Risk Management Policy November 2021
1. Purpose and strategy
The objective of this Risk Management Policy (RMP) is to ensure that we are managing risk to the best of our ability to enable the successful achievement of the Bank's objectives. We do this by implementing an effective risk management framework that is embedded in the Bank's processes and culture. The RMP incorporates the Risk Appetite Statement to guide us on the amount of risk we should be taking.
This RMP applies to the activities of all areas of the Bank and should be read together with the Bank's Risk Management Framework.
1.1 Background
The Reserve Bank of Australia (the Bank or RBA) is established by statute as Australia's central bank with broad objectives and extensive powers. The Bank is charged with carrying out the duties of a central bank in the interests of the people of Australia. This obligation is enshrined in legislation and is central to the core values and mission of the organisation.
Fulfilling these duties requires us to manage varying and often significant amounts of risk for the Bank. Those risks related to monetary and payments policy, which are often the most significant, are overseen by the relevant Boards. Operationalising these policies, as well as conducting the Bank's broader operations, requires consideration and management of risks. For these, specific tolerance levels are established by the Risk Management Committee. Risk appetite categories are included in the RMP, which is approved by the Governor on an annual basis. Guidance is provided through Key Risk Indicators (KRIs), desired behaviours, and the appetite level, which are then cascaded throughout the Bank to assist staff in their day-to-day management of risk. This helps ensure that all staff operate within our agreed risk appetite.
1.2 Risk Culture
All of our actions related to risk management contribute to the Bank's risk culture, which is defined as the behavioural norms and attitudes related to risk awareness, risk-taking, risk management and controls that shape our decisions on risks. The content of this policy is designed to equip employees with clarity on responsibilities and guidance for managing and taking appropriate risks in a way that contributes to a proactive risk culture.
1.3 Risk appetite profile
We seek to encourage and reward appropriate risk taking in order to achieve our strategic objectives.
We have a ‘High Appetite’ where achievement of our goals within uncertainty requires risk taking. While higher levels of risk for the achievement of our goals may be necessary, we seek the lowest risk that can be achieved. Management of these risks will be guided by the public interest and the Bank's mandate.
We have a ‘Balanced Appetite’ for choosing and implementing strategies where we can balance risk against the outcome. As a public organisation we have a duty to ensure we are maximising our ability to achieve our outcomes and objectives, and this will require balancing the risks of doing something against the risk of missed opportunities.
We have a ‘Limited Appetite’ or ‘No Appetite’ in other areas, which primarily relate to our people, processes and systems. To ensure we continue to provide important services to the Australian public, we need to ensure the risks associated with delivery of these services are managed to meet the high standards expected of us.
The risks around Policy decisions are managed by the Reserve Bank's two boards, and so the management of these risks sits outside this document. Operationalising policy decisions will, however, generally fit into one of the other broad key risk categories and so management of risks relating to operationalising policy decisions will be guided by this document.
For all our risks, the Bank's values encourage us to use intelligent inquiry to seek and manage risks in the pursuit of the public interest; respectfully challenge how our risk management helps or hinders achievement of our objectives; apply integrity to risk matters; and seek excellence in managing our most critical risks and processes.
Innovation and experimentation are important in meeting our objectives. We take a considered approach to innovation and experimentation, and how we use it to achieve our outcomes.
1.4 Our Roles and responsibilities
Table 1. Risk Appetite Summary
Role | Risk Appetite |
---|---|
The Governor |
|
Reserve Bank Board and Payments System Board |
|
Risk Management Committee (RMC) |
|
Executive Leadership |
|
All Staff (including management and contractors) |
|
Risk and Compliance Department (RM) |
|
Audit Department |
|
1.5 Operationalising risk management via the Three Lines Model
The Bank's Risk and Compliance Management Framework aligns with and incorporates the principles of the ‘Three Lines Model’. In order to appropriately manage risk in day-to-day operations we are all expected to understand our role within the 3 Lines of Accountability model. Most of us have a ‘First line’ role.
Table 2. Three Lines of Accountability
Governor | ||
---|---|---|
First line | Second line | Third line (primarily Internal Audit) |
Own and manage risks and are responsible for implementing and monitoring controls to keep risks within the appetite of the organisation. | Supports the risk management framework and its implementation, including through challenge and review of first line management of risks and controls, oversight of the risk profile, and independent escalation of issues. | Provides assurance on the effectiveness of governance, risk management and internal controls. |
2. Risk Appetite
2.1 Risk Appetite, Triggers and Tolerances
Our risk appetite is defined as the amount of risk that the Bank is prepared to accept when pursuing its strategic goals and can be expressed on a scale that ranges from High Appetite to No Appetite. This describes the behaviours and outcomes the Bank is seeking. See below:
Table 3. Appetite Level Descriptions
Appetite Level | Description |
---|---|
High Appetite | We acknowledge that we may need to take risks to achieve our goals or pursue important objectives. Where outcomes are important, we will not let uncertainty prevent us from pursuing those goals and objectives. We will identify and manage these risks but not to the detriment of achieving our goals and objectives. We take risks for important objectives, while managing the potential downside and the upside. |
Balanced Appetite | We may undertake a course of action to pursue opportunities, while also potentially exposing the Bank or stakeholders to financial loss, reputational damage or breakdown in systems or processes. These opportunities would be pursued in order to achieve our strategic goals or pursue important objectives. Risk exposures arising from pursuit of these opportunities will be managed, considering costs, benefits and consequences. |
Limited Appetite | We will generally avoid a course of action that may expose the Bank or stakeholders to financial loss, reputational damage or breakdown in systems or processes. Risk exposures will be minimised to as low as reasonably practicable. Further reductions in risk exposures would require considerable use of public money that is not desirable for the benefits that will be derived. |
No Appetite | We will not follow a course of action that may expose the Bank or stakeholders to financial loss, reputational damage or breakdown in systems or processes. Risk exposures will be avoided as any incidents arising would be outside of appetite. |
A risk appetite level has been set across six categories, which can be seen in section 1.3 Risk appetite profile.
Outside of Policy risk, we will use Key Risk Indicators (KRIs) to provide guidance on what each appetite category means in practice for each risk appetite category. The KRIs used to measure appetite should have the following characteristics:
- Dynamic: KRIs should reflect and respond to the current situation.
- Quantifiable: KRIs should be easily interpreted and measured, using quantitative metrics wherever possible.
- Actionable: clear action owners and required actions should be provided for when a trigger or tolerance is breached.
- Preventative and Detective: a range of KRIs should be used to monitor whether a risk has materialised or may materialise in the future.
The current list of approved KRIs is in Appendix A.
The risk appetite categories will be reviewed annually, or if there are substantial changes to the risk environment. KRIs and their tolerance and trigger levels will be adjusted as required to support us to manage risk within our appetite.
2.2 Monitoring risk appetite through risk Triggers and Tolerances
We monitor whether we are within risk appetite using risk Triggers and Tolerances. Risk tolerance metrics are chosen to indicate the amount of risk that we operate with, expressed, wherever possible, as a quantifiable metric based on the risk appetite and risk profile. Early warning indicators (triggers) are also selected to help us identify any potential problem areas before a tolerance is breached. We will use a traffic light system to monitor these metrics:
2.3 Monitoring and reporting
There is a formal process to monitor and report business activity against risk appetite. Outcomes against the metrics set out in this Policy are tracked by Risk Owners and reported to the Risk Management Committee (RMC) on a regular basis.
The assessment of whether a risk is outside appetite is a qualitative assessment, and will not be based solely on triggers and tolerances. The Risk Management Committee will use the metrics, along with advice from risk owners, residual risk ratings, progress towards action plans, and contextual information to assess whether risk categories are currently within or outside our appetite.
Risk categories assessed as being outside of appetite will be monitored by the RMC until they are returned to within appetite. The Governor and the Board Audit Committee will be notified and updated on progress.
3. Risk Identification, Evaluation and Mitigation
3.1 Risk Identification
At the core of managing risk is the process for identifying, evaluating and mitigating risk. Undertaking this process on a regular basis enables us to mitigate threats to our business and to take advantage of opportunities.
Risk owners are expected to perform formal risk identification or reviews for each key process, project, and during business planning. Risk identification should take place on a regular basis.
Risk owners should be aware that risks identified by one area may have implications for other areas of the Bank and these should be raised and actions agreed with the appropriate risk owner in a suitable timeframe.
3.2 Risk Evaluation (Inherent Risk Rating)
The inherent level of risk is the product of the likelihood and the consequence ratings. This determines what further risk management is required. For all identified risks, owners should assess inherent risk using the tables in the Risk Matrix. The tables should be used as a guide to help with consistency across the Bank, but ultimately judgement on behalf of the risk owner will be required to arrive at the relevant ratings.
3.3 Risk Decisions
Based on the assessment of each risk, risk owners decide the appropriate treatment to apply, including: Avoidance, Acceptance, Removal (of the particular element that generates the risk), controlling the risk, or transferring the risk (through insurance or contracts). Risk owners may choose a number of options to effectively manage each risk.
3.4 Controls
Controls include any process, policy, device, practice, or other actions which modify risk. Controls are chosen to reduce the likelihood of the risk occurring and/or the impact or consequence of the risk should it occur. An owner should be assigned for each control, and that ‘control owner’ is responsible for ensuring the control is effective. Controls should be tested in accordance with the associated residual risk rating.
The Bank acknowledges that controls that have been tested and assessed as effective may, due to unforeseen circumstances, fail, leading to undesired outcomes. For this reason, the Risk Management Committee monitors risks in order to improve understanding of, and ability to mitigate such unforeseen events.
3.5 Risk Evaluation (Residual Risk Rating)
The residual risk is the current risk state given the effectiveness of the controls that have been implemented to manage the risk. The Risk Matrix illustrates the interaction between inherent and residual risk ratings. Each identified risk is required to have a target residual risk rating. Risk owners should use the overall risk appetite when assessing the appropriate target risk rating.
4. Policy Management
4.1 Administration
This Policy is administered by the Risk and Compliance Department.
4.2 Monitoring and Review
The Policy is reviewed annually or more frequently if there is a major change to the Bank's risk management framework. Changes to the Policy must be approved by the Governor.
4.3 Communication
This Policy is published on the Bank's Intranet.
4.4 Related Documents
- Executive Accountability Framework
- Risk Management Committee Charter
- Risk Management Framework
5. Enquiries
For further information or clarification on this Policy or associated documentation, please contact RM – SOR Mailbox.
Appendix A: Risk Appetite by Risk Category
Table A1. Risk Appetite by Risk Category
Category | Sub Category | Category Description | Risk appetite | Sub Category Owner |
---|---|---|---|---|
Policy | Monetary and Banking Policy | Contribute to the stability of the currency, full employment, and the economic prosperity and welfare of the Australian people | Limited to Balanced | Governor (Note: management of these risks sits with the Reserve Bank Board) |
Policy | Payments Policy | Controlling risks in the financial system, promoting efficiency in the payments system and promoting competition in payment services | Limited to Balanced | Governor (Note: management of these risks sits with the Payments System Board) |
Strategic | Strategy Selection | Development of suitable and viable strategies | High | Governor |
Strategic | Strategy Implementation | Investment decisions support strategic goals | Balanced | Deputy Governor |
Strategic | Strategy Implementation | Implementation of strategic business goals through change programs or day to day work | Limited | Deputy Governor |
Strategic | Analysis | Exploration and expansion of analysis and decisions to effectively support decision making | High | Governor |
Strategic | Innovation | Considered and deliberate innovation and experiments to achieve our mission | High | Executives accountable within their functional area |
Strategic | Public Confidence and Trust | Maintain public trust in order to achieve the Bank's mandates | Limited | Governor |
Strategic | Communications | Communications to achieve the Bank's strategic goals | Balanced | Head of Communications |
Financial Markets | Market Risk | Select and manage the asset portfolio to ensure that movements in exchange rates and other market prices do not impair the Bank's capacity to meet its policy objectives (Excludes market risk associated with policy parameters set by the Reserve Bank Board such as the size of net FX reserves) | Balanced | Assistant Governor (Financial Markets) and Chief Risk Officer |
Financial Markets | Credit Risk | Manage the potential for financial loss due to the default of a counterparty or issuer, or failure of a counterparty or issuer to fulfil their financial obligations | Limited | Assistant Governor (Financial Markets) and Chief Risk Officer |
Financial Markets | Liquidity Risk | Ensure ability to undertake policy operations, including ability to quickly liquidate positions or collateral, while limiting financial loss. | Limited | Assistant Governor (Financial Markets) and Chief Risk Officer |
People and culture | Talent | The collective capabilities and knowledge of Bank employees | Balanced | Head of Human Resources |
People and culture | Workplace safety | Work Health and Safety (WHS) practices or behaviours that maintain employee safety | Limited | Head of Human Resources |
People and culture | Risk Culture | Behaviour and practices that support us to operate within our risk appetite | Limited | Executives accountable within their functional area |
People and culture | Staff Misconduct | Expected standards of behaviour | Limited | Head of Human Resources |
Operational | Business Process Resilience | Resilience and continuity of services | Limited | Executives accountable within their functional area |
Operational | Technology resilience | Availability of critical technology services | Limited | Chief Information Officer |
Operational | Technology resilience | Availability of non-critical technology services | Balanced | Chief Information Officer |
Operational | Cyber resilience | Resilience against cyber-attacks | Limited | Chief Information Officer |
Operational | Information Management | Records can be located, used and retained appropriately | Limited | Head of Information |
Operational | Information Management | Appropriate access to information assets | Limited | Head of Information |
Operational | Third Party Management | Third party fulfilment of contractual obligations | Limited | Executives accountable within their functional area |
Compliance | Intentional Violations | Deliberate or purposeful breach of legislative or regulatory obligations does not occur | No Appetite | Chief Risk Officer |
Compliance | Compliance | Compliance with legislative and other mandatory external obligations and commitments (avoidance of unintentional non-compliance) | Limited | Chief Risk Officer |
Compliance | Fraud and Corruption | Employees do not engage in acts of Fraud or Corruption | No Appetite | Chief Risk Officer |