Risk Management

OVERVIEW AND GOVERNANCE

The NTMA’s approach to risk management is based on the “three lines of defence” model and is designed to support the delivery of its mandates by proactively managing the risks that arise in the course of the NTMA pursuing its strategic objectives.

The Agency sets the Risk Management Policy and Framework and the Risk Appetite Framework. The Audit and Risk Committee assists the Agency in the oversight of the risk management framework including monitoring adherence to risk governance and risk appetite and ensuring risks are properly identified, assessed, managed and reported.

An executive Enterprise Risk Management Committee (ERMC) oversees the implementation of the NTMA’s overall risk appetite and senior management’s establishment of appropriate systems to ensure enterprise risks are effectively identified, measured, monitored, controlled and reported. The ERMC is responsible for ensuring that material risks across the NTMA are reported in a consistent and integrated manner to the Audit and Risk Committee.

POLICY AND FRAMEWORK

The Risk Management Policy and Framework defines the standards for risk management across the organisation and sets out the arrangements by which this is achieved. These include the objectives, policy, framework, responsibilities and processes that support the effective and integrated management of risk, consistent with the Agency’s agreed risk appetite. The NTMA has defined its risk appetite for each of its key risk categories and measures risk exposures through the use of key risk indicators.

The Risk Management Policy and Framework and Risk Appetite Framework are reviewed annually to ensure that they remain relevant and up to date.

RISK ASSESSMENT

The risk assessment processes are designed to ensure that the NTMA manages its risk within its agreed risk appetite, that material risks are identified, and that management of risk is monitored within clearly defined and delineated roles and responsibilities.

Each individual business unit is required to self-assess and review its risks and record them in risk registers. The review:

  • Identifies or re-confirms and classifies the risks to the business;
  • Assesses the inherent risk impact and likelihood;
  • Identifies proposed treatments and controls; allocates owners for any agreed action plans; and
  • Reports on the implementation of measures and controls to address the residual risks.

Business units present their risk registers to the ERMC and the Audit and Risk Committee at least annually.

[Figure: Three Lines of Defence Model]

PRINCIPAL RISKS

The ERMC performs a formal strategic risk assessment twice annually, the purpose of which is to identify the principal risks from an NTMA-wide perspective. The principal risks are then assessed by the Audit and Risk Committee and the Agency.

Principal Risks

Risk: Economic, Geopolitical and Market Risk
Risk Description: Extreme economic conditions, market volatility and unpredictable geopolitical landscape could adversely impact the NTMA. Possible consequences include problems with access to funding or investment opportunities, deterioration of debt sustainability, increased debt service costs or unfavourable investment returns.
Risk Mitigation Measures:
  • Active market, counterparty credit and liquidity risk management, governed by policies that are reviewed and approved annually by the Audit and Risk Committee and/or the Agency.
  • Ongoing monitoring and reporting of market and macro-economic trends and implications, and of key market and liquidity risk indicators.
  • Pre-emptive, preventative or corrective actions are taken as required.

Risk: Investment Risk
Risk Description: The NTMA is responsible for making investments as part of its mandate. These include both direct investments and commitments to third party investment managers. Adverse economic and market conditions, poor investment decisions, or poor management of pre and post investment processes, could lead to significant financial and/or reputational damage.
Risk Mitigation Measures:
  • ISIF Investment Strategy approved by the Agency, on the recommendation of the Investment Committee.
  • All new ISIF Irish Portfolio investments are subject to second line review prior to approval by the Investment Committee and/or Agency as appropriate.
  • All ISIF Global Portfolio investments are in line with the Global Portfolio Transition Strategy approved by the Agency, on the recommendation of the Investment Committee.
  • Ongoing reviews, monitoring and reporting of the ISIF Irish Portfolio, and of the ISIF Global Portfolio, including key investment risk indicators reported to Investment Committee, Audit and Risk Committee and to the Agency.

Risk: Stakeholder Risk
Risk Description: The NTMA has a wide and diverse stakeholder group, including Government Ministers and Departments, the public, market and investment counterparties. Given that its primary business objectives are principally mandated by legislation and ministerial guidelines, failure to engage with, and/or manage stakeholder expectations, could impact its ability to achieve its objectives.
Risk Mitigation Measures:
  • A managed programme of strategic engagement with all key stakeholders, including those in Government, the wider State sector, and other key stakeholders such as the public, market and investment counterparties.

Risk: Behavioural Risk
Risk Description: Ethical employee behaviour is critical in maintaining the NTMA’s reputation. Failure to conduct our activities in a trustworthy, compliant, and transparent manner could affect the delivery of the NTMA’s mandates, negatively impacting its reputation.
Risk Mitigation Measures:
  • Promotion of a culture of ethical behaviour and compliance amongst employees, supported by key policies such as the Code of Practice on Confidentiality and Professional Conduct and the Protected Disclosures Policy.
  • Promulgation of the Code of Practice for the Governance of State Bodies.
  • Key internal controls and anti-fraud measures in place such as authorisation limits and segregation of duties.
  • Training programmes on key compliance risks are delivered to all employees on a regular basis.
  • Regular monitoring, reporting and oversight of behavioural risk.
  • Audits: risk-based internal audits and external audits by Comptroller and Auditor General.

Risk: Operational Risk
Risk Description: Operational risk is inherent in all the NTMA’s activities. The NTMA considers risks relating to transaction processing and reporting, information technology, data protection and security, cyber-attack, and business continuity to be its key operational risks. In particular, cyber threats have the potential to significantly disrupt core operations and/or damage the NTMA brand.
Risk Mitigation Measures:
  • Risk and control assessment processes ensure control measures are adequate to address operational risks.
  • Defined processes and procedures, supported by employee training.
  • Continuous monitoring of IT systems’ security, supported by expert external advice on emerging trends and cyber threats.
  • Dedicated oversight committees for monitoring and reporting of operational risks.
  • An active business continuity management programme, with regular testing of plans and scenarios.

Risk: Third Party Risk
Risk Description: The NTMA relies on a number of critical third parties in order to deliver its mandates. Failure of the NTMA to oversee and manage critical third parties, or failure by the third party to deliver on the terms of the contract or service agreement, or act in a manner consistent with the NTMA’s requirements, could lead to financial and/or reputational damage.
Risk Mitigation Measures:
  • Defined third party risk management processes and tools.
  • Ongoing monitoring, reporting and oversight of critical third party performance.

Risk: Change Risk
Risk Description: Projects and initiatives such as regulatory and mandate changes, implementing new IT systems and moving premises, involve a changing operational risk environment and operational risk exposure. Lack of a strategic, coordinated and comprehensive approach to managing change could lead to significant business disruption, financial loss or reputational damage.
Risk Mitigation Measures:
  • Project boards are established for all key strategic projects and programmes of the NTMA, with regular reporting on project status and key project risk indicators.
  • Appropriate allocation of resources to key projects.
  • New products and processes are assessed by the Products and Processes Committee.

Risk: People and Culture Risk
Risk Description: The NTMA conducts a range of specialised activities on behalf of the State. Failure to recruit, retain and develop a sufficiently skilled and experienced workforce, or maintain a culture of openness and self-leadership may negatively impact its ability to execute its mandates.
Risk Mitigation Measures:
  • The NTMA deploys/operates a structured recruitment and selection process.
  • A range of HR policies and procedures help to ensure best practice in HR management.
  • Extensive learning and development programme in place, including continuing professional development (CPD) and education supports.
  • Promotion of a culture of self-leadership and encouragement of openness and transparency in monitoring and reporting risks, supported by policies and reporting procedures.

There may be other risks and uncertainties that are not yet considered material or not yet known to the Agency and the principal risks may change to accommodate such developments.