The SBCI aims to manage risk in an informed and proactive manner, in accordance with its Risk Management Policy and Framework and its Risk Appetite Statement, such that the level of risk is consistent with the underlying business activity, and that the SBCI understands and is able to manage or absorb the impact of a risk in the event that it materialises. The SBCI complies with the risk management provisions of the Code of Practice for the Governance of State Bodies

The Board reviewed the Risk Register in 2016, and receives a risk management update of high and emerging risks as part of each CEO Report.

Roles and Responsibilities

The Board is responsible for setting the risk appetite, overseeing and guiding risk management activity across the SBCI. The Board has mandated that risk management be integrated and embedded into the tone and culture of the SBCI.

The Audit and Risk Committee is responsible for overseeing the implementation of the SBCI Risk Management Policy and Framework and ensuring that the SBCI’s risk management governance model provides appropriate levels of independence and challenge. The Audit and Risk Committee reports to the Board.

Three Lines of Defence

The SBCI’s Risk Management Policy and Framework is predicated on the three-lines-of-defence model. Within this model, the SBCI team and management (the first line) incur and own the risks, while the SBCI Risk function and other control functions (the second line) provide independent oversight and objective challenge to the first line of defence, and provide risk monitoring and reporting. The Internal Audit function (the third line) provides independent, reasonable, risk-based assurance to key stakeholders on the robustness of the SBCI risk management system, governance and the design and operating effectiveness of the internal control environment.

Audit

In accordance with statutory requirements, the SBCI is audited by the Comptroller and Auditor General. The SBCI’s internal audit process is managed by the NTMA Internal Audit function and includes an external firm, currently KPMG, appointed to carry out internal audit work reporting to the NTMA Head of Internal Audit.

Principal Risks and Uncertainties

The SBCI is exposed to a wide variety of risks which have the potential to affect the financial and operational performance of the SBCI. The Risk Management Policy and Framework establishes the processes to identify, assess, evaluate, report and mitigate risk. The SBCI has identified the following principal risks and uncertainties which may adversely affect the achievement of its objectives.

Strategic Risk

The SBCI relies on demand from on-lenders and SMEs in order to meet its key strategic objective of providing additional credit to SMEs in Ireland, and in order to achieve financial sustainability. Should it fail to structure its products appropriately and deploy an appropriate strategy for delivering these, there is a risk that on-lenders will not participate as envisaged and SMEs will not avail of the offered products.

Credit Risk

The SBCI is exposed to the risk that a borrowing counterparty defaults on its obligations and fails to repay its debt in full, resulting in losses to the SBCI. The SBCI’s primary credit risk exposure is to the on-lenders to which it lends. However, in 2017, the SBCI will assume some credit risk exposure, on a limited basis, to the final beneficiary SMEs whose loans are covered by guarantees issued by the SBCI to on-lenders.

Operational Risk

The SBCI is exposed to a broad range of operational risks arising from the people, systems and processes involved in meeting its objectives. Key operational risks include systems failures, process errors, over reliance on key individuals, failure to follow procedures, reporting errors, which could ultimately result in the SBCI failing to meet its objectives and significant reputational damage.

Resourcing Risk

The SBCI is a small organisation that relies on skilled specialist professionals to meet its statutory objectives. There is a risk that the SBCI is not adequately resourced with the appropriate experience and expertise, resulting in failure to achieve its objectives.