Risk Management Policy August 2023

1. Purpose and Strategy

The objective of this Risk Management Policy (RMP) is to ensure that we are managing risk to the best of our ability to enable the successful achievement of the Bank's objectives. We do this by implementing an effective risk management framework that is embedded in the Bank's processes and culture. The RMP incorporates the Risk Appetite Statement to guide us on the amount of risk we should be taking.

This RMP applies to the activities of all areas of the Bank and should be read together with the Bank's Risk and Compliance Management Framework.

1.1 Background

The Reserve Bank of Australia (the Bank or RBA) is established by statute as Australia's central bank with broad objectives and extensive powers. The Bank is charged with carrying out the duties of a central bank in the interests of the people of Australia. This obligation is enshrined in legislation and is central to the core values and mission of the organisation.

Fulfilling these duties requires us to manage varying and often significant amounts of risk for the Bank. Those risks related to monetary and payments policy are overseen by the relevant Boards. Operationalising these policies, as well as conducting the Bank’s broader operations, requires consideration and management of risks. For these, specific tolerance levels are established by the Risk Management Committee. Risk appetite categories are included in the RMP, which is approved by the Governor on an annual basis. Guidance is provided through Key Risk Indicators (KRIs), desired behaviours and the appetite level, which are then cascaded throughout the Bank to assist staff in their day-to-day management of risk. This helps ensure that all staff operate within our agreed risk appetite.

We seek to continuously improve our risk management policies and practices and to align our risk management policies and procedures with good practices in comparable organisations.

1.2 Risk Culture

All of our actions related to risk management contribute to the Bank's risk culture, which is defined as the behavioural norms and attitudes related to risk awareness, risk-taking, risk management and controls that shape our decisions on risks. The content of this policy is designed to equip employees with clarity on responsibilities and guidance for managing and taking appropriate risks in a way that contributes to a proactive risk culture.

To support and embed our risk culture, we reflect the risk appetite into our policies and procedures and include risk responsibilities into our governance committees. Therefore, it is important that we both comply with and improve internal policies, processes and procedures.

1.3 Risk Appetite Profile

Figure 1: Risk Appetite Summary
The Bank’s risk appetite summary provides risk categories and plots the degree of risk that the Bank is willing to accept in pursuit of its strategic objectives.

Note: Refer to Table 3 for the description of appetites

We seek to encourage and reward appropriate risk taking in order to achieve our strategic objectives.

We have a ‘High Appetite’ where achievement of our goals within uncertainty requires risk taking. While higher levels of risk for the achievement of our goals may be necessary, we seek the lowest risk that can be achieved. Management of these risks will be guided by the public interest and the Bank's mandate.

We have a ‘Balanced Appetite’ for choosing and implementing strategies where we can balance risk against the outcome. As a public organisation we have a duty to ensure we are maximising our ability to achieve our outcomes and objectives, and this will require balancing the risks of doing something against the risk of missed opportunities.

We have a ‘Limited Appetite’ or ‘No Appetite’ in other areas, which primarily relate to our people, processes and systems. To ensure we continue to provide important services to the Australian public, we need to ensure the risks associated with delivery of these services are managed to ensure the high standards expected of us.

The risks around Policy decisions are managed by the Reserve Bank's two boards, and so the management of these risks sits outside this document. Operationalising policy decisions will, however, generally fit into one of the other broad key risk categories and so management of risks relating to operationalising policy decisions will be guided by this document.

For all our risks, the Bank's values encourage us to use intelligent inquiry to seek and manage risks in the pursuit of the public interest; respectfully challenge how our risk management helps or hinders achievement of our objectives; apply integrity to risk matters; and seek excellence in managing our most critical risks and processes.

Innovation and experimentation are important in meeting our objectives. We take a considered approach to innovation and experimentation, and how we use it to achieve our outcomes.

1.4 Our Roles and Responsibilities

Table 1. Risk Appetite Summary

Role Risk Appetite
The Governor
  • As the accountable authority of the Bank, the Governor has overall responsibility for management of the organisation.
  • Day-to-day management of the various areas in the Bank – including risk management – is delegated to the Deputy Governor, respective Assistant Governors and/or Department Heads.
Reserve Bank Board and Payments System Board
  • The Reserve Bank Board and Payments System Board oversee risks inherent to the Bank's monetary and banking policy, financial stability and payments policy functions.
  • Risks arising directly from the Bank's shareholding in Note Printing Australia Limited (NPA) are also overseen by the Reserve Bank Board, with the operating risks at NPA remaining the responsibility of both the NPA board and its management.
Risk Management Committee (RMC)
  • The RMC oversees the Bank's overall risk management practices (excluding the risks overseen by the Reserve Bank Board and Payments System Board). See RMC Charter for more information.
  • The RMC will request action on, or further investigation of, any risks or practices which may present a current or future gap relative to the Bank’s risk appetite.
Executive Leadership
  • Executive accountabilities for risk are included in the Executive Accountability Framework.
  • Executives are responsible for supporting staff in their areas to meet the requirements of the risk management policy and framework, embedding risk management into the day to day decision making process of their functional areas, and identifying capability and resourcing gaps preventing effective management of risks.
  • Executives are responsible for fostering a safe environment for staff to challenge activities, processes and controls and ensuring that there are no reprisals for staff that do so.
All Staff (including management and contractors)
  • We are responsible for understanding the Bank's risk appetite as it relates to our role requirements, being open and transparent about risk matters, speaking up without hesitation and addressing risk issues in an appropriate and timely manner.
  • We are all responsible for risk management activities including controls and monitoring processes. This includes proactively identifying and discussing improvements in risks and controls, identifying and escalating issues, and where required, implementing and monitoring risk treatments.
  • Follow the Incident Reporting process and report experiences (including ‘near misses’) as this process helps to identify, evaluate and manage risk.
Risk and Compliance Department (RM)
  • RM is headed by the Chief Risk Officer, who has a dual reporting line to the Deputy Governor and the Chair of the Board Audit Committee.
  • RM articulates, reports and advises on the risk management process, risk capability and risk culture, and emerging risks, to support the Risk Management Committee to fulfil its accountabilities, and provides a ‘Line 2’ function for the Bank.
  • RM is responsible for ensuring reliable information on our risk profile, including through reviewing and challenging risk management activities and assessments of risk by the first line, who will support timely access to the required information. RM will notify the Governor of any significant breach of the risk framework.
  • RM provides support and guidance for areas to manage their risks in line with the risk framework. The Department does not, however, conduct risk management on behalf of areas or assume ownership of, or responsibility for, those risks.
Audit Department
  • The Audit Department undertakes a risk-based audit program to provide assurance that risks are identified and key controls to mitigate these risks are well-designed and working effectively. This includes reviewing the Bank's risk management framework, risk documentation of each area, testing controls on a sample basis and auditing risk culture.
  • The Audit Department reports independently to the Board's Audit Committee on the effectiveness of controls and any recommendations that are made for improvement.

1.5 Operationalising Risk Management via the Three Lines Model

The Bank's Risk and Compliance Management Framework aligns with and incorporates the principles of the ‘Three Lines Model’. In order to appropriately manage risk in day-to-day operations we are all expected to understand our role within the 3 Lines of Accountability model. Most of us have a ‘First line’ role. To support risk-based decisions and help us operate within our risk appetite, the first line ensures the participation of the second and third lines in decision making processes as appropriate and welcomes challenge.

Table 2. Three Lines of Accountability

Governor
  • First line: Own and manage risks and are responsible for implementing and monitoring controls to keep risks within the appetite of the organisation.
  • Second line: Operationally independent from the first line, supports the risk management framework and its implementation, including through challenge and review of first line management of risks and controls, oversight of the risk profile, and independent escalation of issues.
  • Third line (primarily Internal Audit): Provides assurance on the effectiveness of governance, risk management and internal controls.

2. Risk Appetite

2.1 Risk Appetite, Triggers and Tolerances

Our risk appetite is defined as the amount of risk that the Bank is prepared to accept when pursuing its strategic goals and can be expressed on a scale that ranges from High Appetite to No Appetite. This describes the behaviours and outcomes the Bank is seeking. See below:

Table 3. Appetite Level Descriptions

Appetite Level Description
High Appetite

We acknowledge that we may need to take risks to achieve our goals or pursue important objectives. Where outcomes are important, we will not let uncertainty prevent us from pursuing those goals and objectives. We will identify and manage these risks but not to the detriment of achieving our goals and objectives.

We take risks for important objectives, while managing the potential downside and the upside.

Balanced Appetite

We may undertake a course of action to pursue opportunities, while also potentially exposing the Bank or stakeholders to financial loss, reputational damage or breakdown in systems or processes. These opportunities would be pursued in order to achieve our strategic goals or pursue important objectives.

Risk exposures arising from pursuit of these opportunities will be managed, considering costs, benefits and consequences.

Limited Appetite

We will actively identify and manage our exposure to these risks to within tolerance levels, and will consider a range of mitigation options to do so. We will generally avoid a course of action that may expose the Bank or stakeholders to financial loss, reputational damage or breakdown in systems or processes.

Risk exposures will be minimised to as low as reasonably practicable. Further reductions in risk exposures would require considerable use of public money that is not desirable for the benefits that will be derived.

No Appetite

We will not follow a course of action that may expose the Bank or stakeholders to financial loss, reputational damage or breakdown in systems or processes.

Risk exposures will be avoided as any incidents arising would be outside of appetite.

A risk appetite level has been set across six categories, which can be seen in section 1.3 Risk appetite profile.

Outside of Policy risk, we will use Key Risk Indicators (KRIs) to provide guidance on what each appetite category means in practice for each risk appetite category. The KRIs used to measure appetite should have the following characteristics:

  1. Dynamic: KRIs should reflect and respond to the current situation.
  2. Quantifiable: KRIs should be easily interpreted and measured, using quantitative metrics wherever possible.
  3. Actionable: clear action owners and required actions should be provided for when a trigger or tolerance is breached.
  4. Preventative and Detective: a range of KRIs should be used to monitor whether a risk has materialised or may materialise in the future.

The risk appetite categories will be reviewed annually, or if there are substantial changes to the risk environment. KRIs and their tolerance and trigger levels will be adjusted as required to support us to manage risk within our appetite.

2.2 Monitoring Risk Appetite through Risk Triggers and Tolerances

We monitor whether we are within risk appetite using risk Triggers and Tolerances. Risk tolerance metrics are chosen to indicate the amount of risk that we operate with, expressed, wherever possible, as a quantifiable metric based on the risk appetite and risk profile. Early warning indicators (triggers) are also selected to help us identify any potential problem areas before a tolerance is breached. We will use a traffic light system to monitor these metrics:

Figure 2: Appetite Level Descriptions
The figure illustrates the tolerance and trigger metrics of a risk in relation to the set limit:
  • Expected level is defined as the state when risks are operating within a normal range and considered to be within risk appetite.
  • Trigger, slightly higher than the expected level, is a measure which indicates that while risks are operating within acceptable risk appetite levels, they are approaching the maximum tolerance level. Action is required to ensure risks remain within an acceptable level.
  • Tolerance is a measure indicating the upper limit of the risk and, once reached, indicates that risks are outside acceptable risk appetite. Immediate action needs to occur to bring risks within acceptable levels.

2.3 Monitoring and Reporting

There is a formal process to monitor and report business activity against risk appetite. Outcomes against the metrics set out in this Policy are tracked by Risk Owners and reported to the Risk Management Committee (RMC) on a regular basis.

The assessment of whether a risk is outside appetite is a qualitative assessment, and will not be based solely on triggers and tolerances. The Risk Management Committee will use the metrics, along with advice from risk owners, residual risk ratings, progress towards action plans, and contextual information to assess whether risk categories are currently within or outside our appetite.

Risk categories assessed as being outside of appetite will be monitored by the RMC until they are returned to within appetite. The Governor and the Board Audit Committee will be notified and updated on progress.

3. Risk Identification, Evaluation and Mitigation

3.1 Risk Identification

At the core of managing risk is the process for identifying, evaluating and mitigating risk. Undertaking this process on a regular basis enables us to mitigate threats to our business and to take advantage of opportunities.

An owner should be assigned for each risk, and that risk owner is responsible for understanding their risk and how it might occur, assessing the risk (inherent and residual), and reporting on the overall status of the risk. Risks should be regularly assessed in accordance with the materiality of the risk, at least annually.

This includes establishing processes to assess controls and monitoring risk indicators and other information, and escalating and monitoring control gaps or weaknesses. Risk managers support risk owners in this work.

Risk owners are expected to perform formal risk identification or reviews for each key process, project, and during business planning. Risk identification should take place on a regular basis.

Risk owners should be aware that risks identified by one area may have implications for other areas of the Bank and these should be raised, and actions agreed with the appropriate risk owner in a suitable timeframe.

Where risks are shared across functional areas and there is interdependence between risks, risk owners should work together to develop suitable management plans.

3.2 Risk Evaluation

3.2.1 Inherent Risk Rating

The inherent level of risk is the product of the likelihood and the consequence ratings. This determines what further risk management is required. For all identified risks, owners should assess inherent risk using the tables in the Risk Matrix. The Risk Matrix is in the Risk and Compliance Management Framework. The tables should be used as a guide to help with consistency across the Bank, but ultimately judgement on behalf of the risk owner will be required to arrive at the relevant ratings.

3.2.2 Residual Risk Rating

The residual risk is the current risk state given the effectiveness of the controls that have been implemented to manage the risk. The Risk Matrix illustrates the interaction between inherent and residual risk ratings.

In addition, each identified risk is required to have a target residual risk rating. Risk owners should use the overall risk appetite when assessing the appropriate target risk rating.

3.3 Risk Decisions

Based on the assessment of each risk, risk owners decide the appropriate treatment to apply, including: Avoidance, Acceptance, Removal (of the particular element that generates the risk), controlling the risk, or transferring the risk (through insurance or contracts). Risk owners may choose a number of options to effectively manage each risk.

3.3.1 Controls

Controls include any process, policy, device, practice, or other actions which modify risk. Controls are chosen to reduce the likelihood of the risk occurring and/or the impact or consequence of the risk should it occur. An owner should be assigned for each control, and that ‘control owner’ is responsible for ensuring the control is effective and reporting on the implementation, testing and effectiveness of the control. Controls should be regularly assessed and tested in accordance with the materiality of the risk and the importance of the control.

3.3.2 Risk Escalation and Acceptance

Risks requiring treatment should be notified to the appropriate owner based on the functional areas impacted, any enterprise accountabilities, and the severity of the residual risk. If a risk cannot be addressed, this should be raised at an appropriate level and a decision to accept the risk or to pursue further remediation can then be considered based on the severity of the risk.

3.4 Risk Materiality

Risks which have the potential for a material consequence on the Bank or on stakeholders require additional review and management. The requirements for management of material risks are outlined in the Risk and Compliance Management Framework.

4. Policy Management

4.1 Administration

All executives are accountable for implementing this policy in their functional area, in line with the responsibilities outlined in this document, as part of a ‘first line’ accountability.

This policy is administered by the Risk and Compliance Department.

4.2 Monitoring and Review

Risk and Compliance Department is responsible for supporting the consistent and effective application of this policy, in line with the responsibilities outlined in this document, as part of a ‘second line’ accountability.

The policy is reviewed annually or more frequently if there is a major change to the Bank’s risk management framework. Changes to the Policy must be approved by the Governor.

4.3 Communication

This Policy is published on the Bank's Intranet.

4.4 Related Documents

  1. Executive Accountability Framework
  2. Risk Appetite Statement
  3. Risk Management Committee Charter
  4. Risk and Compliance Management Framework

5. Enquiries

For further information or clarification on this Policy or associated documentation, please contact RM – SOR Mailbox.

Appendix A: Risk Appetite by Risk Category

Table A1. Risk Appetite by Risk Category

Category | Sub Category | Category Description | Risk appetite | Sub Category Owner
Policy | Monetary and Banking Policy | Contribute to the stability of the currency, full employment, and the economic prosperity and welfare of the Australian people | Limited to Balanced | Governor (Note: management of these risks sits with the Reserve Bank Board)
Policy | Payments Policy | Controlling risks in the financial system, promoting efficiency in the payments system and promoting competition in payment services | Limited to Balanced | Governor (Note: management of these risks sits with the Payments System Board)
Strategic | Strategy Selection | Development of suitable and viable strategies | High | Governor
Strategic | Strategy Implementation | Investment decisions support strategic goals | Balanced | Deputy Governor
Strategic | Strategy Implementation | Implementation of strategic business goals through change programs or day to day work | Limited | Deputy Governor
Strategic | Analysis | Exploration and expansion of analysis and decisions to effectively support decision making | High | Governor
Strategic | Innovation | Considered and deliberate innovation and experiments to achieve our mission | High | Executives accountable within their functional area
Strategic | Public Confidence and Trust | Maintain public trust in order to achieve the Bank's mandates | Limited | Governor
Strategic | Communications | Communications to achieve the Bank's strategic goals | Balanced | Head of Communications
Financial Markets | Market Risk | Select and manage the asset portfolio to ensure that movements in exchange rates and other market prices do not impair the Bank's capacity to meet its policy objectives or result in significant financial loss. (Excludes market risk associated with policy parameters set by the Reserve Bank Board such as the size of net FX reserves) | Balanced | Assistant Governor (Financial Markets) and Chief Risk Officer
Financial Markets | Credit Risk | Manage the potential for financial loss due to the default of a counterparty or issuer, or failure of a counterparty or issuer to fulfil their financial obligations | Limited | Assistant Governor (Financial Markets) and Chief Risk Officer
Financial Markets | Liquidity Risk | Ensure ability to undertake policy operations, including ability to quickly liquidate positions or collateral, while limiting financial loss. | Limited | Assistant Governor (Financial Markets) and Chief Risk Officer
People and culture | Talent | The collective capabilities and knowledge of Bank employees | Balanced | Head of Human Resources
People and culture | Workplace safety | Work Health and Safety (WHS) practices or behaviours that maintain employee safety | Limited | Head of Human Resources
People and culture | Risk Culture | Behaviour and practices that support us to operate within our risk appetite | Limited | Executives accountable within their functional area
People and culture | Staff Misconduct | Expected standards of behaviour | Limited | Head of Human Resources
Operational | Business Process Resilience | Resilience and continuity of services | Limited | Executives accountable within their functional area
Operational | Technology resilience | Availability of critical technology services | Limited | Chief Information Officer
Operational | Technology resilience | Availability of non-critical technology services | Balanced | Chief Information Officer
Operational | Cyber resilience | Resilience against cyber-attacks | Limited | Chief Information Officer
Operational | Information Management | Records can be located, used and retained appropriately | Limited | Head of Information
Operational | Information Management | Appropriate access to information assets | Limited | Head of Information
Operational | Third Party Management | Effective management of relationships with third parties including ensuring third party fulfilment of contractual obligations | Limited | Executives accountable within their functional area
Compliance | Intentional Violations | Deliberate or purposeful breach of legislative or regulatory obligations does not occur | No Appetite | Chief Risk Officer
Compliance | Unintentional non-compliance | Unintended non-compliance with legislative and regulatory obligations, or other mandatory external obligations and commitments, including contracts | Limited | Chief Risk Officer
Compliance | Fraud and Corruption | Employees do not engage in acts of Fraud or Corruption | No Appetite | Chief Risk Officer