Reserve Bank of Australia Annual Report – 2019 Risk Management
As the Reserve Bank is exposed to significant risks when carrying out its policy responsibilities, a framework for managing these risks is embedded in the culture of the Bank. The Bank's risk management framework supports effective decision-making, while allowing enterprise-wide and emerging risks to be identified and managed in a way that is consistent with the Bank's risk appetite. This framework is overseen by the Risk Management Committee.
Objectives and Governance Structure
The Reserve Bank, like any organisation, cannot achieve its objectives without taking on risk. Management of these risks is the responsibility of all staff. In particular, managers have a responsibility to evaluate their risk environment, put in place appropriate controls and ensure that these controls are well developed and implemented effectively. The Bank identifies, assesses and manages risk at both an enterprise (‘top-down’) and business (‘bottom-up’) level, a process that is subject to ongoing review. These risks are managed to a level that is consistent with the Bank's risk appetite through processes that emphasise the importance of integrity, intelligent inquiry, maintaining high-quality staff and public accountability. Responsibility for articulation of the Bank's risk appetite resides with the management of the Bank. The development and maintenance of an active risk management culture that acknowledges the need for careful analysis and management of risk in all business processes is an important objective of this framework.
Oversight of the Reserve Bank's arrangements for risk management is undertaken by the Risk Management Committee. The committee is chaired by the Deputy Governor and comprises: the Assistant Governors for the Business Services, Corporate Services and Financial Markets groups; the Chief Financial Officer; the Chief Information Officer; the Heads of the Audit, Human Resources, Information, and Risk and Compliance departments; and the General Counsel. The Risk Management Committee meets at least six times each year and keeps the Executive Committee and the Reserve Bank Board Audit Committee informed about its activities.
The Risk Management Committee is responsible for ensuring the proper assessment and effective management of all the risks the Reserve Bank faces, with the exception of those arising directly from its monetary and financial stability policies and payments policy functions. These risks remain the responsibility of the Governor, the Reserve Bank Board and the Payments System Board. The risks associated with the Bank's ownership of Note Printing Australia Limited (NPA) are overseen by the Reserve Bank Board. The NPA Charter, which is reviewed annually by the Reserve Bank Board, defines the scope of NPA's activities and sets out the approach to risk management to be taken by the NPA Board. However, responsibility for the day-to-day activities of NPA rests with the NPA Board and management. The Bank's risk management framework covers the relationships that it has with NPA other than its ownership – for example, the relationships of customer and landlord.
The Risk Management Committee is assisted in its responsibilities by the Risk and Compliance Department. The department assists individual business areas manage their risk and compliance environment effectively within a framework that is consistent across areas. It monitors risk and performance associated with the Reserve Bank's activities in financial markets. It also supports the business areas by implementing Bank-wide control frameworks covering fraud, bribery and corruption, business continuity and compliance-related risks. The Head of Risk and Compliance Department reports directly to the Deputy Governor.
The Audit Department undertakes a risk-based audit program to provide assurance that risks are identified and key controls to mitigate these risks are well designed and working effectively. This includes periodic reviews of the Reserve Bank's risk management framework and testing key controls in business areas on a sample basis. The Head of Audit Department reports directly to the Chair of the Reserve Bank Board Audit Committee and the Deputy Governor.
Portfolio Risks
The Reserve Bank holds domestic and foreign currency-denominated financial instruments to support its operations in financial markets in pursuit of its policy objectives. These instruments account for the majority of the Bank's assets and expose its balance sheet to a number of financial risks. The primary responsibility for managing these risks rests with the Financial Markets Group. Risk and Compliance Department monitors these risks and assesses compliance with approved authorities and limits. Compliance with financial management guidelines and developments in portfolio risks are reported to the Risk Management Committee.
Exchange rate risk
The Reserve Bank is exposed to exchange rate risk as a large share of the Bank's assets are denominated in foreign currency, while most of the Bank's liabilities are denominated in Australian dollars. As foreign currency reserve assets are held for policy purposes, the Bank does not seek to eliminate or hedge this exposure. However, the Bank mitigates some of this risk by diversifying these assets across various currencies. The foreign portfolio has target shares of 55 per cent in US dollars, 20 per cent in euros and 5 per cent each in Japanese yen, Canadian dollars, UK pound sterling, Chinese renminbi and South Korean won; these shares have been stable over the past couple of years. The portfolio composition reflects the Bank's risk appetite and desired liquidity to meet policy objectives. Some limited variation in actual portfolio shares from the target shares is permitted. The Bank also has holdings of gold, Special Drawing Rights (an international reserve asset created by the International Monetary Fund) and an investment in the Asian Bond Fund, an investment that is managed externally by the Bank for International Settlements.
The Australian dollar value of the Reserve Bank's foreign portfolio increased slightly over 2018/19 owing to the broad-based depreciation in the Australian dollar, but was unchanged in foreign currency terms. Based on the level of reserves as at 30 June 2019, a 10 per cent appreciation of the Australian dollar would result in a mark-to-market loss of $5.5 billion. The increase in exchange rate risk over the previous decade and a half mainly reflects the increase in the size of net foreign exchange reserves over that period.
Interest rate risk
The value of the Reserve Bank's financial assets is also exposed to movements in market interest rates.
Total holdings of domestic securities decreased by $6.1 billion over 2018/19 to $108.2 billion. At 30 June 2019, domestic securities held on a temporary basis under repurchase agreements (repos) accounted for $98.8 billion and securities held outright accounted for $9.4 billion. Interest rate risk faced by the Reserve Bank on its outright holdings of domestic securities declined over 2018/19 owing predominantly to reduced holdings of Australian Government Securities (AGS). These securities are typically purchased to manage the liquidity impact of maturing AGS and have a very short term to maturity.
The Reserve Bank's foreign currency assets are managed relative to benchmark portfolios in each currency, with duration targets that reflect the Bank's long-term appetite for risk and return. These targets are reviewed periodically. During 2018/19, duration targets were unchanged in all seven asset benchmark portfolios – the duration target for the Chinese and South Korean portfolios is 18 months, for the US, European, and Canadian portfolios it is 6 months, for the UK portfolio it is 3 months and for the Japanese portfolio it is less than 3 months. Some limited variation in actual portfolio duration from the duration targets is permitted to reduce transaction costs and to provide scope to staff to enhance portfolio returns. The weighted-average benchmark duration target for the Bank's total foreign portfolio was little changed over 2018/19 at around 6¾ months. This is low by historical standards, reflecting the generally low level of interest rates, which offer little compensation for the risk of capital losses should longer-term bond yields increase significantly.
Total interest rate risk on the Reserve Bank's domestic and foreign financial assets fell over 2018/19 to its lowest level in more than 20 years. The Bank would incur a valuation loss of around $371 million if interest rates in Australia and overseas rose uniformly by 1 percentage point across the yield curve.
The Reserve Bank is exposed to very little interest rate risk on its balance sheet liabilities. Banknotes on issue account for about 43 per cent of total liabilities and carry no interest cost to the Bank. Other sizeable obligations include deposits held by the Australian Government and its agencies, and Exchange Settlement Account balances mainly held by authorised deposit-taking institutions. These deposits have short maturities that broadly match the Bank's domestic assets held under repo. Interest paid on these deposits reflects domestic short-term interest rates, effectively hedging part of the interest rate exposure of the domestic asset portfolio.
Credit risk
Credit risk is the potential for financial loss arising from the default of a debtor or issuer, or from a decline in asset values following a deterioration in credit quality. The Reserve Bank manages its credit exposure by applying a strict set of eligibility criteria to its holdings of financial assets and to counterparties with which it is willing to transact.
The Reserve Bank is exposed to very little issuer credit risk on its outright holdings in the domestic portfolio as it invests only in securities issued by the Australian Government or by state and territory government borrowing authorities. The Bank is exposed to a small amount of counterparty credit risk on domestic assets that are held under repo. The Bank would face a loss only if a counterparty failed to repurchase securities sold to the Bank under repo and the market value of the securities fell below the agreed repurchase amount. The Bank manages this exposure by requiring that these securities meet the eligibility criteria and applying an appropriate margin to the securities, which increases with the risk profile of the security. The required margin is maintained throughout the term of the repo through daily two-way margining.
The counterparties with which the Reserve Bank deals in carrying out policy operations in the domestic market must be members of the Reserve Bank Information and Transfer System (RITS), subject to an appropriate level of regulation and be able to settle transactions within the Austraclear system. Repo transactions with the Bank are also governed by a Global Master Repurchase Agreement as part of the RITS Regulations.
Investments in the Reserve Bank's foreign currency portfolio are typically confined to highly rated and liquid securities, as well as deposits with foreign central banks. The majority of the Bank's outright holdings are securities issued by the national governments of the United States, Germany, France, the Netherlands, Japan, Canada, the United Kingdom, China and South Korea, with modest holdings of securities issued by highly rated supranational institutions and government agencies. At 30 June 2019, gross holdings of Japanese yen-denominated assets accounted for the largest share of the Bank's foreign currency issuer exposures, with the majority of these assets funded under short-term foreign exchange swaps (see the chapter on ‘Operations in Financial Markets’ for more detail). A limit on the size of exposures to individual currencies based on the Bank's capital operates to mitigate concentration risk.
The Reserve Bank holds a portion of its foreign currency portfolio in short-term repos. This exposes the Bank to the small amount of residual credit risk that is inherent in repos, as noted above. The Bank manages this risk by requiring 2 per cent over-collateralisation, which is maintained through two-way margining in the local currency, and accepting only high-quality and liquid securities as collateral. Credit exposure on foreign repos is further managed by imposing limits on individual counterparty exposures and requiring execution of a Global Master Repurchase Agreement (or Master Repurchase Agreement where appropriate) with each counterparty.
The Reserve Bank undertakes foreign exchange swaps as part of its policy operations and as a means of enhancing returns on the foreign currency portfolio. Credit risk on these instruments is managed by transacting only with counterparties that meet strict eligibility criteria, including the requirement to have executed with the Bank an International Swaps and Derivatives Association (ISDA) agreement with a credit support annex. Exposures generated by movements in market exchange and interest rates are managed through daily two-way margining in Australian dollars. After accounting for margin calls, the Bank's maximum daily exposure to an individual counterparty is generally limited to no more than $5 million.
The Reserve Bank undertakes some limited lending of its gold holdings. The lending is either fully collateralised or the borrower has government support. As at 30 June 2019, 11.1 tonnes of gold valued at $718 million was on loan.
Operational Risks
The Reserve Bank faces a diverse range of operational risk in its day-to-day activities. They include risks relating to the availability of technology and facilities services, retention of high-quality staff and the unintentional disclosure of confidential and sensitive information. Generally, the Bank has a low appetite for these types of risk, but recognises that it is neither possible nor necessarily desirable to eliminate some risks inherent in its activities. The acceptance of some risk is often necessary to foster innovation and efficiencies in business practices.
While all parts of the Reserve Bank are exposed to operational risk of varying degrees, the most significant risks are those related to:
- transacting in financial markets to implement monetary policy
- maintaining the infrastructure to facilitate real-time interbank payment and settlement services through RITS
- providing banking facilities for a number of government entities, including the Australian Taxation Office, Medicare and Centrelink
- the provision of safe, secure and reliable Australian banknotes.
Any operational failure in these critical activities could have widespread consequences. Financial Markets Group, for example, executed around 50,000 transactions in 2018/19 generating an average daily settlement value of around $41 billion, while RITS settles just under $200 billion every day on average.
These activities are highly dependent on information technology (IT) systems. The Reserve Bank's risk management framework supports an ongoing focus on managing the risks associated with complex IT systems. The Bank's IT Department collaborates with relevant business areas to facilitate the monitoring, assessment and management of IT-related risks and ensures IT-related initiatives are consistent with the Bank's technology strategy. This work is supported by the continuous evaluation of industry developments in order to ensure that the Bank's systems and procedures conform to current IT standards and remain robust. Assessment of appropriate resourcing, the adequacy of IT process controls and the level of security over information management are all incorporated in the Bank's risk management framework.
As part of the Reserve Bank's management of the risks associated with technology and operational systems, a significant focus is placed on the security of these systems. The Bank invests in significant security controls and risk assurance functions, which are supported by a regular assessment regime. These activities are informed by liaison with the security services, other central banks, the Australian Government and industry participants. The Bank receives regular independent assurance of its compliance with security strategies endorsed by the Australian Signals Directorate, and maintains independent certification for the ISO 27001 global standard for Information Security Management.
The continuity of critical business functions during and after a disruptive event is a key area of focus for the Reserve Bank. In that regard, a power outage on 30 August 2018 led to the loss of power supply to the Bank's Head Office data centre, which caused significant disruption to the activities of the Bank. The root cause was incorrect execution of routine fire control systems testing by an external contractor in the data centre, which led to a loss of power, including uninterruptable power supplies (the fire suppression systems are designed to protect life). The power loss abruptly cut off all technology systems operating from the data centre, resulting in a large-scale loss of internal and external services and affected critical business functions.
Key external impacts of the outage were:
- Delays to all payment settlements for all payment streams on 30 August 2018, although virtually all settlements were completed by the end of the day. The streams included high-value payments, debt securities settlements, electronic property settlements, low-value settlements and ASX settlements.
- Key Reserve Bank online banking services were unavailable for lengthy periods on 30 August 2018. This resulted in delays to payments on behalf of government departments, including Department of Human Services emergency payments to recipients' bank accounts.
- Government departments were unable to process payments and check banking account statements.
- There was a delay in publication of some information, such as exchange rate data, on the Bank's public website.
The disruption to the Reserve Bank's operations was disappointing, in particular, the fact that some critical systems did not failover to the Bank's alternate site as expected. Nevertheless, the Bank was well served by existing business continuity plans in terms of responding to the incident, with all critical services restored by the end of the day of the incident.
Following the incident, the Reserve Bank conducted a full review of its servicing and maintenance arrangements for critical infrastructure, the technology issues encountered on the day, the communications and crisis management protocols and business continuity testing arrangements. As a result of the review and discussions with external organisations, a number of changes have been made. These include: changes to the arrangements for servicing and maintaining critical infrastructure; remediation of the gaps in the Bank's ‘high availability’ architecture for key systems; revision of the Bank's business continuity testing regime; and improvements in the Bank's communication plans. This is an ongoing process, with the Bank looking to continually improve its arrangements and implement the lessons learnt.
The Reserve Bank has a dedicated Business Resumption Site in north-west Sydney, where permanent staff from some of the Bank's most critical operational areas are located. Departments regularly test their back-up plans, including combined exercises involving multiple areas testing interdependencies and also testing plans to work at alternate locations. Regular workshops are scheduled with critical business areas to discuss response strategies to situations such as technology service disruptions and the unavailability of staff. The Bank continues to participate in contingency exercises with external organisations to ensure that staff are well briefed on their roles during disruptions and that effective internal and external communication arrangements are in place. The results of such exercises are monitored by the Risk Management Committee.
During the past year, the Reserve Bank continued to direct significant resources towards the delivery or completion of a number of large and complex multi-year projects. These include the renovation of banking applications and systems, the upgrade of Australia's banknotes and the development of infrastructure to facilitate real-time retail payments. Successfully completing and embedding these projects will ensure high-quality services are maintained for the Bank's clients and the Australian public. The risks associated with project work are carefully managed so that adequate resources are available, nominated project deadlines are met and change management is effective. Project steering committees play an important role in overseeing the management of these risks.
The Reserve Bank has responsibilities in terms of managing the risks related to the handling of confidential and sensitive information and, in particular, ensuring that there is no unintended disclosure. While the primary focus is on ensuring that sufficient controls exist to prevent a data breach occurring, the risk framework also seeks to ensure that the Bank would respond appropriately if one was to occur. The Bank is implementing the government's ‘Digital Continuity 2020 Policy’, issued by the National Archives of Australia, which seeks to ensure that agencies manage their information as an asset, that they transition to digital work processes and that agencies have interoperable information systems and processes.
The Reserve Bank does not tolerate dishonest or fraudulent behaviour and is committed to deterring and preventing such behaviour. It takes a very serious approach to cases, or suspected cases, of fraud. All staff involved in financial dealing have well-defined limits to their authority to take risks or otherwise commit the Bank. These arrangements are further enhanced by the separation of front-, back- and middle-office functions, where staff involved in trading, settlement and reconciliation activity remain physically separate and have separate reporting lines. For non-trading activities, several layers of fraud control are in place, including preventative, detective and corrective controls. A clear decision-making hierarchy, separation of duties and physical controls over systems and information have been established and are subject to regular review. Ongoing training and awareness programs are also conducted. The Bank requires all staff to undertake fraud awareness training. The Bank has arrangements in place for staff and members of the public to report concerns anonymously. All concerns are fully investigated. During 2018/19, there were no reported instances of fraud by employees.
The Reserve Bank remains strongly committed to maintaining and strengthening a workplace culture in which employees uphold the highest standards of behaviour. The Code of Conduct sets out requirements of the Bank's employees and others who are involved in its activities. The Bank has arrangements in place for staff to report concerns about breaches of the Code of Conduct, including channels by which concerns can be reported anonymously. Arrangements are in place to ensure staff are comfortable reporting concerns across a range of issues. During the past year the Risk Management Committee also considered the findings of the Financial Services Royal Commission, including possible lessons for the Bank.
The effective management of compliance risk is central to the Reserve Bank's activities. Risk and Compliance Department collaborates with all business areas to ensure this risk is being managed effectively and keeps the Risk Management Committee informed regarding the level of compliance in key areas. Staff complete a number of training modules each year, focusing on areas such as privacy and workplace health and safety. Work was undertaken over the course of the past year to refresh all modules to help staff better engage with the areas covered and improve learning outcomes.
Notwithstanding these measures, events can occur from time to time that may adversely affect the Reserve Bank's reputation or lead to financial or other costs. Timely reports on any such incidents and ‘near misses’ are provided to the Risk Management Committee. These reports outline the circumstances, including impact and cause, as well as identify areas where new controls may be needed or where existing controls should be strengthened.
The Reserve Bank continues to act as the administrator of the Guarantee of State and Territory Borrowing. Applications for new guaranteed liabilities under this scheme closed in 2010, although existing liabilities will continue to be guaranteed until maturity, at the latest in 2023. To date, a total of $423 million in fees has been collected for state and territory borrowing since the scheme commenced in 2009, with $6 million collected in 2018/19.