2015/16 Assessment of ASX Clearing and Settlement Facilities A2.1 ASX Settlement Standard 3: Framework for the comprehensive management of risks

A securities settlement facility should have a sound risk management framework for comprehensively managing legal, credit, liquidity, operational and other risks.

ASX maintains an Enterprise Risk Management Policy that sets out its framework for managing the full range of strategic, legal, financial and operational risks faced by ASX Settlement. This high-level framework is supported by more granular policies and a governance structure to oversee ASX Settlement's risk management activities (SSF Standard 3.1). ASX Settlement's risk management framework does not place financial obligations on participants, but provides incentives to participants to control the risks that they bring to the SSF (SSF Standards 3.2, 3.3). As part of its risk management framework, ASX Settlement reviews on an ongoing basis risks associated with interdependencies with other entities and, in relation to new initiatives, applies appropriate tools to manage these risks (SSF Standard 3.4). ASX Settlement has implemented enhancements to its recovery arrangements in line with CPMI-IOSCO guidance on recovery planning (SSF Standard 3.5).

ASX Settlement's risk management framework is described in further detail under the following sub-standards.

3.1 A securities settlement facility should have risk management policies, procedures and systems that enable it to identify, measure, monitor and manage the range of risks that arise in or are borne by the securities settlement facility. This risk management framework should be subject to periodic review.

Identification of risk

ASX's high-level framework for risk management is described in its Enterprise Risk Management Policy. This policy divides risks identified by ASX into two broad categories: strategic risks and operational risks. Operational risks are further categorised into financial risks, legal and regulatory risks, and technological and operational risks. Specific risks identified by ASX are described within these broad categories. For each identified risk, ASX judges how likely it is the risk event will occur within the next 12 months and the potential impact. Reputational and participant impacts are considered along with the financial, operational and regulatory impacts of risks.

Comprehensive risk policies, procedures and controls

ASX's Enterprise Risk Management Policy has been developed with reference to the international standard ISO 31000 Risk Management – Principles and Guidelines (see SSF Standard 2.6).^[10] At a high level, the ASX Enterprise Risk Management Policy outlines: the overall risk environment in the ASX Group; the objectives of risk management policies; the process by which risks are identified and assessed; the controls in place to detect and mitigate risks; and how risks are monitored and communicated. ASX's stated tolerance for financial, operational, legal and regulatory risks is ‘very low’.

ASX uses key risk indicators to measure levels of risk in the organisation and categorise risk levels according to a scale: satisfactory; within risk tolerance but requiring action to further control the level of risk; or exceeding ASX's risk tolerance.

The Enterprise Risk Management Policy also assigns specific risk responsibilities across the ASX Group, including to the ASX Limited Board of Directors, the Audit and Risk Committee, the ERMC, the General Manager, Enterprise Risk and managers of individual departments. Managers of each department are responsible for identifying and monitoring risks relevant to their department's activities, as well as for designing and implementing risk management policies and controls to manage identified risks. Department managers assess the appropriateness and operational effectiveness of these controls twice a year; these assessments are reviewed by the ERMC.

ASX has a formal Settlement Risk Policy Framework that is aligned with the FSS. The Framework sets out a comprehensive set of settlement-related risk policies to support the risk management approach of ASX's SSFs, including ASX Settlement. These policies govern more detailed internal standards, which in turn govern specific procedures for the management of settlement-related risks. The structure of policies, standards and procedures reflects the requirements of the FSS.

A number of boards and internal committees oversee settlement risk management policy, including:

• The CS Boards. Each CS facility has a board (see SSF Standard 2.3 and ‘ASX Group Structure’ in Appendix A), which shares members with the other ASX CS facilities, has oversight of the Settlement Risk Policy Framework, and is responsible for any significant amendments. Policies and designated key standards under the Framework are governed by the CS Boards.
• The SRPC. The SRPC reviews and approves clearing risk policies and standards prior to submission to the CS Boards. The SRPC is chaired by the GE, Operations and includes the ASX Group Legal Counsel, General Manager of Post Trade and Issuer Services Operations, the General Manager of Participants Compliance and the Executive General Manager of Derivatives and OTC Markets. It will meet as needed when settlement risk policy matters arise.
• The CALCO. CALCO is constituted to ensure the structural integrity and efficient use of the liquidity, on- and off-balance sheet assets, liabilities and capital resources of the ASX Group. CALCO advises on changes to settlement risk policies related to capital, liquidity and balance sheet management. CALCO is chaired by the CRO and comprises senior managers and executives from Finance, Risk and Internal Audit. CALCO generally meets on a quarterly basis.
• The SROCC. SROCC is chaired by the GE, Operations and is made up of senior managers and executives from the settlement operations and compliance areas of ASX. The Committee acts as an information-sharing and discussion body for the purpose of enhancing ASX's ability to identify, assess and reduce systemic, operational or compliance risk, and manage settlement risk. The SROCC currently meets on a monthly basis.
• The PIRC. The PIRC is responsible for coordinating ASX's response to a settlement participant incident, and provides input into policy determinations and settings as necessary in response to such incidents. The PIRC is chaired by the GE, Operations, and is made up of senior staff from the operational, risk management, compliance and legal departments. Meetings of the PIRC are convened as required to address an actual or potential participant incident.

Information and control systems

Since ASX Settlement does not assume credit or liquidity risk as principal (see SSF Standards 4 and 6), it does not require information and control systems to monitor these risks. ASX Settlement nevertheless employs information systems that provide participants with information regarding their money and securities settlement obligations. This information assists participants in managing their funding and delivery obligations and risks (see SSF Standard 6.2).

Internal controls

ASX's documented risk management policies and standards specify requirements for periodic formal reviews, although more frequent reviews may occur depending on changes to technology, business drivers or legal requirements. Reviews are conducted by specific working groups and committees. Final approval of reviews for enterprise-wide policies and standards is the responsibility of the ERMC. Under the Enterprise Risk Management Policy, ASX's departments are required to update a risk profile every six months, which identifies relevant risks and sets out planned actions to respond to those risks.

Risk management arrangements are also subject to periodic review by Internal Audit. Such audits provide assurance that the risk management framework continues to be effective. Risk management arrangements may also be subject to review by external experts from time to time. An external review of ASX's enterprise risk framework was conducted during the Assessment period.

The Enterprise Risk Management Policy is reviewed by the Audit and Risk Committee on a two-year cycle, with the most recent review taking place in August 2015.

3.2 A securities settlement facility should ensure that financial and other obligations imposed on participants under its risk management framework are proportional to the scale and nature of individual participants' activities.

ASX Settlement does not place financial obligations on its participants. ASX Settlement is not a participant or guarantor to any transaction submitted for settlement through ASX Settlement and is not directly exposed to credit or liquidity risk. The DvP Model 3 settlement process does not expose participants to credit risk (see SSF Standard 10.2). Fees levied on participants that fail to meet their securities delivery obligations are proportional to the value of the failed obligations. Operational and other participation requirements placed on participants are discussed under SSF Standards 14.6 and 15.2.

3.3 A securities settlement facility should provide incentives to participants and, where relevant, their customers to manage and contain the risks they pose to the securities settlement facility.

ASX Settlement may apply sanctions to, or place additional requirements on, participants that fail to comply with its Operating Rules. Participants may ultimately be required to seek alternative settlement arrangements.

3.4 A securities settlement facility should regularly review the material risks it bears from and poses to other entities (such as other FMIs, money settlement agents, liquidity providers and service providers) as a result of interdependencies, and develop appropriate risk management tools to address these risks.

ASX Settlement reviews the material risks that it bears from and poses to other entities in the context of its ongoing review of enterprise risks (such as the six-monthly update of department risk profiles; see SSF Standard 3.1), and its processes for identifying risks associated with new activities. In the case of new products and services, ASX undertakes risk assessments when undertaking an expansion of its activities or in the event of material changes to its business. Risk assessments are built into ASX's project management framework (see SSF Standards 12.1 and 14.4).

For instance, over the past few years, ASX Settlement has monitored and managed risks to its operational activities arising from participants' increased usage of third-party vendors for back-office systems, and participants outsourcing their back-office processing offshore. ASX Settlement has also monitored and managed risks arising from interdependencies with service providers. ASX Settlement's response to these interdependencies is outlined in SSF Standard 14.5.

Interdependencies with ASX Clear for the settlement of novated transactions are managed within the context of ASX Group's broader risk management framework (see SSF Standard 17).

3.5 A securities settlement facility should identify scenarios that may potentially prevent it from being able to provide its critical operations and services as a going concern and assess the effectiveness of a full range of options for recovery or orderly wind-down. A securities settlement facility should prepare appropriate plans for its recovery or orderly wind-down based on the results of that assessment. Where applicable, a securities settlement facility should also provide relevant authorities with the information needed for purposes of resolution planning.

In October 2015, ASX Settlement implemented enhanced recovery planning arrangements, developed with reference to the CPMI-IOSCO guidance on recovery planning. ASX Settlement's enhanced recovery approach establishes arrangements to address addressing non default-related losses via business risk capital arrangements (see SSF Standard 12.3).

Recovery plan

During the Assessment period, ASX has taken steps to update the documentation of its Recovery Plans. The update reflects the expanded set of recovery tools introduced in October 2015, as well as the new replenishment arrangements. Alongside this update, ASX has developed some information management tools to support decision making in a recovery scenario. ASX has also integrated the testing and review of the Recovery Plan into its broader framework for testing and review of risk and default management policies and processes.

The Recovery Plan identifies scenarios that could threaten the ASX CS facilities' ongoing provision of critical clearing services, describes events that would trigger the activation of the Recovery Plan, and sets out how ASX would respond to such scenarios. It also describes the suite of tools available to the CS facilities in recovery and details the governance arrangements both for the use of these tools and for review of the recovery planning framework.

Footnote

ISO is an international standard-setting body and ISO 31000 is considered to be relevant guidance for enterprise risk management. The ISO 31000 standard has been reproduced by Standards Australia and Standards New Zealand as AS/NZS 31000. [10]