2012/13 Assessment of ASX Clearing and Settlement Facilities B2.2: Austraclear

Standard 3: Framework for the Comprehensive Management of Risks

A securities settlement facility should have a sound risk management framework for comprehensively managing legal, credit, liquidity, operational and other risks.

Rating: Observed

ASX maintains an Enterprise Risk Management Policy that sets out its framework for managing the full range of strategic, legal, financial and operational risks faced by Austraclear. This high-level framework is supported by more granular policies (currently being refreshed) and a governance structure to oversee Austraclear's risk management activities (SSF Standard 3.1). Austraclear's risk management framework does not place financial obligations on participants, but provides incentives to participants, such as additional operational requirements for collateral managers, to control the risks that they bring to the SSF (SSF Standards 3.2, 3.3). As part of its risk management framework, Austraclear reviews risks associated with interdependencies with other entities on an ongoing basis, and in relation to new initiatives, applying appropriate tools to manage these risks (SSF Standard 3.4).

The Bank notes the following steps that Austraclear should take to strengthen its observance of SSF Standard 3:

  • In order to meet the requirements of SSF Standard 3.5, which comes into effect on 31 March 2014, prepare an appropriate recovery plan based on addressing identified scenarios that may threaten Austraclear's ability to provide its critical services as a going concern. This plan should be consistent with forthcoming CPSS-IOSCO guidance on recovery planning.

Based on this information, and noting that SSF Standard 3.5 is not yet in force, the Bank's assessment is that Austraclear has observed the requirements of SSF Standard 3 during the 2012/13 Assessment period. Austraclear's risk management framework is described in further detail under the following sub-standards.

3.1 A securities settlement facility should have risk management policies, procedures and systems that enable it to identify, measure, monitor and manage the range of risks that arise in or are borne by the securities settlement facility. This risk management framework should be subject to periodic review.

Identification of risk

ASX's high-level framework for risk management is outlined in its Enterprise Risk Management Policy. This policy divides risks identified by ASX into two broad groupings: strategic risks and operational risks. Operational risks are further categorised into financial risks, legal and regulatory risks, and technological and operational risks. Specific risks identified by ASX are described within these broad categories. For each identified risk, ASX judges how likely it is the risk event will occur within the next 12 months and the potential impact. Reputational and participant impacts are considered along with the financial, operational and regulatory impacts of risks.

Comprehensive risk policies, procedures and controls

ASX's Enterprise Risk Management Policy has been developed with reference to the international standard ISO 31000 Risk Management – Principles and Guidelines (see SSF Standard 2.6).[1] At a high level, the ASX Enterprise Risk Management Policy outlines: the overall risk environment in the ASX Group; the objectives of risk management policies; the process by which risks are identified and assessed; the controls in place to detect and mitigate risks; and how risks are monitored and communicated. ASX's stated tolerance for financial, operational, legal and regulatory risks is ‘very low’.

ASX uses Key Risk Indicators to measure levels of risk in the organisation and categorise risk levels according to a scale: satisfactory; within risk tolerance but requiring action to further control the level of risk; exceeding ASX's risk tolerance.

The Enterprise Risk Management Policy also assigns specific risk responsibilities across the ASX Group, including to the ASX Limited Board of Directors, the Audit and Risk Committee, the Enterprise Risk Management Committee, the General Manager, Enterprise Risk and managers of individual business units. Managers of each business unit are responsible for identifying and monitoring risks relevant to their unit's activities, as well as for designing and implementing risk management policies and controls to manage identified risks. Business unit managers assess the appropriateness and operational effectiveness of these controls twice a year; these assessments are reviewed by Internal Audit and the Enterprise Risk Management Committee. The CS Boards (see ‘ASX Group Structure’ in Appendix B) have oversight of risk policies relating to settlement activities.

Internal controls

ASX's risk management policies are generally reviewed formally every 18 months to 3 years, although more frequent reviews may occur depending on changes to technology, business drivers or legal requirements. Reviews are conducted by specific working groups and committees. Final approval of reviews for more significant policies is the responsibility of the Enterprise Risk Management Committee. Under the Enterprise Risk Management Policy, ASX's business units are required to update a risk profile every six months, which identifies relevant risks and sets out planned actions to respond to those risks (see SSF Standard 3.1).

Risk management arrangements are also subject to periodic review by Internal Audit. Such audits provide assurance that the risk management framework continues to be effective. Risk management arrangements may also be subject to review by external experts from time to time. The last such review of the Enterprise Risk Management Policy was undertaken by PWC in 2011.

To date, the Enterprise Risk Management Policy has been reviewed by the Audit and Risk Committee approximately every three years, with the committee informed of material changes in the interim. A review occurred in August and future reviews will then move to a two year cycle.

3.2 A securities settlement facility should ensure that financial and other obligations imposed on participants under its risk management framework are proportional to the scale and nature of individual participants' activities.

Austraclear does not place financial obligations on its participants. Austraclear is not a participant or guarantor to any transaction submitted for settlement through Austraclear and is not directly exposed to credit or liquidity risk. The delivery-versus-payment (DvP) model 1 settlement process does not expose participants to credit risk (see SSF Standard 10.2). Transactions that are not settled successfully on the day that they are submitted are removed from the settlement queue at close of business without penalty. Operational and other participation requirements placed on participants are discussed under SSF Standards 14.6 and 15.2.

3.3 A securities settlement facility should provide incentives to participants and, where relevant, their customers to manage and contain the risks they pose to the securities settlement facility.

Austraclear may apply sanctions to, or place additional requirements on, participants that fail to comply with its Regulations. Participants may ultimately be required to seek alternative settlement arrangements.

3.4 A securities settlement facility should regularly review the material risks it bears from and poses to other entities (such as other FMIs, money settlement agents, liquidity providers and service providers) as a result of interdependencies, and develop appropriate risk management tools to address these risks.

Austraclear reviews the material risks that it bears from and poses to other entities in the context of its ongoing review of enterprise risks (such as the six-monthly update of business unit risk profiles, see SSF Standard 3.1), and its processes for identifying risks associated with new activities. For the latter, ASX undertakes risk assessments when undertaking an expansion of its activities or in the event of material changes to its business. Risk assessments are built into ASX's project management framework (see SSF Standards 12.1 and 14.4).

For instance, ASX has identified potential risks to its operational activities arising from participants outsourcing their back-office processing offshore. Austraclear has also identified interdependencies with service providers, notably Clearstream Banking S.A. (Clearstream) for key components of the ASX Collateral service. Austraclear's response to these interdependencies is outlined in SSF Standard 14.5.

Interdependencies with ASX Clear and ASX Clear (Futures) for the settlement of margin and other payment obligations are managed within the context of ASX Group's broader risk management framework.

3.5 A securities settlement facility should identify scenarios that may potentially prevent it from being able to provide its critical operations and services as a going concern and assess the effectiveness of a full range of options for recovery or orderly wind-down. A securities settlement facility should prepare appropriate plans for its recovery or orderly wind-down based on the results of that assessment. Where applicable, a securities settlement facility should also provide relevant authorities with the information needed for purposes of resolution planning.

SSF Standard 3.5 comes into effect on 31 March 2014.

Austraclear has begun work to develop its recovery plans and intends to further articulate these plans following the release of final CPSS-IOSCO guidance on recovery planning, expected in late 2013.

Footnote

ISO is an international standard-setting body and ISO 31000 is considered to be relevant guidance for enterprise risk management. The ISO 31000 standard has been reproduced by Standards Australia and Standards New Zealand as AS/NZS 31000. [1]