Risk governance and management

Programs managed by NCEs that are classified as SIVs should refer to the following guidance as it applies to investments or the investment portfolio under the program.

SIVs should consider risk and uncertainty concepts as part of their operations.

The Commonwealth Risk Management Policy defines risk as the effect of uncertainty on objectives. An effect is a deviation from the expected positive and/or negative. Examples of risks include strategic, enterprise, operational, project and emerging.

Further guidance is available in RMG-211 Implementing the Commonwealth Risk Management Policy.

In some instances, SIVs may also find it useful to consider the concept of uncertainty as distinct to risk, such as where there are material uncertainties where the probability of occurrence is difficult to predict, and the outcomes are challenging to quantify.

Infrastructure Australia’s Guide to risk and uncertainty analysis sets out some principles around when uncertainties for infrastructure projects should be thought about differently to risk. The principles also have relevance to corporates and their relevance should be assessed.

Risk management framework

Consider best practice when establishing a risk management framework.

The key elements of risk governance and management best practice are to:

maintain a risk management framework that is appropriate to the size, business mix and complexity of the SIV
maintain a board-approved risk appetite statement and, where appropriate, scenario planning for material uncertainties
maintain a board-approved risk management strategy that describes the key elements of the risk management framework that give effect to the approach to managing risk and uncertainty
ensure the board-approved business plan sets out the approach for implementing the strategic objectives of the SIV
maintain adequate resources to implement these expectations.

SIVs should align their risk management frameworks and systems with the ISO 31000 risk management standard, the Commonwealth Risk Management Policy and relevant and appropriately tailored principles from APRA Prudential Standard CPS 220 as best practice where appropriate and taking account any applicable Investment Mandate and legislative requirements.

This alignment includes considering adopting a Three Lines of Defence risk model.

The Three Lines of Defence risk model comprises of:

Line 1 (risk owners): management and staff who manage risks as part of their day-to-day duties, which includes making informed decisions.
Line 2 (review and challenge function): risk management function(s) that typically support the first line of defence with guidance, policies and frameworks to implement risk management into day-to-day processes. The second line is responsible for ongoing maintenance and enhancement of the risk management framework and provides oversight of an entity’s risk profile and the risk management framework.
Line 3 (independent assurance): an independent assurance and advice function advising senior management and the accountable authority on the governance and risk management controls of the organisation. This is typically performed by an audit function.

The extent of the Three Lines of Defence will depend on the size and functions of the SIV. In some cases, a blending of line functions may be appropriate.

Risk oversight

The SIV board is responsible for risk oversight.

The accountable authority of a SIV, which is typically the entity’s board, has a duty to establish systems of risk oversight and management and internal control as per section 16 of the PGPA Act.

Further guidance on this duty is available in RMG-200 Duties of accountable authorities.

In doing so the board must ensure that:

it sets the risk appetite for management to operate within and approves the SIV’s risk appetite statement and risk management framework
a corporate plan or business plan is developed that sets out the approach for implementing the strategic objectives of the SIV
it forms a view of the risk culture, and the extent to which that culture supports the ability of the SIV to operate consistently within its risk appetite and apply any required changes
senior management monitors and manages all material risks consistent with the board-approved strategic objectives, risk appetite statement and policies
the operational structure of the SIV facilitates effective risk management
policies and processes are developed for risk-taking that are consistent with the risk management framework and the established risk appetite
sufficient resources are dedicated to risk management
it recognises the uncertainties, limitations and assumptions attached to measuring each material risk.

Independent and comprehensive reviews

Undertake independent reviews of the risk management framework.

An independent and comprehensive review of the risk management framework covering appropriateness, effectiveness and adequacy should be undertaken at least every three years by operationally independent, appropriately trained and competent persons (this may include external consultants). The exact timing and frequency of these reviews will be dependent on the nature and context of the entity’s operations. The results of these reviews must be reported to the board with any findings notified to responsible ministers.

Categories of risk

Consider key categories of risk.

The risk management framework should address the following categories of risk:

strategic risks: the risk of not achieving strategic objectives as set out in the SIV's enabling legislation, regulation, Investment or Operating Mandates and corporate plans
financial risks: such as market risk, credit risk, counterparty credit risk, liquidity risk, funding risk or other financial risks as relevant to the context the SIV
operational risks: the risk of an unwanted operational event with financial, regulatory, compliance or reputational impact, including climate risk
shared risks: those risks extending beyond a single entity which require a collaborative effort of shared oversight and management, such as risks that may arise during a collaborative endeavour or joint investment. Further guidance on shared risk is available in the Commonwealth Risk Management Policy.

Legal, compliance and reputational risk (both to the SIV itself and the Government) should be considered across the above risk categories.

Risk Appetite Statement

Maintain a comprehensive board approved Risk Appetite Statement aligned with Government settings.

A SIVs Risk Appetite Statement should be consistent with its legislative requirements, Investment Mandate, Statement of Expectations (if issued) and, consider the guidance provided in the Commonwealth Risk Management Policy. The Risk Appetite Statement should contain thresholds, targets, benchmarks and risk tolerances for both financial and non-financial risks as relevant.

Valuation principles and portfolio sensitivities

Establish valuation methodology principles and understand portfolio sensitivities.

Valuation methodology principles

Develop robust valuation methodology principles for different investment types (excluding grants).

Valuation methodologies are essential to understanding how the value of the investment portfolio changes based on the specific conditions of individual investments. SIVs should adopt fit for purpose valuation methodology principles that, at a minimum, consider the following:

how frequently will valuations be conducted?
- consider the balance of frequency given the nature of the underlying investment together with the availability of data, cost and price discoverability.
how comprehensive does your valuation need to be?
- consider the balance of robustness and accuracy against ease and cost given the nature of the underlying investment.
who should conduct the valuation?
- consider whether the valuation should be completed internally, independently or a combination of both.
what are the project specific factors?
- consider the project specific risks, including the asset type, sector, project stage, financial structure, development type, investment horizon, geography and macroeconomic factors.

Stress testing and sensitivity analysis

Undertake periodic sensitivity analysis, scenario analysis and stress testing.

Sensitivity analysis, scenario analysis and stress testing are essential to understanding how investment portfolios fare in different economic scenarios and are an important part of an overall risk management strategy. The analysis should reflect the size, scale and complexity of the SIV. This may not be appropriate across all investment types such as grants.

Sensitivity analysis considers the impacts of independent variations in major economic and other key input variables which could impact key target policy or financial outcomes. This type of analysis could be useful, for example, in considering the impact of a forecast error on an individual economic parameter or portfolio returns. Examples of input variables include but are not limited to:

market risks, such as interest rate or inflation assumption changes, commodity or input price changes and currency fluctuations
operational risks, such as schedule delays, supply shocks affecting multiple investments and significant cyber security incidents.

Stress testing should look to severe yet plausible scenarios. SIVs should also have established methods for anomaly detection and horizon scanning.

Testing scenarios can quantify the impacts from variations to the economic outlook or major shocks impacting multiple investments. Analysis of economic scenarios can take account of the intricate linkages in the Australian economy and the influence of global variables to determine their effects on policy or financial outcomes for the portfolio to provides a better understanding of the impacts of a future general economic environment being materially different from expectations.