Risk Management Policy November 2021

1. Purpose and strategy

The objective of this Risk Management Policy (RMP) is to ensure that we are managing risk to the best of our ability to enable the successful achievement of the Bank's objectives. We do this by implementing an effective risk management framework that is embedded in the Bank's processes and culture. The RMP incorporates the Risk Appetite Statement to guide us on the amount of risk we should be taking.

This RMP applies to the activities of all areas of the Bank and should be read together with the Bank's Risk Management Framework.

1.1 Background

The Reserve Bank of Australia (the Bank or RBA) is established by statute as Australia's central bank with broad objectives and extensive powers. The Bank is charged with carrying out the duties of a central bank in the interests of the people of Australia. This obligation is enshrined in legislation and is central to the core values and mission of the organisation.

Fulfilling these duties requires us to manage varying and often significant amounts of risk for the Bank. Those risks related to monetary and payments policy, which are often the most significant, are overseen by the relevant Boards. Operationalising these policies, as well as conducting the Bank's broader operations, requires consideration and management of risks. For these, specific tolerance levels are established by the Risk Management Committee. Risk appetite categories are included in the RMP which is approved by Governor on an annual basis. Guidance is provided through Key Risk Indicators (KRIs), desired behaviours, and the appetite level, that are then cascaded throughout the Bank to assist staff in their day-to-day management of risk. This helps ensure the all staff operate within our agreed risk appetite.

1.2 Risk Culture

All of our actions related to risk management contribute to the Bank's risk culture, which is defined as the behavioural norms and attitudes related to risk awareness, risk-taking, risk management and controls that shape our decisions on risks. The content of this policy is designed to equip employees with clarity on responsibilities and guidance for managing and taking appropriate risks in a way that contributes to a proactive risk culture.

1.3 Risk appetite profile

Figure 1: Risk Appetite Summary
Risk Appetite Summary

Note: Refer to Table 3 for the description of appetites

We seek to encourage and reward appropriate risk taking in order to achieve our strategic objectives.

We have a ‘High Appetite’ where achievement of our goals within uncertainty requires risk taking. While higher levels of risk for the achievement of our goals may be necessary, we seek the lowest risk that can be achieved. Management of these risks will be guided by the public interest and the Bank's mandate.

We have a ‘Balanced Appetite’ for choosing and implementing strategies where we can balance risk against the outcome. As a public organisation we have duty to ensure we are maximising our ability to achieve our outcomes and objectives, and this will require balancing the risks of doing something against the risk of missed opportunities.

We have a ‘Limited Appetite’ or ‘No Appetite’ in other areas, which primarily relate to our people, processes and systems. To ensure we continue to provide an important services to the Australian public, we need to ensure the risks associated with delivery of these services are managed to ensure the high standards expected of us.

The risks around Policy decisions are managed by the Reserve Bank's two boards, and so the management of these risks sits outside this document. Operationalising policy decisions will, however, generally fit into one of the other broad key risk categories and so management of risks relating to operationalising policy decisions will be guided by this document.

For all our risks, the Bank's values encourage us to use intelligent inquiry to seek and manage risks in the pursuit of the public interest; respectfully challenge how our risk management helps or hinders achievement of our objectives; apply integrity to risk matters; and seek excellence in managing our most critical risks and processes.

Innovation and experimentation are important in meeting our objectives. We take a considered approach to innovation and experimentation, and how we use it to achieve our outcomes.

1.4 Our Roles and responsibilities

Table 1. Risk Appetite Summary

Role Risk Appetite
The Governor
  • As the accountable authority of the Bank, the Governor has overall responsibility for management of the organisation.
  • Day-to-day management of the various areas in the Bank – including risk management – is delegated to the Deputy Governor, respective Assistant Governors and/or Department Heads.
Reserve Bank Board and Payments System Board
  • The Reserve Bank Board and Payments System Board oversee risks inherent to the Bank's monetary and banking policy, financial stability and payments policy functions.
  • Risks arising directly from the Bank's shareholding in Note Printing Australia Limited (NPA) are also overseen by the Reserve Bank Board, with the operating risks at NPA remaining the responsibility of both the NPA board and its management.
Risk Management Committee (RMC)
  • The RMC oversees the Bank's overall risk management practices (excluding the risks overseen by the Reserve Bank Board and Payments System Board). See RMC Charter for more information.
Executive Leadership
  • Executive accountabilities for risk are included in the Executive Accountability Framework
  • Heads of Department are responsible for fostering a safe environment for staff to challenge activities, processes and controls and ensuring that there are no reprisals for staff that do so.
All Staff (including management and contractors)
  • We are responsible for understanding the Bank's risk appetite as it relates to our role requirements, being open and transparent about risk matters, speaking up without hesitation and addressing risk issues in an appropriate and timely manner.
  • We are all responsible for risk management activities including associated controls and ongoing monitoring processes. This includes proactively identifying and discussing improvements in risks and controls.
  • Follow the Incident Reporting process and report experiences (including ‘near misses’) as this process helps to identify, evaluate and manage risk.
Risk and Compliance Department (RM)
  • RM articulates, reports and advises on the risk management process to support the Risk Management Committee to fulfil its accountabilities, and provides an enterprise ‘Line 2’ function.
  • RM provides support for areas to manage their risk environment in a manner that is consistent across the Bank. The Department does not, however, conduct risk management on behalf of areas or assume ownership of, or responsibility for, those risks.
Audit Department
  • The Audit Department undertakes a risk-based audit program to provide assurance that risks are identified and key controls to mitigate these risks are well-designed and working effectively. This includes reviewing the Bank's risk management framework, risk documentation of each area, testing controls on a sample basis and auditing risk culture.
  • The Audit Department reports independently to the Board's Audit Committee on the effectiveness of controls and any recommendations that are made for improvement.

1.5 Operationalising risk management via the Three Lines Model

The Bank's Risk and Compliance Management Framework aligns with and incorporates the principles of the ‘Three Lines Model’. In order to appropriately manage risk in day-to-day operations we are all expected to understand our role within the 3 Lines of Accountability model. Most of us have a ‘First line’ role.

Table 2. Three Lines of Accountability

First line Second line Third line
(primarily Internal Audit)
Own and manage risks and are responsible for implementing, and monitoring controls to keep risks within the appetite of the organisation. Supports the risk management framework and its implementation, including through challenge and review of first line management of risks and controls, oversight of the risk profile, and independent escalation of issues. Provides assurance on the effectiveness of governance, risk management and internal controls.

2. Risk Appetite

2.1 Risk Appetite, Triggers and Tolerances

Our risk appetite is defined as the amount of risk that the Bank is prepared to accept when pursuing its strategic goals and can be expressed on a scale that ranges from High Appetite to No Appetite. This describes the behaviours and outcomes the Bank is seeking. See below:

Table 3. Appetite Level Descriptions

Appetite Level Description
High Appetite

We acknowledge that we may need to take risks to achieve our goals or pursue important objectives. Where outcomes are important, we will not let uncertainty prevent us from pursing those goals and objectives. We will identify and manage these risks but not to the detriment of achieving our goals and objectives.

We take risks for important objectives, while managing the potential downside and the upside.

Balanced Appetite

We may undertake a course of action to pursue opportunities, while also potentially exposing the Bank or stakeholders to financial loss, reputational damage or breakdown in systems or processes. These opportunities would be pursued in order to achieve our strategic goals or pursue important objectives.

Risk exposures arising from pursuit of these opportunities will be managed, considering costs, benefits and consequences.

Limited Appetite

We will generally avoid a course of action that may expose the Bank or stakeholders to financial loss, reputational damage or breakdown in systems or processes.

Risk exposures will be minimised to as low as reasonably practicable. Further reductions in risk exposures would require considerable use of public money that is not desirable for the benefits that will be derived.

No Appetite

We will not follow a course of action that may expose the Bank or stakeholders to financial loss, reputational damage or breakdown in systems or processes.

Risk exposures will be avoided as any incidents arising would be outside of appetite.

A risk appetite level has been set across six categories, which can be seen in section 1.3 Risk appetite profile.

Outside of Policy risk, we will use Key Risk Indicators (KRIs) to provide guidance on what each appetite category means in practice for each risk appetite category. The KRIs used to measure appetite should have the following characteristics:

  1. Dynamic: KRIs should reflect and respond to the current situation
  2. Quantifiable: KRIs should be easily interpreted and measured, using quantitative metrics wherever possible.
  3. Actionable: clear action owners and required actions should be provided for when a trigger or tolerance is breached.
  4. Preventative and Detective: a range of KRIs should be used to monitor whether a risk has materialised or may materialise in the future.

The current list of approved KRIs are listed in Appendix A.

The risk appetite categories will be reviewed annually, or if there are substantial changes to the risk environment. KRI's and their tolerance and trigger levels will be adjusted as required to support us to manage risk within our appetite.

2.2 Monitoring risk appetite through risk Triggers and Tolerances

We monitor whether we are within risk appetite using risk Triggers and Tolerances. Risk tolerance metrics are chosen to indicate the amount of risk that we operate with, expressed, wherever possible, as a quantifiable metric based on the risk appetite and risk profile. Early warning indicators (triggers) are also selected to help us identify any potential problem areas before a tolerance is breached. We will use a traffic light system to monitor these metrics:

Figure 2: Appetite Level Descriptions
Appetite Level Descriptions

2.3 Monitoring and reporting

There is a formal process to monitor and report business activity against risk appetite. Outcomes against the metrics set out in this Policy are tracked by Risk Owners and reported to the Risk Management Committee (RMC) on a regular basis.

The assessment of whether a risk is outside appetite is a qualitative assessment, and will not be based solely on triggers and tolerances. The Risk Management Committee will use the metrics, along with advice from risk owners, residual risk ratings, progress towards action plans, and contextual information to assess whether risk categories are currently within or outside our appetite.

Risk categories assessed as being outside of appetite will be monitored by the RMC until they are returned to within appetite. The Governor and the Board Audit Committee will be notified and updated on progress.

3. Risk Identification, Evaluation and Mitigation

3.1 Risk Identification

At the core of managing risk is the process for identifying, evaluating and mitigating risk. Undertaking this process on a regular basis enables us to mitigate threats to our business and to take advantage of opportunities.

Risk owners are expected to perform formal risk identification or reviews for each key process, project, and during business planning. Risk identification should take place on a regular basis.

Risk owners should be aware that risks identified by one area may have implications for other areas of the Bank and these should be raised and actions agreed with the appropriate risk owner in a suitable timeframe.

3.2 Risk Evaluation (Inherent Risk Rating)

The inherent level of risk is the product of the likelihood and the consequence ratings. This determines what further risk management is required. For all identified risks, owners should assess inherent risk using the tables in the Risk Matrix. The tables should be used as a guide to help with consistency across the Bank, but ultimately judgement on behalf of the risk owner will be required to arrive at the relevant ratings.

3.3 Risk Decisions

Based on the assessment of each risk, risk owners decide the appropriate treatment to apply, including: Avoidance, Acceptance, Removal (of the particular element that generates the risk), controlling the risk, or transferring the risk (through insurance or contracts). Risk owners may choose a number of options to effectively manage each risk.

3.4 Controls

Controls include any process, policy, device, practice, or other actions which modify risk. Controls are chosen to reduce the likelihood of the risk occurring and/or the impact or consequence of the risk should it occur. An owner should be assigned for each control, and that ‘control owner’ is responsible for ensuring the control is effective. Controls should be tested in accordance with the associated residual risk rating

The Bank acknowledges that controls that have been tested and assessed as effective may, due to unforeseen circumstances, fail, leading to undesired outcomes. For this reason, the Risk Management Committee monitors risks in order to improve understanding of, and ability to mitigate such unforeseen events.

3.5 Risk Evaluation (Residual Risk Rating)

The residual risk is the current risk state given the effectiveness of the controls that have been implemented to manage the risk. The Risk Matrix illustrates interaction between inherent and residual risk rating. Each identified risk is required to have a target residual risk rating. Risk owners should use the overall risk appetite when assessing the appropriate target risk rating.

4. Policy Management

4.1 Administration

This Policy is administered by the Risk and Compliance Department.

4.2 Monitoring and Review

The Policy is reviewed annually or more frequently if there is a major change to the Bank's risk management framework. Changes to the Policy must be approved by the Governor.

4.3 Communication

This Policy is published on the Bank's Intranet.

4.4 Related Documents

  1. Executive Accountability Framework
  2. Risk Management Committee Charter
  3. Risk Management Framework

5. Enquiries

For further information or clarification on this Policy or associated documentation, please contact RM – SOR Mailbox.

Appendix A: Risk Appetite by Risk Category

Table A1. Risk Appetite by Risk Category

Category Sub Category Category Description Risk appetite Sub Category Owner
Policy Monetary and Banking Policy Contribute to the stability of the currency, full employment, and the economic prosperity and welfare of the Australian people Limited to Balanced Governor
(Note: management of these risks sits with the Reserve Bank Board)
Payments Policy Controlling risks in the financial system, promoting efficiency in the payments system and promoting competition in payment services Limited to Balanced Governor
(Note: management of these risks sits with the Payments System Board)
Strategic Strategy Selection Development of suitable and viable strategies High Governor
Strategy Implementation Investment decisions support strategic goals Balanced Deputy Governor
Implementation of strategic business goals through change programs or day to day work Limited Deputy Governor
Analysis Exploration and expansion of analysis and decisions to effectively support decision making High Governor
Innovation Considered and deliberate innovation and experiments to achieve our mission High Executives accountable within their functional area
Public Confidence and Trust Maintain public trust in order to achieve the Bank's mandates Limited Governor
Communications Communications to achieve the Bank's strategic goals Balanced Head of Communications
Financial Markets Market Risk Select and manage the asset portfolio to ensure that movements in exchange rates and other market prices do not impair the Bank's capacity to meet its policy objectives
(Excludes market risk associated with policy parameters set by the Reserve Bank Board such as the size of net FX reserves)
Balanced Assistant Governor (Financial Markets) and Head of Risk and Compliance Department
Credit Risk Manage the potential for financial loss due to the default of a counterparty or issuer, or failure of a counterparty or issuer to fulfil their financial obligations Limited Assistant Governor (Financial Markets) and Head of Risk and Compliance Department
Liquidity Risk Ensure ability to undertake policy operations, including ability to quickly liquidate positions or collateral, while limiting financial loss. Limited Assistant Governor (Financial Markets) and Head of Risk and Compliance Department
People and culture Talent The collective capabilities and knowledge of Bank employees Balanced Head of Human Resources
Workplace safety Work Health and Safety (WHS) practices or behaviours that maintain employee safety Limited Head of Human Resources
Risk Culture Behaviour and practices that support us to operate within our risk appetite Limited Executives accountable within their functional area
Staff Misconduct Expected standards of behaviour Limited Head of Human Resources
Operational Business Process Resilience Resilience and continuity of services Limited Executives accountable within their functional area
Technology resilience Availability of critical technology services Limited Chief Information Officer
Availability of non-critical technology services Balanced Chief Information Officer
Cyber resilience Resilience against cyber-attacks Limited Chief Information Officer
Information Management Records can be located, used and retained appropriately Limited Head of Information
Appropriate access to information assets Limited Head of Information
Third Party Management Third party fulfilment of contractual obligations Limited Executives accountable within their functional area
Compliance Intentional Violations Deliberate or purposeful breach of legislative or regulatory obligations does not occur No Appetite Head of Risk and Compliance
Compliance Compliance with legislative and other mandatory external obligations and commitments (avoidance of unintentional non-compliance) Limited Head of Risk and Compliance
Fraud and Corruption Employees do not engage in acts of Fraud or Corruption No Appetite Head of Risk and Compliance