22. The SWF should have a framework that identifies, assesses, and manages the risks of its operations.
22.1. The risk management framework should include reliable information and timely reporting systems, which should enable the adequate monitoring and management of relevant risks within acceptable parameters and levels, control and incentive mechanisms, codes of conduct, business continuity planning, and an independent audit function.
22.2. The general approach to the SWF’s risk management framework should be publicly disclosed.
An NTMA Enterprise Risk Management Committee (ERMC) has been established to oversee, monitor and guide risk management activity across the NTMA, which comprises a number of business divisions including ISIF. The ERMC is responsible for setting the appropriate risk framework for the NTMA, for approval and endorsement by the Agency, on a recommendation from the Agency Risk Committee. Each Business Unit/Corporate Function and the staff within that Business Unit/Corporate Function has responsibility for identifying and assessing risks and putting mitigants/controls in place to manage those risks. The ERMC has established a number of sub-committees.
The ISIF Unit maintains a comprehensive risk register and implements appropriate controls to mitigate such risks, together with a third-party risk management regime and semi-annual control attestation.
The ISIF’s risk management function is fully linked into the overall management of risk across the NTMA, with members of the ISIF Unit participating in the Agency Management Group and the Enterprise Risk Management Committee. In addition, the ISIF Risk Register is maintained within the NTMA’s Corporate Risk database, which better facilitates the management of risks at an aggregate NTMA level and the identification of common risks.
The Agency’s risk management framework is predicated on the three-lines-of-defence model. Within this model, functional ISIF Business Unit staff and management (the first line) incur and own the risks, while NTMA Risk Management, compliance and other control functions (the second line) provide independent oversight and objective challenge to the first line of defence, as well as monitoring, reporting and control of risk. Internal Audit (the third line) provides assurance that control objectives are achieved by the first and second lines of defence.
Risk Management is discussed in the ISIF Investment Strategy document, and the Terms of Reference for the Agency Risk Committee has been published on the NTMA website.