Risk Management Framework


Our Risk Management Framework (Framework) explains our core principles and the types of risk that we face. The Framework forms the basis of the Risk Appetite Statement and the Risk Control Matrix. The Framework is a high-level public document and is disclosed in the Annual Report and on our website.

Our Risk Appetite Statement (RAS) is not a public document as it describes in detail the way our risk appetite and tolerance (qualitative and quantitative limits) are established and subsequently controlled. Risk appetite is a fundamental part of both risk management and capital management. Our approach to risk management and capital management is based around assessing the level of, and appetite for risk, and ensuring that the level and quality of capital is appropriate for that risk profile.

Similarly, the Risk Control Matrix (RCM) is not a public document as it sets out each of the risks we face along with mitigants we have in place and the people responsible for managing these risks. It also includes management’s ratings regarding the likelihood and consequences of each risk. By assigning practical responsibilities to team members and management, the RCM engenders a culture of risk awareness. Risks are classified depending on their nature: strategic, reputation, credit/country, market and operational/financial.

Core Principles

Our risk management is built on a foundation that includes:

  • an awareness and commitment to a single purpose, common principles and Code of Conduct and Conflicts of Interest policies that are reviewed and renewed periodically;
  • a suite of policies and procedures which are supplemented by supportive systems and processes;
  • human resources practices intended to recruit, develop and retain employees with the required specialist skills;
  • delegation of responsibility and accountability for outcomes;
  • control processes including detailed management reporting, a system of independent review and Board oversight;
  • an operational philosophy that seeks to anticipate and mitigate risks before they occur and that reflects on the lessons learned when problems arise; and
  • embedding risk awareness in culture and practices through learning and development.

Roles and responsibilities

The Board is ultimately responsible for setting our risk appetite and tolerances. The Board Audit Committee is responsible for overseeing all aspects of risk management and internal control. This includes compliance activity, the audit program, the appropriateness of financial reporting and performance reporting and the adequacy of accounting policies and procedures.

The Executive and Senior Leadership Team are responsible for implementing the Board approved risk management strategy and developing policies, processes, procedures and controls for identifying and managing risks in all areas of activity.

To assist with risk management, there are several committees that perform specific functions:

  • the Executive Committee, chaired by the Managing Director & Chief Executive Officer, examines all aspects of our business with a focus on operational risks and incident reporting.
  • the Credit Committee, chaired by the Chief Credit Officer, examines credit policy and practices, and potential large exposures.
  • the Risk and Compliance Committee, chaired by the Chief Risk Officer, examines, monitors and regulates compliance risks.
  • the Treasury Risk Review Committee, chaired by the Treasurer, examines treasury activities, limits, noteworthy transactions and current issues.
  • the Work Health and Safety Committee, chaired by the Chief Operating Officer, examines all risks in the workplace (including in an agile environment).
  • the Business Continuity Planning Steering Committee, chaired by the Chief Operating Officer, coordinates crisis management and business continuity planning.

The Board has engaged an independent internal audit service provider to review risk management and internal controls. Deloitte report to the Board via the BARC and the Executive team. They have full access to staff and information when conducting their reviews.

The Australian National Audit Office (ANAO) and their appointed agent review our financial statements independently.

The Chief Risk Officer is responsible for the management of this Framework including its regular review and renewal. The review process entails extensive consultation with internal and external stakeholders to ensure consistency.

Types of risk

We maintain a comprehensive list of risks that we manage across the business. This list results from internal consultation within the management team and is reviewed regularly. Risks fall into the following categories:

  • Strategic risk – the risk to income, expenses and capital or to product offerings as a result of ineffective corporate planning, specific government policy, trade policy, dividend policy or other legislative implications or poor decision-making or implementation of those decisions.
  • Reputational risk – the risk of deterioration in our reputation from our actions or arising from adverse publicity regarding our business practices, whether true or not.
  • Credit and country risk – the risk that counterparties will default on obligations resulting in an expected or actual financial loss.
  • Market risk – the risk of any fluctuation in the value of a portfolio resulting from adverse changes in market prices and parameters including interest rates and exchange rates.
  • Operational and financial risk – the risk of loss resulting from inadequate or failed internal operational or financial processes and systems, the actions of people (human risk) or from external events.

Summary of Risks

Strategic risk

The framework within which strategic risk is managed is as follows:

  • The Board approves our Corporate Plan. The Corporate Plan outlines the key business strategies and objectives identified from the Strategic Planning cycle. The Corporate Plan focuses on key performance indicators (both quantitative and qualitative) and outlines financial projections over a four-year period for the Commercial Account. Performance indicators are not formally set for the National Interest Account as these transactions are subject to a decision by the Minister. The Corporate Plan is a public document and once approved by the Board, is sent to the Minister.
  • The Board approves our Annual Report. The Annual Report, including the Annual Performance Statement, brings together our financial performance and achievements against planned performance outlined in the Corporate Plan. The Annual Report is a public document and once approved by the Board, is sent to the Minister for tabling in Parliament.
  • Credit and market risk appetite are agreed by the Board at least annually after a review of the business environment and consideration of key risks.
  • The Board reviews strategies and performance in key functional areas, including when providing services to other Commonwealth entities or departments, on a periodic basis.
  • Regular dialogue with the Government at Board and Executive level to address government policy, trade policy or other legislative implications.
  • Management reports financial outcomes monthly and our position against high-level key performance indicators quarterly.
  • Independent internal auditing and reporting to the Executive and Senior Leadership Team, the BARC and the Board.
  • Independently audited financial reports are prepared annually.

Reputational risk

The framework within which reputational risk is managed is as follows:

  • The Corporate Responsibility Policy outlines engagement with key stakeholders and includes a Policy and Procedure for Environmental and Social Review of Transactions.
  • OECD mandated commitments on Export Credits such as the Arrangement on Officially Supported Export Credits; the Action Statement on Bribery and Officially Supported Export Credits; and the Common Approaches on Export Credits and the Environment.
  • The EFIC Act, Code of Conduct and Conflict of Interest policies under which employees are required, for example, to respect the confidentiality of information concerning Export Finance Australia and its clients.
  • The PGPA Act, which is a principles-based framework with rules and guidance, helps establish a coherent approach to the use and management of public resources.
  • Detailed policies and procedures are reviewed by the Risk and Compliance Committee and submitted for approval to the BARC and Board including in relation to AML/CTF and Fraud.
  • Detailed Service Level Agreements (SLAs) that clearly specify the role and responsibilities when Export Finance Australia is providing services to other Commonwealth entities or departments.
  • Mandatory annual compliance training is undertaken by all employees.
  • Independent internal auditing and reporting to the Executive and Senior Leadership Team, the BARC and the Board.

Credit and country risk

The framework within which credit and country risk is managed is as follows:

  • The Board approves our Credit Policy. The Credit Policy sets out the framework for the management of credit risk within Export Finance Australia.
  • The Credit Committee, chaired by the Chief Credit Officer, examines credit policy and practices, and potential large exposures.
  • A delegation framework ensures larger exposures are reviewed by the Executive and Senior Leadership Team, the Board and Government representatives (as appropriate).
  • Given the higher risk nature of the portfolio, intensive client account management is performed throughout the life of an exposure. Systems have been developed to support client account management.
  • Management reporting to the Board includes:
    • a credit report (at each meeting)
    • country commentary (at each meeting) and a comprehensive review of all countries (annually)
    • portfolio stress testing (at least annually)
    • exceptional cases (reported as they arise).
  • Independent internal auditing and reporting to the Executive and Senior Leadership Team, the BARC and the Board.

Market risk

The framework within which market risk is managed is as follows:

  • A Treasury Policy and the Credit Policy set out the framework for the management of our market risk.
  • The Board and Government provide parameters within which activity can take place.
  • The Treasury Risk Review Committee, chaired by the Treasurer, meets periodically to review factors affecting the portfolio, discuss upcoming transactions and related issues.
  • A delegation framework ensures involvement of the Executive, Senior Leadership Team and the Board in significant market risk management decisions.
  • Systems support treasury operations within the parameters set by the Board, the Government and the delegation structure.
  • Management reporting includes Treasury reporting quarterly to the BARC and regularly to the Board including the reporting of exceptional matters as they arise.
  • Independent internal auditing and reporting to the Executive and Senior Leadership Team, the BARC and the Board.

Operational and financial risk

The framework within which operational and financial risk is managed is as follows:

  • The full range of operational and financial risks that we must manage has been identified and is updated annually in the context of the Corporation’s corporate planning. The Executive and Senior Leadership Team is involved in the update.
  • Specific policies and procedures and other control responses are in place to deal with each identified risk.
  • Fortnightly Executive team and regular management meetings facilitate ongoing oversight of key risks.
  • Regular meetings with Government agencies or departments on services provided under a legislative requirement and/or through detailed SLAs.
  • Employees are required to report customer complaints and incidents to their immediate manager, or alternatively to any member of the Executive or Senior Leadership Team, as they arise. Any incidents and follow up actions are regularly reported to the Board.
  • Employees are required to report compliance breaches to their immediate manager, or alternatively to any member of the Executive or Senior Leadership Team, as they arise. Annually each member of the Senior Leadership Team makes a compliance declaration for actions within their area of responsibility and each member of the Executive makes a compliance declaration to the BARC.
  • Semi-annual written representation letters in relation to the financial accounts are signed by the Managing Director & Chief Executive Officer and Chief Financial Officer and tabled at the BARC and Board.
  • External auditing by the ANAO or their representatives and reporting to the Executive and Senior Leadership Team, the BARC and the Board.

Review

The Risk Management Framework is reviewed annually.