
Sound risk management plays a critical role in positioning us to prepare for, and respond to, opportunities and challenges in our operating environment.

Our progress

This year we have continued to strengthen our risk management capabilities, focusing on:

Culture and conduct

  • We have initiated a programme of work to build out how we will measure, monitor and manage conduct risk to allow us to better understand and respond to the drivers of poor conduct. This has included introducing new accountability and consequence principles for employees found accountable for material failure and non-compliance as well as recognising positive risk behaviours in our annual performance and remuneration reviews.
  • We have raised employee awareness about our whistleblower processes and made it easier for them to ‘speak up’ – including through initiatives such as the inaugural Whistleblower Awareness Week this year.

Simplification

  • Investment has been made in our risk systems, including enhancing our data analytics to improve our ability to identify issues, and more swiftly understand the root causes.
  • Standardisation and simplification of our wholesale risk practices and policies has helped significantly improve time responsiveness thereby delivering a better banker and customer experience.

Non-financial risk

  • We have redesigned our non-financial risk framework in response to feedback that it was too complex. Significant work has been undertaken to simplify our language around operational risk, consolidate our framework documentation, and clarify the requirements and roles and responsibilities of our staff.
  • We have established a Royal Commission and Self-Assessment Oversight Group to provide oversight of the integrated approach and plans to address the Self-Assessment focus areas and Royal Commission ‘lessons’. This includes, for example, commissioning and reviewing reports on progress in addressing the Self-Assessment focus areas, our 16 Royal Commission commitments and actions by government to respond to the Royal Commission.

“Strong risk management is a necessity if we are to anticipate and navigate ANZ through a changing environment.” Kevin Corbally – Group Chief Risk Officer

Our Risk Management Framework

The Board is responsible for establishing and overseeing the Group’s risk management framework. The Board has delegated authority to the Board Risk Committee (BRC) to develop and monitor compliance with the Group’s risk management policies. The Committee reports regularly to the Board on its activities.

The key pillars of the Group’s risk management framework include:

  • the Risk Appetite Statement (RAS), which sets out the Board’s expectations regarding the degree of risk that the Group is prepared to accept in pursuing its strategic objectives and its operating plan; and
  • the Risk Management Statement (RMS), which describes the Group’s strategy for managing risks and a summary of the key elements of the Risk Management Framework (RMF) that give effect to that strategy. The RMS includes: a description of each material risk; and an overview of how the RMF addresses each risk, with reference to the relevant policies, standards and procedures. It also includes information on how the Group identifies, measures, evaluates, monitors, reports and then either controls or mitigates material risks.

The Group operates a Three Lines-of-Defence Model in regard to risk management that helps embed a culture where risk is everyone’s responsibility. The business – as the first line of defence – has day to day ownership of risks and controls and is accountable for identifying and managing its own risks. The Risk Function is the second line of defence, providing a strong and independent oversight of the work undertaken to manage the risk, as well as developing and maintaining the Risk Management Framework.

The final line of defence is Internal Audit and includes independent assurance that evaluates the adequacy and effectiveness of both first and second line risk management approaches.

Links to 2019 Group Performance Framework

We continue to operate in a dynamic and challenging external and regulatory environment, placing significant demands on the Risk and Compliance function. There were no material breaches of our Group Risk Appetite Statement, and the number of adverse audits fell by a third, with management demonstrating accountability for fixing issues in a timely and sustainable manner. While there were many positives from a risk perspective, there were some non-financial risk shortcomings from a regulatory, customer and community perspective.

Refer to the Remuneration Report section of the Annual Report available at anz.com/shareholder/centre for further details.

Fighting financial crime

Financial crime threats continue to evolve, as do the regulatory measures required to address them. In response we have:

  • invested heavily in capturing and understanding financial crime data and infrastructure, upgrading sanctions and fraud platforms;
  • implemented a network data analysis tool, improving our ability to collaborate with external parties to fight financial crime; and
  • focused on the growth and development of employees, developing a gap analysis tool to inform our thinking on the current and future capabilities required of our people to combat financial crime.

The governance and oversight of risk, whilst embedded in day to day activities, is also the focus of committees and regular forums across the bank (see diagram below). The committees and forums discuss and monitor known and emerging risks, reviewing management plans and monitoring progress to address known issues.

The risk landscape is continually evolving and we are therefore constantly reviewing issues to consider their materiality to the bank’s operations. Two risks we are currently seeking to understand further are:

Cyber security risk: while not new, the increasing reliance we have on information security systems to hold our data and our customers’ data requires us to continually invest in and test the adequacy of our safeguards against evolving cyber attacks and new technology. See page 20 for further detail.

Climate change risk: the financial risks associated with climate change are subject to increasing prudential and regulatory oversight and are therefore an area of focus for us. See pages 48 to 49 for further detail on our approach to climate-related financial risks.