EFIC's Risk Management Framework describes the manner in which EFIC's risk appetite and tolerance is established and subsequently controlled. The Framework sets out core principles, outlines roles and responsibilities, categorises the risks that EFIC faces and identifies the broad strategies it has adopted to manage those risks.
A key element in the Risk Management Framework is the Risk Control Matrix (RCM), which sets out each of the individual risks that the business faces as well as the mitigants in place and the people responsible for managing the risks. It also includes management’s ratings regarding the likelihood and consequences of each risk. By assigning practical responsibilities to individuals and management, the RCM engenders a culture of risk awareness.
Risks are classified depending on their nature: strategic, reputation, credit/country, market and operational/financial. Operational and financial risks are broken down into a number of sub-categories: general processes, external regulation, internal policies, domestic and international laws, and events. Various probability factors are allocated to each risk event, as well as the likelihood of the risk event occurring given existing controls. In this regard, the RCM attempts to capture all of the risks EFIC is managing.
The development of the Risk Management Framework underlines EFIC's commitment to continuously improve its risk management practices, with particular emphasis on planning to identify new risks.
The Board is of the view that risk appetite goes to the heart of how EFIC does business. A clear statement of our risk appetite is important in giving key stakeholders like clients, Government, employees and regulators an indication of how EFIC will operate from a risk-taking perspective and the type of risk culture that EFIC promotes.
In order to ensure effective monitoring and governance, EFIC’s risk appetite incorporates a balanced mix of both quantitative and qualitative measures. These are monitored within well established risk policies, risk tolerances and operational limits set by the Board, the Export Finance and Insurance Corporation Act 1991 ("Cth") ("EFIC Act") and the associated Export Finance and Insurance Corporation Regulations 1991, and the Commonwealth Authorities and Companies Act 1997 (Cth) ("CAC Act") and the regulations and orders made under it.
Risk appetite is set within a range from “risk intolerant” to “risk tolerant”. EFIC willingly accepts risks that are aligned with its risk culture and are consistent with its role of providing services in the segment of the credit and insurance services market where the capacity of commercial financiers or insurers is limited or insufficient to support the needs of financially viable Australian exporters and investors.
RISK MANAGEMENT FRAMEWORK
EFIC's risk management is built on a foundation that includes:
- awareness and commitment to a single mission, common objectives, shared values and a Code of Conduct that are reviewed and renewed periodically
- a suite of policies and procedures which are supplemented by supportive systems
- human resources practices intended to recruit, train and retain employees with the required specialist skills
- delegation of responsibility throughout EFIC and accountability for outcomes
- control processes including structured management reporting, a system of independent review and Board oversight
- an operational philosophy that seeks to anticipate and mitigate risks before they occur and that reflects on the lessons learned when problems arise.
Roles and responsibilities
The Board is ultimately responsible for setting EFIC's risk appetite and tolerances. The Audit Committee of the Board is responsible for overseeing all aspects of risk management and internal control including compliance activity, the audit program, the appropriateness of accounting policies and the adequacy of financial reporting.
The EFIC Executive and the senior management team are responsible at the management level for implementing the Board-approved risk management strategy and developing policies, processes, procedures and controls for identifying and managing risks in all areas of activity.
The Credit Committee, chaired by EFIC's Chief Credit Officer, examines credit policy and practices in relation to all exposures and potential transactions. The Risk and Compliance Committee, chaired by the Compliance Counsel, examines, monitors and regulates compliance risks. The Treasury Risk Review Committee, chaired by the Head of Treasury, examines treasury activities, limits, noteworthy transactions and current issues.
An independent internal audit service provider is engaged by the Board to review risk management and internal controls. The internal audit service provider, currently Deloitte, reports to each of the Board via the Audit Committee and the Executive, and has full access to staff and information when conducting its reviews.
The Australian National Audit Office and their appointed agent, currently Ernst & Young, perform an independent review of EFIC’s financial statements.
The Chief Financial Officer is responsible for the management of this Risk Management Framework, including its periodic review and renewal.
Types of risk
EFIC maintains a comprehensive list of risks that it must manage across the business. This list results from internal consultation within the management team and is reviewed periodically. Risks fall into the following categories:
- strategic risk – the risk to revenues, earnings and product offerings as a result of ineffective corporate planning, specific government policy, trade policy or legislative implications, or poor decision-making or implementation of those decisions
- reputational risk – the risk of deterioration in EFIC's reputation due to adverse publicity
- credit and country risk – the risk that a counterparty will default on obligations resulting in a financial loss.
- market risk – the risk of any fluctuation in the value of a portfolio resulting from adverse changes in market prices and market parameters including interest rates and exchange rates.
- operational and financial risk – the risk of loss resulting from inadequate or failed internal operational or financial processes and systems as well as the actions of people or from external events. EFIC groups operational risks into the sub-categories of general processes, external regulation, internal policies, domestic and international laws, and events.
Summary of Risks
The framework within which strategic risk is managed at EFIC is as follows:
- a Board and Government approved Corporate Plan. A key element of corporate planning is the identification of potential new risks that may emerge over the planning cycle
- business strategies as well as credit and market risk appetite are agreed by the Board at least annually after a review of the business environment and consideration of key risks
- the Board reviews strategies and performance in key functional areas on a periodic basis
- regular dialogue with Government at Board and senior management level to address government policy, trade policy or legislative implications
- management reports financial outcomes monthly and EFIC's position against high-level key performance indicators quarterly
- independent internal auditing and reporting to management and the Board
- audited financial reports are prepared semi-annually.
The framework within which reputational risk is managed at EFIC is as follows:
- a Corporate Responsibility Policy which outlines engagement with key stakeholders and includes a Policy and Procedure for Environmental and Social Review of Transactions
- OECD mandated commitments on export credits such as the Arrangement on Officially Supported Export Credits, the Action Statement on Bribery and Officially Supported Export Credits and the Common Approaches on Export Credits and the Environment
- the EFIC Act and the Code of Conduct, which requires, for example, that employees respect the confidentiality of information concerning EFIC and its clients
- detailed policies and procedures are reviewed by the Risk and Compliance Committee and submitted for approval to the Board including AML/CTF and Fraud
- mandatory compliance training undertaken by all staff
- independent internal auditing and reporting to management and the Board.
Credit and country risk
The framework within which credit and country risk is managed at EFIC is as follows:
- a Board-approved Credit Policy sets out the framework for the management of credit risk within EFIC
- the Credit Committee reviews large or complex exposures and potential transactions and provides advice on matters of policy
- a delegation framework ensures larger exposures are reviewed by senior management, the Board and Government representatives (as appropriate)
- given the higher risk nature of the portfolio, intensive account management is performed throughout the life of an exposure. Systems have been developed to support account management.
- management reporting to the Board includes:
- a credit report (quarterly)
- country commentary (monthly) and a comprehensive review of all countries (annually)
- exceptional cases (reported as they arise).
- independent internal auditing and reporting to Management and the Board.
The framework within which market risk is managed at EFIC is as follows:
- a Treasury Policy and the Credit Policy set out the framework for the management of market risk within EFIC
- the Board and Government provide parameters within which activity can take place
- management’s Treasury Risk Review Committee meets periodically to review factors affecting the portfolio, discuss upcoming transactions and related issues
- a delegation framework ensures involvement of senior management and the Board in significant market risk management decisions
- systems support Treasury operations within the parameters set by the Board, the Government and the delegation structure
- management reporting includes Treasury reports provided quarterly to the Board Audit Committee and the Board and the reporting of exceptional matters as they arise
- independent internal auditing and reporting to Management and the Board.
Operational and Financial risk
The framework within which operational and financial risk is managed at EFIC is as follows:
- the full range of operational and financial risks that EFIC must manage has been identified and is updated annually in the context of EFIC's corporate planning. The entire senior management team is involved in the update
- specific policies and procedures and other control responses are in place to deal with each identified risk
- weekly Executive and regular management meetings facilitate ongoing oversight of key risks.
- employees are required to report compliance breaches to their immediate manager, or alternatively to any member of the senior management team, as they arise. Twice a year, each member of the senior management team makes a compliance declaration for actions within their area of responsibility and each member of the Executive makes a compliance declaration to the Board Audit Committee
- semi-annual written representation letters in relation to the financial accounts are signed by the Managing Director and Chief Financial Officer and tabled at the Audit Committee and Board
- external auditing by the ANAO or their representatives and independent internal auditing and reporting to management and the Board.
The Risk Management Framework is reviewed and renewed periodically.