We consider risk in three broad categories: investment risk, operational risk and external risk:

1. Investment risk – risks for which we expect to be compensated. These risks often cannot be eliminated, particularly if they are of a strategic nature, nor are they inherently undesirable if they are compensated by expected returns. We therefore seek to optimise rather than minimise investment risks.
2. Operational risks – risks for which we do not expect to be compensated. While some level of operational risk is unavoidable in practice, normally we are not compensated for it (ie higher operational risk is not usually expected to produce higher expected returns). This makes operational risk inherently undesirable and hence we seek to take all reasonable measures to minimise it without imposing excessive costs or constraints on our strategy, decision making or operations.
3. External risks – risks that arise from external events which are outside the organisation’s control. These external events usually have a very low probability of occurrence (or at least their form and timing are not predictable) or they are difficult to envisage. They may include natural disasters or terrorism with immediate and major impact, or geopolitical or regulatory change with long-term material impact. These are also likely to be inherently undesirable, but since they are outside our control they cannot be minimised or optimised. We therefore seek to prepare for such events and manage their impact should they occur.

The Board has overall responsibility for risk management for the organisation. This includes setting the risk appetite and acceptance of the residual risk rating for each key risk identified in the organisation’s Risk Register. The Board sets the investment risk appetite (via control ranges, limits ad other directions) within which the Agency’s relevant investment team should operate.

The Board’s Audit & Risk Committee has been established to provide assurance to the Board that the risks as detailed in the organisation’s Risk Register are appropriately identified and managed and to provide assurance and assistance to the Board on the organisation’s risk, control and compliance frameworks.

The Agency operates a number of committees which are directly involved in the oversight of risk management as documented in their respective charters, including:

• Management Committee
• Investment Committee
• Operational Risk & Compliance Committee.

Each Agency committee considers risks within the scope of its oversight role. For example, the Investment Committee has oversight of investment risks.