Risk Management Policy
1. Purpose and Application
1.1 Policy Objective
The objective of the Reserve Bank's Risk Management Policy (the Policy) is to ensure the implementation of an effective risk management framework that is consistent with the Bank achieving its policy and operating objectives. In doing so, it follows accepted standards and guidelines for managing risk, particularly those used by public and financial institutions.
The general philosophy underpinning the Bank's approach is that risk management is an integral part of the management function in the organisation and, as such, is the clear responsibility of management. Line managers have the responsibility to evaluate their risk environment, to put in place appropriate controls and to monitor the effectiveness of these controls. This process is supplemented with a review of key enterprise risks by the Bank's Executive Committee.
The Bank is committed to ensuring that effective risk management remains central to all its activities and is a core management competency. The aim is to ensure that risk management is embedded in the Bank's processes and culture, thus contributing to the achievement of its core objectives.
This Policy applies to the activities of all groups and departments of the Bank. The respective Assistant Governors or Department Heads in charge of those areas are responsible for its implementation.
The Policy is published on the Bank's internet site and intranet.
1.4 Policy ownership
The Policy is owned by the Risk Management Committee (RMC). It is reviewed annually or more frequently if there is a major change to the Bank's risk management framework. Changes to the Policy are endorsed by the Bank's Executive Committee.
2. Policy Components
The Bank identifies, assesses and manages risk at both an enterprise (‘top-down’) and business (‘bottom-up’) level. This process covers the full spectrum of risks including financial, market, credit and operational risks including compliance. The risks inherent to the Bank's core monetary, financial stability and payments policy functions are the responsibility of the Governor and the Reserve Bank and Payments System Boards.
2.2 Risk Profile and Risk Appetite
The Bank seeks to manage its risk profile carefully. This reflects the view that satisfactory fulfillment of its important public policy responsibilities could be seriously jeopardised if poorly managed risks were to result in significant financial losses and/or damage to the Bank's reputation. The Bank's Risk Appetite Statement sets out the Bank's appetite for its most significant risks. The Bank's management is aware of the high standards that the community expects of its central bank.
2.3 Governance Structure
The Governor, as the chief executive of the Bank, has overall responsibility for management of the organisation, but day-to-day management of the various groups and departments in the Bank – including risk management – is delegated to the respective Assistant Governors or Department Heads in charge of those groups or departments.
The RMC oversees the Bank's overall risk management practices via a formal delegation from the Governor. The Committee comprises several senior officers and is chaired by the Deputy Governor. Its role is to ensure that the Bank's risks are identified, assessed and managed in accordance with this Policy. The RMC provides a semi-annual report of its activities to the Board's Audit Committee and to the Bank's Executive Committee.
The Risk and Compliance Department (RM) facilitates, coordinates and advises on the risk management process to help groups and departments manage their risk environment in a manner that is consistent across the Bank. The Department does not, however, conduct risk management on behalf of groups and departments or assume ownership of, or responsibility for, those risks. The Head of RM reports to the Deputy Governor and is a member of the RMC.
Bank management in each group and department remains responsible for the management of risks, including associated controls and ongoing monitoring processes. Risks identified by one group which may have implications for other areas of the Bank should be reported immediately to RM and the relevant departments. Events which are not covered by, or which occur other than in accordance with, Bank policies and procedures, and which have (or could have) material undesirable consequences (‘incidents’), are required to be promptly reported to RM. In addition, groups and departments are required to report to RM on experiences that might assist the Bank generally to identify, evaluate and treat risks.
The RMC may establish working groups to develop strategies for the management of Bank-wide risks, such as business continuity. The Committee retains oversight of these areas from a risk management perspective, and RM facilitates appropriate coordination across the Bank.
The RMC may request RM to conduct ‘one-off’ risk reviews of either a process or across functional lines if that is judged appropriate.
Audit Department coordinates closely with – but remains separate from – RM. Audit independently reviews departmental procedures to assess if they provide effective control. This work draws on risk documentation and reports of core business areas to help ensure that the approach reflected in these documents is both risk focused and consistent with the views of management in the areas being audited. Audit reports independently to the Board's Audit Committee on the effectiveness of relevant controls and any recommendations that are made for improvement. Copies of these reports are made available to RM. Audit Department also prepares for the Audit Committee an annual assessment of the overall adequacy and effectiveness of the Bank's internal controls based on the results of the internal audit work conducted during the period.
RM falls within the scope of internal audit reviews. An external independent review of its function may also be commissioned by the RMC.
2.4 Framework for Managing Risk
The Bank's risk management framework endeavours to cover the full spectrum of risks faced by evaluating risk from both an enterprise and business perspective. This framework is consistent with the accepted Australian standard, and comprises several important steps:
- Identifying and analysing the main risks facing the Bank.
- Evaluating those risks – making judgements about whether they are acceptable or not.
- Implementing appropriately designed control systems to manage these risks.
- Treating unacceptable risks – formulating responses following the identification of unacceptable risks, including actions to reduce the probability or consequences of an event and formulation of contingency plans.
- Documenting these processes, with summary tables (risk registers) as the main forms of documentation, supplemented by risk manuals or related documents as appropriate.
- Ongoing monitoring, communication, and review.
While the framework is applied consistently across the Bank, individual groups and departments must identify and analyse the risks in their own areas, assess the controls in place to deal with those risks, and make decisions about whether to mitigate a particular risk – fully or partially – given its effects and the costs of mitigation. If a residual risk is judged unacceptable, the ‘owner’ group or department is responsible for developing and implementing/overseeing a remedial plan. This process is overseen by the RMC and by the Bank's Executive Committee where the residual risk is not assessed as low.
Where risks are considered ‘cross-sectional’, i.e. owned by one area and managed by another (e.g. IT-related risks), a process is established to ensure that the risks are communicated, and action agreed, between the areas concerned.