Risk Appetite Statement Policy¶
| Code | GOV-002 |
| Domain | Governance & Accountability |
| Owner | Chief Risk Officer |
| Status | Draft |
| Applicability | Platform |
| Jurisdiction | NZ + AU |
| Business domain | BD08 |
| Review date | 2027-03-25 |
Regulations: APS 110 Capital Adequacy · DTA Capital Standard¶
Purpose¶
Govern the platform's Risk Appetite Statement — its structure, quantitative and qualitative thresholds, Board approval requirements, and obligations when risk positions breach approved tolerances.
Scope¶
All material risk domains of the platform in NZ and AU, including credit, market, liquidity, operational, compliance, and conduct risk.
Policy statements¶
The Board SHALL approve a Risk Appetite Statement (RAS) annually, prior to the commencement of each financial year. The RAS SHALL define quantitative tolerances and qualitative statements for each material risk domain, expressed in terms the Board can monitor and act on.
The RAS SHALL include explicit breach thresholds for each material risk metric. Breach thresholds SHALL distinguish between escalation thresholds (requiring management action and reporting to the Board Risk Committee) and hard limits (requiring immediate Board-level response).
The Chief Risk Officer SHALL translate the Board-approved RAS into operational risk limits for each business domain and system domain. Operational limits SHALL be cascaded to system controls where technically feasible.
The CRO SHALL report the platform's risk position against appetite to the Board Risk Committee at each quarterly meeting, and to the full Board at each Board meeting. The risk position report SHALL include all metrics, breaches, and remediation status.
Any breach of a RAS hard limit SHALL be escalated to the CRO and reported to the Board Risk Committee within 24 hours of detection. The response to a breach SHALL be documented, including the cause, remediation action, and any proposed amendment to the RAS.
The RAS SHALL be reviewed out-of-cycle following any material change to the platform's business model, product suite, regulatory environment, or capital position.
The RAS SHALL be consistent with the platform's capital adequacy obligations under APRA APS 110 and applicable RBNZ capital requirements. The capital adequacy projections used to set the RAS SHALL be reviewed by the CFO before Board approval.
Satisfying modules¶
| Module | Name | Mode | Description |
|---|---|---|---|
| MOD-010 | CDD tier assignment engine | GATE |
Customer risk score within RAF thresholds — auto-decline or auto-refer above appetite |
| MOD-013 | Real-time sanctions screener | AUTO |
Sanctions exposure maintained at zero — RAF threshold enforced by system not process |
| MOD-032 | LCR / NSFR calculator | ALERT |
LCR breach of RAF threshold triggers automatic escalation — no reliance on manual monitoring |
| MOD-033 | RWA & capital ratio engine | ALERT |
Capital ratio breach (CET1, Tier 1, or Total Capital) triggers an alert to CFO and CRO via MOD-076 alarm-intake, distinguishing between the regulatory minimum and the internal management buffer — FR-207. |
| MOD-034 | Stress testing scenario engine | CALC |
Stress scenarios include RAF threshold breach — recovery plan triggers identified automatically |
| MOD-035 | IRRBB / EVE / NII model | ALERT |
EVE sensitivity breach of limit triggers automatic alert to ALCO and CRO |
| MOD-064 | Operations work queue | AUTO |
Routes every decision that requires human review to a role-appropriate queue — no manual triage needed. |
| MOD-074 | Back-office customer 360 | LOG |
All back-office access to customer data and all manual actions taken on customer accounts are logged with operator identity and timestamp. |
| MOD-150 | Risk management platform | CALC |
The RAF dashboard is continuously computed from SD06 outputs; RAF threshold breach auto-alerts the CRO and Board Risk Committee chair. |
| MOD-152 | Climate risk assessment | ALERT |
Climate risk indicators (physical risk concentration, high-transition-risk sector exposure) included in the RAF dashboard; breach of climate risk appetite limits triggers automatic Board alert. |
| MOD-170 | Regulatory Submissions Portal | LOG |
All portal access events (view, approve, reject) are logged with staff_id, timestamp, return_code, and run_id, satisfying the Risk Appetite Statement governance audit requirement for regulatory submission actions. |
| MOD-171 | Risk Intelligence Dashboard | CALC |
The RAF summary page continuously computes all configured risk appetite indicators (CET1, LCR, NSFR, EVE, stress headroom, related party exposure) from SD06 published views and displays them against board-approved thresholds — the dashboard IS the Risk Appetite Framework reporting required by GOV-002. |
Part of Governance & Accountability · Governance overview
Compiled 2026-05-22 from source/entities/policies/GOV-002.yaml