Risk Management Policy
November 2021

1. Purpose and strategy

The objective of this Risk Management Policy (RMP) is to ensure that we are managing risk to the best of our ability to enable the successful achievement of the Bank's objectives. We do this by implementing an effective risk management framework that is embedded in the Bank's processes and culture. The RMP incorporates the Risk Appetite Statement to guide us on the amount of risk we should be taking.
This RMP applies to the activities of all areas of the Bank and should be read together with the Bank's Risk Management Framework.

1.1 Background

The Reserve Bank of Australia (the Bank or RBA) is established by statute as Australia's central bank with broad objectives and extensive powers. The Bank is charged with carrying out the duties of a central bank in the interests of the people of Australia. This obligation is enshrined in legislation and is central to the core values and mission of the organisation.

Fulfilling these duties requires us to manage varying and often significant amounts of risk for the Bank. Those risks related to monetary and payments policy, which are often the most significant, are overseen by the relevant Boards. Operationalising these policies, as well as conducting the Bank's broader operations, requires consideration and management of risks. For these, specific tolerance levels are established by the Risk Management Committee.

Risk appetite categories are included in the RMP, which is approved by the Governor on an annual basis. Guidance is provided through Key Risk Indicators (KRIs), desired behaviours, and the appetite level, which are then cascaded throughout the Bank to assist staff in their day-to-day management of risk. This helps ensure that all staff operate within our agreed risk appetite.

1.2 Risk Culture

All of our actions related to risk management contribute to the Bank's risk culture, which is defined as the behavioural norms and attitudes related to risk awareness, risk-taking, risk management and controls that shape our decisions on risks. The content of this policy is designed to equip employees with clarity on responsibilities and guidance for managing and taking appropriate risks in a way that contributes to a proactive risk culture.
1.3 Risk appetite profile

Figure 1: Risk Appetite Summary
Note: Refer to Table 3 for the description of appetites.

We seek to encourage and reward appropriate risk taking in order to achieve our strategic objectives.

We have a ‘High Appetite’ where achievement of our goals within uncertainty requires risk taking. While higher levels of risk for the achievement of our goals may be necessary, we seek the lowest risk that can be achieved. Management of these risks will be guided by the public interest and the Bank's mandate.

We have a ‘Balanced Appetite’ for choosing and implementing strategies where we can balance risk against the outcome. As a public organisation we have a duty to ensure we are maximising our ability to achieve our outcomes and objectives, and this will require balancing the risks of doing something against the risk of missed opportunities.

We have a ‘Limited Appetite’ or ‘No Appetite’ in other areas, which primarily relate to our people, processes and systems. To continue providing important services to the Australian public, we need to ensure the risks associated with delivery of these services are managed to meet the high standards expected of us.

The risks around Policy decisions are managed by the Reserve Bank's two boards, and so the management of these risks sits outside this document. Operationalising policy decisions will, however, generally fit into one of the other broad key risk categories and so management of risks relating to operationalising policy decisions will be guided by this document.

For all our risks, the Bank's values encourage us to use intelligent inquiry to seek and manage risks in the pursuit of the public interest; respectfully challenge how our risk management helps or hinders achievement of our objectives; apply integrity to risk matters; and seek excellence in managing our most critical risks and processes. Innovation and experimentation are important in meeting our objectives.
We take a considered approach to innovation and experimentation, and how we use it to achieve our outcomes.

1.4 Our Roles and responsibilities

Table 1. Risk Appetite Summary
1.5 Operationalising risk management via the Three Lines Model

The Bank's Risk and Compliance Management Framework aligns with and incorporates the principles of the ‘Three Lines Model’. In order to appropriately manage risk in day-to-day operations we are all expected to understand our role within the 3 Lines of Accountability model. Most of us have a ‘First line’ role.

Table 2. Three Lines of Accountability
2. Risk Appetite

2.1 Risk Appetite, Triggers and Tolerances

Our risk appetite is defined as the amount of risk that the Bank is prepared to accept when pursuing its strategic goals and can be expressed on a scale that ranges from High Appetite to No Appetite. This describes the behaviours and outcomes the Bank is seeking. See below:

Table 3. Appetite Level Descriptions
A risk appetite level has been set across six categories, which can be seen in section 1.3 Risk appetite profile. Outside of Policy risk, we will use Key Risk Indicators (KRIs) to provide guidance on what the appetite level means in practice for each risk appetite category. The KRIs used to measure appetite should have the following characteristics:
The current list of approved KRIs is in Appendix A.

The risk appetite categories will be reviewed annually, or if there are substantial changes to the risk environment. KRIs and their tolerance and trigger levels will be adjusted as required to support us to manage risk within our appetite.

2.2 Monitoring risk appetite through risk Triggers and Tolerances

We monitor whether we are within risk appetite using risk Triggers and Tolerances. Risk tolerance metrics are chosen to indicate the amount of risk that we operate with, expressed, wherever possible, as a quantifiable metric based on the risk appetite and risk profile. Early warning indicators (triggers) are also selected to help us identify any potential problem areas before a tolerance is breached. We will use a traffic light system to monitor these metrics:

Figure 2: Appetite Level Descriptions

2.3 Monitoring and reporting

There is a formal process to monitor and report business activity against risk appetite. Outcomes against the metrics set out in this Policy are tracked by Risk Owners and reported to the Risk Management Committee (RMC) on a regular basis.

The assessment of whether a risk is outside appetite is a qualitative assessment, and will not be based solely on triggers and tolerances. The Risk Management Committee will use the metrics, along with advice from risk owners, residual risk ratings, progress towards action plans, and contextual information to assess whether risk categories are currently within or outside our appetite.

Risk categories assessed as being outside of appetite will be monitored by the RMC until they are returned to within appetite. The Governor and the Board Audit Committee will be notified and updated on progress.

3. Risk Identification, Evaluation and Mitigation

3.1 Risk Identification

At the core of managing risk is the process for identifying, evaluating and mitigating risk.
Undertaking this process on a regular basis enables us to mitigate threats to our business and to take advantage of opportunities. Risk owners are expected to perform formal risk identification or reviews for each key process, project, and during business planning. Risk identification should take place on a regular basis. Risk owners should be aware that risks identified by one area may have implications for other areas of the Bank and these should be raised and actions agreed with the appropriate risk owner in a suitable timeframe.

3.2 Risk Evaluation (Inherent Risk Rating)

The inherent level of risk is the product of the likelihood and the consequence ratings. This determines what further risk management is required. For all identified risks, owners should assess inherent risk using the tables in the Risk Matrix. The tables should be used as a guide to help with consistency across the Bank, but ultimately judgement on behalf of the risk owner will be required to arrive at the relevant ratings.

3.3 Risk Decisions

Based on the assessment of each risk, risk owners decide the appropriate treatment to apply, including: Avoidance, Acceptance, Removal (of the particular element that generates the risk), controlling the risk, or transferring the risk (through insurance or contracts). Risk owners may choose a number of options to effectively manage each risk.

3.4 Controls

Controls include any process, policy, device, practice, or other actions which modify risk. Controls are chosen to reduce the likelihood of the risk occurring and/or the impact or consequence of the risk should it occur. An owner should be assigned for each control, and that ‘control owner’ is responsible for ensuring the control is effective. Controls should be tested in accordance with the associated residual risk rating.

The Bank acknowledges that controls that have been tested and assessed as effective may, due to unforeseen circumstances, fail, leading to undesired outcomes.
For this reason, the Risk Management Committee monitors risks in order to improve understanding of, and ability to mitigate, such unforeseen events.

3.5 Risk Evaluation (Residual Risk Rating)

The residual risk is the current risk state given the effectiveness of the controls that have been implemented to manage the risk. The Risk Matrix illustrates the interaction between inherent and residual risk rating. Each identified risk is required to have a target residual risk rating. Risk owners should use the overall risk appetite when assessing the appropriate target risk rating.

4.1 Administration

This Policy is administered by the Risk and Compliance Department.

4.2 Monitoring and Review

The Policy is reviewed annually or more frequently if there is a major change to the Bank's risk management framework. Changes to the Policy must be approved by the Governor.

4.3 Communication

This Policy is published on the Bank's Intranet.

4.4 Related Documents
5. Enquiries

For further information or clarification on this Policy or associated documentation, please contact RM – SOR Mailbox.

Appendix A: Risk Appetite by Risk Category

Table A1. Risk Appetite by Risk Category
What is risk appetite explain why risk appetite varies from organization to organization quizlet?
Explain why risk appetite varies from organization to organization? Risk appetite defines the quantity and nature of risk that organizations are willing to accept as they evaluate the trade offs between perfect security and unlimited accessibility.

Which of the following activities is a part of the risk identification process?
There are five core steps within the risk identification and management process. These steps include risk identification, risk analysis, risk evaluation, risk treatment, and risk monitoring.

What is the assessment of the amount of risk an organization is willing to accept for a particular information asset?
Risk appetite is the level of risk that an organization is willing to accept while pursuing its objectives, and before any action is determined to be necessary in order to reduce the risk.

What is the risk to information assets that remains even after current controls have been applied?
Residual risk is the risk that remains after your organization has implemented all the security controls, policies, and procedures you believe are appropriate to take. Put another way, residual risk can affect your business even after taking all the security measures.