Corporate Governance - Bendigo and Adelaide Bank

Bendigo and Adelaide Bank Risk Principles & Systems Descriptions

Executive Summary


The management of risk is a critical function within Bendigo and Adelaide Bank Limited and its controlled entities ("the Group"). The Group has established an integrated risk management framework of governance, accountability, policies, processes, controls, resourcing and training as summarised below.

The Board of Bendigo and Adelaide Bank Limited (“the Board”) has approved the principles and policies as outlined in this document.

Risk Oversight
Overview

The management of risk is an essential element of the Group’s strategy and in the way we operate.

The Board, being ultimately responsible for risk management associated with the Group’s activities, has established an integrated governance and accountability framework, policies and controls to identify, assess, monitor and manage risk.

Material business risks relating to the Group can be categorised as: credit, market (including interest rate and currency), liquidity, and operational risk (includes Regulatory Compliance, contagion, environment/sustainability risks).

The risk management strategy is based upon risk principles approved by the Board and is underpinned by a system of delegations, passing from the Board through Board committees, the Managing Director (“MD”), management committees to the various risk, support and business units of the Group.

Embedded in our culture is the value all staff place on doing the right thing, taking responsibility for managing the risks inherent in their role, and engaging with our stakeholders, including the broader community, to deliver a sustainable business proposition for all.

Board Responsibilities

In accordance with the Board Charter, the Board principally through the Audit, Credit, Risk and Governance & HR Committees oversees the establishment, implementation, review and monitoring of risk management systems and policies, taking into account the Group Risk Appetite, the overall business strategy, management expertise and the external environment. This includes approving risk limits and risk policies.

Board Committee Responsibilities

The Board has approved policies that support the implementation of a risk oversight and management framework for the Group. These policies are overseen by the Board Committees with each Committee operating under a Board approved charter that is reviewed annually.

Each Committee has established a reporting structure that describes the relevant responsibilities in respect to oversight and monitoring of Board-approved risk management policies.

The Committees evaluate developments in respect to the Group’s structure and operations, as well as economic, industry and market developments that may impact the Group’s management of risk.

Executive Committee Responsibilities

Whilst the Board has responsibility for setting the Group’s appetite for risk, the MD and other Executive Committee members are responsible for developing strategies and business plans commensurate with the Group Risk Appetite.

The Executive Committee has responsibility for ensuring that the Board approved strategies and decisions are appropriately implemented as well as managing and monitoring the day to day activities of the Group including the management of risk and consideration of emerging risks and opportunities.

The Executive has a number of sub-committees that consider risk management matters including the Asset Liability Management Committee, Credit Committee, Operational Risk Committee, IT Architecture Board and the OH&S and Security Committee.

On a day to day basis each Executive, management and staff are responsible for carrying out their roles in a way that manages risk in line with policies and procedures.

Independent Review

Group Assurance

The Group Assurance function is an independent function accountable to the Board Audit Committee to:

  • Provide an assessment on the adequacy and effectiveness of the Group’s processes for controlling its activities and managing its risks;
  • Report significant issues related to the processes for controlling the activities of the Group, including potential improvements to those processes, and confirming resolution;
  • Periodically provide information on the status and results of the annual assurance plan, development of the strategic direction of the function and the sufficiency of resources; and
  • Coordinate with and provide oversight of other control and monitoring functions (e.g. Group Risk, Group Legal, Corporate Secretariat, Finance, external audit).


Group Assurance is also required to report to the Board Credit Committee on items arising from credit risk reviews.

Group Risk
Group Risk is an independent function of the Group, providing the frameworks, policies and procedures to assist the Group in managing credit and operational risk in line with the strategy and Group Risk Appetite set by the Board.

The Group Credit Risk function is responsible for reviewing portfolio credit quality, policy development and promulgation, credit policy compliance, the assessment of large/maximum credit and managing the performance of the credit management system at the Group level.

The Group Operational Risk function is responsible for providing the frameworks, tools and support to assist the business in the management of its operational risk (including Regulatory Compliance, Business Continuity, Financial Crimes and dealings through Partners).

Group Treasury
Functional units have been established within Group Treasury that are responsible for monitoring, reporting and communication in relation to capital planning requirements & management, financial markets, securitisation, liquidity and balance sheet management. Group Treasury also has an independent market risk function responsible for reporting and monitoring market risk (including adherence to tolerance limits). Group Treasury has direct access to the Asset Liability Management Committee and in turn the Board Risk Committee.

MD and CFO Assurance

As part of the statutory reporting arrangements for the Group, the MD and Chief Financial Officer (“CFO”), provide a written declaration to the Board that:

  • The company’s and group’s financial statements and notes to the financial statements comply with accounting standards, give a true and fair view, and comply with the Corporations Regulations 2001;
  • The financial records of the Group for the financial year have been properly maintained in accordance with Section 286 of the Corporations Act 2001; and
  • The above statements regarding the integrity of the financial reports are founded on a sound system of risk management and internal control and that the systems, including those relating to business continuity, are operating effectively in all material respects in relation to financial reporting risks.

To provide this assurance a formal due diligence and verification process is completed in respect to the financial report and a risk management declaration process is completed in respect to the group’s risk management framework. This process is described further at section 5.

Further, a description of the systems and policies employed to manage the key risks to which the Group is exposed is provided to the Australian Prudential Regulatory Authority (APRA). The MD confirms annually the integrity of these descriptions to APRA with the endorsement of the Board.

Risk Principles
Overview

The Risk Management Principles and Systems Description document summarises the risk management control framework of the Group. These principles are approved by the Board and may be amended with endorsement of the Board. Specific details and responsibilities for managing each category of risk are contained in the relevant policy statements, frameworks and procedural manuals.

The risk principles are summarised below.

Risk Management Framework

A structured framework has been established to ensure that the risk management objectives are linked to the Group’s business strategy and operations. The risk management strategy is underpinned by an integrated framework of responsibilities and functions driven from Board level down to operational levels, covering all aspects of risk, most notably market, credit, liquidity, operational (includes Regulatory Compliance, contagion and environmental).

The framework recognises the governance structure and risk management framework referred to in Section 1.

Risk Management Functions

Dedicated and independent risk management functions are in place (see 1.5 above) for the material risk areas faced by the Group. These functions provide subject matter expertise on their respective risk areas and are charged with facilitating the consistent implementation of the risk policies and frameworks across the Group.

Risk Management Measurement Reporting and Control

Effective measurement, reporting and control of risk is vital to manage the Group’s business activities in accordance with overall strategic and risk management objectives. The risk management, reporting and control framework requires the quantification of market, credit, interest rate and liquidity risk, the capability to aggregate and monitor exposures, a comprehensive set of limits to ensure that exposures remain within agreed boundaries, and a mechanism for evaluating performance on a risk-adjusted basis. The management of operational risk is based on a documented policy and framework. The Board has defined general parameters to manage the Group-wide risk profile to comply with the approved Group Risk Appetite and tolerances which considers both downside risk and opportunities.

Internal controls

The risk management framework requires robust internal controls across all aspects of the business as well as strong support functions covering legal, regulatory, governance, reputation, finance, information technology, human resources and strategy. Consequently the effectiveness and efficiency of controls is evaluated in all new and amended products, processes and systems or where external and internal factors impact the operating environment (e.g. changes in organisation structure, growth, new regulation).

Risk Management Systems

Accurate, reliable and timely information is vital to support decisions regarding risk management at all levels. The requirements span a diverse range of risk functionality including market and credit risk analysis systems, budgeting, strategic planning, asset and liability management, performance measurement, operational risk and regulatory reporting, as well as trading and trade processing systems and those systems supporting our staff.

Data reconciliation is established to provide for the integrity of the information used and appropriate security controls around all systems. Back-up and recovery procedures are defined and business continuity plans approved and communicated to promote resilience and minimise the impact of an incident.

The Group maintains and implements specific policies and procedures to measure, monitor, manage and report on the material risks to which the Group is exposed. Each policy contains requirements to be met for review and approval.

Material Risks
Overview

The risk management framework of the Group is structured upon:

  • Core Risk Principles - overriding principles governing all activities and risk monitoring procedures; and
  • Specific Risk Policies - appropriate policies, framework documents, procedures and processes implemented to manage specific risks to which the Group is exposed.

The Board, and industry regulators, have identified that the material risks relating to the Group can be categorised as: credit, market (including interest rate and currency), liquidity, operational and strategic risk.

The risks are described in sections 3.2 to 3.8 below.

Credit Risk

Credit risk is the potential that the Group will suffer a financial loss due to the unwillingness or inability of a counterparty to fully meet their contractual debts and obligations.

The Board Credit Committee is responsible for monitoring adherence to credit policies, practices and procedures within the Group. The Board has established levels of delegated lending authority under which various levels of management, partners and the Board Credit Committee can approve transactions.

Group Credit Risk has responsibility for:

  • Managing, maintaining and enhancing the currency and relevance of the Group’s Credit Policies;
  • Providing support and analysis of credit portfolio information for credit management purposes; and
  • Reporting to the Credit Committee and the Board Credit Committee.
Market Risk (including interest rate and currency risk)

Market risk is the risk of losses arising from adverse movements in market prices which in turn affect the value of balance sheet positions.

Interest rate risk is the potential for volatility in earnings to the Group due to adverse movements in interest rates. As part of the Group’s activities we strive to meet customers’ demands for products with various interest rate structures and maturities. This results in mismatches in the repricing dates, cash flows and other characteristics of assets and liabilities, which become sensitive to interest rate movements.

Interest rate risk is managed through Group Treasury using gap analysis and simulation modelling techniques. The objective is to enhance the Group’s earnings performance by minimising fluctuations in net interest income and market value that may occur over time as a result of changes in interest rates.

Managing interest rate risk may involve specific actions to vary the physical term or structure of the various portfolios, or the use of derivative financial instruments, including interest rate swaps, futures and options. Monitoring of adherence to policies, limits and procedures is the responsibility of and controlled through the Asset Liability Management Committee and the Board Risk Committee.

Currency risk is the risk of loss of earnings to the Group due to adverse movements in exchange rates. Currency risk of the Group arises from foreign currency wholesale funding activities and customer related foreign exchange transactions.

It is the policy of the Group to hedge foreign currency wholesale funding and to manage its exposure in relation to customer related foreign exchange transactions within approved limits and policy requirements. The Financial Markets unit manages currency risk and reports through the Asset Liability Management Committee and Board Risk Committee who are responsible for the currency risk of the Group.

It is the current policy of the Group that it does not trade in derivatives (i.e. customer currency options are backed out with Interbank counterparts).

Liquidity Risk

Liquidity risk is the inability to access funds, both anticipated and unforeseen, which may lead to the Group being unable to meet its obligations in an orderly manner as they arise or foregoing investment opportunities.

Group Treasury is responsible for implementing liquidity risk management strategies in accordance with approved policies and direction of the Asset-Liability Management Committee and Board Risk Committee. This includes maintaining prudent levels of liquid reserves and a diverse range of funding options to meet daily, short-term and long-term liquidity requirements.

Liquidity scenarios are calculated under stressed and normal operating conditions to assist in anticipating cash flow needs and providing adequate reserves.

Operational Risk

Operational risk is defined by the Group as: “the risk of impact on objectives resulting from inadequate or failed internal processes, people and systems or from external events, including legal and reputation risk but excluding strategic risk”.

The Board Risk Committee is responsible for the oversight of the operational risk management policies and effectiveness of implementation across the Group.

The Operational Risk Committee is responsible for monitoring the operational risk profile of the Group, including monitoring the progress of the Business Continuity Management Program, and the execution of the Financial Crimes Strategy. Each individual Executive member has day to day responsibility and accountability for the management of operational risk in their business/support line including, but not limited to, ensuring operational risk management strategies are in place and operating effectively.

Management and staff in each business are responsible for identifying operational risks and determining, implementing, monitoring and reporting on policies and practices to manage operational risks to which their business is exposed.

Group Operational Risk has a role to assist and support the Executive and Operational Risk Committees and Business Units to develop, implement, monitor and report on the effectiveness of implementation of the Group’s Operational Risk Management framework. It reports to the Board Risk Committee on the status of the implementation of the framework and implications of significant risks and risk events at the Group level.

The Group considers both the internal and external environment as well as emerging risks when monitoring and assessing operational risk.

Strategic Risk

Strategic risk is defined as the risk that adverse business decisions, ineffective or inappropriate business plans or failure to respond to changes in the environment will impact our ability to meet our objectives.

The Group undertakes a formal strategic planning process annually, utilising a structured template and a series of meetings to obtain input from all members of the Executive team, including the MD and CGM Strategy.

The Board of Directors have ultimate responsibility for strategic risk.