Risk Management Policy August 2023
1. Purpose and Strategy
The objective of this Risk Management Policy (RMP) is to ensure that we are managing risk to the best of our ability to enable the successful achievement of the Bank's objectives. We do this by implementing an effective risk management framework that is embedded in the Bank's processes and culture. The RMP incorporates the Risk Appetite Statement to guide us on the amount of risk we should be taking.
This RMP applies to the activities of all areas of the Bank and should be read together with the Bank's Risk and Compliance Management Framework.
1.1 Background
The Reserve Bank of Australia (the Bank or RBA) is established by statute as Australia's central bank with broad objectives and extensive powers. The Bank is charged with carrying out the duties of a central bank in the interests of the people of Australia. This obligation is enshrined in legislation and is central to the core values and mission of the organisation.
Fulfilling these duties requires us to manage varying and often significant amounts of risk for the Bank. Those risks related to monetary and payments policy are overseen by the relevant Boards. Operationalising these policies, as well as conducting the Bank’s broader operations, requires consideration and management of risks. For these, specific tolerance levels are established by the Risk Management Committee. Risk appetite categories are included in the RMP, which is approved by the Governor on an annual basis. Guidance is provided through Key Risk Indicators (KRIs), desired behaviours, and the appetite level, which are then cascaded throughout the Bank to assist staff in their day-to-day management of risk. This helps ensure that all staff operate within our agreed risk appetite.
We seek to continuously improve our risk management policies and practices and to align our risk management policies and procedures with good practices in comparable organisations.
1.2 Risk Culture
All of our actions related to risk management contribute to the Bank's risk culture, which is defined as the behavioural norms and attitudes related to risk awareness, risk-taking, risk management and controls that shape our decisions on risks. The content of this policy is designed to equip employees with clarity on responsibilities and guidance for managing and taking appropriate risks in a way that contributes to a proactive risk culture.
To support and embed our risk culture, we reflect the risk appetite into our policies and procedures and include risk responsibilities into our governance committees. Therefore, it is important that we both comply with and improve internal policies, processes and procedures.
1.3 Risk Appetite Profile
We seek to encourage and reward appropriate risk taking in order to achieve our strategic objectives.
We have a ‘High Appetite’ where achievement of our goals within uncertainty requires risk taking. While higher levels of risk for the achievement of our goals may be necessary, we seek the lowest risk that can be achieved. Management of these risks will be guided by the public interest and the Bank's mandate.
We have a ‘Balanced Appetite’ for choosing and implementing strategies where we can balance risk against the outcome. As a public organisation we have a duty to ensure we are maximising our ability to achieve our outcomes and objectives, and this will require balancing the risks of doing something against the risk of missed opportunities.
We have a ‘Limited Appetite’ or ‘No Appetite’ in other areas, which primarily relate to our people, processes and systems. To ensure we continue to provide important services to the Australian public, we need to ensure the risks associated with delivery of these services are managed to ensure the high standards expected of us.
The risks around Policy decisions are managed by the Reserve Bank's two boards, and so the management of these risks sits outside this document. Operationalising policy decisions will, however, generally fit into one of the other broad key risk categories and so management of risks relating to operationalising policy decisions will be guided by this document.
For all our risks, the Bank's values encourage us to use intelligent inquiry to seek and manage risks in the pursuit of the public interest; respectfully challenge how our risk management helps or hinders achievement of our objectives; apply integrity to risk matters; and seek excellence in managing our most critical risks and processes.
Innovation and experimentation are important in meeting our objectives. We take a considered approach to innovation and experimentation, and how we use it to achieve our outcomes.
1.4 Our Roles and Responsibilities
Table 1. Risk Appetite Summary
Role | Risk Appetite |
---|---|
The Governor | |
Reserve Bank Board and Payments System Board | |
Risk Management Committee (RMC) | |
Executive Leadership | |
All Staff (including management and contractors) | |
Risk and Compliance Department (RM) | |
Audit Department | |
1.5 Operationalising Risk Management via the Three Lines Model
The Bank's Risk and Compliance Management Framework aligns with and incorporates the principles of the ‘Three Lines Model’. In order to appropriately manage risk in day-to-day operations we are all expected to understand our role within the 3 Lines of Accountability model. Most of us have a ‘First line’ role. To support risk-based decisions and help us operate within our risk appetite, the first line ensures the participation of the second and third lines in decision making processes as appropriate and welcomes challenge.
Table 2. Three Lines of Accountability
Governor | ||
---|---|---|
First line | Second line | Third line (primarily Internal Audit) |
Own and manage risks and are responsible for implementing, and monitoring controls to keep risks within the appetite of the organisation. | Operationally independent from the first line, supports the risk management framework and its implementation, including through challenge and review of first line management of risks and controls, oversight of the risk profile, and independent escalation of issues. | Provides assurance on the effectiveness of governance, risk management and internal controls. |
2. Risk Appetite
2.1 Risk Appetite, Triggers and Tolerances
Our risk appetite is defined as the amount of risk that the Bank is prepared to accept when pursuing its strategic goals and can be expressed on a scale that ranges from High Appetite to No Appetite. This describes the behaviours and outcomes the Bank is seeking. See below:
Table 3. Appetite Level Descriptions
Appetite Level | Description |
---|---|
High Appetite | We acknowledge that we may need to take risks to achieve our goals or pursue important objectives. Where outcomes are important, we will not let uncertainty prevent us from pursuing those goals and objectives. We will identify and manage these risks but not to the detriment of achieving our goals and objectives. We take risks for important objectives, while managing the potential downside and the upside. |
Balanced Appetite | We may undertake a course of action to pursue opportunities, while also potentially exposing the Bank or stakeholders to financial loss, reputational damage or breakdown in systems or processes. These opportunities would be pursued in order to achieve our strategic goals or pursue important objectives. Risk exposures arising from pursuit of these opportunities will be managed, considering costs, benefits and consequences. |
Limited Appetite | We will actively identify and manage our exposure to these risks to within tolerance levels, and will consider a range of mitigation options to do so. We will generally avoid a course of action that may expose the Bank or stakeholders to financial loss, reputational damage or breakdown in systems or processes. Risk exposures will be minimised to as low as reasonably practicable. Further reductions in risk exposures would require considerable use of public money that is not desirable for the benefits that will be derived. |
No Appetite | We will not follow a course of action that may expose the Bank or stakeholders to financial loss, reputational damage or breakdown in systems or processes. Risk exposures will be avoided as any incidents arising would be outside of appetite. |
A risk appetite level has been set across six categories, which can be seen in section 1.3 Risk appetite profile.
Outside of Policy risk, we will use Key Risk Indicators (KRIs) to provide guidance on what each appetite category means in practice for each risk appetite category. The KRIs used to measure appetite should have the following characteristics:
- Dynamic: KRIs should reflect and respond to the current situation.
- Quantifiable: KRIs should be easily interpreted and measured, using quantitative metrics wherever possible.
- Actionable: clear action owners and required actions should be provided for when a trigger or tolerance is breached.
- Preventative and Detective: a range of KRIs should be used to monitor whether a risk has materialised or may materialise in the future.
The risk appetite categories will be reviewed annually, or if there are substantial changes to the risk environment. KRIs and their tolerance and trigger levels will be adjusted as required to support us to manage risk within our appetite.
2.2 Monitoring Risk Appetite through Risk Triggers and Tolerances
We monitor whether we are within risk appetite using risk Triggers and Tolerances. Risk tolerance metrics are chosen to indicate the amount of risk that we operate with, expressed, wherever possible, as a quantifiable metric based on the risk appetite and risk profile. Early warning indicators (triggers) are also selected to help us identify any potential problem areas before a tolerance is breached. We will use a traffic light system to monitor these metrics:
2.3 Monitoring and Reporting
There is a formal process to monitor and report business activity against risk appetite. Outcomes against the metrics set out in this Policy are tracked by Risk Owners and reported to the Risk Management Committee (RMC) on a regular basis.
The assessment of whether a risk is outside appetite is a qualitative assessment, and will not be based solely on triggers and tolerances. The Risk Management Committee will use the metrics, along with advice from risk owners, residual risk ratings, progress towards action plans, and contextual information to assess whether risk categories are currently within or outside our appetite.
Risk categories assessed as being outside of appetite will be monitored by the RMC until they are returned to within appetite. The Governor and the Board Audit Committee will be notified and updated on progress.
3. Risk Identification, Evaluation and Mitigation
3.1 Risk Identification
At the core of managing risk is the process for identifying, evaluating and mitigating risk. Undertaking this process on a regular basis enables us to mitigate threats to our business and to take advantage of opportunities.
An owner should be assigned for each risk, and that risk owner is responsible for understanding their risk and how it might occur, assessing the risk (inherent and residual), and reporting on the overall status of the risk. Risks should be regularly assessed in accordance with the materiality of the risk, at least annually.
This includes establishing processes to assess controls and monitoring risk indicators and other information, and escalating and monitoring control gaps or weaknesses. Risk managers support risk owners in this work.
Risk owners are expected to perform formal risk identification or reviews for each key process, project, and during business planning. Risk identification should take place on a regular basis.
Risk owners should be aware that risks identified by one area may have implications for other areas of the Bank and these should be raised, and actions agreed with the appropriate risk owner in a suitable timeframe.
Where risks are shared across functional areas and there is interdependence between risks, risk owners should work together to develop suitable management plans.
3.2 Risk Evaluation
3.2.1 Inherent Risk Rating
The inherent level of risk is the product of the likelihood and the consequence ratings. This determines what further risk management is required. For all identified risks, owners should assess inherent risk using the tables in the Risk Matrix. The Risk Matrix is in the Risk and Compliance Management Framework. The tables should be used as a guide to help with consistency across the Bank, but ultimately judgement on behalf of the risk owner will be required to arrive at the relevant ratings.
3.2.2 Residual Risk Rating
The residual risk is the current risk state given the effectiveness of the controls that have been implemented to manage the risk. The Risk Matrix illustrates the interaction between inherent and residual risk ratings.
In addition, each identified risk is required to have a target residual risk rating. Risk owners should use the overall risk appetite when assessing the appropriate target risk rating.
3.3 Risk Decisions
Based on the assessment of each risk, risk owners decide the appropriate treatment to apply, including: Avoidance, Acceptance, Removal (of the particular element that generates the risk), controlling the risk, or transferring the risk (through insurance or contracts). Risk owners may choose a number of options to effectively manage each risk.
3.3.1 Controls
Controls include any process, policy, device, practice, or other actions which modify risk. Controls are chosen to reduce the likelihood of the risk occurring and/or the impact or consequence of the risk should it occur. An owner should be assigned for each control, and that ‘control owner’ is responsible for ensuring the control is effective and reporting on the implementation, testing and effectiveness of the control. Controls should be regularly assessed and tested in accordance with the materiality of the risk and the importance of the control.
3.3.2 Risk Escalation and Acceptance
Risks requiring treatment should be notified to the appropriate owner based on the functional areas impacted, any enterprise accountabilities, and the severity of the residual risk. If a risk cannot be addressed, this should be raised at an appropriate level and a decision to accept the risk or to pursue further remediation can then be considered based on the severity of the risk.
3.4 Risk Materiality
Risks which have the potential for a material consequence on the Bank or on stakeholders require additional review and management. The requirements for management of material risks are outlined in the Risk and Compliance Management Framework.
4. Policy Management
4.1 Administration
All executives are accountable for implementing this policy in their functional area, in line with the responsibilities outlined in this document, as part of a ‘first line’ accountability.
This policy is administered by the Risk and Compliance Department.
4.2 Monitoring and Review
The Risk and Compliance Department is responsible for supporting the consistent and effective application of this policy, in line with the responsibilities outlined in this document, as part of a ‘second line’ accountability.
The policy is reviewed annually or more frequently if there is a major change to the Bank’s risk management framework. Changes to the Policy must be approved by the Governor.
4.3 Communication
This Policy is published on the Bank's Intranet.
4.4 Related Documents
- Executive Accountability Framework
- Risk Appetite Statement
- Risk Management Committee Charter
- Risk and Compliance Management Framework
5. Enquiries
For further information or clarification on this Policy or associated documentation, please contact RM – SOR Mailbox.
Appendix A: Risk Appetite by Risk Category
Table A1. Risk Appetite by Risk Category
Category | Sub Category | Category Description | Risk appetite | Sub Category Owner |
---|---|---|---|---|
Policy | Monetary and Banking Policy | Contribute to the stability of the currency, full employment, and the economic prosperity and welfare of the Australian people | Limited to Balanced | Governor (Note: management of these risks sits with the Reserve Bank Board) |
Policy | Payments Policy | Controlling risks in the financial system, promoting efficiency in the payments system and promoting competition in payment services | Limited to Balanced | Governor (Note: management of these risks sits with the Payments System Board) |
Strategic | Strategy Selection | Development of suitable and viable strategies | High | Governor |
Strategic | Strategy Implementation | Investment decisions support strategic goals | Balanced | Deputy Governor |
Strategic | Strategy Implementation | Implementation of strategic business goals through change programs or day to day work | Limited | Deputy Governor |
Strategic | Analysis | Exploration and expansion of analysis and decisions to effectively support decision making | High | Governor |
Strategic | Innovation | Considered and deliberate innovation and experiments to achieve our mission | High | Executives accountable within their functional area |
Strategic | Public Confidence and Trust | Maintain public trust in order to achieve the Bank's mandates | Limited | Governor |
Strategic | Communications | Communications to achieve the Bank's strategic goals | Balanced | Head of Communications |
Financial Markets | Market Risk | Select and manage the asset portfolio to ensure that movements in exchange rates and other market prices do not impair the Bank's capacity to meet its policy objectives or result in significant financial loss. (Excludes market risk associated with policy parameters set by the Reserve Bank Board such as the size of net FX reserves) | Balanced | Assistant Governor (Financial Markets) and Chief Risk Officer |
Financial Markets | Credit Risk | Manage the potential for financial loss due to the default of a counterparty or issuer, or failure of a counterparty or issuer to fulfil their financial obligations | Limited | Assistant Governor (Financial Markets) and Chief Risk Officer |
Financial Markets | Liquidity Risk | Ensure ability to undertake policy operations, including ability to quickly liquidate positions or collateral, while limiting financial loss. | Limited | Assistant Governor (Financial Markets) and Chief Risk Officer |
People and culture | Talent | The collective capabilities and knowledge of Bank employees | Balanced | Head of Human Resources |
People and culture | Workplace safety | Work Health and Safety (WHS) practices or behaviours that maintain employee safety | Limited | Head of Human Resources |
People and culture | Risk Culture | Behaviour and practices that support us to operate within our risk appetite | Limited | Executives accountable within their functional area |
People and culture | Staff Misconduct | Expected standards of behaviour | Limited | Head of Human Resources |
Operational | Business Process Resilience | Resilience and continuity of services | Limited | Executives accountable within their functional area |
Operational | Technology resilience | Availability of critical technology services | Limited | Chief Information Officer |
Operational | Technology resilience | Availability of non-critical technology services | Balanced | Chief Information Officer |
Operational | Cyber resilience | Resilience against cyber-attacks | Limited | Chief Information Officer |
Operational | Information Management | Records can be located, used and retained appropriately | Limited | Head of Information |
Operational | Information Management | Appropriate access to information assets | Limited | Head of Information |
Operational | Third Party Management | Effective management of relationships with third parties including ensuring third party fulfilment of contractual obligations | Limited | Executives accountable within their functional area |
Compliance | Intentional Violations | Deliberate or purposeful breach of legislative or regulatory obligations does not occur | No Appetite | Chief Risk Officer |
Compliance | Unintentional non-compliance | Unintended non-compliance with legislative and regulatory obligations, or other mandatory external obligations and commitments, including contracts | Limited | Chief Risk Officer |
Compliance | Fraud and Corruption | Employees do not engage in acts of Fraud or Corruption | No Appetite | Chief Risk Officer |