Risk Management
Overview and Governance
The NTMA’s approach to risk management is based on the “three lines of defence” model and is designed to support the delivery of its mandates by proactively managing the risks that arise in the course of the NTMA pursuing its strategic objectives. During 2016, the NTMA continued to develop its risk management programme, including its second-line investment risk management function and expanded and enhanced its risk monitoring and reporting.
The Agency sets the Risk Management Policy and Framework and the Risk Appetite Framework. The Audit and Risk Committee assists the Agency in the oversight of the risk management framework including monitoring adherence to risk governance and risk appetite and ensuring risks are properly identified, assessed, managed and reported.
An executive Enterprise Risk Management Committee (ERMC) oversees the implementation of the NTMA’s overall risk appetite and senior management’s establishment of appropriate systems to ensure enterprise risks are effectively identified, measured, monitored, controlled and reported. The ERMC is responsible for ensuring that material risks across the NTMA are reported in a consistent and integrated manner to the Audit and Risk Committee.
Policy and Framework
The Risk Management Policy and Framework defines the standards for risk management across the organisation and sets out the arrangements by which this is achieved. These include the objectives, policy, framework, responsibilities and processes that support the effective and integrated management of risk, consistent with the Agency’s agreed risk appetite. The NTMA has defined its risk appetite for each of its key risk categories and measures risk exposures through the use of key risk indicators.
The Risk Management Policy and Framework and Risk Appetite Framework are reviewed annually to ensure that they remain relevant and up to date.
Risk Assessment
The risk assessment processes are designed to ensure that the NTMA manages its risk within its agreed risk appetite, that material risks are identified, and that management of risk is monitored within clearly defined and delineated roles and responsibilities.
Each individual business unit is required to self-assess and review their risks and record them in risk registers. The review:
- Identifies or re-confirms and classifies the risks to the business.
- Assesses the inherent risk impact and likelihood.
- Identifies proposed treatments and controls; allocates owners for any agreed action plans.
- Reports on the implementing of measures and controls to address the residual risks.
All business units present their risk registers to the ERMC and Audit and Risk Committee at least annually.
Principal Risks
The ERMC performs a strategic risk assessment twice annually, the purpose of which is to identify the principal risks from an NTMA-wide perspective. The principal risks are then assessed by the Audit and Risk Committee and the Agency.
Principal Risks
| Risk | Risk Description |
|---|---|
| Economic, Geopolitical and Market Risk | Extreme economic conditions, unpredictable political landscape and market volatility could adversely impact the NTMA. Possible consequences include problems with access to funding or investment opportunities, deterioration of debt sustainability, increased debt service costs or unfavourable investment returns. |
| Investment Risk | The NTMA is responsible for making investments as part of its mandate. These include both direct investments and commitments to third party investment managers. Poor investment decisions or management of pre and post investment processes could lead to significant financial and/or reputational damage. |
| Stakeholder Risk | The NTMA has a wide and diverse stakeholder group, including Government Ministers and Departments, market counterparties and investment partners. Given that its primary business objectives are principally mandated by legislation and ministerial guidelines, failure to engage with, and/or manage stakeholder expectations in the context of competing priorities, could impact its ability to achieve its objectives. |
| Behavioural Risk | Unethical behaviours, lack of transparency or accountability could affect the delivery of the NTMA’s mandates, negatively impacting its reputation. |
| Operational Risk | Operational risk is inherent in all the NTMA’s activities. The NTMA considers risks relating to transaction processing, information technology, data security, cyber-attack, fraud, and business continuity to be its key operational risks. |
| Third Party Risk | The NTMA relies on a number of third party suppliers in order to deliver its mandates. Failure of the NTMA to oversee and manage third parties, or failure by the third party to deliver or act in a manner consistent with the NTMA’s requirements, could lead to financial and/or reputational damage. |
| Change Risk | The NTMA is undergoing extensive change in a number of areas, which includes moving premises and implementing significant new IT systems. Lack of a strategic, coordinated and comprehensive approach to managing change could lead to significant business disruption, financial loss or reputational damage. |
| People and Culture Risk | People The NTMA conducts a range of specialised activities on behalf of the State. Failure to recruit, retain and develop a sufficiently skilled and experienced workforce may negatively impact its ability to execute its mandates. Culture A culture that allows the NTMA’s people to openly discuss and act on the organisation’s current and future risks is essential. Any erosion of that culture may impact negatively on the NTMA’s people and its ability to achieve its strategic goals. |
There may be other risks and uncertainties that are not yet considered material or not yet known to the Agency and the principal risks may change to accommodate such developments.