The World Federation of Exchanges (“WFE”), the global industry group for exchanges and CCPs, has published a benchmarking paper examining the organisational structures for enterprise and operational risk within market infrastructures (MIs).
The study - undertaken by the WFE’s Enterprise Risk Working Group (ERWG) as a first step to agreeing and harmonising industry Enterprise Risk Management (ERM) practices - is unique in seeking to understand and detail the way in which exchange and CCP operators structure their approach to risk management through dedicated teams, and the relationship of those teams with other parts of their organisations. It also outlines how governance arrangements feed up to the board level, and how the necessary independent assurances operate.
Key findings from the study are:
- On average, the dedicated enterprise risk function currently accounts for around 2% of a company’s entire workforce.
- All the responding entities employ, as a base level, the three lines of defence model (with some labelling senior management or supervisors as an additional line):
  - First line of defence is the Executive (Group-level risk) Committee, whose primary responsibility is the day-to-day management of risk;
  - Second line of defence is the Risk (management oversight) Committee, which incorporates the ERM function and is governed by the Chief Risk Officer. This line provides the risk universe and risk management framework, ensures compliance, and reports up to the senior management team;
  - Third line of defence is the internal and external auditors, who perform an independent assessment of the efficiency and effectiveness of the internal controls, risk management and governance.
- Internal audit (IA) forms an integral part of the third line of defence and the wider risk management structure. It is an independent function, performing regular reviews, providing oversight, and holding responsibility for risks, controls and governance assurance.
- Some firms have extended the model to include a ‘fourth line of defence’, reporting via bespoke committees or processes to their regulators. Further, some entities also designate the actions and roles of the senior management and board as distinct lines of defence, and integrate those additional lines within the model.