Risk Management Policy April 2018

1. Purpose and Application

Risk management is about understanding and managing the Bank's risk environment and taking measures, where necessary, to ensure that risks are contained to acceptable levels consistent with the Bank's risk appetite as outlined in the Risk Appetite Statement. This document sets out, at a high level, the Bank's policy on managing this process.

1.1 Policy Objective

The objective of the Reserve Bank's Risk Management Policy is to ensure the implementation of an effective risk management framework that is consistent with the Bank achieving its policy and operating objectives. In doing so, it follows accepted standards and guidelines for managing risk, particularly those used by public and financial institutions.

The principle underpinning the Bank's approach is that risk management is an integral part of the management function in the organisation and, as such, is the clear responsibility of management. Line managers have the responsibility to evaluate their risk environment, to put in place appropriate controls and to monitor the effectiveness of these controls. This process is supplemented with a review of key enterprise risks by the Bank's Executive Committee.

The Bank is committed to ensuring that effective risk management remains central to all its activities and is a core management competency. The aim is to ensure that risk management is embedded in the Bank's processes and culture, thus contributing to the achievement of its core objectives.

1.2 Application

This Policy applies to the activities of all areas of the Bank. The respective Assistant Governors or Department Heads in charge of those areas are responsible for its implementation.

2. Policy Components

2.1 Coverage

The Bank identifies, assesses and manages risk at both an enterprise (‘top-down’) and a business (‘bottom-up’) level. This process covers the full spectrum of risks including policy, strategic, market, credit and operational risks, including compliance. This Policy aims to achieve the proper identification and oversight of all the risks the Bank faces.

2.2 Risk Profile and Risk Appetite

The Bank seeks to manage its risk profile carefully. This reflects the view that satisfactory fulfilment of its important public policy responsibilities could be seriously jeopardised if poorly managed risks were to lead to impaired operations, significant financial losses and/or damage to the Bank's reputation. The Bank's Risk Appetite Statement sets out the Bank's appetite for its most significant risks. The Bank's management is aware of the high standards that the community expects of its central bank.

2.3 Roles and Responsibilities

The Governor, as the chief executive of the Bank, has overall responsibility for management of the organisation, but day-to-day management of the various areas in the Bank – including risk management – is delegated to the respective Assistant Governors or Department Heads in charge of those areas.

The risks inherent to the Bank's monetary and banking policy, financial stability and payments policy functions are overseen by the Reserve Bank Board and Payments System Board. The risks arising directly from the Bank's shareholding in Note Printing Australia Limited (NPA) are also overseen by the Reserve Bank Board, with the operating risks at NPA remaining the responsibility of both the NPA board and its management.

The Risk Management Committee (RMC) oversees the Bank's overall risk management practices, excluding the risks in the preceding paragraph, via a formal delegation from the Governor. The Committee comprises several senior officers and is chaired by the Deputy Governor. Its role is to ensure that the Bank's risks are identified, assessed and effectively managed in accordance with this Policy. The RMC provides a semi-annual report of its activities to the Board's Audit Committee and to the Bank's Executive Committee.

The Risk and Compliance Department (RM) facilitates, coordinates and advises on the risk management process to help areas manage their risk environment in a manner that is consistent across the Bank. The Department does not, however, conduct risk management on behalf of areas or assume ownership of, or responsibility for, those risks. The Head of RM reports to the Deputy Governor and is a member of the RMC.

Bank management in each area remains responsible for the management of risks, including associated controls and ongoing monitoring processes. Risks identified by one area which may have implications for other areas of the Bank should be reported immediately to RM and the relevant area(s). Events which are not covered by, or which occur other than in accordance with, Bank policies and procedures, and which have (or could have) material undesirable consequences (‘incidents’) are required to be promptly reported to RM. In addition, areas are required to report to RM on experiences that might assist the Bank generally to identify, evaluate and treat risks.

All employees are responsible for adhering to processes and procedures which are designed to manage risks associated with the work they perform. They are also required to alert management to any risk incidents or potential risk incidents that they become aware of in the course of their work. Employees should also discuss with their management any potential gaps in, or improvements to, the control framework that they identify.

The RMC may establish working groups to develop strategies for the management of Bank-wide risks, such as business continuity. The Committee retains oversight of these areas from a risk management perspective, and RM facilitates appropriate coordination across the Bank.

The RMC may request RM to conduct ‘one-off’ risk reviews of either a process or across functional lines if that is judged appropriate.

Audit Department undertakes a risk-based audit program to provide assurance that risks are identified and key controls to mitigate these risks are well-designed and working effectively. This includes reviewing the Bank's risk management framework, risk documentation of each area and testing controls on a sample basis. Audit Department reports independently to the Board's Audit Committee on the effectiveness of controls and any recommendations that are made for improvement. Copies of these reports are also made available to RM (and in the case of Bank-wide audits the Bank's Executives). Audit Department also prepares for the Audit Committee an annual assessment of the overall adequacy and effectiveness of the Bank's internal controls based on the results of the internal audit work conducted during the period.

RM falls within the scope of internal audit reviews. An external independent review of its function may also be commissioned by the RMC.

2.4 Framework for Managing Risk

The Bank's risk management framework endeavours to cover the full spectrum of risks faced by the Bank through evaluating risk from both an enterprise and business perspective. This framework is consistent with the accepted Australian standard (AS/NZS ISO 31000-2009 Risk Management) and comprises several important steps:

  • Identifying and analysing the main risks facing the Bank.
  • Evaluating those risks and making judgements about whether they are acceptable or not.
  • Implementing appropriately designed control systems to manage these risks in a way which is consistent with the Bank's Risk Appetite Statement.
  • Treating unacceptable risks by formulating responses once they are identified, including actions to reduce the probability or consequences of an event and the formulation of contingency plans.
  • Documenting these processes, with summary tables (risk registers) as the main form of documentation, supplemented by risk manuals or related documents as appropriate.
  • Ongoing monitoring, communication and review.

While the framework is applied consistently across the Bank, individual areas must identify and analyse the risks in their own areas, assess the controls in place to deal with those risks, and make decisions about whether to mitigate a particular risk – fully or partially – given its effects and the costs of mitigation. If a residual risk is judged to be unacceptable, the ‘owner’ area is responsible for developing and implementing/overseeing a remedial plan. This process is overseen by the RMC, and by the Bank's Executive Committee where the residual risk is not assessed as ‘low’ or ‘very low’.

Where risks are considered ‘cross-sectional’, that is, owned by one area and managed by another (e.g. IT-related risks), a process is established for ensuring that the risks are communicated, and action is agreed, between the areas concerned. Processes are also in place that facilitate appropriate liaison and consultation with external entities whose activities could inform the Bank's risk environment.

The Bank's approach to risk management aligns with and incorporates the principles of the ‘three lines of defence’ model, including as outlined in Section 4 of the Bank's Compliance Management Framework.

3. Policy Management

3.1 Policy Administration

This Policy is administered by Risk and Compliance Department.

3.2 Monitoring and Review

The Policy is reviewed annually or more frequently if there is a major change to the Bank's risk management framework. Changes to the Policy must be approved by the Risk Management Committee.

3.3 Communication

The Policy is published on the Bank's Internet site and Intranet.

4. Resource

4.1 Related Document