Risk Management Policy
1. Purpose and Application
1.1 Policy Objective
The objective of the Reserve Bank's Risk Management Policy is to ensure the implementation of an effective risk management framework that is consistent with the Bank achieving its policy and operating objectives. In doing so, it follows accepted standards and guidelines for managing risk, particularly those used by public and financial institutions.
The principle underpinning the Bank's approach is that risk management is an integral part of the management function in the organisation and, as such, is the clear responsibility of management. Line managers have the responsibility to evaluate their risk environment, to put in place appropriate controls and to monitor the effectiveness of these controls. This process is supplemented with a review of key enterprise risks by the Bank's Executive Committee.
The Bank is committed to ensuring that effective risk management remains central to all its activities and is a core management competency. The aim is to ensure that risk management is embedded in the Bank's processes and culture, thus contributing to the achievement of its core objectives.
This Policy applies to the activities of all groups and departments of the Bank. The respective Assistant Governors or Department Heads in charge of those areas are responsible for its implementation.
2. Policy Components
The Bank identifies, assesses and manages risk at both an enterprise (‘top-down’) and business (‘bottom-up’) level. This process covers the full spectrum of risks including financial, market, credit and operational risks including compliance. The risks inherent to the Bank's monetary and banking policy, financial stability and payments policy functions are the responsibility of the Governor and the Reserve Bank and Payments System Boards.
2.2 Risk Profile and Risk Appetite
The Bank seeks to manage its risk profile carefully. This reflects the view that satisfactory fulfilment of its important public policy responsibilities could be seriously jeopardised if poorly managed risks were to lead to impaired operations, significant financial losses and/or damage to the Bank's reputation. The Bank's Risk Appetite Statement sets out the Bank's appetite for its most significant risks. The Bank's management is aware of the high standards that the community expects of its central bank.
2.3 Roles and Responsibilities
The Governor, as the chief executive of the Bank, has overall responsibility for management of the organisation, but day-to-day management of the various groups and departments in the Bank – including risk management – is delegated to the respective Assistant Governors or Department Heads in charge of those groups or departments.
The Risk Management Committee (RMC) oversees the Bank's overall risk management practices via a formal delegation from the Governor. The Committee comprises several senior officers and is chaired by the Deputy Governor. Its role is to ensure that the Bank's risks are identified, assessed and effectively managed in accordance with this Policy. The RMC provides a semi-annual report of its activities to the Board's Audit Committee and to the Bank's Executive Committee.
The Risk and Compliance Department (RM) facilitates, coordinates and advises on the risk management process to help groups and departments manage their risk environment in a manner that is consistent across the Bank. The Department does not, however, conduct risk management on behalf of groups and departments or assume ownership of, or responsibility for, those risks. The Head of RM reports to the Deputy Governor and is a member of the RMC.
Bank management in each group and department remains responsible for the management of risks, including associated controls and ongoing monitoring processes. Risks identified by one group which may have implications for other areas of the Bank should be reported immediately to RM and the relevant departments. Events which are not covered by, or which occur other than in accordance with Bank policies and procedures, and which have (or could have) material undesirable consequences (‘incidents’) are required to be promptly reported to RM. In addition, groups and departments are required to report to RM on experiences that might assist the Bank generally to identify, evaluate and treat risks.
All employees are responsible for adhering to processes and procedures which are designed to manage risks associated with the work they perform. They are also required to alert management to any risk incidents or potential risk incidents that they become aware of in the course of their work. Employees should also discuss with their management any potential gaps in, or improvements to, the control framework that they identify.
The RMC may establish working groups to develop strategies for the management of Bank-wide risks, such as business continuity. The Committee retains oversight of these areas from a risk management perspective, and RM facilitates appropriate coordination across the Bank.
The RMC may request RM to conduct ‘one-off’ risk reviews of either a process or across functional lines if that is judged appropriate.
Audit Department undertakes a risk-based audit program to provide assurance that risks are identified and key controls to mitigate these risks are well-designed and working effectively. This includes reviewing the Bank's risk management framework and department's risk documentation and testing controls on a sample basis. Audit Department reports independently to the Board's Audit Committee on the effectiveness of controls and any recommendations that are made for improvement. Copies of these reports are made available to RM. Audit Department also prepares for the Audit Committee an annual assessment of the overall adequacy and effectiveness of the Bank's internal controls based on the results of the internal audit work conducted during the period.
RM falls within the scope of internal audit reviews. An external independent review of its function may also be commissioned by the RMC.
2.4 Framework for Managing Risk
The Bank's risk management framework endeavours to cover the full spectrum of risks faced by the Bank through evaluating risk from both an enterprise and business perspective. This framework is consistent with the accepted Australian standard (AS/NZS ISO 31000-2009 Risk Management) and comprises several important steps:
- Identifying and analysing the main risks facing the Bank.
- Evaluating those risks – making judgements about whether they are acceptable or not.
- Implementing appropriately designed control systems to manage these risks in a way which is consistent with the Bank's Risk Appetite Statement.
- Treating unacceptable risks – formulating responses following the identification of unacceptable risks, including actions to reduce the probability or consequences of an event and formulation of contingency plans.
- Documenting these processes, with summary tables (risk registers) the main forms of documentation, supplemented by risk manuals or related documents as appropriate.
- Ongoing monitoring, communication, and review.
While the framework is applied consistently across the Bank, individual groups and departments must identify and analyse the risks in their own areas, assess the controls in place to deal with those risks, and make decisions about whether to mitigate a particular risk – fully or partially – given its effects and the costs of mitigation. If a residual risk is judged unacceptable, the ‘owner’ group or department is responsible for developing and implementing/overseeing a remedial plan. This process is overseen by the RMC, and by the Bank's Executive Committee where the residual risk is not assessed as low or very low.
Where risks are considered ‘cross-sectional’, that is, owned by one area and managed by another (e.g. IT-related risks), a process is established for ensuring the risks are both communicated, and action agreed, between the areas concerned.
3. Policy Management
3.1 Policy Administration
This Policy is administered by Risk and Compliance Department.
3.2 Monitoring and Review
The Policy is reviewed annually or more frequently if there is a major change to the Bank's risk management framework. Changes to the Policy must be approved by the Risk Management Committee.
The Policy is published on the Bank's Internet site and Intranet.