ASX risk management

Long-term risk management

Our approach

ASX has a Board-approved Risk Appetite statement that describes the types of risk we encounter in our business, along with our tolerance for outcomes that impact on our stakeholders.

Complementing this is a governance structure, starting with the Board and flowing down through executive level management committees to individuals, which articulates roles and responsibilities for managing risk within the organisation. This is underpinned by the 3 Lines of Defence risk management framework.

The table below explains how ASX manages its risks.

Managing our long-term risks

Managing and protecting our data and that of our customers is critical to maintaining trust and confidence in Australia’s financial markets, and in strengthening the resilience of our operations. Continually strengthening our cybersecurity risk controls, procedures, and prevention strategies are fundamental to protecting our systems and customer information from fraud-related incidents and cyber attacks, as they evolve in their sophistication and frequency.

Our dedicated information security and risk team continued to implement and update the tools and strategies we use to manage and monitor cyberattacks in FY20. Among these initiatives was the implementation of a more contemporary email platform, which is better equipped to deal with the growing volume of sophisticated email threats. It also strengthens our cyber resilience through advanced configuration, analysis, and assessment capabilities.

Key to our efforts in mitigating the risk of cybercrime is the data security training all ASX employees receive, particularly in relation to recognising phishing emails and ransomware activities. We also send out regular communications keeping employees informed of the latest trends in email scams.

The table describes ASX's key risks and how we respond to them.

Risk	The risk and its impact	How we are responding
Regulation, market structure and competition	ASX operates in highly regulated markets. Changes in regulations and/or market structure can impact on ASX or its customers and the environment in which we operate. Examples of how ASX's business could be impacted include if: Regulatory requirements were changed for certain important services ASX's products or services did not meet industry expectations in terms of quality or value New competitors commenced operation in Australia.	We regularly engage with government, regulators and industry participants on market structure issues to promote the best industry-wide efficiency outcomes. We engage with our customers to seek feedback on the quality and value of our products and services, and continually look for ways to improve these. We monitor the performance of individual products and services against those available elsewhere to support ASX's ability to deliver a strong value proposition. We consider the impact of ASX-driven change on our customers. We invest in technology enabling us to stay at the forefront of innovative products and services. We constantly engage with government on the future direction of policy impacting our business.
Economic environment and market activity	ASX's business can be impacted by the level of market activity. Market activity levels are influenced by economic performance, government policy, and general financial market conditions in Australia and overseas. Slowing economic conditions or a lessening of general market volatility can lead to a reduction in activity and revenues. Examples of how ASX's business could be impacted if there was a slowdown in the Australian economy include: Fewer new listings Less secondary capital raisings Decline in the volume and value of equities traded Slowdown of growth rates associated with data products and/or technical services.	We continue to build resilience into our business model through the diversification of revenue streams. We have been growing those services that have annuity-style revenue streams. We have been focusing on enhancing our reputation as a listing venue with emphasis on both technology and foreign companies. We continually look to introduce new domestic and international participants to our trading markets and clearing and settlement facilities.
Operational excellence	The resilience, continuity and quality of our operational processes are critical to our ability to operate. This risk arises when failures in our people, processes, systems or controls impact on the delivery of our products or services to our customers. The occurrence of such a failure may result in reduced customer service, the inability to provide services, reduced revenues, increased costs, fines or regulatory issues. This category also captures the risk that our project execution is poor, which could lead to a failure of our strategic projects to deliver expected outcomes.	We have project management disciplines in place to reduce the likelihood that milestones are missed leading to delays in key strategic projects. We have business continuity plans that are regularly tested. We have an incident management framework requiring that timely attention be paid to rectifying incidents as they occur. We undertake resource planning and have staff training and retention programs.
Technology availability	ASX operates critically important financial market infrastructure which is expected to be open and available at all relevant business times. A risk to ASX arises where infrastructure and technology are unreliable and have slow recoverability or have insufficient capacity and where this cannot be quickly increased. Issues that would heighten this risk are the prevalence of ageing infrastructure, systems or applications that are near their end of life, and a significant increase in cyber attack activity. The risk may result in reduced ability or an inability to deliver ASX's trading, clearing and settlement services, reduced customer service, reduced revenues, unplanned remediation or replacement costs or further licence conditions.	We regularly monitor our systems availability against targets and test to understand maximum throughput capacity. We monitor the health of critical systems and have contingency plans in place for disruptions. We replace ageing technology in a phased and planned manner. Recent examples include the replacement of SYCOM with NTP, the announcement to replace CHESS with a DLT solution, and upgrading our secondary data centre. We constantly engage with our vendor partners who provide some of our critical systems and applications. We have a regular disaster recovery testing program in place. We have a cyber security strategy in place and continually look to improve our capability.
Counterparty default risk	This risk arises in our licensed clearing and settlement facilities when a participant fails to meet its contractual obligations to any of the facilities. Depending on the size and complexity of the defaulting counterparty, the default could lead to extremely volatile conditions in global financial markets. This, along with ASX's default management strategy, will determine the size of any possible loss sustained by ASX.	As part of our regulatory framework, ASX has the financial resources in place to withstand the concurrent default of our two largest participants under extreme but plausible market conditions. We enforce minimum financial and operating criteria for participants. We require participants to provide collateral in the form of initial margin, and to make regular, frequent and at least daily variation margin payments. We hold pre-funded default risk financial resources. We have technology and risk policies and procedures to constantly monitor and manage counterparty exposures. We have default management strategies that are regularly fire-drilled. We have recovery plans for extreme default scenarios.
Investment returns	Financial losses may arise from investment decisions taken in relation to the management of collateral balances received from clearing and settlement activity, from the investment of ASX's own capital, or the clearing and settlement facilities' pre-funded default capital resources. ASX also makes equity investments in support of its broader business objectives (e.g. Yieldbroker, Digital Asset, Sympli).	We have investment limits in place under which ASX is required to invest its funds in highly rated counterparties, with short-term maturities. We closely monitor financial markets activity, performance and sentiment to inform investment decisions. We monitor the business strategy and financial performance of companies that we have invested in, and follow the prescribed accounting treatment in terms of impairment or loss recognition should that be necessary.
Reputation and stakeholder confidence	The ongoing success of ASX is highly dependent on its reputation for trust, integrity and resilience in everything that we do. Reputation risk arises in a wide variety of situations, for example, where ASX is perceived to have not acted with integrity or failed to deliver resiliency in its activities. Any outcome that causes detriment to this reputation has the potential to damage ASX's future business prospects through reduced business volumes or regulatory impact or intervention.	We aspire to be the world's most respected financial marketplace. Understanding the importance of our reputation and protecting it is at the centre of everything we do. ASX considers the possible reputation risk in all its business activities and decisions. We have refreshed our company values and focus on trustworthy behaviours. We have regular and open engagement with customers and wider stakeholders to seek feedback on our performance. We have regular interaction with our regulators and government at management, CEO and Board level to facilitate thorough coverage of issues. We regularly engage with media so they understand and report on the role ASX plays.