General - Risk management environment
A major consideration of the Athens Exchange Group (Group) is the management of risk that arises from international developments in the sector, its business activities and its business operation. The description of the risk management system is published in the Group's annual and half-yearly Financial Report.
The Group, as operator of the capital market, has developed a framework for managing the risks to which it is exposed, ensuring its viability and development, and contributing to the stability and security of the capital market. Risk management is recognized as part of its supervisory functions which, together with the regulatory compliance system, form the second level of defense of the organization.
In particular, Athens Exchange Clearing House (ATHEXClear), a 100% subsidiary of ATHEX, operates as a Central Counterparty (CCP) for clearing cash and derivative markets products and, as such, is obliged to satisfy the strict requirements of the current regulatory framework EMIR (European Market Infrastructure Regulation) concerning risk management, in accordance with which it has been licensed since 2015.
In addition, Hellenic Central Securities Depository (ATHEXCSD), a 100% subsidiary of ATHEX, follows the particularly extensive requirements of the CSDR (Central Securities Depositories Regulation) framework, under which it has been operating since April 2021.
Finally, in the parent company ATHEX, the risk management system operates effectively, coordinating the actions and priorities of all Group companies at the level of Board of Directors' committees, protecting the interests of shareholders from risks to which ATHEX and its subsidiaries are exposed, through a single framework that combines the highest requirements of regulatory frameworks and international best practices.
Risk Strategy and Risk Management
The risk strategy of the Group is aligned with its business strategy to provide the appropriate infrastructure for the reliable, secure and continuous operation of the capital market. In accordance with the strategy of the Group, the risk appetite level is set in order to correspond with the capital adequacy of the companies of the Group, satisfy the needs of the market, contain costs for participants, and maximize the exploitation of business opportunities, while also ensuring market security and compliance with regulatory requirements.
In particular, the Group monitors risks and assesses their riskiness at two levels: the management level and the operational level. Alignment of the risk management strategy with the Group's business strategy is achieved, among other things, through the Enterprise Risk Management system, which supports the planning and monitoring of risk mitigation actions, aligning them with the development actions and objectives for the year, as included in the relevant budget.
Organizational structure
The risk management system is managed through the risk management committees of each company of the Group, while coordination for the alignment of risk management strategy, risk appetite and the prioritization of risk areas, where efforts to improve the control environment are focused, is ensured by the joint chairmanship of the three committees of the three companies and the common framework and policies adopted by the companies.
The operational structure of the organization follows the three lines of defense model, establishing the intermediate line between the first and the second line of defense, especially for the business continuity systems (BCP), information security (DPO) and information systems security (ISO). It supports the second line of defense with an independent organic unit, the Risk Management Unit, ensuring the independence of internal audit in the third line of defense.
Besides the comprehensive measures for ensuring the smooth operation of the systems of the Group, each organizational unit of the Group is responsible for monitoring and managing the sources of risk related to its activity and scope of competence in such a way as to react immediately and effectively in case of occurrence of events or incidents, carry out the analysis of key objections and introduce or improve the control environment.
In particular, for each company of the Group separately, the organizational structure that supports risk management includes the following units:
- Board of Directors, which has the final responsibility regarding the risk management function of the company.
- Risk Committee, which advises the Board of Directors on risk management matters.
- Risk Management Department of the Risk Management & Clearing Division of ATHEXClear, which is sufficiently independent from the other functions of the company, and whose main responsibility is the comprehensive approach to the risks that ATHEXClear faces.
- Risk Management Unit of the Group, headed by the Chief Risk Officer of the parent company ATHEX, which is responsible for the efficient and effective operation of risk management, as an oversight mechanism and a prevention mechanism (ex-ante) for failures at the Group.
- Organizational Units which are responsible for identifying and managing risks within their scope and participate in the overall risk management at the Group.
Single risk management
The Group approaches the risk profile map of the organization from two perspectives: the management perspective (top-down) and the business perspective (bottom-up).
Risk management actions from the Top-Down management perspective aim to protect shareholders, trading parties, employees and society at large, from adverse events arising from or enhanced by the Group's activities.
At the management level, risk categories are developed on the basis of four main categories:
- Operating risk
- Regulatory compliance risk
- Business risk
- Financial risk
This management perspective focuses on comparative risk calibration, with the aim of setting the right priorities for risk mitigation actions throughout the organization.
The risk management activities from the operational perspective, Bottom-Up, aim to continuously improve the quality of operations and contribute to the documentation of the risk assessment as reflected in the risk profile of the organization, which is the result of the Top-Down processes.
These processes consist of the following:
- Risk Identification & Risk assessment
- Risk control system (KRIs)
- Risk containment (Controls management)
- Monitoring & reporting risks (Reporting)
Risk management at the management level maps the risks that have been identified and formulates the distribution of their risk in this mapping, in such a way that priority is given to actions with an annual horizon, aimed at mitigating and controlling these risks. In 2023, priority has been given to risks related to cyber risk, the modernization of information systems and software development technology and risks related to the Group's commercial operations. The actions to mitigate risks related to human resources issues launched in 2022 have improved the control environment and downgraded these risks in relation to the risk allocation as formulated for 2023.
At the same time, risk management at the operational level motivates the organization to improve the quality of the services provided and the safe and smooth execution of the functions that support them. In 2023, emphasis has been placed on the analysis of the data collected and the adoption of actions by the individual units of the organization to implement the recommendations for improving the functioning of the institutional services of the companies of the Group.
Risk categories
The Group ensures that it deals with all risks, internal or external, present or future, and especially those that have been recognized as significant. It is recognized that each service provided by the Group can expose it to any combination of the risks mentioned below.
The usual risks to which the Group may be exposed, due to the nature of its activities, are:
Operational Risk
Risk of loss resulting from inadequate or failed internal processes, people and systems or from external events, including legal risk. Risk corresponding to the security of the IT systems, as in the majority of companies, is now becoming very important, and appropriate measures to contain it are being taken.
Regulatory compliance risk
Risk due to inadequate or ineffective adoption of the provisions of the regulatory and legal frameworks governing the operations of the companies of the Group. Risks related to conflicts of interest and biased decision-making, deviations from the code of conduct and neutrality in supporting market participants.
Business Risk
Risk assumed by the Group in selecting, designing and implementing development projects, partnerships, innovative services and other commercial activities, as well as risks arising from communication and publicity and the organization's performance in meeting its sustainable development objectives.
Financial Risk
Liquidity and capital adequacy risk, accounting and tax compliance risks, forecasting, budgeting and controlling its execution, credit and other financial risks. Specifically, for the management of the ATHEXClear subsidiary, the following risks are monitored by a dedicated unit for the specific subsidiary, according to the EMIR regulation:
- Counterparty risk (credit risk arising from the default on the clearing obligations by one or more clearing member counterparties).
- Market risk (changes in exchange rates, interest rates, market prices, commodities and volatility), mainly as a result of the occurrence of counterparty risk.
- Credit risk (mainly from equity investments).
- Liquidity risk (mainly cash flow risk), mainly as a result of the occurrence of counterparty risk.
The Group, and in particular the parent company ATHEX, monitors the risk of its participation in the two individual subsidiaries, as well as, of course, in its other participations in third companies, and reflects the risk appetite. The level of risk that the parent company ATHEX therefore assumes from the operation of the subsidiary ATHEXClear in its role as a central counterparty of the market, is clearly documented in the risk management of the parent company and is completely within its ability to absorb it without impacting its operation and its economic value.
Description of main risk factors
The Group recognizes that the appearance of systemic risk depends on macroeconomic developments and is affected by external events such as changes in the competitive capital markets environment, changes in the international and domestic economic environment, legal and regulatory developments, changes in taxation policy and in technology etc. Such events may impact the growth and sustainability of the Group, causing a reduction in trading activity, a drop in expected earnings, inability to liquidate and/or asset impairment etc.
In this context, the Group continually and systematically monitors developments and adapts to the environment and calculates on an annual basis its capital requirements for business risk.
The Group also recognizes the risks associated with the changing business environment and the speed of developments in the digital operating environment, both in relation to the skills and development of its human resources, as well as in relation to the modernization of the services provided. It has given special emphasis to its digital transformation strategy and the modernization of the environment for the development and operation of its infrastructure.
Operational risk
Operational risk is maintained at acceptable levels, through a combination of good corporate governance and risk management, robust systems and controls. In September 2022, there was an incident of unavailability of transactional activity, the root causes of which were identified across the full range of impacts and all necessary actions were implemented to radically resolve them. There were no instances of delay in the completion of the securities and derivatives trade clearing process.
Measures to reduce operational risk
The Group, as an operating infrastructure of the capital market, pays particular attention to the assessment, monitoring and reduction of operational risk contained in its operations and activities, as well as the need to maintain sufficient capital in order to be able to deal with this type of risk.
Business continuity plan
The Group has developed and put into operation an appropriate infrastructure and a disaster recovery plan, and it has received and maintains its certification in accordance with the international business continuity standard ISO-22301. These include:
- Operation of an active Disaster Recovery Site: The Group maintains a disaster recovery site for its IT systems. The alternative IT site is located in a geographically remote area, is active and operates in addition to the main IT site, ensuring systems backup, increased availability and balancing of computational requirements.
- Formation of crisis management teams and emergency incident management: The purpose of these teams is to maintain continuity in the provision of trading services in case of an unforeseen event. They have been assigned specific responsibilities and specially trained Group staff have been assigned to them.
The above are systematically tested in different adverse scenarios in order to ensure the operational resilience of the organization.
Information security and cybersecurity
The Group has put into operation, within the Technology Division and under the supervision of the Risk Management Unit, all measures to protect systems and information from cyberattacks or intentional and unintentional leakage of information, in accordance with ISO 27001 standards.
Other risk categories
The Group is exposed to a limited extent to market risk resulting from its activities. In each case, the Group monitors the potential exposure that may result in market risk and calculates any capital that it must maintain against market risk in accordance with the capital adequacy methodology that it applies.
The Group faces credit risk both from equity investments as well as from client balances. As part of its Investment Policy, specific principles are defined for cash deposit arrangements. Cash deposit arrangements are with the four systemic banks of the country, in approximately equal amounts, minimizing the level of credit risk.
Short term cash arrangements that do not exceed three months take place at Greek Systemic Banks, in accordance with the Investments Policy set by the management of the ATHEX Group. In particular, out of total cash and cash equivalents of the Group of €60.7m, approximately €46.0m is deposited in Greek systemic banks, and the remaining approximately €14.7m at the Bank of Greece.