Managing risk remains integral to generating sustainable shareholder and stakeholder value. The JSE has succeeded in applying the principles of King III to such an extent as to make risk management not only a reporting and oversight obligation, but a management discipline. In support of this, an executive risk working group was established in 2013 to further support the formal risk reporting structures and to drive risk management into the organisational practice.
Roles and responsibilities
JSE Board and Risk Management Committee
The JSE Board has constituted the Risk Management Committee to help it to discharge its duties and responsibilities with regard to risk management. The committee provides enterprise risk management (ERM) oversight by monitoring the implementation of the JSE risk framework and driving corrective actions based on the risk reporting provided.
The JSE executive and its management structures are responsible for applying the defined risk management process across the enterprise. This is done to enable management to identify potential events that, if they occur, will affect the JSE in terms of achieving its enterprise objectives. Risks must be managed within the JSE’s set risk appetite.
The Corporate Services division, specifically the Risk department, is the owner of the JSE risk framework and spearheads implementation and reporting for ERM.
- defining and implementing the risk process;
- facilitating risk workshops with all organisational areas at least annually;
- ensuring updates to risk reporting at least quarterly;
- ensuring risk actions are updated and tracked;
- compiling and presenting report-backs to line management;
- providing formal risk reporting to the JSE executive committee;
- providing risk reporting to the Risk Management Committee; and
- entrenching risk management as an effective management tool in the enterprise.
Risk management is conducted using the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework guidelines and is in line with principles defined in ISO 31000. Risks are analysed in the context of the JSE risk framework and cover the following categories:
- Operational risk – The risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events, in the following areas:
– Human capital;
– Technology and systems;
– Fraud and theft;
– Procurement and third party;
– JSE site management;
– Business disruption and continuity;
– Regulation of markets;
– Market operations;
– JSE client concentration;
– Strategic arrangements; and
- Finance risk – This is an umbrella term for any risk associated with any form of financial management of the enterprise.
- Strategic risk – This risk is the impact on the organisation arising from adverse business decisions and/or the lack of responsiveness to changes.
- Black swan events – Anticipating and considering low probability (not identified as a possible emerging risk on its risk radar) and catastrophic impact events as part of the enterprise’s risk approach.
The 2013 financial year saw a renewed focus on the strategic alignment of risk management in the JSE. Using the existing risk profile, rated according to probability and impact, the executive team specifically identified 20 top risks. The other risks areas were still managed but, at an executive level, the JSE focused specifically on the top 20 risks during 2013. Progress has been made with regard to all the risk areas in terms of implementing mitigating controls and action plans. Using the same cut-off point for residual risks, only 14 risks were in the top category at the end of 2013. The areas that showed most improvement included the possible risk of:
- inadequate cost management,
- client dissatisfaction with fees,
- an inappropriate billing model; and
- insufficient post-trade risk management.
The current focus areas are centred around the possible risks associated with:
- the provision of strategic, competitive world-class offerings;
- regulatory changes negatively affecting the JSE and its clients’ business;
- the combined effect of investments in large-scale projects not being sustainable; and
- inefficient project execution.
These focus risk areas all relate to the JSE’s and its clients’ ability to digest and react to substantial changes occurring in the industry.
The JSE further expanded its risk framework in 2013 to include the use of risk indicators. Indicators are quantifiable values that relate either to the level of risk or to the effectiveness of a control. These are measured at predefined intervals. As part of the risk reporting process, trends will be tracked over time. The focus of indicators was initially on high inherent, low residual risks. This means that, regardless of the fact that the JSE believes it is effectively managing the risk, measurements are in place to indicate cases where the risk profile deteriorates because of a change in circumstances. It is worth noting that not all risks lend themselves to the indicator approach. Such risks will be managed on the basis of the probability and impact methodology only. Some of the risk indicators will be considered for inclusion in the 2014 annual report.
The figure below depicts the information flows related to the agreed risk reporting structure at the JSE.
In addition, formal risk reporting channels in the JSE can be broken down as follows:
- Business areas are required to provide risk reporting to the risk team in the Corporate Services division.
- An enterprise-wide risk report is then compiled by the risk team and presented to JSE Exco for comment and ratification before the report is submitted to the Risk Management Committee.
- The risk team also has the ability to independently escalate risk issues directly to the Risk Management Committee, if required, to ensure independence of reporting. This escalation would only occur should it not be possible to achieve consensus at Exco level.
- The Risk Management Committee, in turn, provides assurance to the JSE Board on both the acceptability of the JSE’s risk profile as well as the effective functioning of the risk process.
The JSE has also formed a Risk Working Group that consists of selected Exco members, based on their divisional responsibilities and the consequential impact of these on the JSE risk profile. This working group directs and guides the risk team in setting robust, appropriate and business focused risk practices.
Risk management reporting is not an isolated reporting process and is not intended to replace management reporting.
Governance of information technology (IT)
In executing the board mandate for IT governance, the JSE successfully built on the foundations set in previous years under the direction of the chief information officer (CIO). Continuing with the strategic objective alignment done by the IT area in 2013, the JSE has, through collaboration between IT and business, defined a number of implementation roadmaps. These roadmaps not only define the strategic direction for IT implementation but also define objectives, timelines and the approach to achieving these objectives. The IT area has also achieved various improvements in service delivery. One that is specifically worth noting is that an Agile delivery methodology is being pursued for selected projects. This has been implemented with great success. Continuous improvement in the operation of IT ensures a world class IT operation involving various IT disciplines.
IT risks have been successfully managed and it is worth highlighting that the IT risk focus is moving away from operational issues to more strategic issues, an indicator of greater operational maturity.