Each operational area across the bank manages its own risks. This approach creates a first line of defence and encourages a risk culture that involves all staff. A central risk and compliance team, led by our Chief Risk Officer, creates a second line of defence.
This team is responsible for:
- ensuring the risk framework is consistent with prudential and industry practice
- developing risk strategy and risk treatment plans
- overseeing risk management practices
- maintaining risk registers, incident and issue registers, complaints and disputes registers
- monitoring compliance obligations, and
- coordinating how risk appetite applies in day-to-day business activities.
Internal audit provides our third line of defence, via an independent assurance function. Our internal auditors, KPMG report to the Audit and Compliance Committee, which meets quarterly.
The Board’s Risk Committee meets monthly and considers all aspects of our risk framework, including risk appetite and risk monitoring. Our tolerances for credit risk, capital and liquidity risk are well above those set by APRA, reflecting our responsible banking practices and sensitivity to risk.
Risk management framework
Bank Australia’s manages risks within a framework of six major categories:
- Financial Risk. This category covers risks directly associated with the bank meeting its financial obligations as and when they fall due.
- Credit Risk. This category covers the risk of financial loss if a customer fails to meet contractual obligations to repay a debt, and it arises principally from loans and advances to customers.
- Governance Risk. This category covers the rules, processes, policies, and regulations outlining and defining the bank’s capacity, operational management and administration. It includes risk management and compliance risk.
- Development Risk. This category covers all risks associated with promoting and communicating products and services to existing and potential customers.
- Operational Risk. This category covers the risk of loss from inadequate or failed internal processes, people and systems, or from external events.
- Strategic Risk. This category covers the potential loss that might arise from pursuing an unsuccessful corporate strategy.
Each risk is allocated key risk indicators and tolerance levels, which are monitored to ensure the risk remains within acceptable levels. The bank has a Risk Appetite Statement to help identify and manage risks.
Top 10 risks
We identify key risks at least annually. The top 10 risks in 2015 were:
- credit risk
- liquidity risk
- strategic risk
- change risk
- organised crime risk
- technology risk
- competition risk
- cyber risk
- economic risk
- key person risk.
Key risk incidents and how we managed them
There were no significant risk incidents during the past 12 months. We addressed minor fraud incidents and computer system downtime incidents as part of business as usual, improving controls when considered appropriate.