Enterprise risk management

Our purpose is to secure our members’ future. A key part of this is proactively managing risks and implementing measures to safeguard our members’ investments.
Everyone has a role to play in enterprise risk management and this culture is underpinned by our ‘Three Lines of Defence’ model. The key components of our risk management framework are summarised below.

How we define enterprise risk 

Enterprise risks are any non-investment risks that could impact the achievement of our purpose and strategic goals. Enterprise risks can include strategic, operational, legal and regulatory risks. 

How we manage enterprise risk

We have a comprehensive framework to manage the enterprise risks we face. This framework includes policies, processes, tools and governance arrangements designed to identify, assess, monitor, and manage risk across the business. 

The Railpen Board has primary responsibility for the framework and delegates activities to risk committees.  

Our approach to enterprise risk management is embedded throughout Railpen and consists of the following eight interrelated components:

  1. Governance and culture

Risk governance and culture ensure that everyone understands their roles and responsibilities under our ‘Three Lines of Defence’ risk management model. This is supported by framework, policy and directive documentation and risk committees. 

  2. Strategy and risk appetite alignment

We define risk appetite as the type and amount of risk we are prepared to take in order to achieve our strategic goals and fulfil our purpose. This ensures that enterprise risk management is aligned with our strategic objectives and risk appetite. 

  3. Risk identification

Risks to achieving our purpose, strategic goals or objectives are recorded in our enterprise risk management system. Each is assigned an appropriate owner and then mapped to one of our five principal enterprise risk categories: governance; strategic; operational; legal, conduct and regulatory; and financial.

  4. Risk assessment

We assess how material each risk is to the achievement of our objectives using two criteria: the likelihood of its occurrence and its impact.

  5. Risk response

The materiality assessment drives the response and determines how the risk is prioritised and managed in line with our appetite. 

  6. Internal control

Our robust controls are recorded against identified risks in our enterprise risk management system and appropriately assessed. The adequacy of our controls drives the appropriate level of assurance work. 

  7. Information and reporting

We use several risk monitoring and reporting tools, including risk registers and incident logs. This ensures relevant enterprise risk information is identified, recorded, monitored and reported in a manner and timeframe that enables governing bodies and risk owners to take adequate action to manage their risks. 

  8. Review and revision

Our approach to enterprise risk management continues to evolve to support the ongoing needs of our business and stakeholders, and we commit to at least an annual review of our framework, policy and directive. 
