Enterprise Risk Management

Last updated 8 February 2023

The Enterprise Risk Management (“ERM”) function is responsible for providing TASConnect’s Board and Management with a comprehensive and independent assessment of the risk exposure of the Company, effectiveness of the risk mitigation and management activities, and summary of the risk limits and utilization. These activities effectively create an oversight function that provides a second line of defense to all other risk and control functions of the Company.


TASConnect adopts the following principles to direct its risk management. The principles are reinforced by the Company’s risk culture, to identify and assess current and future risks, discuss these risks, and take prompt actions.

TASConnect will strive to balance the relationship between growth, risk and return. While there is often a tendency to focus on additional mechanisms for reducing risk, there may be opportunities to accept greater risks so long as the additional risk levels are understood and managed.

TASConnect’s ERM process begins with the statement of risk appetite (“RA”) and the setting of strategic, financial, and other business objectives during the planning and budgeting process. These objectives cascade through to lines of business, as appropriate. Management will assess if There is an effective alignment of the proposed long-term strategic objectives with the risk appetite approved by the Board. The strategic plan also includes a risk dimension through evaluation of forecasts and scenarios and outlines appropriate bus risk mitigation of ca prias ate strategy

      1. Balancing risk and return – TASConnect is required to manage risks within its approved Risk Appetite and maintain a low probability of an unexpected loss event that would materially undermine the confidence of its clients, external stakeholders, and investors;
      2. Conduct of business – TASConnect is required to demonstrate strong conduct, to be mindful of the reputational consequences of inappropriate conduct; and to achieve fair outcomes for clients, investors, and the markets in which TASConnect operates, while abiding by the spirit and letter of applicable laws and regulations;
      3. Responsibility and accountability – risk taking activities are disciplined, transparent, controlled and focused, particularly within its authorities;
      4. Anticipation – TASConnect seeks to consider future material risks to learn lessons from events that have produced adverse outcomes, and to increase awareness of known risks;
      5. Competitive advantage – TASConnect seeks to achieve competitive advantage through efficient and effective risk management.


As a key to maintaining an acceptable level of risk in light of the financial and strategic objectives of the Company, TASConnect will function within the approved risk appetite and limits of the Board. To support this framework, the ERM functions sets and enforces limit triggers and escalation policies that are consistent with the Board-approved risk appetite.

TASConnect’s risk appetite is the approved boundary for the risk that TASConnect is willing to undertake. It is set within the risk capacity which is defined as the maximum level of risk that TASConnect can assume, given its current capabilities and resources, before breaching constraints determined by capital and liquidity requirements, internal operating environment, or otherwise failing to meet the expectations of regulatory authorities and law enforcement agencies.


It is important for TASConnect to manage Conduct Risk in order to deliver positive outcomes to investors, shareholders, counterparties, employees, markets, and competition, and provide all employees with a fair and safe working environment that is free from discrimination, exploitation, bullying, harassment, or inappropriate language.

TASConnect will be responsible for ensuring that the employees identify, mitigate, and monitor Conduct Risk.

TASConnect must demonstrate that Conduct Risk is considered when making material strategic decisions that may impact clients, investors, shareholders, counterparties, employees, markets, and competition.


The primary responsibility for the ERM function is to ensure it is conducting its monitoring and oversight role adequately across all risk types.

TASConnect’s processes must implement a maker-checker model with roles and responsibilities outlined below:

Table 1: Risk Management Activities

role Definition Key Responsibilities
 First Line The business or function engaged in or supporting revenue generating activities who own and manage the risks in these activities.
  1.  Identify and propose the risks required to undertake the revenue generating activities.
  2. Identify, assess, monitor and escalate risks and events to Second Line and the management team.
  3. Set and execute risk remediation plans.
  4. Own and design processes, controls and standards for adhering to Frameworks and Policies set by the Second Line.
  5. Validate and self-assess compliance to Policies and Standards, confirm the quality of validation, and provide evidence-based affirmation to Second Line (where relevant).
  6. Ensure that applicable laws and regulations are being complied with and escalate significant regulatory non-compliance matters and developments to the Second Line and Senior Management.
  7. Promote a healthy risk culture and good conduct. 
Second Line The control functions are independent of the First Line that provide oversight and challenge of risk management.
  1. Review First Line proposals and make decisions to approve or reject as appropriate.
  2. Oversee and challenge First Line risk taking activities.
  3. Own processes for setting Policies and Standards and monitoring compliance to the same.
  4. Own and manage processes for oversight and challenge.
  5. Intervene to curtail business if activities are not in line with RA, there is material non-compliance with policy requirements, or when operational controls do not effectively manage risk.
  6. Identify, assess, monitor and escalate risks and events to the ERC and to the Board.
  7. Review and challenge risk remediation plans set by the First Line to mitigate RA breaches or events.
  8. Ensure there are appropriate controls to comply with applicable laws and regulations. Escalate significant regulatory non-compliance matters and developments to ERC, Board and Management Team.
  9. Promote a healthy risk culture and good conduct.

Third Line

The internal audit function provides independent assurance on the effectiveness of controls that support First Line’s risk management of business activities, and the processes maintained by the Second Line.

  1. Independently assess whether management has identified the key risks in the business and whether these are reported and governed in line with the established risk management processes.
  2. Independently assess the adequacy of the design of controls and their operating effectiveness.


4.1 For escalation-level breaches, the business (First Line) is to inform the ERM function and the respective Risk Framework Owner (“RFO”) to agree on treatment plans. The escalation-level breach together with the treatment plans must be tabled at The ERC for tracking until completion of the treatment plans and the RA Metric is no longer in breach.

4.2 For RA breaches, the business (First Line) is to inform the ERM function and respective RFO as soon as possible. This will be considered as a Material Event and requires further escalations in accordance.

4.3 Treatment plans for a RA breach are to be formulated within 72 hours of breach discovery. The treatment plans must be endorsed by the RFO and SCV RFO and approved by the Board. Treatment plans must be presented to the next ERC and the Board and must be tracked by these governance bodies until closure.


TASConnect’s risk profile provides a complete and forward-looking profile of the elevated inherent risks that TASConnect is exposed to. It contains the following elements:

    1. A Process Universe that outlines the key operational elements and processes to deliver the client experience for the service/product offered by TASConnect.
    2. Inherent risk assessment conducted by the First Line (Process Owners) to identify and assess the inherent risks at each stage of the Process Universe. The Second Line (RFO/SME) approves the said risk assessment performed by the First Line.
    3. Controls are designed and installed to mitigate the inherent risks. First Line monitors the effectiveness of the controls through Key Control Indicators (“KCIs”) and/or Control Sample Tests (“CSTs”) to provide early warning of potential problems.

      This approach is an ongoing exercise to reflect on the latest risk exposure of TASConnect.

      d. Residual risks are assessed by the First Line (Process Owner) taking into account the design and operating effectiveness of controls implemented. The Second Line (RFO/SME) approves the residual risk assessment performed by the First Line (Process Owners).


This ERM framework is a unifying framework that is consistent with, and supported by, the Company’s values of integrity, team, service excellence, and winning. This ERM philosophy directs all of the TASConnect’s ERM activities and enables management to clearly understand the tradeoffs between risk and return in decision making.

Risk will be measured, either qualitatively or quantitatively, relative to specific performance measures associated with the objectives, whether financial, operational or otherwise, to be actionable. By using the same, or a congruent, unit of measure established for their objectives, the results are more meaningful to management and reduce the need for the development of separate measures. In doing so, ERM becomes embedded into management processes.

Effective ERM requires appropriate and timely information that supports management decisions.

6.1  First and Second Line staff to undertake regular horizon scanning to identify and monitor the impact of emerging risks to learn lessons from events that have produced adverse outcomes, and to raise awareness of known risks.

6.2  Risk management reports will contain risk information that allows TASConnect to appropriately identify, monitor and report on material risks.

6.3 Management must promptly escalate the following Material Events:
i) any breaches,
ii) any events or issues,
iii) anyresidualrisks,and iv) any other issue.

Book a demo