors distributors to consider the best interests of the
customer?
Fiduciary Duties Requirement  Is there a fiduciary duty to the client? Impact
 To what extent is the business undertaking activity that is Likelihood
subject to fiduciary duties for the client?
 Are there significant regulatory impacts regarding Impact
fiduciary standards?
Best Execution Difficulty  Do rules around best execution apply to this business? Impact
 What is the volume of transactions that are subject to best Likelihood
execution?
Fair Allocation Difficulty  Do rules around Fair Allocation apply to this business? Impact
Regulatory Change  Has there been any change in the regulatory environment Impact
Change & since the last assessment?
Enforcement
 Is there any regulatory change scheduled to be Impact
implemented before the next assessment?
 Has there been any regulatory focus in this area (such as Likelihood
a regulator stating in a business plan that they will be
conducting a review)?
 Has there been any enforcement in this area to any peers Likelihood
in the market?

Page 23 of 31
MGL.0010.0004.0024

Risk and Control Self Assessment (RCSA) Guide

Factors for Factor Factor Questions Likelihood Additional


Risk Category
Consideration Weighting (including but NOT limited to) or Impact Data inputs:

 Have there been any enforcement or external findings Likelihood


(from a regulator, competent authority, external audit or
negative media) directed at Macquarie in this risk area?
Market Inside Access  To what extent does the business have access to MNPI Impact Trading records
Conduct information (Material Non Public Information)? Exception
reports
 Does the business do pre-soundings, IPO's, Impact
Cancel/corrects
Nomad/Sponsor roles, private side business?
Surveillance
 Does the business have Client Confidential information Impact results
(not technically MNPI, but still confidential)?
 Access to any other type of client information/firm Likelihood
information? (not possible to be n/a)
Market Share Size  Where the business trades, what proportion of the market Impact
share is undertaken by this business?
 What is the volume traded versus total market volume? Likelihood
 If significant, are there any additional regulatory Impact
requirements/scrutiny?
Regulated Number  How many of the products/activities are regulated? Impact
Products
 Do exchange or market rules apply to these products? Impact
(Benchmarks? Price submission? Short selling? Spot
commodities? Investment Recommendations?
Emissions?)
 Additional requirements due to complexity of products/ Likelihood
activities? (e.g. Buyback, stabilisation)
 What are the potential negative outcomes for markets Impact
and their participants?
Proprietary Usage  Are proprietary and/or principal trading undertaken? Impact
Trading
 Is any algorithmic or high frequency trading undertaken? Impact
 What is the level of proprietary vs. client activity? (e.g. Impact
risk of front running)
Market Making Usage  To what extent does the business Market Make? Impact
 What is the volume of Market Making transactions? Likelihood
Regulatory Change  Has there been any change in the regulatory environment Impact
Change & since the last assessment?
Enforcement
 Is there any regulatory change scheduled to be Impact
implemented before the next assessment?
 Has there been any regulatory focus in this area (such as Likelihood
a regulator stating in a business plan that they will be
conducting a review)?
 Has there been any enforcement in this area to any peers Likelihood
in the market?
 Have there been any enforcement or external findings Likelihood
(from a regulator, competent authority, external audit or
negative media) directed at Macquarie in this risk area?
Clients' Client Money Exposure  Does the business hold Client Money or Client Assets Impact Regulatory
Assets through the course of the business or activity that it findings
undertakes?
 Are there segregation of assets requirements? Impact
 Are there additional obligations for greater volumes of Likelihood
client money/assets?
 What level of client money/assets is held on a regular Likelihood
basis?
Products/ Number  Does the product/service have any client money Impact
Services regulatory obligations in the event that client money or
assets are held?
Custody Exposure  Does the business undertake Custody on behalf of Impact
clients?
 Are there segregation requirements? Impact
Change  Has there been any change in the regulatory environment Impact
since the last assessment?

Page 24 of 31
MGL.0010.0004.0025

Risk and Control Self Assessment (RCSA) Guide

Factors for Factor Factor Questions Likelihood Additional


Risk Category
Consideration Weighting (including but NOT limited to) or Impact Data inputs:

Regulatory  Is there any regulatory change scheduled to be Impact


Change & implemented before the next assessment?
Enforcement
 Has there been any regulatory focus in this area (such as Likelihood
a regulator stating in a business plan that they will be
conducting a review)?
 Has there been any enforcement in this area to any peers Likelihood
in the market?
 Have there been any enforcement or external findings Likelihood
(from a regulator, competent authority, external audit or
negative media) directed at Macquarie in this risk area?
Regulatory Reporting Complexity  What are the regulatory reporting obligations for this Impact
Reporting Obligations business? (e.g. Trade Reporting, Transaction Reporting,
Substantial Shareholder Reporting, Short Position
Reporting, Takeover Code Reporting, Complaints
Reporting, Breach Reporting, Large Trader Reporting)
 What volume of reporting is required? Likelihood
Data Integrity Quality  What quality of data is required to be reported? Impact
Data Collation Automation  What is the complexity of the process for collating the Impact
Process data? (e.g. automated push of a button vs. manual
spreadsheet)
Time Criticality Timing  What is the time criticality of the reporting? - (e.g. within Impact
an hour of the trade?)
 Does this give time for a review period prior to sending Likelihood
the report?
 What is the frequency(ies) of reporting obligations? Likelihood
Regulatory Change  Has there been any change in the regulatory environment Impact
Change & since the last assessment?
Enforcement
 Is there any regulatory change scheduled to be Impact
implemented before the next assessment?
 Has there been any regulatory focus in this area (such as Likelihood
a regulator stating in a business plan that they will be
conducting a review)?
 Has there been any enforcement in this area to any peers Likelihood
in the market?
 Have there been any enforcement or external findings Likelihood
(from a regulator, competent authority, external audit or
negative media) directed at Macquarie in this risk area?
Record Regulator/ Complexity  What is the extent of regulatory or exchange record Impact
Keeping Exchange keeping obligations that apply to this business?
Obligations
Data Format Number  What format is the data recorded in? Impact
 How many types of data are there? (e.g. voice recording, Likelihood
hard copy, soft copy, email, social media, chat rooms,
approved channels, video, advertising, websites)
Ease of Access  What is the level of complexity of the systems/data format Likelihood
Access/Retrieval and the ease of retrieval?
 Are there regulatory requirements regarding the Impact
timeliness of access/retrieval?
Safekeeping & Complexity  Is there a complex retention schedule or destruction Impact
Destruction schedule, based on the number of products, clients,
jurisdictions, activity and therefore no of schedules?
Regulatory Change  Has there been any change in the regulatory environment Impact
Change & since the last assessment?
Enforcement
 Is there any regulatory change scheduled to be Impact
implemented before the next assessment?
 Has there been any regulatory focus in this area (such as Likelihood
a regulator stating in a business plan that they will be
conducting a review)?
 Has there been any enforcement in this area to any peers Likelihood
in the market?

Page 25 of 31
MGL.0010.0004.0026

Risk and Control Self Assessment (RCSA) Guide

Factors for Factor Factor Questions Likelihood Additional


Risk Category
Consideration Weighting (including but NOT limited to) or Impact Data inputs:

 Have there been any enforcement or external findings Likelihood


(from a regulator, competent authority, external audit or
negative media) directed at Macquarie in this risk area?
Outsourcing Outsourcing Complexity  How onerous and complex are any outsourcing Likelihood
Restrictions restrictions that apply to this business?
 What is the criticality of the outsourced activity(ies)? Impact
Off-shoring Complexity  How onerous and complex are any off-shoring Impact
Restrictions restrictions that apply to this business?
Agency Usage  To what extent does the business have agency Likelihood
Arrangements arrangements in place which may impact this business?
Service Number  To what extent is there reliance on third party service Impact
Providers providers in relation to any of the compliance risks?
Regulatory Change  Has there been any change in the regulatory environment Impact
Change & since the last assessment?
Enforcement
 Is there any regulatory change scheduled to be Impact
implemented before the next assessment?
 Has there been any regulatory focus in this area (such as Likelihood
a regulator stating in a business plan that they will be
conducting a review)?
 Has there been any enforcement in this area to any peers Likelihood
in the market?
 Have there been any enforcement or external findings Likelihood
(from a regulator, competent authority, external audit or
negative media) directed at Macquarie in this risk area?
Money The FCC team conducts annual Refer to FCC Business Unit Risk Assessments (BURA) for further details.
Laundering / risk assessments for each of these [Placeholder here for link to the BURA document which provides details of the criteria used to
Sanctions / 3 risks, based on a data-driven set assess the FCC risks. BURA document currently being refreshed for 2018].
Bribery & of factors For the purposes of the RCSA, the resulting material inherent risks, control ratings and residual
Corruption risks will be provided by the FCC team.


Appendix D: Conduct Risk in the RCSA


Objective and Outcome
Conduct risk continues to be a key area of focus for the industry and regulators. It is expected through the RCSA
process and workshops that operational and compliance risks are assessed for their impact on clients, counterparties
and the fair and effective operation of the markets, arising from improper, unlawful or unethical behaviour or action,
which can be inadvertent or deliberate. BORM and BAC should attend the conduct risk discussion(s) with the
business.

As a reminder, our definition of Conduct Risk is:


“The improper, unlawful, or unethical behaviour or action that may have a negative impact on Macquarie’s
clients or counterparties or the fair and effective operation of the markets in which Macquarie operates.
Conduct risk may arise inadvertently or deliberately in any of our activities or businesses, both retail and
wholesale.”
It is important to remember that conduct risk can arise as a result of organisational factors (as well as behavioural
factors) that may result in poor outcomes for our clients, counterparties and markets: including organisational
governance, incentive arrangements and operational process design and execution.

The outcome of the RCSA workshops should be the identification of the key conduct risks in the business and the
identification and assessment of controls in place to mitigate the risks. The outcome of the conduct risk
assessment must be documented in the RCSA Summary.
Examples of conduct risks that may arise in businesses and support areas include:
- Use of disreputable collection agencies that may cause undue harm/distress to clients in hardship
- Inappropriate change management controls in relation to systems that adversely impact clients and/or markets
- Transaction execution error, leading to failure to meet client instructions
- Inadequate due-diligence leading to unsuitable product design for target customer base
- Commission structure directly linked to sales strategies, that may have unintended consequences
- Inappropriate relationships (e.g. excessive gifts or entertainment, or outside business relationships) with clients or counterparties that can adversely impact our other clients or counterparties.
For further guidance and support please contact the RMG Compliance Conduct Risk team.

How to document your assessment of conduct risk in OpenPages


The key conduct risks in each business should be captured in OpenPages, in accordance with the standard RCSA
process. The existing parent risks that are likely to be relevant for conduct risks are listed in the table below. Where
the primary impact of an operational or compliance risk is the potential for poor clients, counterparties and markets
outcomes (e.g. conduct risk), please select the most appropriate parent risk from the list below and document the
reasons for your inherent and residual risk rating.
- Inappropriate advice or mis-selling
- Poor customer management
- Communications with clients
- Conflicts of interests
- Customers' interests
- Product flaws
- Market conduct
- Fitness and propriety
- Inadequate staff or skills
- Employee mismanagement
- Money Laundering
- Sanctions
- Bribery & Corruption


Appendix E: Potential data inputs


The table below shows the source for potential inputs that can be used to support the assessment of the risks.

| Source | Name of Input |
|---|---|
| DAS | New product and business approvals |
| OpenPages | Regulators |
| | Legal Entities |
| | Licences |
| | Exchanges |
| | Regulatory Interactions |
| | Op Risk and Compliance Incidents |
| | Audit Issues and Actions |
| | Op Risk and Compliance Issues and Actions |
| | Assurance review results |
| SharePoint | Regulatory Change Tracker |
| | Regulatory Focus Tracker |
| | Fines & Sanctions Database |
| Globe / Siebel | Customer Classification |
| | Customer Jurisdiction (sales location or reporting entity) |
| | Product |
| PTA | External Directorships and OBAs |
| | Personal Account Dealing accounts |
| | Gifts & Entertainment Register |
| MyLearning | Training list |
| Compliance | Conflict Checks and Escalations |
| | Staff screening |
| Macnet | Organisation charts |
| Human Resources | Staff list (Number of staff and Staff locations) |
| | Starter and Leaver Report (Staff Turnover) |
| Data Privacy (DP) | High Risk countries for DP |
| Media and industry associates | Industry developments |
| ORX | External loss events |
| Senior Management | Management information indicating business changes, e.g. Growth, profitability |


Appendix F: Tips on the RCSA summary


What works well? / What doesn't work?

1. What works well: Top down analysis with conclusion.
   Example: "After the acquisition of ABC Financial in Johannesburg the business has been working on integration. Many system security issues were identified last month in the integration process. In addition, some weaknesses have been flagged around segregation of duties in support functions. Dispensations are being obtained for IT Security gaps, and business has addressed the segregation of duties issue by moving some back office functions to Sydney. The business continues to assess back office controls 'Effective' but in our view this will put significant resourcing pressure in coming months on support teams in Sydney."
   What doesn't work: Bottom up analysis of changes in risk ratings.
   Example: "Risk B's residual rating has increased from 4 to 6 due to higher level of audit issues."
   OR
   "Our top 10 risks are now A, B, C, D, E, F, G, H, I, J. Out of these E is a new top 10 risk and K has fallen off the list."

2. What works well: Where BORM/BAC is aware of known or emerging control gaps, a transparent calling out of those issues.
   Example: "Recently a payment process was moved from New York to Sydney. While there have been no payment related incidents, we are concerned that there may have been gaps in the handover process. The BORM has reprioritised Control Assurance tasks and is planning to review the payment controls in Sydney by June 2011."
   What doesn't work: Not calling out known or emerging issues.
   Example: "There have been no losses relating to payment process post-handover. The process continues to work well."

3. What works well: A summary of significant projects/initiatives with explanations of why they are in place.
   Example: "A new ABC system implementation has been initiated to address current weaknesses around managing daily P&L process for this business."
   What doesn't work: Listing projects with no explanation of the driver.
   Example: "A new ABC system implementation has been initiated."
   Also: A listing/summary of BORM's own actions only.
   Examples:
   - "BORM is overseeing project ABC".
   - "BORM will redesign the process".

4. What works well: Reporting on the RCSA process by exception, i.e. only where the policy was not followed.
   Example: "Because the new back office system implementation has taken over most of the BORM's time, we agreed with RMG that submitting the RCSA for this business would be delayed by 5 days. All other divisions' RCSAs fully met the policy requirements."
   What doesn't work: A detailed description of the RCSA process.
   Example: "We started the RCSA process in February, met with all division heads, and discussed their businesses through RCSA workshops. We covered external and internal losses, and as a result, raised the residual risk rating for XYZ risk, and changed the effectiveness of KLM control."

5. What works well: An update on Control Assurance.
   Example: "3 out of 12 Critical Controls were tested (ABC, DEF, GHI). 1 issue found relating to the design of ABC control. Business head committed to resolve by June 2011."
   What doesn't work: A general statement about Control Assurance.
   Example: "Control Assurance is on track."

6. What works well: Commentary and conclusion on significant themes in Finance, IT and other support area RCSAs. If the business RCSA contradicts a support area's RCSA, an explanation as to why this is the case and the BORM's/BAC's own conclusions.
   Example: "IT have assessed User Access Review (UAR) controls as Ineffective due to delays in implementing a system solution for UARs. We conclude that, while the manual UARs are neither scalable nor efficient, they remain Effective."
   What doesn't work: Disagreeing with support area RCSA assessments, with no proper explanation.
   Example: "Finance have assessed Balance Sheet Reconciliation control as 'Needs Improvement'. From business perspective this control is Effective."


Appendix G: RCSA OpenPages user guide


BORMs, BACs and GBLs requesting assistance with using OpenPages should contact Carmina Clarke for Operational
Risk and Venetia Tanqueray for Compliance as your first point of contact.
The following are fields that are required to be completed in OpenPages:
Risks:
- Risk Name – A brief title for a risk.
  - For operational risks, the title should be specific to each business. Using generic Parent Risk names (see Appendix A) is not appropriate. Control breakdowns (e.g. failure of reconciliation to pick up errors) should be avoided, unless the RCSA belongs to a control function (e.g. Market Operations may have a risk called failure of confirmations to detect an error, but the relevant CGM risk would be Trade Error, or Trade Booking Error, or Unauthorised Trading);
  - For compliance risks the risk name matches the parent risk name; these should be pulled from the risk library. Note: It is possible to record additional risks under the compliance parent risk when a more granular and specific description is required, in which case the risk name should be specific to the risk it describes. This is in addition to the overall parent risk which is required.
- Risk Description – A more detailed risk description. Various causes could be listed here. Note that there is a prescribed Risk Description for compliance risks per Appendix A;
- Risk Source – Flags whether it's a Library or a Business Risk;
- Risk Status – Identifier of whether a risk is Active or Deleted;
- Parent Risk Category & Parent Risk – A high level risk theme developed by RMG Op Risk and Compliance for Macquarie wide analysis. Note that detailed compliance risks and controls should be categorised under the defined compliance risks. It is not necessary to re-record the compliance risks under the Operational Risk "Other Legal and Compliance" parent risk. See Appendix A;
- Risk Owner – The most appropriate person in the business or support function who owns the risk;
- Inherent Risk Impact Rating – The impact of the risk eventuating, with no controls in place. See Appendix B;
- Inherent Risk Likelihood Rating – The likelihood that the risk will eventuate with no controls in place. See Appendix B;
- Residual Risk Impact Rating – The impact of the risk eventuating, with controls in place. See Appendix B;
- Residual Risk Likelihood Rating – The likelihood that the risk will eventuate with controls in place. See Appendix B;
- Reason for Inherent Risk Rating – Detailed answers to factor questions explaining the inherent risk assessment. Refer to Appendix C for factor questions and further guidance. Note this field is mandatory only for the defined compliance risks;
- Reason for Residual Risk Rating – To be used to comment on the residual risk, particularly where the Residual Risk Matrix Guide in Appendix B has not been followed. Not a mandatory field.
Controls:
- Control Name – A brief title for a control. The title should be specific to each business. Using generic Control Areas (see Appendix A) is not appropriate;
- Control Description – A more detailed control description. The control objective should also be described here in more detail;
- Control Source – Flags whether it's a Library or a Business control;
- Control Status – Identifier of whether a control is Active or Deleted;
- Control Type – Flags whether it is an operational risk or compliance control. Note compliance controls are owned and operated by RMG Compliance. All other controls are operational risk controls;
- Control Area – A high level control theme developed by RMG for Macquarie wide analysis. See Appendix A;
- Control Weighting – Flags controls as Critical, Key or Non-key;


- Control Design – How effective the design of the control is to mitigate the risk. See Appendix B;
- Control Performance – How effective the performance of the control is against the design objectives. See Appendix B;
- Reason for control effectiveness rating – Description of the control gap or weakness, required where a control is rated as Needs Improvement or Ineffective. Description of potential enhancements or additions that could be made to the control where a control is rated as Effective;
- How does management know it's working – Description of mechanisms in place that allow management to answer whether the critical control is working or not, e.g. exception reporting, assurance undertaken. Mandatory field for critical controls.

Issues (where applicable):

- Audit Issue – This field is for RMG Internal Audit use only;
- Issue Source – Flags whether it's a Library or a Business Issue;
- Issue Title – A brief heading for an issue;
- Issue Description – A more detailed explanation of an issue. The issue is a control deficiency or gap;
- Issue Type – Flags whether it is an operational risk or compliance issue;
- Issue Status – Identifier of the stage of the issue lifecycle (e.g. Open, Closed);
- Issue Priority – The significance of the issue. Refer to the Issues and Actions Guide;
- Publish Status – The issue status (i.e. draft or published). This field should be set to "published" for it to appear on dashboards and reports.
Actions (where applicable):
- Audit Action – This field is for RMG Internal Audit use only;
- Action Title – A brief heading for an action;
- Action Description – A detailed description of the action to resolve the issue;
- Action Owner – Employee responsible for performing the action;
- Action Type – Flags whether it is an operational risk or compliance action, or both;
- Business Status – Identifies the action status: Not Started, In Progress, Implemented, or No Longer Applicable;
- Publish Status – The action status (i.e. draft or published). This field should be set to "published" for it to appear on dashboards and reports;
- Due Date – The date by which the action needs to be completed. Refer to the Issues and Actions Guide;
- Action Priority – The significance of the action. Refer to the Issues and Actions Guide.
