2012/13 Assessment of ASX Clearing and Settlement Facilities B2.1 ASX Settlement

Standard 3: Framework for the Comprehensive Management of Risks

A securities settlement facility should have a sound risk management framework for comprehensively managing legal, credit, liquidity, operational and other risks.

Rating: Observed

ASX maintains an Enterprise Risk Management Policy that sets out its framework for managing the full range of strategic, legal, financial and operational risks faced by ASX Settlement. This high-level framework is supported by more granular policies (currently being refreshed) and a governance structure to oversee ASX Settlement's risk management activities (SSF Standard 3.1). ASX Settlement's risk management framework does not place financial obligations on participants, but provides incentives to participants to control the risks that they bring to the SSF (SSF Standards 3.2, 3.3). As part of its risk management framework, ASX Settlement reviews risks associated with interdependencies with other entities on an ongoing basis, and in relation to new initiatives, applying appropriate tools to manage these risks (SSF Standard 3.4).

The Bank notes the following steps that ASX Settlement should take to strengthen its observance of SSF Standard 3:

  • In order to meet the requirements of SSF Standard 3.5, which comes into effect on 31 March 2014, prepare an appropriate recovery plan based on addressing identified scenarios that may threaten ASX Settlement's ability to provide its critical services as a going concern. This plan should be consistent with forthcoming CPSS-IOSCO guidance on recovery planning.

Based on this information, and noting that SSF Standard 3.5 is not yet in force, the Bank's assessment is that ASX Settlement has observed the requirements of SSF Standard 3 during the 2012/13 Assessment period. ASX Settlement's risk management framework is described in further detail under the following sub-standards.

3.1 A securities settlement facility should have risk management policies, procedures and systems that enable it to identify, measure, monitor and manage the range of risks that arise in or are borne by the securities settlement facility. This risk management framework should be subject to periodic review.

Identification of risk

ASX's high-level framework for risk management is outlined in its Enterprise Risk Management Policy. This policy divides risks identified by ASX into two broad groupings: strategic risks and operational risks. Operational risks are further categorised into financial risks, legal and regulatory risks, and technological and operational risks. Specific risks identified by ASX are described within these broad categories. For each identified risk, ASX judges how likely it is the risk event will occur within the next 12 months and the potential impact. Reputational and participant impacts are considered along with the financial, operational and regulatory impacts of risks.

Comprehensive risk policies, procedures and controls

ASX's Enterprise Risk Management Policy has been developed with reference to the international standard ISO 31000 Risk Management – Principles and Guidelines on Implementation (see SSF Standard 2.6).[1] At a high level, the ASX Enterprise Risk Management Policy outlines: the overall risk environment in the ASX Group; the objectives of risk management policies; the process by which risks are identified and assessed; the controls in place to detect and mitigate risks; and how risks are monitored and communicated. ASX's stated tolerance for financial, operational, legal and regulatory risks is ‘very low’.

ASX uses Key Risk Indicators to measure levels of risk in the organisation and categorise risk levels according to a scale: satisfactory; within risk tolerance but requiring action to further control the level of risk; exceeding ASX's risk tolerance.

The Enterprise Risk Management Policy also assigns specific risk responsibilities across the ASX Group, including to the ASX Limited Board of Directors, the Audit and Risk Committee, the Enterprise Risk Management Committee, the General Manager, Enterprise Risk and managers of individual business units. Managers of each business unit are responsible for identifying and monitoring risks relevant to their unit's activities, as well as for designing and implementing risk management policies and controls to manage identified risks. Business unit managers assess the appropriateness and operational effectiveness of these controls twice a year; these assessments are reviewed by Internal Audit and the Enterprise Risk Management Committee. The CS Boards (see ‘ASX Group Structure’ in Appendix B) have oversight of risk policies relating to settlement activities.

Internal controls

ASX's risk management policies are generally reviewed formally every 18 months to 3 years, although more frequent reviews may occur depending on changes to technology, business drivers or legal requirements. Reviews are conducted by specific working groups and committees. Final approval of reviews for more significant policies is the responsibility of the Enterprise Risk Management Committee. Under the Enterprise Risk Management Policy, ASX's business units are required to update a risk profile every six months, which identifies relevant risks and sets out planned actions to respond to those risks (see SSF Standard 3.1).

Risk management arrangements are also subject to periodic review by Internal Audit. Such audits provide assurance that the risk management framework continues to be effective. Risk management arrangements may also be subject to review by external experts from time to time. The last such review of the Enterprise Risk Management Policy was undertaken by PWC in 2011.

To date, the Enterprise Risk Management Policy has been reviewed by the Audit and Risk Committee approximately every three years, with the committee informed of material changes in the interim. A review occurred in August and future reviews will then move to a two-year cycle.

3.2 A securities settlement facility should ensure that financial and other obligations imposed on participants under its risk management framework are proportional to the scale and nature of individual participants' activities.

ASX Settlement does not place financial obligations on its participants. ASX Settlement is not a participant or guarantor to any transaction submitted for settlement through ASX Settlement and is not directly exposed to credit or liquidity risk. The DvP model 3 settlement process does not expose participants to credit risk (see SSF Standard 10.2). Fees levied on participants that fail to meet their securities delivery obligations are proportional to the value of the failed obligations. Operational and other participation requirements placed on participants are discussed under SSF Standards 14.6 and 15.2.

3.3 A securities settlement facility should provide incentives to participants and, where relevant, their customers to manage and contain the risks they pose to the securities settlement facility.

ASX Settlement may apply sanctions to, or place additional requirements on, participants that fail to comply with its Operating Rules. Participants may ultimately be required to seek alternative settlement arrangements.

3.4 A securities settlement facility should regularly review the material risks it bears from and poses to other entities (such as other FMIs, money settlement agents, liquidity providers and service providers) as a result of interdependencies, and develop appropriate risk management tools to address these risks.

ASX Settlement reviews the material risks that it bears from and poses to other entities in the context of its ongoing review of enterprise risks (such as the six-monthly update of business unit risk profiles, see SSF Standard 3.1), and its processes for identifying risks associated with new activities. For the latter, ASX undertakes risk assessments when undertaking an expansion of its activities or in the event of material changes to its business. Risk assessments are built into ASX's project management framework (see SSF Standards 12.1 and 14.4).

For instance, ASX Settlement has identified risks to its operational activities arising from participants' increased usage of third-party vendors for back-office systems, and participants outsourcing their back-office processing offshore. ASX Settlement has also identified interdependencies with service providers. ASX Settlement's response to these interdependencies is outlined in SSF Standard 14.5.

Interdependencies with ASX Clear for the settlement of novated transactions are managed within the context of ASX Group's broader risk management framework.

3.5 A securities settlement facility should identify scenarios that may potentially prevent it from being able to provide its critical operations and services as a going concern and assess the effectiveness of a full range of options for recovery or orderly wind-down. A securities settlement facility should prepare appropriate plans for its recovery or orderly wind-down based on the results of that assessment. Where applicable, a securities settlement facility should also provide relevant authorities with the information needed for purposes of resolution planning.

SSF Standard 3.5 comes into effect on 31 March 2014.

ASX Settlement has begun work to develop its recovery plans and intends to further articulate these plans following the release of final CPSS-IOSCO guidance on recovery planning, expected in late 2013.

Footnote

[1] ISO is an international standard-setting body and ISO 31000 is considered to be relevant guidance for enterprise risk management. The ISO 31000 standard has been reproduced by Standards Australia and Standards New Zealand as AS/NZS 31000.