Assessment of ASX Clearing and Settlement Facilities – September 2024

5. Special Topic – Operational Risk

5.1 Summary and rating

The RBA conducted a detailed review of ASX’s compliance with selected aspects of the Operational Risk FSS and associated guidance.[8] The assessment identified several deficiencies relating to the complexity and implementation of ASX’s frameworks and operational controls. The rating for all ASX CS facilities has been retained at partly observed. ASX should place high priority on addressing the following matters that could become serious issues of concern if not addressed promptly:

  • ASX needs to continue placing high priority on the remediation of ageing assets, and ensuring appropriate frameworks and resources are in place to proactively upgrade or replace assets before they reach end-of-life.
  • ASX needs to develop the maturity of its frameworks and capabilities for managing third-party vendor risks and implement consistent vendor management controls and processes.

5.2 Background

This review examined ASX’s overall frameworks and governance for identifying and managing operational risks. It also included detailed assessments in the following key risk areas:

  • Technology asset lifecycles. The RBA assessed ASX’s frameworks and practices for managing technology asset lifecycles and remediating assets approaching end-of-life or end-of-support.
  • Technology transformation. The RBA noted the findings of an external report on ASX’s project, program and portfolio management (PPPM) capabilities.
  • Third-party dependencies. The RBA assessed ASX’s frameworks and practices for managing risks relating to third-party vendors and outsourcing arrangements.
  • Cyber resilience. The RBA considered ASX’s approach to cyber resilience and the maturity of its cyber security arrangements.

ASX’s management of operational risks is an ongoing area of focus for the RBA.

5.3 Detailed findings and recommendations

5.3.1 Managing technology asset lifecycles

The FSS require CS facilities to ensure their systems are able to operate with a high degree of security and reliability to support trust in the financial system. While progress has been made on upgrading or replacing some critical systems (see section 3.3), the RBA continues to hold concerns about risks to ASX’s systems arising from the ageing of its technology assets. These concerns extend to ASX’s approach to managing the lifecycle of its technology assets to ensure that systems are remediated before the risks associated with ageing arise. Similar issues relating to ASX’s technology asset lifecycle management were identified by an internal audit completed towards the end of the assessment period.

5.3.1.1 ASX must continue to address risks associated with ageing assets

Software currency and hardware age continued to be key drivers of operational risk. When software reaches end-of-life, vendor support, updates and security patches may cease to be available, raising security and operational concerns. Aged hardware can also cause problems with system processing and capacity, resulting in lower performance, delays and outages. ASX has not experienced a major operational incident in the past few years, but the ageing of assets increases the risk of operational failure. ASX’s risk appetite for such failure is very low. The RBA would consider any significant disruption to critical CS services to be a matter of serious concern.

In response to the RBA’s recommendations in the 2023 ASX Assessment, ASX has developed a Technology Issues Remediation Roadmap to track the remediation of high severity issues relating to aged assets. ASX is also implementing additional short-term controls to mitigate key risks in the interim. These remediation efforts must continue to receive high priority and progress to scheduled timelines. ASX should also ensure that it has sufficient resources to maintain the health of its critical systems and manage key person risks for projects and systems.

ASX has outlined a process for updating the roadmap on a quarterly basis to incorporate any new issues or initiatives that need to be addressed with respect to ageing assets. As part of this process, ASX should consider incorporating reports on critical ageing asset remediation projects that are not currently linked to a high severity issue. This will assist in ensuring that ASX has a holistic view of the effort and resource commitment required to remediate ageing assets. An example of a project that falls into this category is CHESS Replacement Release 2, which is a critical part of the remediation of a CS system. ASX should also consider further ways in which its board reporting can provide a clear view of how the ageing of systems and remediation activities are expected to change the risk status of its critical systems.

5.3.1.2 ASX should establish enterprise-wide frameworks and tools to manage asset lifecycles proactively

In the 2023 ASX Assessment, the RBA recommended that ASX develop a long-term strategy to proactively identify and remediate ageing assets before risks materialise. This will help to ensure that ASX’s technology environment does not further deteriorate even as it focuses on remediation, and that risks associated with aged assets do not recur in the future.

The long-term strategy developed by ASX includes plans for improved prioritisation of asset remediation. It also includes a multi-year move to a platform-based environment, which ASX expects will support its ability to maintain the currency of technology assets.

However, by the end of the assessment period there were no enterprise-wide frameworks, policies or expectations covering current asset lifecycle management. ASX’s ageing asset issue is partly due to the failure to systematically identify and manage risks as assets age. Without an appropriate framework for the identification and management of these risks, the underlying cause remains unaddressed.

ASX has acknowledged the need to develop a central asset lifecycle management policy or framework. The RBA expects ASX to prioritise this development. This policy or framework should ensure that all accountable individuals are aware of their responsibilities. Accountable individuals should also be able to access sufficient resources for the proactive management of assets in a consistent manner across the enterprise. The RBA will closely monitor further development of ASX’s strategy.

Appropriate management of the technology asset lifecycle also relies on the robust documentation of assets. ASX’s underlying tools for documenting and tracking assets through their lifecycle are fragmented. The RBA agrees with ASX’s plans to consolidate and streamline its asset tracking tools.

Recommendation: Throughout the 2025 assessment period, ASX should continue to place high priority on remediating ageing technology assets and ensure that major technology remediation activities progress to scheduled timelines. As part of this, ASX should continue to assess whether its short-term controls remain sufficient and appropriate. ASX should also ensure it has sufficient resources and capabilities to support the health of critical systems and remediation activities. ASX should provide regular reporting to the boards that clearly shows:

  • progress against its Technology Issues Remediation Roadmap
  • a holistic view of the health of all critical systems, and the expected impact of planned remediation activities on the risk attributes of critical systems.

Recommendation: By 30 June 2025, ASX should ensure that it has an appropriate framework or policy for asset lifecycle management that mandates the proactive upgrade or replacement of technology assets before they reach end-of-life. As part of this, ASX should explicitly outline responsibilities around asset lifecycle management and ensure that the tools used to track technology assets are fit for purpose.

5.3.2 Project, program and portfolio management

During the assessment period, ASIC (under statutory direction) required ASX to produce a special report, along with an external audit report, into ASX’s project, program and portfolio management (PPPM Reports). Several recommendations for ASX to improve its practices were made in the PPPM Reports. These were further to recommendations from the previous external reviews into the CHESS Replacement project and the November 2020 ASX Trade outage.

The RBA expects ASX to address all the recommendations in the PPPM Reports. During the assessment period, ASX began this work. The RBA’s view is that ASX should prioritise recommendations relating to the following: useability of frameworks; the clarity of roles and responsibilities; resource forecasting and allocation; and project assurance.

  • ASX should improve the useability of its project framework. The FSS require CS facilities to establish clear policies and procedures to mitigate operational risks. The PPPM Reports found that ASX’s project framework documentation is extensive and spread across multiple formats, which makes it difficult to locate and understand. The RBA’s view is that this increases the chances of project governance and risk management processes not being followed. This, in turn, raises the probability that ASX projects that are critical to supporting financial stability are not delivered appropriately. The RBA expects ASX to prioritise the review’s recommendations to improve the useability and readability of its framework documentation.
  • Responsibilities under the PPPM framework should be clearer. The PPPM Reports found that there is inconsistent understanding of portfolio management and change management roles. Project and portfolio decision-making responsibilities are also not well defined and there is limited decision-making authority below the executive level.[9] This results in an over-reliance on executive decision-making, including in circumstances where lower-level subject matter experts may be more appropriate decision-makers. These findings are inconsistent with the FSS requirements to define clear roles and responsibilities for operational risks. ASX has started taking steps to address the PPPM Reports’ recommendations for clarifying roles and decision-making responsibilities and the RBA expects ASX to complete this work.
  • ASX should improve its processes for planning project resourcing. Given the number and complexity of ASX’s technology renewal projects, it is critical that resource requirements are appropriately managed. Resource management failures could significantly delay large technology upgrades or replacement projects, forcing existing outdated systems to remain operating for longer.

    The PPPM Reports found that ASX does not have a structured way of forecasting expected resource requirements for its projects. During the assessment period there was resourcing and scheduling pressure for multiple projects. The RBA expects ASX to consistently implement the external review’s recommendations on project resource forecasting, capacity planning and standardising portfolio management functions. ASX should continuously ensure that its projects are sufficiently resourced.

  • ASX should improve its project assurance requirements. A structured approach to projects, with project assurances built in at key stages, is important to ensure that risks are appropriately identified and managed throughout a project. ASX has a risk-based project assurance framework, under which assurance programs are being established for the CHESS Replacement project and ClearStar program. However, assurance and stage-gate reviews are not mandated. The RBA expects ASX to demonstrate consistent and sustained implementation of assurance review and stage-gate requirements for its projects and programs.

The RBA will monitor the completion and sustainable implementation of these recommendations.

Recommendation: By 30 June 2026, ASX should complete and sustainably implement the recommendations from the PPPM Reports. ASX should prioritise those regarding:

  • the useability of the PPPM framework documents
  • project resource forecasting, capacity/demand planning and portfolio management functions
  • clarifying roles and decision-making responsibilities
  • stage-gate reviews.

5.3.3 Vendor management

CS facilities need to manage their dependencies on third-party providers to ensure their critical operations meet the resilience, security and operational performance requirements of the FSS. An internal audit in 2022 found deficiencies in ASX’s vendor management in relation to the previous CHESS Replacement project. ASX recognised that its vendor management framework is unduly complex and that the knowledge and practices of its staff in this area need to be strengthened. Relevant knowledge and practices include awareness of the framework, transparent and consistent application of the requirements, and maintaining updated relevant documentation. The RBA’s assessment is that ASX needs to place high priority on significantly developing its frameworks and practices to manage vendors. Several specific issues of concern were identified. Some of these were also raised in ASX’s Internal Audit review of vendor management in the previous assessment period.

5.3.3.1 ASX’s third-party vendor policies and responsibilities should be clearer

ASX’s third-party vendor policies are complex and difficult to navigate. The core vendor management policy is long and repetitive, and the overall framework comprises various overlapping documents. For example, the framework contains four different definitions of ‘critical vendors’ to which heightened vendor management requirements apply. The responsibilities of key roles within the framework are also overlapping and not clearly delineated. This is inconsistent with the FSS requirement to clearly allocate responsibility for operational risk management. This creates a risk that vendor and third-party risks are not identified or appropriately monitored and managed.

ASX has started work to improve its vendor policies and frameworks, including the introduction of a new Critical Third-Party Policy at the end of 2023. ASX’s intention is that these changes will create simpler, harmonised documents that are consistent with industry best practice. It is important that ASX achieves this goal. As part of this, the RBA expects ASX to clearly document individual responsibilities.[10]

5.3.3.2 ASX needs to ensure vendor management processes are consistently applied

The RBA has concerns that several key controls to manage vendor risks are not applied consistently. This reflects the ambiguity of some requirements in ASX’s framework and policies, as well as variation in knowledge, practices and tools across the organisation. The RBA agrees with ASX’s recent and planned efforts to improve capabilities and requirements, and the rollout of the new Critical Third-Party Policy. The RBA also expects ASX to address the following three issues for all key vendors that serve the CS facilities, as a matter of high priority:[11]

  • Vendor risk assessment. Vendor risk assessments should be consistently performed for all key vendors that serve the CS facilities. These should include assessments of the vendor’s strategic alignment with ASX and technical ability to deliver the relevant services. The new Critical Third-Party Policy does require risk assessments, but it does not cover all key vendors that serve the CS facilities. This should be addressed. ASX should also continue to consider how its risk assessment processes for CS facility vendors align with the expectations set out in Annex F of the Principles for Financial Market Infrastructures.[12]
  • Vendor performance management. CS facilities need to ensure that services provided by their vendors meet the resilience, reliability and security requirements of the FSS on an ongoing basis. ASX’s policies require vendor performance monitoring. A key risk indicator for material vendor performance issues is also reported to the ASX boards. However, ASX’s vendor performance monitoring and management is not applied consistently in practice, with tools and processes largely dependent on varying knowledge and practices across the different lines of business.
  • Vendor contingency plans. CS facilities need to ensure the continuity of their services and have in place robust arrangements for the substitution of their vendors. ASX’s vendor management framework requires consideration of contingency plans for situations where a vendor is no longer willing or able to provide services. However, this requirement is not consistently implemented. In cases where alternative vendors are not available, ASX was unable to demonstrate that it had formally acknowledged and accepted the risks posed by those circumstances.

5.3.3.3 ASX should actively manage single points of failure arising from vendor dependencies

Vendor concentration increases exposure to the operational and general business risk of a given individual entity and can create single points of failure. This may occur not only in relation to direct service providers but also to sub-contractors (fourth parties). ASX does not have a formal approach for measuring, monitoring and decision-making in relation to vendor concentration. ASX has considered concentration risk in certain vendor selection decisions, but a formal approach would facilitate consistent consideration of this risk.

Recommendation: By 28 February 2025, ASX should simplify and streamline its frameworks and policies relating to the management of vendor risks. The frameworks and policies should ensure that requirements and responsibilities are clear, unambiguous and consistent.

Recommendation: By 28 February 2025, the following should be made clearly mandatory for all key vendors supporting the CS facilities:

  • vendor risk assessments
  • implementation of consistent enterprise processes for monitoring vendor performance
  • contingency plans for when a vendor ceases to provide services.

Recommendation: By 30 June 2025, ASX should improve its organisation-wide capabilities for vendor management. ASX should identify the skills and training required for staff with vendor management responsibilities and develop a plan for putting these skills and training in place.

Recommendation: By 31 December 2026, ASX should have developed and implemented formal frameworks to monitor and manage fourth-party and concentration risks for vendors servicing the CS facilities. This should include identification of fourth-party single points of failure.

5.3.4 Cyber resilience

During the assessment period, ASX assessed itself against two cyber standards and refreshed its strategy for the continuous improvement of its cyber resilience. ASX continued to develop its cyber resilience testing and assurance capabilities, to test its preparedness for different cyber risk scenarios. ASX is expected to take a more active role in promoting its ecosystem’s preparedness to respond to and recover from cyber events (e.g. by organising industry-wide tests).[13]

5.3.5 Overall operational risk management framework

The RBA has found ASX’s operational risk policies to be complex and fragmented. ASX does not have an overarching operational risk framework that provides a comprehensive view of how the various policies related to operational risk interact with each other. This may have contributed to the observed lack of consistent application of some policies across the enterprise. ASX plans to introduce a simple document that covers the key principles and policies for ensuring operational resilience. The RBA encourages ASX to broaden the scope of this document to encompass other areas of operational risk.

Footnotes

[8] Cyber resilience is also assessed against CPMI-IOSCO (2016), ‘Guidance on Cyber Resilience for Financial Market Infrastructures’, June.

[9] In addition, the PPPM Reports found that ASX should continue work to develop a program management framework.

[10] This includes integrating the vendor management framework into the project delivery framework, in response to a recommendation from the PPPM Reports.

[11] Key vendors include any vendors that provide goods or services that are necessary to support the efficient and secure operation of the CS facilities (irrespective of how they are classified within ASX’s vendor frameworks). This goes beyond ‘critical’ vendor arrangements that, in the event of failure or disruption to supply the goods or services, would result in immediate disruption to ASX’s services.

[12] CPMI-IOSCO (2012), Principles for Financial Market Infrastructures, April.

[13] A more detailed assessment of ASX’s cyber resilience has been confidentially communicated to ASX.