Risk management framework

At Export Finance Australia, we systematically identify and manage risk to increase the likelihood of positive events, while mitigating negative events.

Risk management framework

We approach risk management in a way that helps us achieve our strategy and objectives. Risk management is a critical enabler of our overall corporate objective of being financially sustainable within our Board’s agreed risk appetite. We systematically identify and manage risk to increase the likelihood and impact of positive events, while mitigating negative events.

Our Chief Risk Officer (supported by the Head of Risk & Compliance) is responsible for the management of this framework, including its regular review and renewal. We operate a ‘three lines of defence’ model for managing risk:

1. Business functions take responsibility for risks within their own operations.
2. Internal, but independent, Risk and Compliance functions review and improve our risk management controls.
3. Audits and reviews by Ernst & Young provide detailed reports on improving our risk management approach. The Australian National Audit Office (ANAO) and their appointed agent also review our financial statements independently.

Our risk management framework includes the Risk Appetite Statement and the Risk Control Matrix.

Our Risk Appetite Statement details our risk tolerance for each of the key enterprise risks that we face. The Risk Appetite Statement is not a public document as it describes in detail the way our risk appetite/tolerance (qualitative and quantitative limits) is established and subsequently managed. Risk appetite is a fundamental part of both risk management and capital management. Our approach to risk management and capital management is based on assessing the level of, and appetite for, risk and ensuring that the level and quality of capital is appropriate for that risk profile.

Similarly, the Risk Control Matrix is not a public document as it sets out each of the inherent risks we face, as well as the controls we have in place, to arrive at a residual risk rating. We review the Risk Control Matrix regularly to add new risks or identify changes to existing risks. We also assign people the responsibility for managing each risk and this approach engenders a culture of risk awareness and ownership across our organisation. Risks are classified depending on their nature: strategic, reputation, credit, market and operational.

Risk culture

Our risk culture and risk management foundations include:

  • an open and transparent risk culture that seeks to anticipate, avoid and mitigate risks before they occur, and which always seeks to learn and improve
  • a culture of consultation and speaking up about potential issues
  • an employee performance system that requires and rewards robust risk management behaviours
  • strategies to recruit, develop and retain employees who have the required specialist skills to support the delivery of our mandate
  • rigorous control processes, including management reporting, supported by Board oversight and independent review
  • strong policies and procedures, supported by robust systems and processes
  • clear lines of responsibility and accountability for achieving set outcomes
  • a continual focus on uplifting risk management processes including enhancing the use of data.

Risk management oversight

Risk-related policies, tolerances and operational limits are set by our Board, with support and specific oversight provided by the Board Audit and Risk Committee.

Our Executive and senior management teams are responsible for implementing our Board-approved risk management framework. However, we also emphasise that risk management and reporting is everyone’s responsibility.

Our internal committees support our risk management processes and demonstrate individual accountability by the relevant Executive team members:

  • Executive Committee, chaired by the Managing Director & Chief Executive Officer, examines all aspects of our business
  • Credit Committee, chaired by the Chief Credit Officer, examines large potential transactions
  • Risk and Compliance Committee, chaired by the Chief Risk Officer, reviews, monitors and improves our management of Risk and Compliance
  • Treasury Risk Review Committee, chaired by the Treasurer, examines Treasury activities, limits, noteworthy transactions and current issues
  • Work Health and Safety Committee, chaired by the Chief Risk Officer, examines workplace risks and reports any hazards or safety problems that may cause harm or injury to employees, contractors or visitors
  • Business Continuity Planning Steering Committee, chaired by the Chief Risk Officer, coordinates
  • Business Continuity Planning and Crisis Management.

Key risks

We have developed an enterprise-wide risk management framework that identifies the key risks facing the organisation and the controls we have in place.
Key risks and associated mitigation strategies include:

  • Prudential and capital management risk: Although we are not directly regulated by the Australian Prudential Regulation Authority (APRA), we are guided by APRA prudential standards in managing financial risk. Our approach to capital management is based on assessing the level of appetite for risk and ensuring the level and quality of capital is appropriate to that risk profile. Capital also supports our normal operations by providing a buffer to absorb unanticipated losses from our Commercial Account business activities. We are also supported by a Commonwealth guarantee. There is no capital set aside for National Interest Account transactions as the risks are borne by the Commonwealth.
  • Credit risk: We have an independent Credit function that reviews and assesses the credit and country risks for individual transactions and projects. This function also provides advice to the Managing Director & CEO and the Board. Risk mitigation strategies include
    • Credit Policy and detailed Credit Manual
      ongoing risk monitoring on a portfolio basis, including stress testing
      high risk and non-performing asset reporting processes
    • country surveillance reports
    • credit memorandums that identify any exceptions to the Credit Policy.
  • Social and environmental risk: We conduct comprehensive due diligence and consider the social and environmental impacts of our financing activities by applying our Policy for Environmental and Social Review of Transactions. This policy confirms that we:
    • are bound by the OECD Recommendation of the Council on Common Approaches for Officially Supported Export Credits and Environmental and Social Due Diligence
    • apply the Equator Principles, a globally recognised benchmark used by many financial institutions to manage environmental and social risk in projects
    • apply the International Finance Corporation’s environmental and social performance standards as a benchmark.

These standards were selected as widely used and understood global benchmarks. However, if a higher benchmarking standard applies to a particular transaction, we will apply that higher standard.

  • Cyber risk: We have a broad range of policies and tools to mitigate cyber risks and to comply with the Government’s Essential Eight cyber security strategies. These mitigating strategies include security monitoring tools, firewalls and penetration testing. We also provide regular cyber security training to all employees. We also engage an external security provider who undertakes an annual assessment of the strength of our online environment.

Reviewing our risk management framework

We update our risk management framework on an ongoing basis and formally review it annually.