The National Pension Insurance Funds Act stipulates that the board is responsible for the Fund’s management, organisation and overall activities.

This responsibility includes ensuring effective internal control. AP3 has a governance framework that defines its fund management systems, risk management and internal control structure. The board of directors issues general policies and guidelines, while the CEO establishes directives, and all policy documents are revised on a regular basis.

Responsibilities and roles

The board of directors also bears ultimate responsibility for the Fund’s risk management and internal control. The risk management plan is the policy in which the Fund’s stance on risk, roles and responsibilities, guidelines, frameworks and reporting are established by the board. The Fund’s two control departments are Risk Control & Return Analysis (previously Middle Office), which focuses on financial risk, and Compliance, which primarily addresses regulatory compliance and operating risks.

Risk Control & Return Analysis is in charge of defining, identifying, monitoring and controlling risks arising from asset management operations. It also identifies and reports any deviations from set “limits”. Limits apply at various levels to ensure that AP3 operates within statutory guidelines and the parameters set by the board and CEO.

Risk management

  • Board of directors – Stipulates the Fund’s level of risk and overall exposure and risk interval for the six risk categories: Equities, Fixed income, Credit, Inflation, Currencies and Absolute return strategies.
  • Audit committee – Prepares and monitors matters for the board and is primarily active in the areas of financial reporting, accounting, internal control and risk management, and auditing. The audit committee reports to the board on a regular basis.
  • CEO – In charge of day-to-day management and ensuring compliance with the board’s guidelines. The CEO is in charge of ensuring robust supervision of asset management, risk management, risk control and reporting.
  • CIO (Chief Investment Officer) – Responsible for managing the portfolio mix and delegating day-to-day management of the portfolio within the framework adopted by the board and CEO. Each manager is responsible for managing the risk within their mandate to achieve targets within the assigned parameters.
  • CRO (Chief Risk Officer) – In charge of monitoring and reporting on risk and returns to the board. The CRO ensures that decisions are made within the limits of the risk framework established by the board.
  • RMC (Risk Management Committee) – The CEO appoints the members of the RMC. It currently comprises the CEO, CRO, CIO, the Chief Portfolio Risk Manager, the head of Strategic allocation, the head of Alternative investments, the head of Alpha management, the head of Beta management, the head of External management, and the head of Risk Control & Return Analysis. The RMC prepares matters for the board concerning the Fund’s overall risk management and risk control. The CRO presides over the RMC.

Three lines of defence

Day-to-day risk management and control are decentralised and follow the three lines of defence principle, which differentiates between departments that have primary responsibility for risk and regulatory compliance (first line), departments responsible for monitoring and control (second line) and those tasked with independent oversight (third line).

Responsibility for the first line rests with the investment organisation, which includes teams in the asset management department as well as the back office. Hence, responsibility for risk management is borne where the risk arises. The control process spans the entire transaction flow. Each employee manages risk in his or her own area of responsibility. The CIO has overall responsibility for the first line of defence.

The second line of defence comprises the internal risk control department and compliance. The former ensures that the risk management framework is adhered to. The risk control process makes sure that the Fund as a whole and in relevant areas stays within stipulated limits and complies with applicable restrictions and instructions. The department is independent and organisationally separate from the functions that execute investment decisions. Ultimate responsibility rests with the CRO.

The third line of defence is internal audit, which in AP3’s case is subcontracted to an external audit firm. The internal auditors are appointed by the board of directors via the audit committee and are independent from the Fund and its investment operations. The internal auditors report to the board via the audit committee. Every year the audit committee gives the internal auditors a time-specific mandate to examine one or more areas of the Fund’s operations to establish that the relevant departments are meeting their risk management responsibilities.

Financial risks and financial risk management

Financial risks differ from other risks in the sense that they must be taken to generate returns, whereas other risks must be limited. Financial risks primarily comprise market, credit and liquidity risks.

Market risk is the risk that the value of an asset may fall due to changes in asset prices on the financial markets, for example changes in equity prices, bond rates and currencies. It can be shown in absolute or relative terms and can be forward-looking (ex ante) or backward-looking (ex post). Common ways to measure fund-level risk include volatility, value at risk (VaR), tracking error, sensitivity analysis and stress tests. AP3 monitors market risk on a daily basis, both at a general level and for individual mandates, using the VaR metric, different types of stress test and sensitivity analysis. Market risk is the main risk attached to the AP3 portfolio. By managing risk within specific limits, the Fund generates investment returns.

Credit risk is the general risk of incurring a loss due to the failure of a counterparty in a financial transaction to meet repayment obligations. It can be divided into issuer risk, counterparty risk and settlement risk.

Issuer risk is the risk that the issuer of a financial security will default and be unable to meet repayment obligations on the maturity date. AP3 limits issuer risk by working within set limits for total credit risk in the portfolio. The Fund uses tools such as credit ratings to limit the exposure of specific mandates to specific issuers. The risk management committee regularly reviews risk relating to specific issuers and groups of issuers.

Counterparty risk is the risk of a party to a transaction being unable to fulfil obligations under a bilateral financial contract such as a derivative or currency transaction, deposit or buyback. AP3 actively seeks to minimise counterparty risk by selecting counterparties with a good credit rating. AP3 also requires counterparties to sign ISDA agreements with AP3 that regulate how receivables and liabilities are to be managed if either counterparty can no longer fulfil its commitments. The Fund also insists on a CSA agreement, under which counterparties with an outstanding liability agree to provide collateral in cash or securities.

Settlement risk arises when transactions are settled but the parties do not fulfil their commitments simultaneously. Where possible, AP3 eliminates delivery risks on currency transactions through CLS, a system that permits simultaneous settlement of transactions through an independent third party.

Liquidity risk is the risk that AP3 cannot make intended or necessary changes in the portfolio structure without incurring excessive transaction costs. Generally speaking, the Fund’s most liquid assets are equities and government bonds with a high credit rating. Corporate bonds, unlisted equities and real estate are usually less liquid. AP3 manages liquidity risk via a balanced mix of asset types with both high and low liquidity. For refinancing risk, the Fund monitors future payment obligations versus available liquidity to minimise the risk of excessive financing costs.

General risk analysis

AP3 bases effective risk management on an annual analysis of the Fund’s total risk. The analysis report sets a framework for identifying and measuring risk in all areas and for making it possible to act to reduce risk as and when appropriate. Executive management is responsible for the Fund’s risk analysis, which is based on self-assessment and seeks to promote high risk awareness and a prudent approach to risk throughout the organisation. The Fund uses the risk analysis when drawing up operating and resource plans for the coming year. The risk analysis report and action plans are submitted to the audit committee and board of directors every year.

The Fund’s risks are categorised in the following areas:

  • Enterprise level risk – Risks relating to AP3’s mission, objectives and administration.
  • Financial risk – Financial risks arising from investing activities.
  • Operational risk – Risks relating to processes, systems, human resources, laws and regulatory compliance.

A probability and consequence are assigned to each risk identified in each category. The consequence may be financial, reputational or require extra work.