The study - undertaken by the WFE’s Enterprise Risk Working Group (ERWG) as a first step to agreeing and harmonising industry Enterprise Risk Management (ERM) practices - is unique in seeking to understand and detail the way in which exchange and CCP operators structure their approach to risk management through dedicated teams; and the relationship with other parts of their organisations. It also outlines how governance arrangements feed up to the board level, and how necessary independent assurances operate.

Key findings from the study are:

On average, the dedicated enterprise risk function currently accounts for around 2% of a company’s entire workforce.
All the responding entities employ, as a base level, the three lines of defence model (with some labelling senior management or supervisors as an additional line):
First line of defence is the Executive (Group-level risk) Committee, whose primary responsibility is the day-to-day management of risk;
Second line of defence is the Risk (management oversight) Committee, which incorporates the ERM function, and is governed by the Chief Risk Officer. This line provides the risk universe and risk manager framework, ensures compliance, and reports up to the senior management team;
Third line of defence is the internal and external auditors who perform an independent assessment on the efficiency and effectiveness of the internal controls, risk management and governance.
Internal audit (IA) forms an integral part of the third line of defence and the wider risk management structure. It is an independent function, performing regular reviews, providing oversight, and holding responsibility for risks, controls and governance assurance.
Some firms have extended the model to include a ‘fourth line of defence’, reporting via bespoke committees or processes to their regulators. Further, some entities also designate the actions and roles of the senior management and board as distinct lines of defence, and integrate those additional lines within the model.

Nandini Sukumar, Chief Executive Officer, WFE said: “The WFE’s benchmarking paper will serve as a foundation of how market infrastructures are establishing and directing their enterprise risk functions, in addition to showcasing the actions of the industry, in order to share practices as a step towards agreeing and harmonising practices globally. We found that WFE members are implementing sophisticated ERM practices right across their operations, which befits their status as national critical infrastructure. As ERM is an effective way of enhancing the resilience of exchanges and CCPs, it is imperative that all market infrastructures establish and operate the most advanced functions possible to ensure their resilience.”

The WFE’s ERWG was established in June 2018 to connect ERM and Operational Risk Management (ORM) thinking and leadership across the world’s exchanges and CCPs. The group’s mandate is to forge best practices, codes of conduct and guidelines, as well as being a place for information exchange. The benchmarking exercise was completed by risk managers from within the ERWG across 12 key jurisdictions around the world, representing a range of exchanges and CCPs. The paper today is the first of several.

The ERWG will be holding its second ERWG Congress on Tuesday 24 and Wednesday 25 March 2020 in Malta, hosted by Malta Stock Exchange.