2015/16 Assessment of ASX Clearing and Settlement Facilities A2.2 Austraclear Standard 3: Framework for the comprehensive management of risks

A securities settlement facility should have a sound risk management framework for comprehensively managing legal, credit, liquidity, operational and other risks.

ASX maintains an Enterprise Risk Management Policy that sets out its framework for managing the full range of strategic, legal, financial and operational risks faced by Austraclear. This high-level framework is supported by more granular policies and a governance structure to oversee Austraclear's risk management activities (SSF Standard 3.1). Austraclear's risk management framework does not place financial obligations on participants, but provides incentives to participants, such as additional operational requirements for collateral managers, to control the risks that they bring to the SSF (SSF Standards 3.2, 3.3). As part of its risk management framework, Austraclear reviews risks associated with interdependencies with other entities on an ongoing basis and, in relation to new initiatives, applies appropriate tools to manage these risks (SSF Standard 3.4). Austraclear has implemented enhancements to its recovery arrangements in line with CPMI-IOSCO guidance on recovery planning (SSF Standard 3.5).

Austraclear's risk management framework is described in further detail under the following sub-standards.

3.1 A securities settlement facility should have risk management policies, procedures and systems that enable it to identify, measure, monitor and manage the range of risks that arise in or are borne by the securities settlement facility. This risk management framework should be subject to periodic review.

Identification of risk

ASX's high-level framework for risk management is described in its Enterprise Risk Management Policy. This policy divides risks identified by ASX into two broad groupings: strategic risks and operational risks. Operational risks are further categorised into financial risks, legal and regulatory risks, and technological and operational risks. Specific risks identified by ASX are described within these broad categories. For each identified risk, ASX judges how likely it is the risk event will occur within the next 12 months and the potential impact. Reputational and participant impacts are considered along with the financial, operational and regulatory impacts of risks.

Comprehensive risk policies, procedures and controls

ASX's Enterprise Risk Management Policy has been developed with reference to the international standard ISO 31000 Risk Management – Principles and Guidelines (see SSF Standard 2.6).^[7] At a high level, the ASX Enterprise Risk Management Policy outlines: the overall risk environment in the ASX Group; the objectives of risk management policies; the process by which risks are identified and assessed; the controls in place to detect and mitigate risks; and how risks are monitored and communicated. ASX's stated tolerance for financial, operational, legal and regulatory risks is ‘very low’.

ASX uses key risk indicators to measure levels of risk in the organisation and categorise risk levels according to a scale: satisfactory; within risk tolerance but requiring action to further control the level of risk; or exceeding ASX's risk tolerance.

The Enterprise Risk Management Policy also assigns specific risk responsibilities across the ASX Group, including to the ASX Limited Board of Directors, the Audit and Risk Committee, the ERMC, the General Manager, Enterprise Risk and managers of individual departments. Managers of each department are responsible for identifying and monitoring risks relevant to their department's activities, as well as for designing and implementing risk management policies and controls to manage identified risks. Department managers assess the appropriateness and operational effectiveness of these controls twice a year; these assessments are reviewed by the ERMC.

ASX has a formal Settlement Risk Policy Framework that is aligned with the FSS. The Framework sets out a comprehensive set of settlement-related risk policies to support the risk management approach of ASX's SSFs, including Austraclear. These policies govern more detailed internal standards, which in turn govern specific procedures for the management of settlement-related risks. The structure of policies, standards and procedures reflects the requirements of the FSS.

A number of boards and internal committees oversee settlement risk management policy, including:

The CS Boards. Each CS facility has a board (see SSF Standard 2.3 and ‘ASX Group Structure’ in Appendix A), which shares members with the other ASX CS facilities, has oversight of the Settlement Risk Policy Framework, and is responsible for any significant amendments. Policies and designated key standards under the Framework are governed by the CS Boards.
The SRPC. The SRPC reviews and approves clearing risk policies and standards prior to submission to the CS Boards. The SRPC is chaired by the GE, Operations and includes the ASX Group Legal Counsel, General Manager of Post Trade and Issuer Services Operations, the General Manager of Participants Compliance and the Executive General Manager of Derivatives and OTC Markets. It will meet as needed when settlement risk policy matters arise.
The CALCO. CALCO is constituted to ensure the structural integrity and efficient use of the liquidity, on- and off-balance sheet assets, liabilities and capital resources of the ASX Group. CALCO advises on changes to settlement risk policies related to capital, liquidity and balance sheet management. CALCO is chaired by the CRO and comprises senior managers and executives from Finance, Risk and Internal Audit. CALCO generally meets on a quarterly basis.
The SROCC. SROCC is chaired by the GE, Operations and is made up of senior managers and executives from the settlement operations and compliance areas of ASX. The committee acts as an information-sharing and discussion body for the purpose of enhancing ASX's ability to identify, assess and reduce systemic, operational or compliance risk, and manage settlement risk. The SROCC currently meets on a monthly basis.
The PIRC. The PIRC is responsible for coordinating ASX's response to a settlement participant incident, and provides input into policy determinations and settings as necessary in response to such incidents. The PIRC is chaired by the GE, Operations, and is made up of senior staff from the operational, risk management, compliance and legal departments. Meetings of the PIRC are convened as required to address an actual or potential participant incident.

Information and control systems

Since Austraclear does not assume credit or liquidity risk as principal (see SSF Standards 4 and 6), it does not require information and control systems to monitor these risks. Furthermore, Austraclear's use of DvP Model 1 settlement avoids the creation of credit exposures during the settlement process and limits the direct liquidity impact of a participant default on non-defaulting participants. Accordingly, there are no relevant participant settlement and funding flows for Austraclear to measure and monitor (see SSF Standard 6.2).

Internal controls

ASX's documented risk management policies and standards specify requirements for periodic formal review, although more frequent reviews may occur depending on changes to technology, business drivers or legal requirements. Reviews are conducted by specific working groups and committees. Final approval of reviews for enterprise-wide policies and standards is the responsibility of the ERMC. Under the Enterprise Risk Management Policy, ASX's departments are required to update a risk profile every six months, which identifies relevant risks and sets out planned actions to respond to those risks.

Risk management arrangements are also subject to periodic review by Internal Audit. Such audits provide assurance that the risk management framework continues to be effective. Risk management arrangements may also be subject to review by external experts from time to time. An external review of ASX's enterprise risk framework was conducted during the Assessment period.

The Enterprise Risk Management Policy is reviewed by the Audit and Risk Committee on a two-year cycle, with the most recent review taking place in August 2015.

3.2 A securities settlement facility should ensure that financial and other obligations imposed on participants under its risk management framework are proportional to the scale and nature of individual participants' activities.

Austraclear does not place financial obligations on its participants. Austraclear is not a participant or guarantor to any transaction submitted for settlement through Austraclear and is not directly exposed to credit or liquidity risk. The DvP Model 1 settlement process does not expose participants to credit risk (see SSF Standard 10.2). Transactions that are not settled successfully on the day that they are submitted are removed from the settlement queue at close of business without penalty. Operational and other participation requirements placed on participants are discussed under SSF Standards 14.6 and 15.2.

3.3 A securities settlement facility should provide incentives to participants and, where relevant, their customers to manage and contain the risks they pose to the securities settlement facility.

Austraclear may apply sanctions to, or place additional requirements on, participants that fail to comply with its Regulations. Participants may ultimately be required to seek alternative settlement arrangements.

3.4 A securities settlement facility should regularly review the material risks it bears from and poses to other entities (such as other FMIs, money settlement agents, liquidity providers and service providers) as a result of interdependencies, and develop appropriate risk management tools to address these risks.

Austraclear reviews the material risks that it bears from and poses to other entities in the context of its ongoing review of enterprise risks (such as the six-monthly update of department risk profiles; see SSF Standard 3.1), and its processes for identifying risks associated with new activities. In the case of new products and services, ASX undertakes risk assessments when undertaking an expansion of its activities or in the event of material changes to its business. Risk assessments are built into ASX's project management framework (see SSF Standards 12.1 and 14.4).

For instance, over the past few years, Austraclear has monitored and managed potential risks to its operational activities arising from participants outsourcing their back-office processing offshore. Austraclear has also monitored and managed risks arising from interdependencies with service providers, notably Clearstream Banking S.A. (Clearstream) for key components of the ASX Collateral service. Austraclear's response to these interdependencies is outlined in SSF Standard 14.5.

Interdependencies with ASX Clear and ASX Clear (Futures) for the settlement of margin and other payment obligations are managed within the context of ASX Group's broader risk management framework (see SSF Standard 17). Interdependencies with LCH.Clearnet Limited (LCH.C Ltd) for the management of its AUD liquidity requirements are managed in the context of Austraclear's operational risk management framework (see SSF Standards 14 and 17).

3.5 A securities settlement facility should identify scenarios that may potentially prevent it from being able to provide its critical operations and services as a going concern and assess the effectiveness of a full range of options for recovery or orderly wind-down. A securities settlement facility should prepare appropriate plans for its recovery or orderly wind-down based on the results of that assessment. Where applicable, a securities settlement facility should also provide relevant authorities with the information needed for purposes of resolution planning.

In October 2015, Austraclear implemented enhanced recovery planning arrangements, developed with reference to the CPMI-IOSCO guidance on recovery planning. Austraclear's enhanced recovery approach establishes arrangements to address addressing non default-related losses via business risk capital arrangements (see SSF Standard 12.3).

Recovery plan

During the Assessment period, ASX has taken steps to update the documentation of its Recovery Plans. The update reflects the expanded set of recovery tools introduced in October 2015, as well as the new replenishment arrangements. Alongside this update, ASX has developed some information management tools to support decision making in a recovery scenario. ASX has also integrated the testing and review of the Recovery Plan into its broader framework for testing and review of risk and default management policies and processes.

The Recovery Plan identifies scenarios that could threaten the ASX CS facilities' ongoing provision of critical clearing services, describes events that would trigger the activation of the Recovery Plan, and sets out how ASX would respond to such scenarios. It also describes the suite of tools available to the CS facilities in recovery and details the governance arrangements both for the use of these tools and for review of the recovery planning framework.

Footnote

ISO is an international standard-setting body and ISO 31000 is considered to be relevant guidance for enterprise risk management. The ISO 31000 standard has been reproduced by Standards Australia and Standards New Zealand as AS/NZS 31000. [7]