Assessment of ASX Clearing and Settlement Facilities
3. Review of ASX's Technology Governance and Operational Risk and Control Framework
3.1 Background and Overview
During the previous assessment period, ASX experienced two significant operational disruptions. On 19 September 2016, there was a major disruption to the operation of ASX's equity trading system (ASX Trade), which prevented trades from being executed for most of the day. The second incident, following a power outage on 15 February 2017, resulted in the unavailability of Austraclear for around half an hour and, for several weeks afterwards, impaired ASX's ability to recover its CHESS system had there been a disruption to its primary site. ASX also experienced a series of other less significant operational incidents across its trading and CS facilities during that period. Although the Bank does not play a direct role in the regulation of ASX's trading facilities, ASX manages operational risk on a whole-of-group basis.
Following these operational disruptions, ASX commissioned an independent external review of ASX's technology governance, and operational risk and control framework (the Review) at the instigation of the Bank and ASIC, covering ASX's licensed markets and CS facilities. Its scope covered ASX's technology governance, and operational risk practices and control mechanisms, with an objective to identify any gaps compared to global better practice and recommend how these be addressed. The Review was conducted by KPMG, utilising consultants with expertise in operational risk management and governance. The Review involved a detailed examination of documentation, supplemented by interviews with a number of ASX staff.
Both the Bank and ASIC engaged closely with both ASX and KPMG throughout the Review process, and continue to engage with ASX in its response to the Review findings. This reflects the critical importance of governance and operational risk management in the two agencies' respective mandates: the Bank's focus has been on the implications for systemic risk arising from the ASX CS facilities' operations; ASIC's focus has been on the implications for the fair and effective provision of services by the CS facilities and the fair, orderly and transparent operation of ASX's licensed markets. ASIC plans to publish a report on ASX's technology governance and operational risk management standards, building on the findings of the Review.
The Review identified 36 recommendations to address gaps identified in ASX's risk management and technology strategy, governance practices, risk measurement and monitoring, knowledge management and resource management. These findings are described in more detail in section 3.2. Twenty-one of the Review's recommendations were classified as ‘strategic’ recommendations that would be more resource-intensive and take longer to fully address.
ASX has been supportive of the Review and has accepted all 36 recommendations. In response, ASX has developed a three-year program to address findings from the Review: ‘Building Stronger Foundations in Risk, Technology and Incident Management’ (Building Stronger Foundations). The Building Stronger Foundations program also incorporates existing ASX initiatives and projects that had been identified by ASX prior to the Review. The key elements of the Building Stronger Foundations program relevant to each of the Review findings are discussed in section 3.2, and further details on the governance and operationalisation of the program are set out in section 3.3. At the end of the assessment period ASX had completed implementation of one of the Review recommendations and had addressed 29 per cent of the underlying deliverables in the broader Building Stronger Foundations program.
3.2 Key Review Findings
The Review benchmarked ASX's technology governance and operational risk management practices against industry standards and better practice among peer FMIs and the broader financial services industry. The Review was completed in December 2017 and its findings highlighted a number of shortcomings that are relevant to the Bank's assessment of the ASX CS facilities' observance of the FSS, in particular standards relating to Governance (CCP and SSF Standard 2) and Operational Risk (CCP Standard 16 and SSF Standard 14). These shortcomings relate to ASX's risk management and technology strategy, governance practices, operational risk measurement and monitoring, knowledge management and resource management. The Review also acknowledged that ASX management had already identified some of the issues set out in the findings, particularly ones relating to governance and ERM, and had already commenced initiatives to address the findings. Where relevant, these are noted below.
The Bank has closely examined the findings of the Review to understand the extent of any areas in which the ASX CS facilities fall short of the very high expectations for governance and operational risk management set out in the FSS. The high standard to which ASX is held reflects the key role that its CS facilities play in managing systemic risk in the Australian financial system. The Bank has concluded that there are a number of findings highlighted in the Review that ASX must address in order to fully observe the FSS relating to governance and operational risk; these findings are noted below and reflected in the recommendations set out in section 3.3. The Bank acknowledges that ASX has engaged constructively with the Review process and has accepted all of the recommendations set out in the report.
Strategy and culture
The Review noted that ASX had not kept pace with a step change in the role of ERM across the industry in recent years. This had been identified by ASX prior to the Review, and had led to the recruitment of a new CRO with a greater focus on ERM. Under the new CRO, ASX had developed a three-year plan to strengthen its ERM capabilities, which was finalised shortly before the Review was completed (see section 2.3.2). While the Review acknowledged that progress had been made, its findings emphasised that ASX's risk management and IT strategies need to be set out in greater detail and more thoroughly embedded in ASX's culture. As an example, the Review found that ASX's risk appetite statement required additional detail on risk tolerance levels in order for management to embed consideration of the risk appetite in day-to-day operations. Addressing weaknesses in ASX's risk appetite framework was also identified as a key element of its three-year ERM plan.
The Review also found a lack of evidence of formal consideration of risk in the strategy-setting process, recommending that ASX formally consider risk in key processes such as strategic planning and performance management. ASX has included actions in the Building Stronger Foundations program that address each of these findings, including to develop a more detailed risk appetite statement, to embed the inclusion of ERM goals in individual performance management processes, and to develop a communication plan to emphasise the importance of risk management across the organisation. The last of these steps was implemented before the end of the assessment period, with work underway to address the other actions.
The Review found that ASX's three lines of defence model for risk management and, in particular, the risk management and compliance functions for operations and technology had been under-resourced and lacked clarity regarding roles and responsibilities for risk activities across the organisation.[15] ASX has commenced work, also identified in its three-year ERM plan, to strengthen and mature its first and second line risk management, securing Board funding approval for additional head count and commencing recruitment for these roles. While a number of additional roles have already been filled (particularly in the first line), additional hiring and training of staff is likely to continue through to 2019 as the first and second line risk management functions are further developed and new risk management processes are embedded by ASX.
ASX's IT strategy was another area for improvement identified by the Review. Historically, the focus of the IT strategy has been on individual projects rather than an overarching vision of the IT function that identifies the business objectives it is designed to address and the capability needed to meet those objectives. In part, this is related to the lack of a true end-to-end view of ASX's IT architecture (i.e. its enterprise architecture). Consequently, the Review recommended that ASX define a technology strategy and roadmap, and clarify the role of enterprise architecture within strategic planning. The previous IT strategy was already under review by ASX's new CIO, who had joined in September 2017. The ASX Limited Board approved an updated IT strategy and five-year plan in June 2018, and is continuing work to implement this strategy and develop its enterprise architecture approach.
While the Bank views ASX's work to address each of the above findings as significant in bringing ASX in line with better practice, there are two areas in particular in which further progress is required to bring ASX into full observance with the FSS:
- more clearly defining ASX's risk appetite and embedding this in business processes and decision-making throughout the organisation (CCP and SSF Standard 2.6)
- clarifying responsibilities under ASX's three lines of defence model, improving first line risk ownership and increasing resourcing for the second line risk function (CCP and SSF Standard 2.2).
Governance
A key finding of the Review with respect to governance of technology and operational risk was that information provided to executive and board forums was typically at a summarised level that did not always provide the Board or executives with the information required to make strategic or risk management decisions, or to oversee delegated decision-making. The Review also found that there was limited formal sharing of risk information across relevant boards and committees; instead ASX relied on common membership across these forums. The risk of this approach is that it creates reliance on key individuals and undermines the role of the committees themselves in the decision-making process. The Review acknowledged that ASX had already taken steps to address some of these concerns, in particular through its restructure of management committees (see section 2.4.2). Management have also developed education modules and a communication strategy to improve staff awareness of the appropriate level and governance forums for decision-making.
In addition to steps already underway, as part of the Building Stronger Foundations program, ASX has undertaken to enhance key governance reports with greater detail, continue its review of governance structures, and provide appropriate governance to support new initiatives introduced as part of the broader program – for example, establishing a design authority to govern the new enterprise architecture when this has been developed.
The Bank views effective governance arrangements as critical in ensuring that appropriate decisions are made in ASX's technology investments and operational risk management, and will closely monitor ASX's plans to enhance its governance arrangements to understand whether these will deliver outcomes consistent with the expectations set out in the FSS.
Operational risk measurement and monitoring
The Review indicated that one of the reasons for the limited analysis of information provided to executive and board forums was the limitations of ASX's systems to measure and monitor operational risks. These limitations impeded the aggregation of risk information, and led to inconsistencies in the monitoring of risk across the organisation. Constraints on ASX's ability to capture a full range of data and a lack of forward-looking key risk indicators also limited ASX's ability to generate strategic insights for more effective risk management.
In response, ASX has committed to substantially improving risk measurement and monitoring through the implementation of new systems and functionality. A key element of this will be the implementation of a Governance, Risk and Compliance system, which will enable ASX to capture and consolidate risk data for reporting. ASX also plans to upgrade its IT service management tools to better support incident, change and problem management functionality in line with industry best practice, as well as to implement a communications tool to support crisis management. A vendor selection process is underway for these systems. Collectively, the new systems will allow ASX to generate greater strategic insights through the ability to analyse data more effectively, support the business in its risk, regulatory, audit and assurance tasks, and improve incident management and crisis management communication. ASX will also be reviewing the way in which it presents risk and compliance data, in particular through enhancing its key risk indicators, and developing a risk assurance monitoring and reporting ‘dashboard’.
The Bank views a frequent and accurate process to measure and monitor key risks as essential for a CS facility to ensure that its risk profile remains within its risk appetite and consistent with the standards established under the FSS. In order to fully observe these standards, it is important that ASX implement its plans to:
- consolidate and develop a consistent enterprise-wide view of systems, policies, procedures and controls to identify, monitor and manage operational risks (CCP Standard 16.1 and SSF Standard 14.1)
- improve systems and processes supporting change management and incident management (CCP Standard 16.2 and SSF Standard 14.2).
Knowledge management
The Review observed that there is heavy reliance on expert individuals within ASX, which has the potential to impede effective response to incidents, efficient IT operations and change management. This was attributed to knowledge repositories and tools that were not structured to support efficient IT operations and changes, as well as an inconsistent approach to the documentation of processes, procedures and controls. In response, ASX will undertake an exercise to create a holistic view of all policies, processes, procedures and controls to enable more effective assessment and management of risk, and include knowledge management functionality within its upgraded IT service management tool. This will also support the establishment of a formal technology risk and controls register, and in turn will establish a single source of truth resulting in improved information management and reduced key person risk.
An effective knowledge management process is important for sustainably managing risks and responding to incidents as an institution, even if key individuals are unavailable. In order for ASX to fully observe the FSS, the Bank notes that ASX should enhance knowledge management and embed additional resource in order to reduce reliance on key individuals (CCP Standard 16.4 and SSF Standard 14.4).
Resource management
The Review also found that ASX's tendency to manage projects and operations within silos affects its ability to manage its resources effectively. This was compounded by a lack of clarity regarding the delineation of responsibilities within IT. In response, ASX is carrying out a review of the organisational structure of IT, which is intended to clarify roles and responsibilities and develop stable teams across key operations domains. The Bank views this as particularly important given the central role of technology to the operations of the ASX CS facilities, as well as the number of significant projects currently underway (including the replacements of CHESS and ASX's CORE database).
3.3 Conclusions, Recommendations and Next Steps
In light of the findings discussed in section 3.2, the Bank's assessment is that each of the ASX CS facilities broadly observes the standard on Governance (CCP and SSF Standard 2) and partly observes the standard on Operational Risk (CCP Standard 16 and SSF Standard 14). This assessment takes into account that ASX has already implemented a number of significant steps to improve its governance arrangements, in particular the restructuring of its management committees (section 2.4.2). While ASX has made some progress in addressing areas for improvement in its operational risk management identified in the Review or as part of its own three-year ERM plan, fully addressing the areas in which the Bank has identified less than full observance of the FSS is reliant on longer-term initiatives. These include investment in new systems and the embedding of structural and cultural change.
Recommendation. The ASX CS facilities should implement plans under ASX's Building Stronger Foundations program to:
- more clearly define their risk appetite and embed this in business processes and decision-making throughout the organisation
- clarify responsibilities under ASX's three lines of defence model, improve first line risk ownership and increase resourcing for the second line risk function
- consolidate and develop a consistent enterprise-wide view of systems, policies, procedures and controls to identify, monitor and manage operational risks
- improve systems and processes supporting change management and incident management
- enhance knowledge management and embed additional resource in order to reduce reliance on key individuals.
Next steps
Ultimate responsibility for the delivery of the Building Stronger Foundations program lies with the ASX Limited Board, which has delegated day-to-day oversight of the program to an Executive Steering Group (ESG). The ESG is chaired by the CRO and is comprised of other key executives across the group, including the CEO, COO and CIO. The ESG meets monthly to monitor the implementation of the program, and the Board and the Audit and Risk Committee receive progress updates at each of their meetings. The Building Stronger Foundations program involves significant investment in new systems and staff, which the Board has committed to prioritising in funding decisions. The resourcing requirements of the program are also on the standing agenda for the ESG, which is seeking to quarantine program resources from demand from other high-priority projects within ASX. ASX has also reviewed the level of general business risk capital at the CS facilities, to ensure that this provides appropriate cover for operational risks while the Review findings are being addressed.
Both the Bank and ASIC will receive regular updates following each ESG meeting, and will have additional engagement with members of the Board to understand how the Board is overseeing the implementation of the program. ASX has also engaged KPMG to verify the progress made in implementing actions in June and December 2018 and June 2019. The first of these progress reviews confirmed that ASX had met its closure criteria on one recommendation and 29 per cent of underlying deliverables.
Footnote
[15] Under the three lines of defence model, the first line is risk management within the business functions themselves; the second line is an independent risk management and compliance function that develops risk management policy and oversees risk management in the first line; and the third line is independent assurance (i.e. internal and external audit).