Risk Appetite Statement September 2018

1. Introduction

The Reserve Bank of Australia (the Bank) is established by statute as Australia's central bank with broad objectives and extensive powers. The activities undertaken in fulfilment of its responsibilities are overseen by two policy boards and several board and high-level management committees.

The Bank is charged with carrying out the duties of a central bank in the interests of the people of Australia. This obligation is enshrined in legislation and is central to the core values of the organisation. The Bank's ability to fulfil this mandate effectively rests, among other things, on its reputation as an organisation of the highest integrity and professionalism.

This Statement considers the most significant risks to which the Bank is exposed and provides an outline of the approach to managing these risks. All strategic plans and business plans for functional areas need to be consistent with this Statement.

2. General Statement of Appetite

The Bank faces a broad range of risks reflecting its responsibilities as a central bank. These risks include those resulting from its responsibilities in the areas of monetary, financial stability and payments system policy, as well as its day-to-day operational activities.

The risks arising from the Bank's policy responsibilities can be significant. These risks are managed through detailed processes that emphasise the importance of integrity, intelligent inquiry, maintaining high-quality staff, and public accountability.

The Bank is also exposed to some significant financial risks, largely because it holds Australia's foreign exchange reserves. It accepts that the balance sheet risks are large, and manages these risks carefully, but not at the expense of its policy responsibilities.

In terms of operational issues, the Bank has a low appetite for risk. The Bank makes resources available to control operational risks to acceptable levels. The Bank recognises that it is not possible or necessarily desirable to eliminate some of the risks inherent in its activities. Acceptance of some risk is often necessary to foster innovation and efficiencies within business practices.

3. The Risk Management Framework

The Bank's risk management framework seeks to ensure that there is an effective process in place to manage risk across the Bank. Risk management is integral to all aspects of the Bank's activities and is the responsibility of all staff. Managers have a particular responsibility to evaluate their risk environment, to put in place appropriate controls and to monitor the effectiveness of those controls. The risk management culture emphasises careful analysis and management of risk in all business processes.

These risks are identified, assessed and managed at both an enterprise level (‘top-down’) and business level (‘bottom-up’). The Risk Management Committee, which is chaired by the Deputy Governor, has oversight of these processes. This Committee meets at least six times a year and provides a report on its activities to both the Executive Committee and the Reserve Bank Board Audit Committee.

4. Coverage

The Bank's attitude towards its key strategic, financial, people and operational risks is described below.

4.1 Strategic Risks

The Bank aspires to be among the world's leading central banks, measured by the quality and effectiveness of its operations. This requires ongoing development and innovation in its operations through strategic initiatives which often carry significant risk. The Bank has a low appetite for threats to the effective and efficient delivery of these initiatives. It recognises that the actual or perceived inability to deliver strategic initiatives could have a significant impact on its ability to achieve its objectives as well as its reputation.

The Bank's Executive meets regularly to discuss the major initiatives. A framework is in place to ensure that these initiatives are prioritised appropriately, and that the associated risks are well managed and reported on a consistent basis.

4.2 Financial Risks

The Bank holds domestic and foreign currency-denominated financial instruments to support its operations in financial markets in pursuit of its policy objectives. These instruments account for the majority of the Bank's assets and expose the balance sheet to a number of financial risks, of which the largest is exchange rate risk. The Bank does not aim to eliminate this risk as this would significantly impair its ability to achieve its policy objectives. Instead, the risks are managed to an acceptable level through a framework of controls. The Bank acknowledges that there will be circumstances where the risks carried on its balance sheet will have a material impact on its financial accounts. The Bank regards it as desirable to hold sufficient reserves to absorb potential losses.

The Bank has a very low appetite for credit risk. The Bank manages this risk carefully by applying a strict set of criteria to investments, confining its dealings to institutions of high creditworthiness and ensuring that exposures to counterparties are appropriately secured, wherever feasible.

Risk tolerances for the Bank's activities in financial markets are outlined in policies which are approved by the Governor and the Assistant Governor (Financial Markets) under delegation from the Governor. Performance against these measures is monitored daily and reported to the Assistant Governor (Financial Markets), the Head of Risk and Compliance and other senior staff.

4.3 Fraud and Corruption

The Bank has no appetite for any dishonest or fraudulent behaviour and is committed to deterring and preventing such behaviour. It takes a very serious approach to cases, or suspected cases, of fraud or corruption perpetrated by its staff, and responds fully and fairly in accordance with provisions of the Code of Conduct.

4.4 People and Culture Risks

The Bank's significant people and culture-related risks include:

  • Calibre of People – The Bank relies on motivated, diverse and high-quality staff to perform its functions. It aims to create an environment where staff are empowered to the full extent of their abilities.
  • Conduct of People – The Bank expects staff to conduct themselves with a high degree of integrity, to respectfully strive for excellence in the work they perform and the outcomes they achieve, and to promote the public interest. The appetite for behaviours which do not meet these standards is very low. The Bank takes any breaches of its Code of Conduct very seriously.
  • Work Health & Safety (WHS) – The Bank is committed to creating a safe working environment for all of its staff, where people are protected from physical or psychological harm. It has a very low appetite for practices or behaviours that could be expected to lead to staff being harmed while at work.

4.5 Operational Risks

The Bank's appetite for specific operational risks is detailed below. Risks are carefully analysed in all of the Bank's operational activities, including to ensure that the benefit of the risk control measures exceeds the costs of these measures.

(i) Information Technology

Information Technology (IT) risks cover both daily operations and ongoing enhancements to the Bank's IT systems. These include:

  • Technology Service Availability – Prolonged outage of a core RBA system: The Bank has a very low appetite for risks to the availability of systems which support its critical business functions, including those which relate to inter-bank settlements, banking operations and financial markets operations. Service availability requirements have been identified and agreed with each business area.
  • Security – Cyber-attack on RBA systems or networks: The Bank has a very low appetite for damage to Bank assets from threats arising from malicious attacks. To address this risk, the Bank aims for strong internal processes and the development and continuous improvement of robust technology controls.
  • Technology Change Management: The implementation of new technologies creates new opportunities, but also new risks. The Bank has a low appetite for IT system-related incidents which are generated by poor change management practices.

(ii) Physical Security

The Bank provides a highly secure environment for its people and assets by ensuring its physical security measures meet high standards. The Bank has a very low appetite for the failure of physical security measures.

(iii) Compliance

The Bank is committed to a high level of compliance with relevant legislation, regulation, industry codes and standards as well as internal policies and sound corporate governance principles. Identified breaches of compliance will be remedied as soon as practicable. The Bank has no appetite for deliberate or purposeful violations of legislative or regulatory requirements.

(iv) Information Management

The Bank is committed to ensuring that its information is authentic, appropriately classified, properly conserved and managed in accordance with legislative and business requirements. It has a very low appetite for the compromise of processes governing the use of information, its management and publication. The Bank has no appetite for the deliberate misuse of its information.

5. Implementation of the Bank's Risk Appetite

All Heads of Department are responsible for the implementation of, and compliance with, this Statement.

5.1 Communication

The Bank's Risk Appetite Statement is published on the Bank's intranet and the Bank's website.

5.2 Risk Assessments

Each department maintains a Risk Register of the business risks it faces in its day-to-day operations and the control framework which is in place to mitigate risks. These Registers take into account risks from within the Bank and external sources, and are reviewed regularly. Risk Registers are also updated where necessary when there are key changes in policies, structures or functions and in response to incidents.

All risks which are judged as unacceptable at departmental level are reported to the Risk Management Committee and remedial action plans to reduce these risks to acceptable levels are reported, where appropriate, to the Executive Committee.

All departmental risks which are judged as having a residual risk equal to medium or above are reported to the Risk Management Committee annually.

Departments are required to manage their specific operational risks in a manner which is consistent with this Statement, and to manage and address any risks outside appetite or agreed tolerance levels. Departmental risk appetite settings in their Risk Registers for groups of risks with a similar nature must also be consistent with this Statement.

5.3 Reporting & Monitoring

This Statement is complemented by a number of specific risk metrics which assist management in assessing whether outcomes are consistent with the Bank's risk appetite.

Performance against these metrics is tracked and reported to the Risk Management Committee on a regular basis.

Reporting systems are maintained to provide assurance that the risk appetite is effectively incorporated into management decisions.

6. Review

This Risk Appetite Statement is reviewed biennially, or whenever there is a significant change to the Bank's operating environment. This review is coordinated by the Risk and Compliance Department. Changes to the Risk Appetite Statement must be approved by the Risk Management Committee and the Executive Committee.