Overview and Governance
The NTMA’s approach to risk management is designed to support the delivery of its mandates by proactively managing the risks that arise in the course of the NTMA pursuing its strategic objectives. In 2015 the NTMA completed the roll-out of the new risk governance structure established in 2014, which is based on the ‘three lines of defence’ model, and appointed a Chief Risk Officer (CRO). An assessment of the organisation’s strategic risks was conducted and a number of key policies, including the revised Risk Management Policy and Framework and the Risk Appetite Framework, were put in place.
The Agency has established a Risk Committee to assist it in the oversight of the risk management framework. The Risk Committee sets standards for the accurate and timely monitoring of critical risks and reviews reports on any material breaches of risk limits and the adequacy of any proposed action.
An executive Enterprise Risk Management Committee (ERMC), comprising members of the NTMA senior management team, oversees the implementation of the NTMA’s overall risk appetite and senior management’s establishment of appropriate systems to ensure enterprise risks are effectively identified, measured, monitored, controlled and reported. It is responsible for ensuring that material risks across the NTMA are reported in a consistent and integrated manner to the Risk Committee.
A number of specialist risk committees report to the ERMC, including the Operational Risk and Control Committee, the Market and Liquidity Risk Committee and the Counterparty Credit Risk Committee.
Policy and Framework
The NTMA Risk Management Policy and Framework defines the standards for risk management across the enterprise and sets out the arrangements by which this is achieved. These include the objectives, policy, framework, responsibilities and processes that support the effective and integrated management of risk, consistent with the Agency’s agreed risk appetite. The NTMA has defined its risk appetite for each of its key risk categories and measures risk exposures through the use of key risk indicators. The Risk Management Policy and Framework is reviewed on an annual basis to ensure that it remains relevant and up to date.
Three Lines of Defence Model
Risk Management and other Control Functions
The risk assessment processes are designed to ensure that the NTMA manages its risk within its agreed risk appetite, that material risks are identified and that management of risk is monitored within clearly defined and delineated roles and responsibilities.
Each individual business unit is required to self-assess and review their risks and record them in risk registers. The review:
- Identifies or re-confirms the risks to the business.
- Assesses the inherent risk impact and likelihood.
- Identifies proposed treatments and controls; allocates owners for any agreed action plans.
- Reports on the implementation of measures and controls to address the residual risks.
All business units present their risk registers to the ERMC and Risk Committee at least annually. The ERMC performs a “top-down”, strategic risk assessment twice annually, the purpose of which is to identify and agree the main risks from an NTMA-wide perspective.
Business continuity is an integral part of the risk management framework, building organisational resilience and allowing the NTMA to continue operating following a disruptive event. The business continuity management programme’s main elements include business continuity plans based on impact analyses and on-going tests of continuity arrangements.
The principal risks faced by the NTMA were identified in the bi-annual strategic risk assessments conducted in 2015. There may be other risks and uncertainties that are not yet considered material or not yet known to the NTMA and the principal risks may change to accommodate such developments.
| Principal Risk | Description |
|---|---|
| Economic and Market Risk | Extreme economic conditions and market volatility could adversely impact the NTMA. For example, uncertainties over the UK’s relationship with the EU, or risks to the stability of the EU itself, could have extreme consequences for the Irish economy. Possible consequences include problems with access to funding or investment opportunities, deterioration of debt sustainability, increased debt service costs and poor returns. |
| People Risk | The NTMA conducts a range of specialised activities on behalf of the State. Failure to recruit and retain a sufficiently skilled and experienced workforce may negatively impact its ability to execute its mandates. |
| Operational and Business Continuity Risk | Operational risk is inherent in all the NTMA’s activities. The NTMA considers transaction processing, cyber risk, fraud risk, business continuity risk and business unit start-up risk to be its key operational risks. |
| Stakeholder Risk | The NTMA’s business objectives are principally mandated by legislation and ministerial guidelines. Policy changes may result in new or revised mandates that could impact the NTMA’s ability to achieve its objectives. |
| Investment Risk | The NTMA is responsible for making external investments as part of its mandate. These include both direct investments and commitments to third party investment managers. Poor investment management could lead to significant financial and/or reputational damage. |
| Third Party Risk | The NTMA relies on a number of third party suppliers in order to deliver its mandates. Failure of the NTMA to oversee and manage third parties, or failure by the third party to deliver or act in a manner consistent with the NTMA’s requirements, could lead to financial and/or reputational damage. |