Risk and Compliance Management Framework April 2026

1. Purpose

The Risk and Compliance Management Framework (RCMF or the Framework) sets out the overarching practices and capabilities that enable effective management of risk and compliance at the Reserve Bank of Australia (RBA). It provides a structured, consistent approach to support the RBA in achieving its objectives and strategic priorities.

The Framework outlines the principles, roles and practices that guide risk and compliance management across the RBA. It is supported by the RBA’s Risk Appetite Statement, policies and standards. These translate the principles in the Framework into operational requirements by clarifying responsibilities, required actions and how activities should be carried out.

Risk and compliance management is integral to all aspects of the RBA’s operations and is the responsibility of all staff, including contractors, consultants, agencies or third parties. The Framework applies across all departments.

Note Printing Australia (NPA), a wholly owned subsidiary of the RBA, operates under its own Risk Management Framework and Risk Appetite Statement, both of which are approved by the NPA Board. While NPA maintains operational independence in the management of its risks, it remains subject to oversight by the RBA through established governance arrangements. These arrangements are designed to ensure, as far as practicable, that NPA operates within the RBA’s overarching risk appetite and does not undertake any activities beyond the powers conferred upon the RBA.

This version of the Framework reflects both current practices and the target state the RBA is working towards. It supports a program to strengthen the RBA’s risk and compliance management capability and maturity aligned with recommendations from recent reviews and the RBA’s strategic priorities.

1.1 Framework Overview

Figure 1 provides a visual overview of the RCMF, illustrating its key components and how they interrelate.

  • The Framework is a strategic enabler that supports the RBA to deliver its mandate under the Reserve Bank Act 1959 and achieve its objectives and strategic priorities. It also reflects and reinforces the RBA’s core values by promoting transparency, ethical conduct, and clear ownership of risk and compliance (see Section 2).
  • It is underpinned by risk culture and the three lines of accountability model, which promote clear definition, understanding and application of risk and compliance responsibilities across all levels of the RBA (see Sections 3 and 4).
  • Governance structures – including committees, roles and responsibilities – enable effective oversight, escalation, and decision-making (see Section 5).
  • The Framework describes a structured approach to identifying, assessing and managing the risks, obligations and controls prevailing across the RBA’s operations. It supports timely identification and resolution of incidents and issues, contributing to a comprehensive risk profile that helps the RBA operate within its risk appetite (see Sections 6–12).
  • Reliable data, integrated systems, and clear reporting enable informed decision-making, support transparency and drive continuous improvement (see Section 13).
  • A suite of frameworks, policies, and standards provides the foundation for consistent and effective risk and compliance practices. These documents define expectations, support alignment with objectives and strategic priorities, and are subject to ongoing review and governance (see Section 14).
Figure 1: Risk and Compliance Management Framework

2. Alignment with RBA Objectives and Strategic Priorities

The RBA corporate plan outlines the RBA’s objectives and strategic priorities in support of its mandate to promote the economic prosperity and welfare of the Australian people, now and into the future.

The Framework describes the practices that support the achievement of these objectives and strategic priorities, as well as the requirements of the Reserve Bank Act 1959 and the RBA’s core values.

By embedding risk and compliance considerations into strategic planning, decision-making, and day-to-day operations, the Framework enables informed and accountable decisions, enhances organisational resilience, and supports effective delivery of the RBA’s strategic priorities.

The RBA has aligned its risk and compliance management approach, as outlined in the Framework, with recognised industry best practice. It monitors developments in regulatory and professional standards and considers their relevance when reviewing and updating the Framework.

3. Risk Culture

Risk culture refers to the behavioural norms and attitudes related to risk awareness, risk-taking, decision making, risk management and controls that influence how employees respond to and manage risk. It is a subset of the RBA’s broader organisational culture, shaped by leadership, governance, and everyday behaviours.

As part of its broader efforts to enhance risk and compliance capability, the RBA is focused on embedding a strong and sustainable risk culture by integrating risk and compliance practices into daily operations, supporting staff through targeted training and applying structured methods to assess and monitor progress over time.

4. Three Lines of Accountability

4.1 Three Lines of Accountability Model

The RBA applies the three lines of accountability model to its day-to-day activities to support effective risk and compliance management. The model promotes ownership and management of risks and obligations by the departments where they reside, while also providing independent review, challenge, and insight.

Table 1: Three Lines of Accountability
  • First line (all departments, excluding the Risk & Compliance Department and the Audit Department). Role: own and manage risks and obligations. Departments own and manage the risks and obligations they originate in pursuit of their department objectives, in accordance with the guardrails defined by the Second line.
  • Second line (Risk & Compliance Department). Role: review, challenge and insight. Provides review and challenge of First line risk and compliance management activities, thematic insight, specialist advice and oversight of the implementation of the Risk and Compliance Management Framework.
  • Third line (Audit Department). Role: independent assurance. Provides independent, risk-based and objective assurance to the Governance Board and senior management that the Risk and Compliance Management Framework is operating effectively to support the achievement of department objectives.

4.2 Roles and Responsibilities

Clear articulation of roles and responsibilities is essential for effective risk and compliance management across the RBA. The table below outlines the key risk and compliance accountabilities of senior leaders, team members and departments across the three lines of accountability model.

Table 2: Roles and Responsibilities across the Three Lines of Accountability model
Senior Leaders (including Assistant Governors and Heads of Department)

Senior Leaders’ accountabilities for risk and compliance are defined in the Executive Accountability Framework.

They are responsible for:

  • Embedding risk and compliance into departmental decision making and supporting staff to meet the Framework requirements.
  • Identifying capability and resourcing gaps that prevent effective management of risks and obligations.
  • Promoting a strong risk culture by modelling desired behaviours, setting clear expectations, and fostering a safe environment for staff to challenge activities, processes, and controls, without fear of adverse consequences.
  • Monitoring risk and compliance performance and driving continuous improvement in line with the Bank’s strategic priorities.
  • Contributing to cross-departmental decision-making at the Executive Committee level, ensuring risk and compliance considerations are factored into enterprise-wide decisions.
All Staff (including management and contractors)

All staff are responsible for:

  • Understanding the Bank’s risk appetite and obligations as they relate to their role.
  • Being open and transparent about risk and compliance matters, speaking up about concerns, and addressing issues in an appropriate and timely manner.
  • Undertaking risk and compliance management activities in line with the Framework, including operating controls and monitoring processes.
  • Proactively identifying and discussing improvements to risks, obligations, and controls, to the extent appropriate to their role.
  • Identifying and escalating incidents and issues, and where required, implementing and monitoring risk and compliance treatments.
Chief Risk Officer / Risk and Compliance Department (RM)

RM is headed by the Chief Risk Officer, who has a dual reporting line to the Deputy Governor and the Audit and Risk Committee.

RM is responsible for:

  • Articulating, reporting, and advising on the risk and compliance management process, capability, culture, emerging risks, and regulatory change, to support the Risk Management Committee (RMC) and provide a Second line function for the Bank.
  • Ensuring reliable information on the Bank’s risk profile by reviewing and challenging First line risk and compliance activities and assessments. First line departments are expected to support timely access to required information.
  • Escalating significant breaches to the Framework, as appropriate.
  • Providing support and guidance to departments to manage their risks and obligations in line with the Framework.
  • Not performing risk and compliance management on behalf of departments, nor assuming ownership or responsibility for their risks and obligations.
Audit Department

The Head of Audit Department reports to the Deputy Governor and the Audit and Risk Committee. The Audit Department’s work is governed by a charter, which is approved by the Audit and Risk Committee (ARC).

The Audit Department undertakes a risk-based audit program to provide independent assurance that risks are identified and key controls are well-designed, implemented and operating effectively. This includes:

  • Reviewing the Bank’s Framework, and departmental risk and compliance documentation.
  • Testing controls on a sample basis.
  • Auditing risk culture.

5. Governance Oversight

5.1 Governance Structure

The RBA maintains a formal governance structure to support effective risk and compliance management. The Governance Board is ultimately accountable for overseeing risk and compliance management across the RBA and approves the Framework on the recommendation of the Audit and Risk Committee (ARC). Specific governance responsibilities have been delegated to the ARC, as detailed in Table 3 below.

The roles, responsibilities, membership, decision-making authorities and oversight accountabilities of the RBA’s Boards and Committees are formally documented in charters. These charters are reviewed periodically to ensure alignment with the RBA’s objectives, strategic priorities and regulatory requirements and expectations.

Figure 2: Board and management level committees (RBA Governance Structure chart showing boards, committees and departments)
  1. Under section 7A of the Reserve Bank Act 1959, the Governance Board is the accountable authority of the RBA for the purposes of the Public Governance, Performance and Accountability Act 2013.
  2. Note Printing Australia Limited.
  3. Under section 12 of the Reserve Bank Act, the Governor is responsible for managing the RBA.

5.2 Roles and Responsibilities of Governance Structures

Clear articulation of roles and responsibilities is essential for effective governance and oversight of risk and compliance across the Bank. The table below outlines the key responsibilities and accountabilities of the Bank’s governance structures involved in risk and compliance management, and describes how each contributes to the oversight, management, and assurance of the Framework.

Table 3: Roles and Responsibilities of Governance Structure
The Governor
  • The Governor has overall responsibility for the day-to-day management of the Bank, including managing the Bank’s operations and risk profile.
  • The Deputy Governor and Chief Operating Officer assist the Governor in the management of the Bank, including in relation to risk and compliance management and oversight of the Bank’s Three Lines of Accountability model.
Our Boards
  • The Monetary Policy Board and Payments System Board oversee risks inherent in decisions relating to the Bank’s monetary and financial stability policies and payments policies, respectively.
  • The Governance Board oversees and determines policies for the management and organisational affairs of the Bank, including oversight of the Bank’s Risk and Compliance Management Framework, its operation by management, and setting the Bank’s risk appetite. The Governance Board must discharge its responsibilities within the limits of its powers. In particular, the Governance Board is not authorised to do anything that would limit the Monetary Policy Board performing its functions or exercising its powers in ways that affect the Bank’s balance sheet, or to determine the Bank’s approach for implementing the policies of the Monetary Policy Board or Payments System Board.
  • Risks arising directly from the Bank’s shareholding in NPA are also overseen by the Governance Board, with the operating risks at NPA remaining the responsibility of both the NPA board and its management.
Audit and Risk Committee (ARC)
  • The ARC assists the Governance Board in overseeing the effectiveness of the Bank’s Risk and Compliance Management Framework and system of internal control.
Risk Management Committee (RMC)
  • The RMC provides executive-level oversight of the Bank’s overall risk and compliance management practices. Refer to the RMC Charter for further detail.
  • The RMC will request action or further investigation of any risks, obligations or practices which may present a current or future gap relative to the Bank’s risk appetite and meeting the Bank’s obligations.

6. Risk Appetite Statement

The Risk Appetite Statement (RAS) defines the amount and type of risk the RBA is willing to accept in pursuit of its objectives and strategic priorities. It reflects the RBA’s commitment to sound risk management and supports informed decision-making across all levels of the RBA.

The RAS considers the most material risks inherent in the RBA’s strategy and is structured around six risk classes, as outlined in Table 4. It sets out expected behaviours, qualitative appetite statements and risk tolerances, supported by quantitative metrics.

The RAS is formally approved by the Governance Board (subject to the limitations set out in Table 3) and is monitored regularly through reporting to the RMC, ARC and Governance Board. This is to ensure that risks remain within appetite and are actively monitored and managed.

The RAS plays a central role in guiding strategic planning, resource allocation and operational decision-making across the RBA. It enables a consistent approach to evaluating risk-reward trade-offs and supports alignment with the RBA’s strategic priorities and values. Responsibilities for monitoring and managing risks against appetite are assigned to accountable senior leaders and are being progressively embedded within management and committee structures.

Table 4: Material Risk Classes (Level 1 Risk Class and description)
  • Policy: Meeting policy objectives or ensuring that policies are suitable for their purpose.
  • Strategic: Effective strategic planning and execution that supports the RBA to achieve its long-term goals.
  • Operational: Internal processes, personnel and systems to achieve value, and mitigate potential or actual losses from inefficiencies, errors or external events.
  • People and Culture: The effective management and rewarding of people across the RBA.
  • Financial: The effect of volatility in financial markets is adequately managed, and operations respond where possible to potential losses or to the ability to conduct operations.
  • Compliance: Adhering to rules, legislation and statements of regulatory policy.
Figure 3: Risk Appetite Summary (risk appetite for each material risk class, rated as No appetite, Limited, Balanced or High)
  • Compliance: We have no appetite for this risk, reinforcing zero tolerance for wilful or negligent breaches.
  • Financial: We have limited to high appetite enabling flexibility for market risk, where risk-taking is essential to achieving monetary policy and financial stability objectives.
  • Operational: Appetite ranges from limited to high appetite. Model risk allows high appetite where models are used for hypothesis generation or early-stage exploration with defined controls.
  • People and culture: We have no to limited appetite, reflecting no tolerance for staff misconduct and the Bank’s commitment to a positive, safe and inclusive workplace.
  • Policy development: We have limited appetite reflecting the narrower scope of this risk. The policy development risk class now focuses on risks to achieving charter objectives through inadequate policy design or internal communication. Financial execution risk now sits under financial risk.
  • Strategic: We have limited to high appetite, with high appetite for research and analysis supporting policy development. Strategic selection risk, encompassing effective strategic planning and execution supporting the Bank’s long-term goals, has a limited to balanced appetite, given a desire for strong governance and quality stakeholder engagement.

7. Risk Identification and Assessment

At the core of the Framework is a structured process for identifying, assessing, and managing risks and obligations. Regular execution of this process, in line with the Three Lines of Accountability model, enables the Bank to mitigate threats, fulfil obligations, and take advantage of opportunities.

To support consistent risk identification, risks are grouped into broad categories known as risk classes, as defined in the Bank’s Risk Taxonomy. This taxonomy provides a structured classification of risks that could affect the Bank’s strategic priorities and operations. It facilitates consistent definition, reporting and aggregation of risks and is reviewed periodically to support its continued relevance and alignment with the Bank’s needs.

Each risk class has a designated Risk Class Owner, who is responsible for supporting oversight of how the risk class is managed across the Bank. These roles are relatively new and are being progressively embedded.

Within departments, Risk Owners and Control Owners play a critical role in managing risks relevant to their objectives and operations. Risks are assessed using a Risk Matrix, which evaluates both the likelihood and impact of potential events. This supports prioritisation of risk responses and informs decision-making at all levels.

The Bank’s Risk and Control Management Standards outline the key requirements for identifying and assessing risks and controls and define the roles and responsibilities of all relevant parties.

7.1 Emerging Risks

The Bank actively identifies, assesses and monitors emerging risks and opportunities. Emerging risks are new or evolving risks that may affect the Bank in the future and can arise from a range of external factors, including geopolitical events, technological changes, economic shifts, workforce trends, and climate change.

Emerging risks can also originate from within the Bank, particularly through major projects or organisational change. This is referred to as risk in change or delivered risk, which captures the potential risks introduced when new systems, processes or initiatives are implemented.

All departments are expected to monitor emerging risks that could affect their business objectives. This decentralised approach is supported by centrally coordinated activities that identify and discuss emerging risk themes across the Bank.

While mechanisms are in place to support enterprise-wide visibility of emerging risks, further uplift is planned to enhance horizon scanning, improve integration of insights, and strengthen strategic foresight.

Proactive management of emerging risks is a key enabler of resilience and informed decision-making across the Bank.

8. Compliance Management

The Bank is committed to meeting its obligations, which include contractual and legislative requirements and commitments. These obligations are identified and managed alongside risks, with processes being progressively strengthened to improve how obligations are captured, assessed and monitored across the Bank.

The approach is aligned with the Bank’s strategic objectives and is implemented in accordance with the Three Lines of Accountability model and broader risk and compliance management practices. It promotes proactive compliance, supports a strong compliance culture, and enables consistent oversight and reporting.

While the Bank’s compliance and obligations management processes are still maturing, work is underway to improve visibility of obligations across departments, clarify responsibilities for managing compliance risks and embed compliance considerations into operational practices.

8.1 Regulatory Change

The Bank is progressively strengthening the identification, assessment, and monitoring of actual or anticipated regulatory change that may impact its obligations. This process supports the Bank in remaining responsive to evolving regulatory requirements and expectations, and helps maintain a strong compliance posture.

When assessing regulatory change, the Bank considers impact on people, processes, systems, and data, as well as its operational readiness to implement and embed the change effectively.

9. Control Assessment

The Bank designs and applies controls to manage key risks, support the achievement of objectives, and meet its obligations. These controls are reviewed regularly to confirm they are appropriately designed and operating effectively, with supporting documentation and evidence.

When gaps or weaknesses are identified, actions are taken to improve the control environment, reduce associated risks and strengthen the management of obligations. These findings may result in the identification of issues, which are currently managed through mitigation action plans. Work is underway to enhance the consistency and structure of how issues are tracked and addressed across the Bank.

Control assessments are documented and reported through appropriate channels to support effective oversight and informed decision making.

10. Issue Management

Issue Management refers to the process of identifying and resolving gaps or weaknesses in the control environment. These may arise from control assessments, audits, assurance activities, or other sources.

Issues may or may not be linked to a specific incident. They typically require corrective actions to strengthen controls and reduce the likelihood of future disruption or non-compliance.

Effective Issue Management enables prioritisation of remediation activities based on severity, urgency, and potential impact. This supports continuous improvement of the control environment and the Bank’s overall risk and compliance posture.

11. Incident Management

Incident Management refers to the response to discrete events that result in an impact, such as disruption, loss, or non-compliance. Examples include system outages, fraud, or regulatory breaches. It also includes near misses, events that could have caused an impact but were avoided or contained before harm occurred.

Incidents reflect events that have already taken place. While not all incidents require corrective action, particularly where the impact is contained, remedial measures are implemented where necessary to manage or mitigate immediate effects.

The Framework promotes timely identification, recording, escalation, and resolution of incidents to support operational resilience and compliance. Importantly, the occurrence of incidents, even with strong controls in place, is not necessarily a sign of failure. In complex operating environments, incidents are expected from time to time. What matters is that incidents are responded to effectively, with attention to their severity and potential impact, and with a focus on understanding what happened, and what can be learned to improve future outcomes.

12. Action Management

Action Management refers to the tracking and oversight of activities undertaken to address identified issues, respond to incidents, or implement improvements arising from assurance processes.

Actions may be preventive, corrective, or enhancement focused. They are used to mitigate risks, strengthen controls, and support continuous improvement.

The Framework promotes clear ownership, timely implementation, and closure of actions. This ensures accountability and sustained risk reduction, reinforcing the Bank’s commitment to effective risk and compliance management.

13. Data, Systems and Reporting

The Bank maintains a governance, risk and compliance (GRC) system that serves as the single source of truth for capturing, assessing, monitoring and reporting on risks, controls, incidents, issues and related actions. This system underpins the Bank’s enterprise risk and compliance management approach by promoting transparency and consistency of information.

All departments are responsible for recording their risk and compliance information in the system, and maintaining its completeness and accuracy.

The system is a key enabler of informed decision-making and strategic oversight. It provides senior management and governance committees with timely and relevant insights through both standard and tailored reports. These reports integrate key risk management outcomes, including the Bank’s position relative to risk appetite, control assessment outcomes, emerging risks, and the status of incidents and issues. This supports a comprehensive view of the Bank’s risk profile and informs prioritisation, escalation, and assurance activities.

Enhancements to the system are currently underway to better support risk management processes. Future improvements to compliance functionality are under consideration as part of a broader uplift program.

14. Framework, Policies and Standards

The RCMF is supported by a structured set of frameworks, policies, and standards that guide consistent and effective risk and compliance practices across the Bank. These documents define the principles, minimum requirements, and expectations for how risks and compliance obligations are managed.

They promote a common understanding of responsibilities, support alignment with the Bank’s strategic objectives and regulatory obligations and enable consistent implementation across departments. These documents are reviewed periodically to ensure they remain current, relevant, and aligned with the Bank’s risk appetite.

Work is underway to strengthen the governance of frameworks, policies, and standards by clarifying ownership, review cycles, and approval pathways. This will support greater consistency, improve visibility of key requirements, and ensure alignment across the broader risk and compliance architecture.

15. Framework Management

15.1 Administration

This Framework is administered by the Risk and Compliance Department.

15.2 Communication

This Framework is published on RBA’s intranet and external website.

16. Resources

16.1 Related Documents

  1. Executive Accountability Framework
  2. Risk Appetite Statement
  3. Risk Management Committee Charter