ASIC releases guidance on risk management systems of responsible entities

ASIC today released Regulatory Guide RG 259 Risk Management systems of responsible entities to provide additional guidance to responsible entities on our expectations for compliance with their existing obligation under the Corporations Act 2001 (Corporations Act) to maintain adequate risk management systems.

The guide is aimed at ensuring that the risk management systems of responsible entities, including minimum procedures and practices, are adaptable to changing market conditions and remain effective in identifying and managing risks on an ongoing basis.

The guidance promotes the early identification and management of risks by responsible entities to help avoid the adverse consequences that may affect investors. There have been a number of collapses of responsible entities which resulted in significant losses to investors and where we consider inadequate risk management systems to have played a role.

The guide outlines our expectations for responsible entities to have:

  • overarching risk management systems in place;
  • processes for identifying and assessing risks; and
  • processes for managing risks.

We have also included in the guide some additional good practice guidance. This guidance is not mandatory for responsible entities. It outlines measures that responsible entities can adopt to enhance their risk management systems and operate at a level above their statutory obligations.

The release of the guidance follows our extensive consultation under Consultation Paper 263 Risk management systems of responsible entities: Further proposals (CP 263) and Consultation Paper 204 Risk management systems of responsible entities (CP 204). We have also consulted informally with a selection of industry stakeholders on our proposals. We thank the people, businesses and associations that took the time to provide comments on our proposals.

We note that responsible entities that are Registrable Superannuation Entity licensees are also subject to the Australian Prudential Regulation Authority’s (APRA) requirements on risk management. Our guidance is intended to act in unison with APRA’s requirements. The guidance has also been prepared in consultation with APRA to ensure consistency in our policy position.

As responsible entities are subject to the ongoing obligation to maintain adequate risk management systems, we have not provided any formal transition period for compliance with the guidance.

Our intention is to take a constructive and facilitative approach to any breaches of the guidance for a period of 12 months from today, if a responsible entity can show that it is taking steps to bring its risk management system into compliance with the guidance.


Responsible entities, as Australian financial services (AFS) licence holders, have an ongoing obligation under s912A(1)(h) of the Corporations Act to have adequate risk management systems.

Until now, there has been no detailed guidance on what is required for responsible entities to comply with this obligation.

In July 2016, we released CP 263 seeking feedback on our proposals to release additional guidance for responsible entities on our expectations for compliance with s912A(1)(h). CP 263 built upon the prior proposals outlined in CP 204 released in 2013.

We received 5 responses to CP 263 (including 3 from industry bodies). Further information on the feedback ASIC received on CP 263 is available in Report 517 Response to submissions on CP 263 Risk management systems of responsible entities: Further proposals.


© Australian Securities & Investments Commission. Reproduced with permission.