The Enterprise Risk Management (“ERM”) function is responsible for providing TASConnect’s Board and Management with a comprehensive and independent assessment of the risk exposure of the Company, effectiveness of the risk mitigation and management activities, and summary of the risk limits and utilisation. These activities effectively create an oversight function that provides a second line of defense to all other risk and control functions of the Company.
STRATEGY AND STRATEGIC RISK MANAGEMENT
TASConnect adopts the following principles to direct its risk management. The principles are reinforced by the Company’s risk culture, to identify and assess current and future risks, discuss these risks, and take prompt actions.
TASConnect will strive to balance the relationship between growth, risk and return. While there is often a tendency to focus on additional mechanisms for reducing risk, there may be opportunities to accept greater risks so long as the additional risk levels are understood and managed.
TASConnect’s ERM process begins with the statement of risk appetite (“RA”) and the setting of strategic, financial, and other business objectives during the planning and budgeting process. These objectives cascade through to lines of business, as appropriate. Management will assess if there is an effective alignment of the proposed long-term strategic objectives with the risk appetite approved by the Board. The strategic plan also includes a risk dimension through evaluation of forecasts and scenarios and outlines appropriate risk mitigation strategies.
- Balancing risk and return – TASConnect is required to manage risks within its approved Risk Appetite and maintain a low probability of an unexpected loss event that would materially undermine the confidence of its clients, external stakeholders, and investors;
- Conduct of business – TASConnect is required to demonstrate strong conduct, to be mindful of the reputational consequences of inappropriate conduct; and to achieve fair outcomes for clients, investors, and the markets in which TASConnect operates, while abiding by the spirit and letter of applicable laws and regulations;
- Responsibility and accountability – risk taking activities are disciplined, transparent, controlled and focused, particularly within its authorities;
- Anticipation – TASConnect seeks to consider future material risks, to learn lessons from events that have produced adverse outcomes, and to increase awareness of known risks; and
- Competitive advantage – TASConnect seeks to achieve competitive advantage through efficient and effective risk management.
As a key to maintaining an acceptable level of risk in light of the financial and strategic objectives of the Company, TASConnect will function within the approved risk appetite and limits of the Board. To support this framework, the ERM function sets and enforces limit triggers and escalation policies that are consistent with the Board-approved risk appetite.
TASConnect’s risk appetite is the approved boundary for the risk that TASConnect is willing to undertake. It is set within the risk capacity, which is defined as the maximum level of risk that TASConnect can assume, given its current capabilities and resources, before breaching constraints determined by capital and liquidity requirements, internal operating environment, or otherwise failing to meet the expectations of regulatory authorities and law enforcement agencies.
2. CONDUCT RISK MANAGEMENT
It is important for TASConnect to manage Conduct Risk in order to deliver positive outcomes to investors, shareholders, counterparties, employees, markets, and competition, and provide all employees with a fair and safe working environment that is free from discrimination, exploitation, bullying, harassment, or inappropriate language.
TASConnect will be responsible for ensuring that the employees identify, mitigate, and monitor Conduct Risk.
TASConnect must demonstrate that Conduct Risk is considered when making material strategic decisions that may impact clients, investors, shareholders, counterparties, employees, markets, and competition.
3. THREE (3) LINES OF DEFENCE
The primary responsibility for the ERM function is to ensure it is conducting its monitoring and oversight role adequately across all risk types.
TASConnect’s processes must implement a maker-checker model with roles and responsibilities outlined below:
Table 1: Risk Management Activities
| Line of defence | Role |
|---|---|
| First Line | The business or function engaged in or supporting revenue-generating activities that owns and manages the risks in these activities. |
| Second Line | The control functions independent of the First Line that provide oversight and challenge of risk management. |
| Third Line | The internal audit function provides independent assurance on the effectiveness of controls that support First Line’s risk management of business activities, and the processes maintained by the Second Line. |
4. REPORTING AND BREACH HANDLING PROCESS
4.1 For escalation-level breaches, the business (First Line) is to inform the ERM function and the respective Risk Framework Owner (“RFO”) to agree on treatment plans. The escalation-level breach together with the treatment plans must be tabled at the ERC for tracking until the treatment plans are completed and the RA Metric is no longer in breach.
4.2 For RA breaches, the business (First Line) is to inform the ERM function and respective RFO as soon as possible. This will be considered as a Material Event and requires further escalations in accordance.
4.3 Treatment plans for an RA breach are to be formulated within 72 hours of breach discovery. The treatment plans must be endorsed by the RFO and SCV RFO and approved by the Board. Treatment plans must be presented to the next ERC and the Board and must be tracked by these governance bodies until closure.
TASConnect’s risk profile provides a complete and forward-looking profile of the elevated inherent risks that TASConnect is exposed to. It contains the following elements:
- A Process Universe that outlines the key operational elements and processes to deliver the client experience for the service/product offered by TASConnect.
- Inherent risk assessment conducted by the First Line (Process Owners) to identify and assess the inherent risks at each stage of the Process Universe. The Second Line (RFO/SME) approves the said risk assessment performed by the First Line.
- Controls are designed and installed to mitigate the inherent risks. First Line monitors the effectiveness of the controls through Key Control Indicators (“KCIs”) and/or Control Sample Tests (“CSTs”) to provide early warning of potential problems. This approach is an ongoing exercise to reflect on the latest risk exposure of TASConnect.
- Residual risks are assessed by the First Line (Process Owner) taking into account the design and operating effectiveness of controls implemented. The Second Line (RFO/SME) approves the residual risk assessment performed by the First Line (Process Owners).
6. RISK GOVERNANCE AND OVERSIGHT
This ERM framework is a unifying framework that is consistent with, and supported by, the Company’s values of integrity, team, service excellence, and winning. This ERM philosophy directs all of TASConnect’s ERM activities and enables management to clearly understand the tradeoffs between risk and return in decision making.
Risk will be measured, either qualitatively or quantitatively, relative to specific performance measures associated with the objectives, whether financial, operational or otherwise, to be actionable. By using the same, or a congruent, unit of measure established for their objectives, the results are more meaningful to management and reduce the need for the development of separate measures. In doing so, ERM becomes embedded into management processes.
Effective ERM requires appropriate and timely information that supports management decisions.
6.1 First and Second Line staff are to undertake regular horizon scanning to identify and monitor the impact of emerging risks, to learn lessons from events that have produced adverse outcomes, and to raise awareness of known risks.
6.2 Risk management reports will contain risk information that allows TASConnect to appropriately identify, monitor and report on material risks.
6.3 Management must promptly escalate the following Material Events:
- any breaches,
- any events or issues,
- any residual risks, and
- any other issue.