ASIC Reports on Review of ASX Group’s Technology Governance and Operational Risk Management Standards

ASIC has today released a report on the recent review of the Australian Securities Exchange Limited (ASX) Group’s technology governance and operational risk management arrangements.

ASX Group’s arrangements for managing operational and technological risk have historically served the Australian market well. Report 592, Review of ASX Group’s technology governance and operational risk management standards, acknowledges this and sets out identified areas for improvement, with recommendations for ASX Group to address them.

The review was conducted with the help of KPMG, and the Reserve Bank of Australia (RBA) also worked closely with ASIC. The review benchmarked ASX Group’s technology governance and operational risk management arrangements against internationally recognised standards. It found ASX Group’s practices were more comparable to those of other global exchanges but lagged behind the better practices in the broader financial services sector.

ASX Group recognises the areas for improvement identified in the review. It is undertaking an extensive work program to implement all of the recommendations and already had improvements in progress in almost half of the identified areas before the review started or before the recommendations were finalised.

ASX Group anticipates a significant component of the action items in this work program will be completed by the end of 2018 and expects all of the recommendations from the review to be fully implemented and embedded within three years.

The program of work that ASX Group is undertaking is being closely supervised by ASIC and the RBA.

Many of the findings and recommendations from this review will be relevant to other financial services sector organisations regulated by ASIC. We encourage the boards and senior management of these other organisations to critically review their own technology governance and operational risk controls and to evaluate this report’s findings and recommendations in the context of their own business.


Following our incident-specific review of the ASX equity market outage in September 2016, we foreshadowed (REP 509) our intention to undertake a more extensive review of ASX Group’s technology governance and operational risk management arrangements, possibly drawing on the expertise of a third party.

At ASIC’s and the RBA’s request, ASX Group tendered for the appointment and selected KPMG for this purpose. As the RBA oversees the stability of clearing and settlement (CS) facilities operating in Australia, with a view to managing systemic risk, the RBA worked closely with ASIC during this review.

ASX Group is the holder of two market licences, one for its securities exchange (ASX Limited) and one for its futures exchange (the ASX 24 market). ASX Group also holds four CS facility licences. These are held by ASX Clear Pty Limited and ASX Settlement Pty Limited, for clearing and settling the cash equities market, as well as by ASX Clear (Futures) Pty Limited and Austraclear Limited.

Under the Corporations Act, ASX Group is required to ensure its securities and futures markets operate in a fair, orderly and transparent way (s792A(a) of the Corporations Act) and that its four licensed CS facilities are fair and effective (s821A(a) of the Corporations Act).

All of its licensed businesses are required to have sufficient resources (including financial, technological and human resources) to operate the market or CS facility properly (s792A(d) and s821A(d) of the Corporations Act).