NAIF’s Risk Management Framework (RMF) is integral to the Investment Decision Process and incorporates the core principles, tools and processes that govern NAIF’s approach to risk management – refer below for details. The RMF document is maintained for internal use and is reviewed by the Board on a regular basis.
The RMF forms part of a hierarchy of documents that govern NAIF’s approach to risk management as per Figure 1 below.
Figure 1: Hierarchy of Risk Management Documents
A core component of the RMF is NAIF’s Risk Appetite Statement (“RAS”) which articulates the amount and type of risk that the Board is willing to take. The RAS guides NAIF’s Investment Decisions and is developed in consultation with the responsible Minister and the relevant Northern Australia jurisdictions. Key aspects of NAIF’s RAS are outlined in Section 7 below.
2. Roles and Responsibilities
The Board comprises seven members, all of whom are appointed by the Minister. Pursuant to the Northern Australia Infrastructure Facility Act (“Act”), NAIF is required to conform to the Public Governance, Performance and Accountability Act 2013 (“PGPA Act”).
A key role of the Board Audit & Risk Committee (“BARC”) is to set a culture that embraces risk management as an essential part of business operations. The three key elements of NAIF’s risk culture are:
- Setting the “tone from the top” through the Board and BARC’s active involvement in the risk management process.
- Risk awareness entrenched throughout the organisation so that it becomes a core function that is considered in the course of day-to-day business processes. This is achieved through recruitment of personnel knowledgeable in project financing risks or via a third party service provider and through on-going communication of risks.
- Adequate disclosure of incidents through ‘no-fault’ incident reporting.
The Board is ultimately responsible for approval of the RAS which outlines the risk strategy that will guide NAIF’s Investment Decisions.
The Australian National Audit Office review independently NAIF’s financial statements annually.
Executive Management supported by services provided by any external service provider, is responsible for developing and implementing, under the direction of the BARC, the RAS and risk management framework, risk policies, systems, processes and controls, and fostering a risk-aware culture. Executive Management will report to the BARC on the effectiveness of the risk management framework and the management of NAIF’s material business risks.
3. Risk Management Policy
- Sets the principles and objectives that govern risk management activities.
- Defines roles, responsibilities and accountabilities for managing risk.
- Establishes the basis for development of the risk framework, stakeholder communication and risk monitoring.
4. Risk Management Framework
NAIF’s RMF conforms to the PGPA Act; the Commonwealth Risk Management Policy published by the Australian Government Department of Finance, and dated 1 July 2014; and the International Standard for Risk Management, AS/NZS ISO31000 (ISO31000).
- Describes the tools and processes adopted by NAIF to operationalise the Risk Management Policy.
- Consists of three principal parts (as discussed below):
- the Risk Management Process
- Risk Measurement Criteria and
- Risk Appetite Statement.
5. Risk Management Process
An effective risk management framework requires a continuous process of identification, assessment, management and monitoring of all material risks that could adversely affect current and future operations. In accordance with ISO31000, the following risk management process has been adopted:
Figure 2: Risk Management Process
5.1 Establish Context
On an annual basis, as part of its planning process, the Board will:
- Conduct an external assessment – review the external environment to understand the impact of political, economic, social, technological, environmental, financing and legal trends.
- Conduct an internal assessment – formally review NAIF’s recent performance and its capacity and capability to meet objectives.
- Review risk measurement criteria – review the risk measurement criteria details in the context of a) and b) above to ensure they remain relevant.
Monitoring and review (refer to 5.6) continues throughout the year. Any major changes to the environment (e.g. loss of key staff, changes to regulations etc.) that occur during the year are discussed by management and may lead to a recommendation to the Board and BARC to re-assess the risk.
5.2 Identify Risks
Identification of Initial Risks
This step utilises the output from 5.1 above to identify events or situations that might affect the achievement of objectives. The purpose of this step is to ensure that the full range of potential risks is considered. The risks identified are maintained in the NAIF Risk Register, which sets out a summary of the root causes of each risk and the controls in place to adequately manage and monitor the risks.
Management monitors and reviews risk on an on-going basis and reports regularly to the BARC as per step 5.6 below. New risks that emerge between annual planning meetings are reported by exception.
5.3 Analyse Risks
Identification of Initial Inherent and Residual Risks
Once risks have been identified, they are analysed. As part of the annual planning process, Management will:
- Assess the inherent risk by rating the likelihood of the risk occurring and its potential impact, if no controls were in place.
- Assess the residual risk by considering the effectiveness of controls, and then rating each risk with controls in place.
Risks may be re-analysed between annual planning meetings either as a result of
a. Changes to the environment (step 5.1 above), and/or
b. New risks that are identified at step 5.2.
In either case, the relevant risk is assessed using the Risk Measurement Criteria and the NAIF Risk Register (a day-to-day tool for monitoring and reporting risk) is updated as required.
5.3 Evaluate Risks
Risk evaluation involves comparing the estimated levels of residual risk to the Board’s appetite and tolerance for risk, in order to decide whether to avoid, transfer, mitigate or accept these residual risks:
- Accept risk – the Board may choose to accept risks where the risk is within the Board’s risk appetite/tolerance and the Board is satisfied the controls are sufficient to prevent the risk from escalating.
- Mitigate risk – the Board may choose further risk mitigating actions where the risk is currently outside the Board’s appetite/tolerance for risk, or where the Board is concerned that a risk may escalate.
- Transfer risk – the Board may choose to transfer the risk to a third party where this is deemed to be the most appropriate method of ensuring the residual risk remains within the risk appetite/tolerance (e.g. using third party insurers or outsourcing arrangements).
- Avoid risk – the Board may choose to avoid risks where it is not satisfied the residual risk can be managed within the Board’s risk appetite/tolerance.
Any new risks identified, or changes to existing risks, resulting from the ongoing review in steps 5.1 to 5.3 above, will be evaluated using the same approach as the annual process above.
5.5 Treat Risks
Having completed a risk assessment, risk treatment involves implementing the controls and risk mitigating strategies that have been agreed in step 5.4 above. Risk treatment is an ongoing process.
5.6 Monitor and Review Risk
On an annual basis, the Board reviews the Risk Register in accordance with steps 5.1 to 5.5 above.
- On an annual basis, management will present a summary of the Risk Register to the BARC with a review of all material risks and compliance or non-compliance with all controls plus any recommended changes.
- All instances of a significant breach are reported to the Chair of the BARC within 10 days of the breach being determined by the CEO. Significant breaches will be reported to the Board at the next available Board meeting.
- On an annual basis, management will provide a status report to BARC including any recommendations for amendments to the RMF. Amendments supported by the BARC will be submitted to the Board for approval.
6. Risk Measurement Criteria
Our approach to risk measurement begins by rating inherent risks on the basis of likelihood and impact. The residual risk rating is then calculated by assessing the effectiveness of the controls that apply to each inherent risk.
Criteria for measuring risk likelihood, risk impact and control effectiveness have been developed from ISO31000 standards and are consistent with industry practice, but are tailored to the unique requirements of NAIF.
7. Risk Appetite Statement (“RAS”)
The RAS provides personnel at all levels of the business with a clear understanding of the acceptable level of risk within which they must execute their business plans in pursuit of the Board’s strategic objectives. It articulates the amount and type of risk that NAIF is willing to seek or retain in pursuit of its objectives (i.e. risk appetite) as well as the amount of risk that it has a readiness to bear at the individual risk level (i.e. risk tolerance). The RAS is subject to review annually to address emerging risks, changes to existing risks, and changes to Commonwealth Government policy.
NAIF’s RAS is based upon the following key principles:
- NAIF must always remain within mandatory investment criteria.
- Risk appetite and tolerance are measured in accordance with NAIF’s risk management framework.
- NAIF’s tolerance for individual risks cannot exceed its overall appetite for the relevant category of risk.
The RAS is not a public document as it describes in detail the manner in which NAIF’s risk appetite and tolerances (qualitative and quantitative) are established and controlled. Risks encompassed in the RAS include:
- Investment Decision Risks
- Governance, Legal and Regulatory risks and
- Operational risks.
NAIF’s policies and procedures define the way it works and behaves. The Board is ultimately responsible for the setting of risk appetite and tolerances. Policies such as the Credit Policy, HR Code of Conduct and delegated authorities are subject to Board approval. These documents are internal documents that embed risk appetite for each risk category and the monitoring requirements for each.
NAIF has a high financing risk tolerance to complement and encourage (“crowd in”) private sector participation in financing a Project, which may include a high risk tolerance for concessions in relation to tenor, pricing, repayment terms, cash flow priority, and willingness to partner with Commercial and other financiers. NAIF also has a high risk tolerance for risk factors that are unique to investing in Northern Australia, including but not limited to distance, remoteness and climate. The RAS accepts that during the initial years of NAIF’s operation, the portfolio of NAIF’s investments may have high concentration risk. The Board is to have regard to a preference for a diversified portfolio including industry and geographic spread across the Northern Australia States and Territory. Over time, the Board may approve a strategy for the management of risk concentrations, including the imposition of limits.
8. Types of Risks
NAIF maintains a comprehensive list of risks that must be managed. Risks fall into the following categories.
- Investment Decision Risks – such risks cover the Performance of Functions (i.e. in relation to the Board’s application of the provisions of the NAIF Act 2016 and the Investment Mandate), Financing Risk, Project Risk and Credit risk. Such risks are described in more detail below.
- Governance, Legal and Regulatory risks – such risks include design and implementation of the Governance Framework, protection of confidential information, strategic risk, conduct risk, statutory and regulatory requirements, and Board composition.
- Operational risks – such risks cover the risk of failure of the design or implementation of the processes, systems and controls used to manage day-to-day operations (including outsourced services), Reputation risk, People Risk (retention/attraction of suitably qualified staff and Board), Health, Safety and Environmental risk. Such risks are described in more detail below.
8.1 Performance of Functions
In applying the various provisions of the Act, the Investment Mandate and the PGPA Act , the Board is required to assess various factors including based on judgement.
8.2 Financing Risks
The risk that NAIF financing terms exceed the extent and mix of all concessions necessary for an Investment Proposal (as defined in the Investment Mandate and the Act) to proceed and having regard to the extent of a projects’s public benefit.
8.3 Project Risk
The risk of financial loss or damage to reputation due to failure of a project to fulfil its goals.
More specifically, project risks include: Proponent Risk, risk that the Project type and size do not qualify, Project Selection Risk, Project Delays, Technology Risk, and risk in relation to the Availability Period of Offer of NAIF finance (i.e. the risk that this period is exceeded).
8.4 Credit Risk
Loan recipient(s) fail to repay the loan in full or refinance or to make payments during the course of the project in accordance with its repayment schedule, which is based on assumptions acceptable to the Board at the time of Board approval of the loan. It includes risks associated with working in partnership with other financiers (given the mandatory criteria that NAIF loan monies are not the majority source of debt funding) and the objectives to encourage private sector participation in the financing of a project). Credit risks also encompass risk on debt repayment sources, ranking of security and concentration risk.
8.5 Reputation Risk
The risk encompasses damage to NAIF’s reputation for any reason.
8.6 Health, Safety and Environmental (HSE) Risk
The risk of legal liability, reputation damage or loss due to an HSE incident.
8.7 Strategic Risk
The risk to income and expenses or to product offerings as a result of ineffective corporate planning, specific government policy, legislation, or poor decision-making or implementation of those decisions.
Management informally reviews the RMF on an on-going basis and will advise the BARC if any changes are required.
The BARC will formally review the RMF (including the RAS) on an annual basis, with any amendments to be submitted to the Board for approval.