I. Introduction

On March 31, 2022, ICE Clear Europe Limited (“ICE Clear Europe”) filed with the Securities and Exchange Commission (“Commission”), pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 (the “Act”) ^[1] and Rule 19b-4 thereunder,^[2] a proposed rule change to amend its Operational Risk Management Policy (the “ORMP”) and add to ICE Clear Europe's rule framework the Risk Identification Framework (the “RIF”). The proposed rule change was published for comment in the Federal Register on April 14, 2022.^[3] The Commission did not receive comments regarding the proposed rule change. For the reasons discussed below, the Commission is approving the proposed rule change.

II. Description of the Proposed Rule Change

i. ORMP

The current ORMP describes ICE Clear Europe's process for identifying, assessing, managing, monitoring, and reporting operational risks and requires that ICE Clear Europe assess its operational risks at least annually.^[4] The proposed rule change would maintain the overall process as found in the current ORMP but revise the description of the specific steps that makeup the overall process—generally by incorporating into the ORMP additional detail regarding current practices relating to those steps—and modify certain aspects of some of those steps.

First, the proposed rule change would explicitly incorporate into the ORMP ICE Clear Europe's Enterprise Risk Register, which ICE Clear Europe also refers to as the Risk Register Dashboard (referred to herein as the “Risk Dashboard”). Currently, once ICE Clear Europe identifies operational risks pursuant to the existing ORMP, it documents those risks in the Risk Dashboard. The Risk Dashboard therefore serves as an inventory of the specific operational risks that ICE Clear Europe has identified as part of its existing risk identification process under the ORMP. The Risk Dashboard also includes information about, among other things, the ICE Clear Europe department that owns the risk (the “Risk Owner”), the level of inherent risk, and the overall rating for the control that mitigates each risk. However, while the Risk Dashboard currently is used as part of ICE Clear Europe's risk identification process under the ORMP, it is not actually referenced in the ORMP. The proposed rule change would formally incorporate the Risk Dashboard into the ORMP and include it as an appendix to the ORMP. The proposed rule change also would add to the ORMP a description of the process for reviewing and updating the Risk Register as part of ICE Clear Europe's existing annual assessment of its operational risks, thereby formalizing that process as a requirement under the ORMP.

The current ORMP requires that Risk Owners complete the risk identification process at least once a year and specifies that this process shall not only allow the Start Printed Page 33859 identification of new risks but also the discontinuation of those that no longer exist. It also specifies that if risks emerge or cease to exist in between the annual reviews, ad hoc assessments shall be triggered, which necessarily implies that risks must be identified more frequently than annually as needed to determine whether risks emerge or cease to exist in between annual reviews. The revised ORMP would continue to require that Risk Owners complete the risk identification process at least once a year, but explicitly require that the risk identification process be completed more frequently than annually as needed to reflect material risk changes, such as operational risk incidents. The revised ORMP also would explicitly acknowledge that this process would allow ICE Clear Europe to identify new risks and discontinue documenting risks that no longer exist.

With respect to the assessment of risks, the current ORMP requires that Risk Owners measure the potential impact of identified risks and categorize this potential impact by severity and likelihood. Risk Owners also consider the effect of controls on reducing the potential impact of identified risks. The risk remaining after considering the reduction caused by a control is the residual risk. The current ORMP treats residual risk as an assessment of the effectiveness of a control in reducing the potential impact of a risk. The revised ORMP would maintain the same general framework for risk assessment as currently used, but would provide additional detail with respect to controls and the assessment of their effectiveness. Under the current ORMP, Risk Owners musts assess risks on a controlled and uncontrolled basis and must consider whether existing control mechanisms should be enhanced, substituted, or abandoned. ICE Clear Europe proposes to continue requiring such assessments, but to elaborate on the process by focusing discussion in the ORMP on inherent risk versus residual risk. Under the revised ORMP, Risk Owners would consider each risk on an inherent basis (without taking into account the reduction caused by mitigating controls) and on a residual basis (taking into account the reduction caused by mitigating controls). Risk Owners would rate each inherent and residual risk on a five-point scale—very low, low, medium, high, or very high. As part of this process, Risk Owners also would rate the mitigation that each control is expected to provide as high/medium/low and the effectiveness of each control as satisfactory/needs improvement/unsatisfactory. Risk Owners would derive the effectiveness of a control from a number of measures, such as control testing, metrics, and governance. The revised ORMP would require Risk Owners to perform the risk assessment and related control assessment at least once a year or more frequently as needed to reflect material risk changes, such as operational risk incidents.

The current ORMP makes Risk Owners responsible for proposing and implementing remedial actions to manage risks, subject to the approval of the Executive Risk Committee. Further, the type of remedial action depends on the potential expected impact of the operational risk and is implemented following the risk assessments or control assessments. The revised ORMP would similarly require Risk Owners to propose and implement remedial actions, but they also would be required to take into account the expected impact of mitigating controls and further remediating actions would be explicitly required for any residual risks assessed as high or very high. In addition, rather than being subject solely to the approval of the Executive Risk Committee, the revised ORMP would require any proposed remedial actions to be immediately escalated to Senior Management and applicable Risk Committees or the ICE Clear Europe Board.

The monitoring of risks under the revised ORMP would be generally the same as under the current ORMP. The current ORMP requires that Risk Owners and the Risk Oversight Department continuously monitor risks, including daily monitoring through the use of certain indicators. The revised ORMP similarly would require that Risk Owners and the Risk Oversight Department continuously monitor risks, but would specify that such monitoring should be ongoing monitoring (not just daily), in order to clarify that monitoring should be continuous and not just once a day. This particular change could be beneficial if, for example, under the current daily monitoring ICE Clear Europe conducts monitoring at a single specific time during the day and the risk emerges after that time. Moreover, the current ORMP requires that the Risk Oversight Department monitor risks daily through the Risk Appetite Metrics and the Management Thresholds. The revised ORMP would likewise require the Risk Oversight Department to conduct such monitoring, but it would specify that the monitoring would be either daily or monthly given that some metrics and thresholds are considered monthly and others are considered daily. ICE Clear Europe calculates some existing risk metrics on a monthly basis, so specifying monthly monitoring here would take into account these metrics while maintaining daily monitoring for the existing daily metrics.

The current ORMP requires assessments and operational incidents to be reported to senior management, the Audit Committee, and the Board Risk Committee, and further provides that the Board Risk Committee and Board shall be informed of material incidents. The review and assessment of operational incidents is part of ICE Clear Europe's second line risk function, therefore the revised ORMP would require that assessments and operational incidents be reported to senior management and the Board Risk Committee, but it would replace the Audit Committee, which is part of ICE Clear Europe's third line of risk defense with the Executive Risk Committee, which is part of its second line of defense, thereby aligning the risk function with its appropriate line of defense. The Commission further notes that given at least one member of the Audit Committee is also a member of the Board Risk Committee, this member could share information related to operational risk with the Audit Committee as needed.^[5]

The requirement that the Board Risk Committee and Board be informed of material incidents would not change. The current ORMP also specifies that the Product Risk Committees and the Executive Risk Committees will receive information related to operational risk. The revised ORMP would require that the Risk Oversight Department report operational risks daily and monthly to senior management and the Executive Risk Committee. Thus, the revised ORMP would specify that the Risk Oversight Department would report this information, and would not include any role for Product Risk Committees. The Commission notes that although the revised ORMP would remove the Product Risk Committees, the CDS Product Risk Committee includes as a member either the ICE Clear Europe President or the Head of First Line Clearing Risk, and that the President and the Head of First Line Clearing Risk are both voting members of the Executive Risk Committee. Given that, the Commission believes that the President or Head of First Line Clearing Risk could share information related to Start Printed Page 33860 operational risk with the CDS Product Risk Committee as needed.^[6]

The revised ORMP would require that the Executive Risk Committee approve changes in the Risk Dashboard at each monthly meeting and report those changes to Board Risk Committee and Board. Although the proposed rule change would add this language to the ORMP (it is not stated in the current ORMP), this requirement is currently found in the Risk Identification Framework, as discussed below.

With respect to the oversight of the ORMP itself, currently the policy provides that it is subject to the oversight of the Audit Committee and Risk Oversight Department. The proposed rule change would remove the Audit Committee, such that the revised ORMP would only be subject to the oversight of the Risk Oversight Department, thereby aligning the risk function with its appropriate line of defense, as discussed above.

Finally, the proposed rule change would correct typographical errors throughout the ORMP. The proposed rule change also would update the appendices to the ORMP by adding descriptive titles to the appendices. For example, the proposed rule change would specify that Appendix A is the Risk Dashboard. The proposed rule change also would explain the numerical scores attached to the assessment guidelines in Appendix C.

ii. Risk Identification Framework

ICE Clear Europe has had its current Risk Identification Framework in place since 2016 but has not yet adopted it through the Commission's proposed rule change process. The proposed rule change would formally adopt the RIF as a Rule of ICE Clear Europe without change to the current document.

As described in Section 1, the RIF provides ICE Clear Europe's Board with a structure to explore, identify, and monitor risks as well as ensure that risk tolerance is articulated and documented. It does this by providing a description of the components of ICE Clear Europe's operational risk management process.

Section 2 of the RIF describes four components of this structure: the risk taxonomy, the Risk Dashboard, risk assessment, and emerging risk assessment. The Risk Taxonomy, which is a single universal risk structure, terminology, and hierarchy, is incorporated into the Risk Dashboard, which, as noted above, inventories ICE Clear Europe's risks and assigns an owner for each risk. The RIF requires that the Enterprise Risk Committee approve changes to the Risk Dashboard monthly and report them to the Board Risk Committee. With respect to the risk assessment, the RIF refers to the details provided in the ORMP, as described above. Finally, with the respect to the emerging risk assessment, the RIF also describes how ICE Clear Europe assesses emerging risks, which are potential, undefined, or unfamiliar one-off risk events that may have a detrimental impact on ICE Clear Europe. ICE Clear Europe does so through a special emerging risk assessment and a register of emerging risk, which is presented to the Board and certain board committees.

Section 3 of the RIF describes the documentation ownership and governance processes in respect of the RIF itself. The Chief Risk Officer owns the RIF, and the Executive Risk Committee and Board must approve any material changes. The Executive Risk Committee and Board review the Risk Identification Framework annually.

Finally, the RIF contains appendices like those found in the ORMP, including the Risk Dashboard and impact assessment guidelines.

III. Discussion and Commission Findings

Section 19(b)(2)(C) of the Act directs the Commission to approve a proposed rule change of a self-regulatory organization if it finds that such proposed rule change is consistent with the requirements of the Act and the rules and regulations thereunder applicable to such organization.^[7] For the reasons discussed below, the Commission finds that the proposed rule change is consistent with Section 17A(b)(3)(F) of the Act ^[8] and Rules 17Ad-22(e)(2)(v) and 17Ad-22(e)(17) thereunder.^[9]

i. Consistency With Section 17A(b)(3)(F) of the Act

Section 17A(b)(3)(F) of the Act requires, among other things, that the rules of ICE Clear Europe be designed to promote the prompt and accurate clearance and settlement of securities transactions and, to the extent applicable, derivative agreements, contracts, and transactions.^[10] Based on its review of the record, and for the reasons discussed below, the Commission believes the proposed changes to the ORMP and the formalization of the RIF are consistent with the promotion of the prompt and accurate clearance and settlement of securities transactions.

The Commission believes that the proposed rule change would improve ICE Clear Europe's process for identifying, assessing, managing, monitoring, and reporting operational risks. It would do so, for example, by revising the description of the risk identification process in the ORMP to include the Risk Dashboard and by including the Risk Dashboard itself as an appendix to the ORMP and to the RIF. Because the Risk Dashboard documents all of ICE Clear Europe's identified operational risks, the Commission believes that adding Risk Dashboard as appendix to the ORMP and RIF would help to ensure that Risk Owners focus on identifying new, undocumented operational risks by delineating ICE Clear Europe's existing, known risks.

Similarly, the Commission believes that the revisions to the ORMP could improve ICE Clear Europe's overall ability to assess the potential impact of operational risks. For example, the requirement that Risk Owners consider and rate each risk on an inherent and a residual basis should help identify the impact of a risk with and without a mitigating control. The Commission believes such an assessment could highlight the impact that could result from the failure of a mitigating control. This assessment in turn could inform Risk Owners' ratings of the effectiveness of mitigating controls and efforts to improve ineffective controls. Overall, the Commission believes that the focus on mitigating controls and their effectiveness would help to ensure that ICE Clear Europe maintains controls that are effective at mitigating operational risk. Finally, requiring Risk Owners to perform the risk assessment and related control assessment at least once a year or more frequently as needed to reflect material risk changes, instead of ad hoc assessments if risks emerge or cease to exist in-between the annual reviews, should help to ensure that ICE Clear Europe timely identifies any issues with respect to the effectiveness of its controls.

The Commission further believes that revising the ORMP to focus on the management of residual risks would improve ICE Clear Europe's ability to manage its operational risks. Because ICE Clear Europe has controls in place to mitigate the potential impact of its operational risks, the Commission considers it appropriate to focus ICE Clear Europe's efforts on maintaining Start Printed Page 33861 the effectiveness of those controls (as discussed above) and the management of the residual risk remaining after accounting for the mitigating controls. The Commission believes that requiring remediating actions for any residual risks assessed as high or very high should help to ensure that ICE Clear Europe manages those residual risks that have a significant impact on ICE Clear Europe's operations. The Commission further believes that requiring that any proposed remedial actions be escalated to Senior Management and applicable Risk Committees or the ICE Clear Europe Board, as opposed to just being approved by the Executive Risk Committee, would help to ensure that appropriate ICE Clear Europe personnel, including Board-level committees, are informed and involved in the management of residual risks.

Finally, the Commission believes that the proposed monitoring and reporting of risks under the revised ORMP would help to ensure that ICE Clear Europe appropriately monitors its operational risks. For example, requiring ongoing monitoring (not just daily) should help to ensure that such monitoring is conducted on an ongoing basis, and not just once a day. As discussed above, this particular change could be beneficial if, for example, under the current daily monitoring ICE Clear Europe conducts monitoring at a single specific time during the day and the risk emerges after that time.

Similarly, requiring monitoring daily or monthly (not just daily) through the Risk Appetite Metrics and the Management Thresholds should help to ensure the inclusion of those metrics and thresholds that are only considered monthly. As discussed above, ICE Clear Europe calculates some existing risk metrics on a monthly basis, so specifying monthly monitoring would take into account these metrics while maintaining daily monitoring for the existing daily metrics. The Commission believes this change would make the ORMP more specific in this regard, thereby making its application by ICE Clear Europe more consistent and clear.

As discussed above, the current ORMP requires assessments and operational incidents to be reported to senior management, the Audit Committee, and the Board Risk Committee, and further provides that the Board Risk Committee and Board shall be informed of material incidents. The revised ORMP similarly would require regular reporting to senior management, the Board Risk Committee, and the Executive Risk Committee. The Commission believes that such reporting should help to ensure that appropriate decision-makers are involved in management of operational risk and able to respond as need to any incidents involving operational risk.

As discussed above, the RIF helps to provide ICE Clear Europe's Board with information on ICE Clear Europe's operational risk management process. The Commission believes that codifying the RIF as part of ICE Clear Europe's rule requirements should help to ensure that the Board has a permanent framework for providing input on the operational risk management process. The Commission believes that the Board's input could, in turn, improve ICE Clear Europe's operational risk management. For example, given the experience of Board members and their vantage point overseeing all of ICE Clear Europe, Board members may be able to offer improvements to mitigating controls.

For these reasons, the Commission believes the proposed rule change would improve the ORMP and the RIF. As discussed above, ICE Clear Europe uses the ORMP and the RIF to manage its operational risk. The Commission therefore believes that these improvements to the ORMP and the RIF should in turn improve ICE Clear Europe's overall management of its operational risks. Improved management of operational risks should, in turn, decrease the likelihood that operational incidents disrupt ICE Clear Europe's ability to promptly and accurately clear and settle securities transactions. The Commission believes therefore the proposed rule change should enhance ICE Clear Europe's ability to promptly and accurately clear and settle securities transactions, consistent with Section 17A(b)(3)(F) of the Act.^[11]

ii. Consistency With Rule 17Ad-22(e)(2)(v)

Rule 17Ad-22(e)(2)(v) requires that ICE Clear Europe establish, implement, maintain and enforce written policies and procedures reasonably designed to provide for governance arrangements that, among other things, specify clear and direct lines of responsibility.^[12]

As discussed above, the current ORMP requires assessments and operational incidents to be reported to senior management, the Audit Committee, and the Board Risk Committee, and further provides that the Board Risk Committee and Board shall be informed of material incidents. The revised ORMP would require that assessments and operational incidents be reported to senior management and the Board Risk Committee, but it would replace the Audit Committee with the Executive Risk Committee. The requirement that the Board Risk Committee and Board be informed of material incidents would not change. The Commission believes replacing the Audit Committee with the Executive Risk Committee would specify a clear and direct line of responsibility for the Executive Risk Committee. The Commission further notes that although the revised ORMP would remove the Audit Committee, given that at least one member of the Audit Committee is also a member of the Board Risk Committee, the Commission believes that this member could share information related to operational risk with the Audit Committee as needed.^[13]

Moreover, as discussed above, the current ORMP also specifies that the Product Risk Committees and the Executive Risk Committees will receive information related to operational risk. The revised ORMP would require that the Risk Oversight Department report operational risks daily and monthly to senior management and the Executive Risk Committee. Thus, the revised ORMP would specify that the Risk Oversight Department would report this information, and the revised ORMP would not include any role for Product Risk Committees. The Commission believes this change would specify a clear and direct line of responsibility for the Risk Oversight Department. The Commission further notes that although the revised ORMP would remove the Product Risk Committees, the CDS Product Risk Committee includes as a member either the ICE Clear Europe President or the Head of First Line Clearing Risk, and that the President and the Head of First Line Clearing Risk are both voting members of the Executive Risk Committee. Given that, the Commission believes that the President or Head of First Line Clearing Risk could share information related to operational risk with the CDS Product Risk Committee as needed.^[14]

The revised ORMP also would require that the Executive Risk Committee approve changes in the Risk Dashboard at each monthly meeting and report Start Printed Page 33862 those changes to the Board Risk Committee and Board. The Commission believes that adding this language to the ORMP (it is not stated in the current ORMP but is part of the RIF), would specify a clear and direct line of responsibility for the Executive Risk Committee.

Finally, with respect to the oversight of the ORMP itself, currently the policy provides that it is subject to the oversight of the Audit Committee and Risk Oversight Department. The proposed rule change would remove the Audit Committee, such that the revised ORMP would only be subject to the oversight of the Risk Oversight Department. The Commission believes this change would specify a clear and direct line of responsibility for the Risk Oversight Department, in accordance with the appropriate line of risk defense, as discussed above.

Therefore, the Commission finds that the proposed rule change is consistent with Rule 17Ad-22(e)(2)(v).^[15]

iii. Consistency With Rule 17Ad-22(e)(17)

Rule 17Ad-22(e)(17) requires that ICE Clear Europe establish, implement, maintain and enforce written policies and procedures reasonably designed to manage its operational risks by, among other things, identifying the plausible sources of operational risk, both internal and external, and mitigating their impact through the use of appropriate systems, policies, procedures, and controls.^[16] The Commission believes that the revised ORMP should improve ICE Clear Europe's ability to manage operational risk by identifying the plausible sources of operational risk at ICE Clear Europe. For example, the revised ORMP would include the Risk Dashboard as an appendix, and similarly the RIF includes the Risk Dashboard as an appendix. Because the Risk Dashboard documents all of ICE Clear Europe's identified operational risks, the Commission believes that adding it formally as an appendix to the ORMP would help to ensure that Risk Owners focus on identifying new, undocumented operational risks by delineating those risks that ICE Clear Europe already knows of and has identified.

Similarly, the Commission believes that the revised ORMP should improve ICE Clear Europe's ability to manage operational risk by mitigating the impact of operational risk through the use of appropriate controls. For example, the revised ORMP would provide additional detail with respect to controls and the assessment of their effectiveness, including how Risk Owners would rate the effectiveness of controls. The Commission believes that doing so could help identify and improve controls that could mitigate the impact of operational risks.

Therefore, the Commission finds that the proposed rule change is consistent with Rule 17Ad-22(e)(17).^[17]

IV. Conclusion

On the basis of the foregoing, the Commission finds that the proposed rule change is consistent with the requirements of the Act, and in particular, with the requirements of Section 17A(b)(3)(F) of the Act ^[18] and Rules 17Ad-22(e)(2)(v) and 17Ad-22(e)(17) thereunder.^[19]

It is therefore ordered pursuant to Section 19(b)(2) of the Act ^[20] that the proposed rule change (SR-ICEEU-2022-008) be, and hereby is, approved.^[21]

Footnotes