We believe that effective governance of our own operations is essential to the successful pursuit of our objectives. In particular, we are focused on the prudent management of risk.
The organisation, along with many financial institutions, has adopted the ‘Three Lines of Defence’ model for risk governance. This model is built around three elements which we have adapted to suit our organisation:
- First line of defence is the business. The business ‘owns’ each risk and must ensure that there are controls in place to appropriately manage the risk within the Board’s risk appetite. The business is responsible for identifying, analysing, managing, monitoring and reporting risks.
- Second line of defence is the independent Risk Team, led by the Chief Risk Officer. This team develops the organisation’s risk management framework to promote effective and consistent risk management across the organisation, assists and supports the business in developing its risk management policies, systems and controls, and provides independent review and challenge of the first line. The Risk Team reports periodically to the Board, Board Committees and Agency Committees. The Risk Team considers organisational risk management from a strategic perspective as well as at the individual key risk level.
- Third line of defence is an independent internal audit function which is outsourced. The function provides independent assurance that the risk management framework is appropriate and is operating effectively (including through independent control testing).