Risk and Security Management

The risk and security organization of SIX helps employees to identify internal and external threats, evaluate them correctly and react to them appropriately. The aim is to ensure the long-term stability and security of the company and of the Swiss financial center, and to continue to provide the usual efficient, high-quality services.

Our risk and security organization applies to the entire company. The Risk, Security and Compliance unit, led by the Chief Risk Officer (CRO), defines areas of responsibility, methods, processes and reporting for risks at SIX. At the same time, the team acts as the second line of defense in a "three lines of defense" model, which has become standard practice in the financial sector.

The risk and security organization at SIX is optimized on an ongoing basis. SIX thus actively ensures that its risk management is fully in keeping with its own business model and also complies entirely with external requirements, particularly regulatory measures. In 2017, SIX therefore embedded its risk management organization even deeper within the company, expanding the security functions and employing more staff. 

Legal supports the first line of defense in the observance and monitoring of legal, regulatory and internal provisions, advises on all legal issues, regulates legal disputes and is the central coordinator for authority contacts. Public & Regulatory Affairs identifies and classifies relevant legislative and regulatory developments at an early stage in order to ensure the company is informed about external changes. It also represents the interests of SIX in the public political arena. Both departments form part of the first line of defense.

  1. First line of defense
    The first line of defense is to be found in the business units. It is at this level that employees need to recognize risks and weigh them up appropriately in their day-to-day work.  
  2. Second line of defense
    The uniform Group-wide risk and security organization forms the second line of defense. It assists and supports the first line with the monitoring and control of critical topics. The team handles the reporting of financial and non-financial risks, risk analyses and the central insurance portfolio.
  3. Third line of defense
    The Board of Directors and the internal and external auditors constitute the third line of defense. They are responsible for independently monitoring and controlling the risks faced by SIX. At the same time they monitor the internal organization of risk management.

Risk Types

Financial risks at SIX include financial market risks such as defaults, liquidity shortages or market price and exchange rate fluctuations. Non-financial risks cover strategic and operational risks including IT and security risks, project risks and legal and compliance risks. The latter are monitored at SIX by the Legal and Compliance departments and integrated into an overall picture of the risk situation at SIX in close collaboration with the Risk Management department.

Risk Appetite

The framework for risk management at SIX clearly and uniformly defines the risk appetite of SIX and its business units. The Risk department proposes limits for risk appetite and risk tolerance at SIX, monitors compliance with the defined thresholds and shows how the company’s risk profile changes over time. Ensuring compliance with the defined risk appetite and fostering an open dialog on risk-related issues at all levels are intrinsic elements of the risk culture at SIX.