Risk Management Policy December 2019

1. Purpose and Application

Risk management is about understanding and managing the Bank's risk environment and taking measures, where necessary, to ensure that risks are contained to acceptable levels consistent with the Bank's risk appetite as outlined in the Risk Appetite Statement. This document sets out, at a high level, the Bank's policy on managing this process.

1.1 Policy Objective

The objective of the Reserve Bank's Risk Management Policy is to ensure the implementation of an effective risk management framework that is consistent with the Bank achieving its policy and operating objectives. In doing so, it follows accepted standards and guidelines for managing risk, particularly those used by public and financial institutions.

The principle underpinning the Bank's approach is that risk management is an integral part of the management function in the organisation and, as such, is the clear responsibility of management. Line managers have the responsibility to evaluate their risk environment, to put in place appropriate controls and to monitor the effectiveness of these controls. This process is supplemented with a review of key enterprise risks by the Bank's Executive Committee.

The Bank is committed to ensuring that effective risk management remains central to all its activities and is a core management competency. The aim is to ensure that risk management is embedded in the Bank's processes and culture, thus contributing to the achievement of its core objectives.

1.2 Application

This Policy applies to the activities of all areas of the Bank. The Deputy Governor, respective Assistant Governors or Department Heads in charge of those areas are responsible for its implementation.

2. Policy Components

2.1 Coverage

The Bank identifies, assesses and manages risk at both an enterprise (‘top-down’) and a business (‘bottom-up’) level. This process covers the full spectrum of risks, including policy, strategic, market, credit and operational risks (compliance risk among them). This Policy aims to achieve the proper identification and oversight of all the risks the Bank faces.

2.2 Risk Profile and Risk Appetite

The Bank seeks to manage its risk profile carefully. This reflects the view that satisfactory fulfilment of its important public policy responsibilities could be seriously jeopardised if poorly managed risks were to lead to impaired operations, significant financial losses and/or damage to the Bank's reputation. The Bank's Risk Appetite Statement sets out the Bank's appetite for its most significant risks, while the Risk Management Framework details the operational elements. The Bank's management is aware of the high standards that the community expects of its central bank.

2.3 Roles and Responsibilities

The Governor, as the accountable authority of the Bank, has overall responsibility for management of the organisation, but day-to-day management of the various areas in the Bank – including risk management – is delegated to the Deputy Governor, respective Assistant Governors or Department Heads in charge of those areas.

The risks inherent to the Bank's monetary and banking policy, financial stability and payments policy functions are overseen by the Reserve Bank Board and Payments System Board. The risks arising directly from the Bank's shareholding in Note Printing Australia Limited (NPA) are also overseen by the Reserve Bank Board, with the operating risks at NPA remaining the responsibility of both the NPA board and its management.

The Risk Management Committee (RMC) oversees the Bank's overall risk management practices, excluding the risks in the preceding paragraph, via a formal delegation from the Governor. The Committee comprises several senior officers and is chaired by the Deputy Governor. Its role is to ensure that the Bank's risks are identified, assessed and effectively managed in accordance with this Policy. The RMC provides a semi-annual report of its activities to the Board's Audit Committee and to the Bank's Executive Committee.

The RMC may establish working groups to develop strategies for the management of Bank-wide risks, such as business continuity. The Committee retains oversight of these areas from a risk management perspective, and Risk and Compliance Department (RM) facilitates appropriate coordination across the Bank.

The RMC may request Risk and Compliance Department (RM) to conduct ‘one-off’ risk reviews of either a process or across functional lines if that is judged appropriate.

Bank management in each area remains responsible for the management of risks, including associated controls and ongoing monitoring processes. Risks identified by one area which may have implications for other areas of the Bank should be reported immediately to RM and the relevant area(s). Events which are not covered by, or which occur other than in accordance with, Bank policies and procedures, and which have (or could have) material undesirable consequences (‘incidents’) are required to be promptly reported to RM. In addition, areas are encouraged to report to RM on experiences (including ‘near misses’) that might assist the Bank generally to identify, evaluate and treat risks.

All employees are responsible for adhering to processes and procedures which are designed to manage risks associated with the work they perform. They are also required to alert management to any risk or incident that they become aware of in the course of their work. Employees should also discuss with their management any potential gaps in, or improvements to, the control framework that they identify.

RM facilitates, coordinates and advises on the risk management process to help areas manage their risk environment in a manner that is consistent across the Bank. The Department does not, however, conduct risk management on behalf of areas or assume ownership of, or responsibility for, those risks. The Head of RM reports to the Deputy Governor and is a member of the RMC.

Audit Department undertakes a risk-based audit program to provide assurance that risks are identified and that the key controls to mitigate these risks are well designed and working effectively. This includes reviewing the Bank's risk management framework and the risk documentation of each area, and testing controls on a sample basis. Audit Department reports independently to the Board's Audit Committee on the effectiveness of controls and on any recommendations made for improvement. Copies of these reports are also made available to the RMC (and, in the case of Bank-wide audits, to the Bank's Executives). Audit Department also prepares for the Audit Committee an annual assessment of the overall adequacy and effectiveness of the Bank's internal controls, based on the results of the internal audit work conducted during the period.

RM falls within the scope of internal audit reviews. An external independent review of its function may also be commissioned by the RMC.

2.4 Framework for Managing Risk

The Bank's risk framework is designed to enable the Bank to understand and communicate its risk profile, ensure that risks remain at acceptable levels, assess how risks are likely to evolve as a result of new activities or changes in the operating environment, and assist in the quick recovery from a risk event. The approach aligns with and incorporates the principles of the ‘three lines of defence’ model, which is based on a set of layered defences that align responsibility for risk taking with accountability for risk control.

Departments (the first line) own and manage risks and are responsible for implementing controls to keep risks within the appetite of the organisation; the second line provides specialised risk and compliance management services; and the third line, primarily Audit Department, provides assurance to senior management on the effectiveness of governance, risk management and internal controls.

The Bank's general approach is to have a second line where it is necessary to give additional confidence that the residual risk is acceptable. Reflecting this, the Bank's second-line activities are conducted through a mix of a centralised independent function, dedicated departmental functions, knowledge centres for key areas of risk and compliance, and centralised monitoring functions. Heads of Department are responsible for fostering an open environment in which staff members can challenge activities, processes and controls, and for ensuring that there are no reprisals for staff who do so.

The Bank's framework endeavours to cover the full spectrum of risks faced by the Bank by evaluating risk from both an enterprise and a business perspective. This framework is consistent with the accepted Australian standard (ISO 31000:2018 Risk Management) and comprises several important steps:

  • Identifying and analysing the main risks facing the Bank.
  • Evaluating those risks and making judgements about whether they are acceptable or not.
  • Implementing appropriately designed control systems to manage these risks in a way which is consistent with the Bank's Risk Appetite Statement.
  • Treating unacceptable risks by formulating responses once they have been identified, including actions to reduce the probability or consequences of an event and the formulation of contingency plans.
  • Documenting these processes, with summary tables (risk registers) as the main form of documentation, supplemented by risk manuals or related documents as appropriate.
  • Ongoing monitoring, communication and review.

While the framework is applied consistently across the Bank, individual areas must identify and analyse the risks in their own areas, assess the controls in place to deal with those risks, and make decisions about whether to mitigate a particular risk – fully or partially – given its effects and the costs of mitigation. If a residual risk is judged to be unacceptable, the ‘owner’ area is responsible for developing and implementing/overseeing a remedial plan. This process is overseen by the RMC, and by the Bank's Executive Committee where the residual risk is not assessed as ‘low’ or ‘very low’.

Where risks are considered ‘cross-sectional’ or ‘common’ – that is, owned by one area and managed by another (e.g. IT-related risks) – a process is established for ensuring that the risks are both communicated, and action agreed, between the areas concerned. Processes are also in place that facilitate appropriate liaison and consultation with external entities whose activities could inform the Bank’s risk environment.

3. Policy Management

3.1 Administration

This Policy is administered by Risk and Compliance Department.

3.2 Monitoring and Review

The Policy is reviewed biennially or more frequently if there is a major change to the Bank's risk management framework. Changes to the Policy must be approved by the Risk Management Committee.

3.3 Communication

The Policy is published on the Bank's Internet site and Intranet.

4. Resource

4.1 Related Document