2026-02-03
The Reserve Bank of New Zealand conducted a thematic review of risk management practices across nine deposit takers to inform upcoming regulatory standards and uplift sector capability. The review found that while larger entities generally demonstrated more mature risk frameworks, all participants required improvements in areas such as independent framework reviews, proactive risk identification, and the independence of assurance functions. The regulator issued specific recommendations for deposit takers to maintain comprehensive, forward-looking risk management frameworks and robust governance structures ahead of the Risk Management Standard taking effect in 2028.
Thematic Review
Reserve Bank of New Zealand
February 2026

Risk Management: Insights on practices in the deposit taking sector

Reserve Bank of New Zealand
PO Box 2498
Wellington
NEW ZEALAND
www.rbnz.govt.nz
Disclaimer

We produce a variety of publications and research about monetary policy, financial stability and related economic and financial issues. Most are available without charge as part of our public information service. We have made every effort to ensure that information published in this paper is accurate and up to date. However, we take no responsibility and accept no liability arising from:
• errors or omissions
• the way in which any information is interpreted
• reliance upon any material.

We are not responsible for the contents or reliability of any linked websites and do not necessarily endorse the views expressed within them.

Privacy Policy - Reserve Bank of New Zealand - Te Pūtea Matua (rbnz.govt.nz)
Contents

Executive Summary ... 3
  Purpose of this review ... 3
  What we found ... 3
  Recommendations ... 4
  Next steps ... 5
Introduction ... 6
Detailed Findings ... 7
  Risk management framework ... 7
  Risk management processes ... 11
  Risk governance and oversight ... 16
  Three lines model and risk and assurance functions ... 20
Next Steps ... 23
Appendix A: Scope and approach ... 24
Appendix B: Legislation and guidance references ... 26
Appendix C: Glossary ... 27
Appendix D: Summary of expectations ... 28
Executive Summary

Purpose of this review

Effective risk management enables early identification and mitigation of risks, reducing the likelihood of operational failures, financial losses and systemic disruptions. It helps build resilience and is therefore central to our mandate of protecting and promoting the stability of New Zealand’s financial system.

We conducted a high-level thematic review of risk management practices (Review) of nine deposit takers to:
• gain insight into deposit takers’ Risk Management Frameworks (RMF) and related practices;
• share good practices and highlight areas for improvement to uplift sector capability; and
• inform guidance that will accompany the Risk Management Standard for deposit takers, which will be effective from 2028.[1]

The scope focused on three key pillars of sound risk management: the Risk Management Framework, governance and oversight, and the risk management function.[2] Risk culture was outside the scope, but it remains critical for driving accountability, informed decision making, and embedding risk awareness.

This report presents the key findings from our Review, including what we consider to be essential in promoting effective risk management in the sector.

What we found

Overall, the risk management practices of the participants in this review were largely proportionate to their size and operational and risk profile complexity. We identified areas of improvement for all participants to uplift their capability to meet our expectations. We were encouraged to see most of these entities investing in uplifting their risk management practices.

Larger entities had more mature approaches to managing risks, though some individual weaknesses were identified. Smaller entities were generally found to need greater improvements across a wider range of areas, particularly in setting and using risk appetites, internal audit and risk monitoring and reporting.
Additional findings across the three pillars are summarised below:

Risk management framework

Most entities maintained documented frameworks, policies, and procedures outlining their approach to managing material risks. Good practice included entities aligning their Risk Management Strategy (RMS) and Risk Appetite Statement (RAS) with strategic objectives. Some used dashboards to enhance risk monitoring and reporting and forward-looking tools, such as stress testing and scenario analysis to help anticipate emerging and cross-cutting risks.

Areas for improvement included independent, regular and comprehensive reviews of the RMF; monitoring and reporting of non-financial risks; identifying emerging and cross-cutting risks; and ensuring risk tools, systems and data are fit for purpose and aligned with risk management needs. While having a documented framework is essential, effective implementation, supported by strong assurance, governance and oversight is critical to achieving the risk management objectives of the entity.

[1] The standard will be issued under the Deposit Takers Act 2023 and is currently being drafted following industry consultation. Deposit Takers Non-Core Standards - Reserve Bank of New Zealand - Citizen Space
[2] Refer to Appendix A for additional details on the scope of the Review.

Risk governance and oversight

Most entities had clearly defined the risk responsibilities of the board, Board Risk Committee (BRC) and senior management, with delegated responsibilities regularly reviewed and updated. Good practices included boards having sufficient expertise to oversee all material and emerging risks and some leveraging transferable skills to address gaps. We also saw some entities increasing their board time, refining risk reporting and setting aside time to actively challenge and discuss emerging risks as boards seek more granular, forward-looking risk information.

Chief Risk Officers (CROs) had a wide range of risk expertise, from minimal risk experience to highly skilled professionals, and they were not always provided with training and support. Where CROs were dual-hatting there was limited evidence of conflicts of interest being actively assessed.

Three lines model and assurance functions

Most entities adopted the three-lines model; however, non-bank deposit takers (NBDTs) generally lacked independent assurance from internal audit. We saw good practice in the coordination and integration of assurance planning.
Some entities had undertaken independent reviews of their three lines model and risk and internal audit functions to ensure they are operating effectively. However, many entities have had challenges maintaining a clear separation between the first and second lines, primarily due to limited resources and unclear roles and responsibilities.

Recommendations

We have identified the following key recommendations for deposit takers to support sound risk management. We expect all deposit takers to follow these recommendations in line with their scale, complexity, and risk profile:
• Maintain a comprehensive, fit for purpose and forward-looking RMF: the RMF should address all material and emerging risks, define clear risk responsibilities, incorporate forward-looking tools, and be supported by robust policies and procedures. It should undergo regular independent reviews to ensure alignment with the entity’s evolving risk profile and strategic objectives.
• Ensure the RMS and RAS are clearly defined and well-aligned: these should be well understood across the entity, embedded in day-to-day activities and decisions and regularly reviewed. The board should set and approve both the RMS and RAS.
• Identify and assess risks proactively: maintain robust, forward-looking processes to identify and assess all material, emerging and cross-cutting risks. This includes clear criteria for materiality and well-defined risk taxonomies for consistency.
• Ensure robust assessment and oversight of mitigation strategies and controls: these strategies and controls should be robust and regularly assessed for effectiveness, with strong oversight and challenge from the board and senior management.
• Continuously monitor and provide timely risk reporting: maintain robust processes and systems to continuously monitor and report risks promptly, ensuring visibility and timely escalation and remediation. Where possible, entities should leverage technology to support proactive and efficient risk monitoring and reporting. Risk reports should be clear, concise, easy to understand and based on accurate and timely information.
• Ensure strong risk governance and oversight: risk responsibilities across the entity should be clearly defined, communicated and well understood. The board and senior management should promote a strong risk culture and actively challenge risk information and decisions. They should ensure adequate risk awareness and expertise exists throughout the entity, supported by ongoing education and training.
• Maintain an independent and appropriately resourced risk function: the risk function should operate independently from business operations, with any actual, potential or perceived conflicts of interest actively identified and managed. It should have adequate, qualified resources and receive ongoing investment to maintain effective systems and tools that are adaptive and aligned with the entity’s RMF and reporting requirements.
• Maintain a strong risk aware culture with a focus on continuous improvement: regular training and education is required to embed a robust risk mindset across the entity, combined with a focus on continuous improvement to ensure risk management stays relevant, effective and aligned with good practice.

Next steps

In line with the Review’s objective to uplift risk management practices and capability across the sector and to inform policy development, the next steps are as follows:
• Participating entities: must review specific feedback provided and develop action plans to appropriately address identified weaknesses.
• All deposit takers: must undertake a self-assessment against the expectations, findings, good practices and recommendations outlined in this report, and take actions appropriate to their size, nature, and complexity of operations. They should be prepared to discuss any shortfalls identified and their remediation plans with supervisors.
• Other RBNZ-regulated entities: although we focused on the deposit taking sector, findings are relevant to all RBNZ-regulated entities. We encourage all entities to consider these and adopt relevant recommendations to strengthen their risk management practices.
• Policy development: findings have informed the draft guidance accompanying the Risk Management Standard under the Deposit Takers Act 2023. Exposure drafts of the standard and accompanying guidance will be released in February 2026, and we encourage deposit takers to provide feedback.
Introduction

Risk management is the cornerstone of a safe and resilient financial system. It is the process of identifying, assessing and mitigating risks that could affect an entity’s ability to achieve its strategic objectives. By systematically analysing risks and implementing measures to reduce their likelihood or impact, deposit takers can safeguard their operations, protect stakeholders, and support the maintenance of trust and confidence in the financial system.

The 2008 global financial crisis highlighted the severe consequences of poor risk management, prompting greater emphasis on sound practices and heightened regulatory scrutiny. Deposit takers today operate in a rapidly evolving risk landscape, with heightened economic uncertainty, escalating geopolitical risk and rapid technological change. This reinforces the need for them to establish robust RMFs, supported by strong governance structures and a highly capable risk function to manage all risks, including emerging risks.

This Review examined the risk management practices of nine deposit takers of varying size and business type (licensed banks and NBDTs) to:
• gain insight into deposit takers’ RMF and related practices;
• share good practices and highlight areas for improvement to uplift sector capability; and
• inform the development of guidance supporting the Risk Management Standard for deposit takers, which will take effect from 2028.[3]

The Review focussed on three key pillars essential for sound risk management: the RMF, risk governance and oversight, and the risk function.[4] A robust RMF, supported by a strong risk culture, forms the foundation of effective risk management. It provides a structured approach for managing risks through comprehensive policies, procedures, and controls designed to help entities to mitigate risks and maintain sound operations.

Effective governance ensures accountability and empowers the board and senior management to challenge and provide direction to risk-taking decisions. The risk function adds an independent layer of oversight, including monitoring exposures, providing objective reporting, and challenging mitigation strategies and controls.

Risk culture was outside of the scope of this Review; however, it is critical for driving accountability, informed decision making, and embedding risk awareness across entities. The Review also did not assess the full implementation of the RMF and its key components throughout the entities and the management of individual risks.

Sound risk management is fundamental to safeguarding the financial health of deposit takers and enhancing operational resilience and long-term sustainability. It should be forward looking and embedded in entities’ decisions, activities and strategic planning. Effective risk management promotes a resilient, confident financial system and ensures regulatory compliance, making it central to the Reserve Bank’s mandate to protect and promote financial stability.

We would like to thank all participating entities, along with their board members and senior management, for their time and effort in providing the requested information and openly engaging with us throughout the Review.

[3] The standard will be issued under the Deposit Takers Act 2023 and is currently being drafted following industry consultation. Deposit Takers Non-Core Standards - Reserve Bank of New Zealand - Citizen Space
[4] Additional details on the scope, approach and limitations of the Review are outlined in Appendix A.
The next section presents detailed findings for this review, based on documents provided by participating entities and information gathered during onsite engagement. In each area we begin by outlining our expectations, followed by the findings and good practices observed across the scope of the review. This should form the basis of the self-assessment we expect all deposit takers to undertake to ensure their risk management practices are sound, effective and fit for purpose for their size, nature, and complexity of risk profile.

Detailed Findings

Risk management framework

A comprehensive and effective risk management framework enables deposit takers to anticipate and manage risks proactively, while taking informed, calculated risks aligned with their risk management strategy and appetite. An RMF comprises the policies, processes, systems and people that form the architecture for identifying, managing, monitoring and reporting material risks. It includes an entity’s RMS, RAS and its risk culture.

Framework as a whole

The RMF should be comprehensive, forward looking and remain fit for purpose. We expect the RMF to:
• Be comprehensive, proportionate to entity size, operations and risk profile complexity.
• Cover all material risks and be forward looking.
• Be independently reviewed as a whole on a regular basis to ensure it is effective and fit for purpose.

A comprehensive RMF clarifies roles and responsibilities in risk management and enables deposit takers to manage their risks in a structured and consistent manner. It also needs to be forward looking, including considering different time horizons, monitoring emerging risks and using tools such as stress and scenario testing. Periodically reviewing and updating the RMF ensures it remains effective as the entity’s size, nature, complexity, and operating environment evolve.
A holistic review of the RMF ensures that policies, processes, systems and structures in risk management work together as intended and remain relevant and fit for purpose. Changes to the RMF need to be communicated effectively to the right people internally to ensure updates are implemented as intended.

What we found

The maturity of RMFs varied across entities, with larger entities having more comprehensive and mature frameworks compared to smaller entities. RMFs of subsidiaries of overseas banks were generally well aligned to their group, with some components tailored and others adopted wholesale. However, key policies and procedures taken from the group RMF were not always reviewed and approved through New Zealand governance structures to ensure they were fit for purpose before adoption.

None of the entities had undertaken independent, regular, comprehensive reviews of the RMF as a whole to ensure it is effective and remains fit for purpose.
– All entities maintained overarching documents outlining the key components of the RMF, which were reviewed periodically. However, some smaller entities deemed this as a comprehensive review, without the depth needed to assess whether the RMF was effective and fit for purpose.
– Banks regularly reviewed individual components of their RMF at separate times as part of the internal audit plan; however, these reviews were not considered collectively to provide insight into the RMF as a whole.
– RMFs of the subsidiaries of overseas banks were reviewed by their parents for alignment and adherence to the group framework. However, this did not assess whether the subsidiary’s RMF was fit for purpose in the local environment.
– Most banks had either completed or were undertaking large scale changes to their RMFs. Some have scheduled future independent reviews to ensure successful implementation and continuous improvement. It was unclear whether these reviews would be undertaken on an ongoing basis.
– Some NBDTs relied on external parties to review some high-risk areas of their frameworks on an ad-hoc basis.

Framework changes were communicated internally through both formal and informal channels, ranging from structured training to team discussions. Larger entities explored additional approaches such as using plain language, shorter training modules, and workshops with case studies.

Good practices
• There was flexibility to undertake out of cycle reviews of the overarching RMF document, RMS and RAS (see below) if needed. This ensures these key framework components remain relevant and aligned with changes to business strategies and priorities.
• Risk maturity self-assessments were undertaken on a regular basis, which were validated by internal audit and challenged by management and board committees. These helped inform areas requiring improvements in risk management practices.
• Ensuring staff understand RMFs and any changes, for example through using different channels and approaches to ensure effective communication.
Risk management strategy

The RMS should provide structure and clarity on an entity’s approach to and priorities for managing risk. We expect the RMS to:
• Align with an entity’s strategic objectives and be tailored to its business model and risk exposure.
• Be reviewed and approved by the board annually.
• Be communicated clearly across the entity to ensure consistent understanding and application.
• Define key roles and responsibilities in risk management and governance and identify all material risks and how they will be managed.

The RMS outlines an entity’s approach to managing all its material risks and the supporting policies, procedures and governance arrangements that are in place. It also includes the risk management responsibilities of the senior management, the board, and the risk function.

What we found

The level of detail and approach to documenting the RMS was proportionate to entity size and complexity. Larger banks maintained comprehensive, standalone RMS documents, while smaller entities embedded their risk management strategy within their overarching RMF document.

Documented components of risk management strategy largely included:
– Entity-wide approach to risk management, outlining at a high-level how risks are identified, assessed and managed. Some smaller entities provided limited detail on monitoring and reporting strategies.
– Material risks, though some strategies lacked detail on how these risks would be managed. However, this was generally covered in detail in the material risk policies.
– Roles and responsibilities of key senior management and board and management committees, though some entities did not clearly outline the risk function’s role or integrate the three lines into their risk management strategy.

Entities used various methods such as meetings, training, intranet, and email to communicate their risk management strategy. However, none had a documented communication plan, which may reduce awareness and understanding of the RMS.

Good practices
• The RMS outlined the importance of considering emerging risks and the use of forward-looking indicators to promote proactive risk management.
• Risk strategy sessions were undertaken alongside annual strategy planning to ensure alignment with business strategy and priorities, enabling early risk identification, better resource allocation, and risk-informed decision making.
• The RMS and RAS were reviewed and approved simultaneously by the board, supported by the overarching framework to provide a complete view of risk management. This ensures consistency, alignment and informed decision making.
• Risk assessments of the annual business plan were undertaken and the results were used to inform annual planning sessions.

Risk appetite statement

A RAS should guide and set boundaries around risk-taking activities and decisions. We expect entities to maintain a RAS for each material risk and the entity overall. An effective RAS defines the risk appetite, how it will be measured, monitored and governed, and outlines clear tolerances and limits. This information should be reflected in policies and controls to support the operationalisation of the RAS and guide risk-taking decisions. We expect the board to review and approve the RAS annually to ensure alignment with strategic objectives.

An entity’s RAS defines the amount and type of risk it is willing to accept to achieve its strategic objectives. This includes having clearly defined and well-documented appetite, metrics, limits and tolerance levels for each material risk. Metrics could be quantitative or qualitative and form the basis for establishing risk limits and tolerances that can be monitored and used as reporting and escalation thresholds for management and board oversight. The RAS needs to be dynamic, adapting to changes in the external environment, emerging risks, and the entity’s risk profile and performance. An annual board review of the RAS ensures appropriate alignment with business planning and strategy.

What we found

Most banks maintained a standalone RAS document, outlining risk appetite, metrics and board approved limits and tolerances for all material risks. For NBDTs there was limited board involvement in setting and owning the risk appetite.

Some practices we observed:
– Absence of a clearly defined risk appetite, with some assuming the acceptable residual risk as the risk appetite for all material risks. Such an approach does not appropriately reflect an entity’s risk profile and affects its ability to adequately prioritise, monitor and escalate material risks.
– Risk metrics and limits for individual material risks were not clearly linked to risk appetite, and non-financial risks lacked clearly defined, measurable risk metrics and limits. This could lead to inconsistent risk evaluations, and failure to detect and remedy issues in a timely manner.
– Key information, such as target residual risk, metrics, regulatory limits and internal limits were spread across the RMF and individual policies, rather than summarised for risk appetite review and board approval. Presenting this information in a consolidated manner would strengthen governance and enable a more comprehensive discussion on risk appetite.
Good practices
• The metrics and key risk indicators for non-material risks were included in the RAS, to help support their monitoring and oversight.
• Regulatory limits were clearly defined in the RAS to enhance clarity and understanding of risk appetite and aid in escalation and decision making.
• The risk owner, metrics, board approved limits and governance committee for each material risk were clearly outlined in the framework to ensure transparency and accountability.
• Subsidiaries of overseas banks had the same material risks as their parent and adopted limits and tolerances for a consistent group-wide risk assessment. These were reviewed locally and tailored or supplemented with additional limits where needed to reflect the local risk appetite.

Risk management processes

Clear, well-governed policies and processes are essential for a consistent approach to risk management across the entity. Risk management policies and procedures enable deposit takers to identify, assess, mitigate, control and monitor risks. They should align with the entity’s RMS and RAS and be proportionate to its size, operational complexity, and risk profile. Risk policies and processes need to be adaptive, evolving with changes in operations, technology, regulatory requirements, and the external environment. Regular review and approval by the appropriate governance body will ensure they remain fit for purpose, with changes communicated to relevant staff.

Risk identification and assessment

Policies and processes for risk identification and assessment should be robust, clear, consistent and well understood across the entity. We expect entities to ensure the following:
• Risk policies and processes are clearly documented, comprehensive and fit for purpose. They are reviewed and updated periodically to reflect any internal and external changes.
• Risk assessments are well documented and communicated, including rationale, assumptions and methodologies used.
• Criteria for determining material risks are clearly defined.
• Risk taxonomies are well defined to enable consistent identification and classification of material risks and to support monitoring and oversight.
• Board and senior management are actively involved in reviewing and challenging risk assessments.

Risk identification involves recognising threats and vulnerabilities that could impact operations, such as financial performance, reputation and regulatory compliance. Identification of cross-cutting risks can be challenging, particularly in larger more complex entities, where the risk of silos is higher. Engaging and leveraging information internally across teams and externally from stakeholders can help to address this.

Risk assessment evaluates risks based on impact and likelihood, using both quantitative and qualitative factors to determine inherent risk. Existing mitigations and controls are factored in to determine residual risk. These steps support the identification of material risks, assessment of the effectiveness of mitigations and controls and monitoring the severity of emerging risks. Forward-looking tools such as scenario analysis, stress testing, and horizon scanning help anticipate emerging and cross-cutting risks. Advanced tools such as data analytics and Artificial Intelligence (AI) can further strengthen risk identification and assessment.

What we found

Business units led the identification and consideration of risks, reinforcing risk ownership and accountability. The board and senior management challenged and supplemented these risks, sharing insights from internal discussions and external sources.

Most entities considered and identified emerging risks but approaches often varied and lacked structure. A structured approach enables early identification and management of such risks. Some common approaches included PESTLE or SWOT analysis, horizon scanning, workshops, and meetings. The identification of cross-cutting risks was generally reactive, ad-hoc and lacked clear processes. Such approaches could result in fragmented insights, gaps in risk awareness, and ineffective risk mitigation.

A risk assessment matrix was utilised by all entities to assess the severity of risks and determine whether mitigating strategies and controls are needed or remain effective. While the factors for determining the severity of risks were outlined in the RMF, thresholds and processes for assessing materiality were unclear.
Most entities showed a good understanding of material risks; however, some smaller entities interpreted them inconsistently, which could result in incorrect focus and prioritisation. Commonly identified material risks were credit risk, market risk, liquidity risk, operational risk, cyber risk and strategic risk, largely driven by entities’ core business model, environmental factors and regulatory expectation. Many non-financial risks were grouped under operational risk, reflecting their complex and inter-related nature. This can reduce visibility of individual risks and lead to inconsistent grouping and limited sector compatibility.

Good practices
• The criteria or factors used for determining material risks were clearly documented in the RMS. These included quantitative and qualitative factors such as impact on business objectives, protection of customer interest, entity reputation and financial and operational stability.
• A well-defined risk taxonomy was embedded in the RMF and related risk policies. This enables consistent terminology and uniform understanding, interpretation and classification of risks across the entity.
• The risk assessment matrix was used to identify and monitor emerging risks and develop forward-looking metrics.
• Forward-looking tools, such as stress testing, scenario analysis and horizon scanning were used to help anticipate emerging and cross-cutting risks and engage boards and senior management.

Risk mitigation and control

Mitigations and controls should support the management of risks in line with the RMS and RAS. We expect entities to maintain a robust internal control framework that includes:
• Implementing effective mitigations and controls aligned with risk appetite and embedded in daily operations.
• Documenting, maintaining and regularly reviewing mitigation strategies for all material risks.
• Regularly reviewing and assessing controls for functionality and effectiveness, supported by independent assurance. Appropriate and timely actions should be undertaken to address weaknesses.
• Clearly delineating responsibilities for control design, implementation, testing and assurance.
• Adequate oversight by the board and senior management, including challenging the effectiveness of mitigation strategies and controls.

Internal control frameworks provide the structure for how risks are mitigated. They encompass systems, policies, processes and practices that ensure material risks stay within the entity’s risk appetite. Regular review of the internal control framework is essential to ensure that controls and mitigation strategies are functioning as intended and remain effective. Automating controls can enhance the internal control framework by reducing the risk of manual errors and providing real time monitoring and reporting. For smaller, less complex entities, manual processes and tools may be sufficient. However, appropriate checks and controls should be in place and regularly reviewed to reduce the risk of errors.

What we found

The use and functionality of automated systems was largely proportionate to the size and complexity of entities, with most maintaining an enterprise risk management system.
Some banks were designing and implementing a new system to address gaps and limitations in their existing systems. Most NBDTs used manual tools and Excel based spreadsheets, which was sufficient for their size and operational complexity. Risk registers were used to record and track risks and were regularly reviewed and updated, providing insight into the entity’s risk profile. Most included details such as risk description, responsible business unit and risk owner, inherent and residual ratings, and control effectiveness. Manual registers typically had more information on mitigations and controls, while software-based registers had more detailed risk descriptions. Business units were responsible for designing and implementing internal controls, with specialist advice, support and independent challenge from risk personnel. However, where risk
Risk Management: Insights on practices in the deposit taking sector 14 specialists helped design and implement controls, few entities had measures in place to maintain independent challenge. Most banks tested controls on a regular cycle with multiple layers of assurance, including first line assurance, risk and compliance and internal audit. Roles and responsibilities of independent teams in designing, implementing and testing controls were clearly laid out in the RMF; however, some entities lacked clarity on the approach to coordinating assurance activities. Most NBDTs had monthly control testing conducted by staff independent of operations and largely focused on lending controls. We saw limited evidence of roles, responsibilities and approach to control testing and planning in the RMF. Good practices Each material risk in the risk register was linked to its mitigating controls, including control effectiveness, and related policies and procedures. Risk registers indicated whether a risk overlapped with another material risk, enabling a more transparent and structured approach to considering cross-cutting risks. Dashboards provided easy access to control testing status and outcomes against targets, enhancing transparency and accountability. An integrated assurance plan was maintained to ensure transparency, efficiency, and comprehensive coverage of control testing and audits for material risks. These plans were provided to the Board Audit Committee (BAC) and BRC to give a holistic view of the entity’s assurance activities. The process for developing, reviewing and approving an integrated assurance plan was clearly documented. This included defining the roles and responsibilities of the three lines, senior management and the board audit and risk committees in the process.
Risk monitoring and reporting

Robust monitoring and reporting should be in place to enable proactive action and well-informed risk management decisions.

We expect entities to maintain robust risk monitoring and reporting mechanisms to support effective and transparent risk management. This includes:
– Proactively monitoring all material and emerging risks on an ongoing basis.
– Maintaining and periodically reviewing policies, procedures and systems that enable effective risk monitoring and reporting.
– Ensuring risk reports provide clear visibility of the risk profile and a comprehensive, accurate and timely overview of material risks, breaches and corrective actions.
– Defining board expectations for risk reporting and escalation from management, the risk function and internal audit.
– Promptly escalating material risk issues and breaches of limits, supported by documented procedures outlining timeframes, ownership and response actions.

Risk monitoring involves tracking exposures and trends to ensure they remain within acceptable levels and that mitigation strategies are effective. Proactive monitoring enables early detection of threats and timely corrective action. Having high-quality data and appropriate tools allows entities to efficiently and effectively monitor and report on their risks, controls and breaches, supporting good governance and oversight.

Reports should provide accessible information at the right level, ensuring well-informed decision making and efficient use of governance time. This includes ensuring risk reports are clear, concise and easy to comprehend, with matters requiring discussion and decision clearly drawn out.

What we found

Some entities with automated risk systems were able to leverage their systems to enable real-time risk monitoring and reporting. However, those using manual processes had less frequent monitoring and reporting due to the absence of automated triggers and dashboards, and the need for manual data aggregation and computation.

Most entities had documented breach procedures requiring escalation of breaches of board limits to the board or BRC. However, escalation timeframes were not always clearly defined. Documenting escalation paths and timeframes ensures accountability and consistency.

Board risk reporting covered a wide range of matters. Smaller entities generally reported more operational-level information, reflecting their size and the closer engagement between management and the board. Regular reporting typically included:
– Risk profile reporting. All entities provided a report covering their risk profile.
– Material risk updates. Larger entities had separate papers on material risks, while smaller entities embedded these within risk profile reports or through updates and deep dives.
– Regulatory change and compliance updates. This has been a focus of boards given the large scale of regulatory change.
– Assurance plans, findings and remediations. Audit findings and progress were discussed at the BAC, while breaches and remediations were addressed at the BRC. For risk, these were often embedded within material risk updates and risk profile reporting.
– Policy reviews and approvals. Most entities maintained documented policies for material risks that were reviewed on a regular cycle and approved by the board or BRC.

CRO reports were consistently regarded as a key source of insight into the entity’s risk profile. Given the CRO has responsibility for all risk types, they are well placed to present a comprehensive view of risks and highlight key issues requiring focus and visibility.

Most entities used Red-Amber-Green (RAG) dashboards to report their risk profile, highlighting risk status, severity and any breaches to the board and BRC. Some entities reported only on breaches, with little discussion of the overall risk profile at board level. This could delay the identification and management of heightened risks.

Some reporting was affected by weaknesses in data quality and governance, and by limitations in reporting systems and tools. Manual interventions, additional controls and multiple reviews were required to ensure accuracy. Affected entities are implementing data and system enhancements to support more reliable analysis and reporting in the future.

Good practices
– Risk dashboards were used to report on material risk metrics and their alignment with risk appetite and tolerances. Trends over multiple periods were included to help drive discussion beyond breaches and encourage proactive risk management and oversight.
– Board and management committees had allocated time in their agendas to discuss emerging risks, ensuring dedicated focus.
– Emerging risks, such as climate risk, were identified as requiring board oversight, and the board proactively challenged whether these risks had become material.
– Heightened risks were monitored regularly through a dedicated committee to ensure sufficient time and focus.
– When limits were breached, remediation plans were provided to the board and progress was monitored regularly.
– Formal processes were established for tracking and reporting remediation of internal audit findings to the BAC, ensuring visibility and transparency.
– The timeframes for addressing high- and critical-rated audit findings and the process for granting extensions to overdue issues were well documented and understood.

Risk governance and oversight

Effective governance is central to promoting a sound risk culture and ensuring that risk management practices align with the entity’s business strategy, objectives and risk appetite. It also provides accountability and supports informed decision making across all levels of the entity.
Good governance is an integral part of sound and effective risk management in an entity. It establishes formal risk frameworks that enable systematic management of risks and promotes oversight, accountability and transparency.

We examined the roles and responsibilities of the board, BRC and senior management, particularly the CRO, in managing risks within participating entities. We also assessed practices relating to oversight and challenge.

Board and BRC

Boards should ensure a robust risk management framework is in place, hold management accountable and foster a strong risk culture.

We expect boards to ensure:
– Risk responsibilities are clearly defined and communicated across the entity.
– Delegated risk responsibilities are monitored and periodically reviewed to ensure they remain appropriate.
– There is a dedicated board committee to oversee risk management. Some small, less complex entities may not warrant a dedicated committee. In these cases, the board should allocate sufficient time for risk oversight and challenge at meetings.
– They have appropriate independence, experience, skill and capacity to oversee risk management effectively, including banking and risk experience. Where necessary, they should seek independent advice from internal and external experts.
– Management assumptions, recommendations and decisions on risk matters are actively challenged and appropriately documented.
– A strong risk culture throughout the entity.

The board is ultimately responsible for sound and prudent risk management, including effective risk governance and oversight [5]. The BRC supports this responsibility by providing dedicated focus and expertise on risk matters. It enables the board to maintain thorough oversight and informed decision making on risk management. The responsibilities of the BRC include reviewing and recommending the RMS, RAS and policies for board approval, challenging risk assessments, monitoring emerging risks and trends, overseeing the effectiveness of mitigation strategies and controls, and ensuring timely reporting and escalation of material issues.

[5] Refer to our cross-sector thematic review on governance for further information on board and committee expectations: Governance Thematic Review Report.

What we found

Risk responsibilities of the board, the BRC and senior management were clearly outlined and consistent across key documents within the RMF for most entities. Delegated risk responsibilities were also regularly reviewed and kept up to date.

Discussions highlighted challenges in finding independent directors with both deep banking and broad risk management experience. While subsidiaries of banking groups could draw on their parent for non-independent directors, smaller locally incorporated entities faced a limited talent pool.

Most entities had a dedicated BRC, while some had a combined board audit and risk committee (BARC). Only one small entity had no board committee, with the board allocating time for management reports and legal, risk and compliance matters in its agenda.

Most BRCs held quarterly meetings on regular risk reporting, with some scheduling additional meetings for specific topics or urgent issues. Some larger entities devoted the same amount of time to risk as the smaller ones, which was not proportional to their size, complexity or risk profile.

Board risk reporting has expanded over time and is expected to grow further due to increasing demand for granular, forward-looking risk information, greater board responsibilities and heightened regulatory scrutiny. To manage this, some entities have increased board time and refined reporting, including highlighting key messages up front to balance detail with expectations.

BRC discussions and decisions were regularly communicated to the board through written reports or verbal updates from the committee chair. It was common practice for all board members to attend BRC meetings, regardless of membership. This increases the risk of non-committee members influencing committee deliberations and decisions, which could lead to unintended outcomes, such as:
– blurring of accountability between the board and BRC; and
– heavy reliance being placed on committee discussions, with reduced board challenge and scrutiny of committee decisions and endorsements.

In many smaller entities, board and BRC minutes did not adequately capture challenges to risk reporting. Accurately recording these discussions is essential for accountability and transparency.

Good practices
– The board had sufficient risk expertise to cover all material risks of the entity and leveraged transferable skills to fill gaps and better oversee emerging and cross-cutting risks.
– Boards and BRCs regularly provided feedback on the quality and length of risk reports and information packs. This ensured the information was appropriately tailored for informed decision making and efficient use of governance time.
– Boards and BRCs had dedicated “board-only” or “committee-only” time in agendas to support independent judgement.
– Management risk committee minutes were provided to the BRC for its information, enhancing transparency and accountability.
– BRCs scheduled deep dives on risk topics in their work plans and remained flexible to address urgent issues. These sessions covered emerging risks and included technical meetings to improve understanding of risk management.
CRO and senior managers

The CRO should be involved in all material activities and decisions affecting the entity’s risk profile to ensure alignment with sound practices and the RMS and RAS.

We expect the CRO to:
– Maintain operational independence and manage any actual, potential and perceived conflicts of interest, including those arising from dual-hatting.
– Possess the technical skill, experience and capability required for the role and engage in ongoing professional development. Training should also be undertaken to fill any gaps and keep up to date with developments.
– Hold sufficient seniority and authority to effectively influence and challenge activities and decisions that may materially affect the entity’s risk profile.
– Have a dotted reporting line to the BRC to ensure effective governance.
– Engage regularly with the BRC, including private sessions without other management present and one-on-one meetings with the committee chair.

We expect senior management to actively manage risks within their areas, clearly define and communicate risk responsibilities, and collaborate effectively to address cross-cutting risks while promoting a strong risk culture.

The responsibility for day-to-day risk management rests with the entity’s senior management. The Chief Executive Officer (CEO) provides strategic oversight, ensures operations align with the RMS and RAS, and fosters risk awareness. They also hold senior management accountable for sound risk practices and ensure assurance and compliance functions are operating independently and effectively.

The CRO oversees risk management across the entity and provides independent, objective advice to senior management and the board. The role has evolved from having a compliance focus to a strategic, forward-looking one that integrates risk management into business planning. It has also grown in prominence due to increased regulatory expectations and risk complexity, reinforcing its importance in governance and decision making.

Small entities may not have a dedicated CRO role and may instead assign risk management responsibilities to an executive. This dual role can create actual, potential or perceived conflicts of interest that need to be identified and managed effectively.

What we found

Most entities had clearly documented the risk responsibilities delegated to the CEO and sub-delegated to the CRO and senior management. These were outlined in a range of documents, including the entity’s RMF, delegation framework or individual risk policies.

Banks had established management committees to provide oversight of material risks at the senior management level, ensuring dedicated focus. NBDTs did not have formal management committees in place but had regular risk meetings and discussions across management and teams.

All banks had a dedicated CRO role, while NBDTs had assigned risk responsibilities to executives who held other roles such as CEO, CFO and General Counsel. In cases of dual-hatting, entities did not actively assess whether an actual, potential or perceived conflict of interest existed.

CROs had varying levels of risk expertise and experience, ranging from very little prior experience or training to highly skilled risk professionals. Training and additional support for CROs to upskill and perform effectively in their role was not always provided.

All entities had clear, consistent processes for appointing the CRO, involving the BRC and the CEO. The process for terminating the CRO’s contract varied, with less clarity on the role of the board in smaller entities. Large banks had more formal, robust appointment and termination processes in place.

Dedicated CRO roles reported directly to the CEO and regularly engaged with the BRC through formal and informal interactions. However, CRO reporting lines were not always clearly documented, particularly the secondary line to the BRC, which supports their independence.

Good practices
– The CRO and the Head of Internal Audit had regular access to the BRC and BAC respectively. This included having dedicated time in committee meetings without other management present and one-on-one sessions with the committee chairs. This allows them to maintain their independence and raise delicate matters, and enables the committee to support them in their role.
– Committees and forums were established to assist senior management and the CRO in their oversight of material risk areas.

Three lines model and risk and assurance functions

The three lines model is an effective way for entities to strengthen their risk management, internal control and assurance processes.

The three lines model is a widely adopted framework for clarifying roles and responsibilities for managing risks across the entity. It helps to enhance accountability and strengthen independent oversight of the entity’s risk management activities. The implementation of the framework is largely dependent on the entity’s size and operational complexity. Regular communication and coordination across the three lines, supported by strong senior management and board oversight, is essential for effectively embedding the framework.

We focused primarily on the practices of the risk function and the role of internal audit in supporting effective risk management within entities.
The three lines model promotes clarity of risk responsibilities and enables entities to take a coordinated approach to risk management. Where entities maintain a three lines model, we expect them to ensure:
– Roles and responsibilities of each of the three lines are clearly defined, documented and communicated to all staff.
– Awareness and understanding of roles and responsibilities, supported by appropriate training.
– The effectiveness of the three lines is periodically assessed, and any identified weaknesses are promptly addressed.

We expect the risk function and internal audit to:
– Always maintain independence from operations.
– Be adequately resourced with the appropriate size, skills, experience and tools, proportionate to the entity’s complexity. Staff should engage in ongoing training and professional development to maintain expertise.
– Coordinate internal and external assurance activities to cover all material risks and avoid duplication of effort.
– Have sufficient access to the BRC and BAC respectively, and to the board where appropriate.

Key roles within the three lines model include:
– Business units (first line): own and manage risks within their areas of accountability. This includes identifying, assessing and mitigating risks; implementing effective controls; ensuring compliance with risk policies and procedures; and escalating breaches and material risk issues. The first line embeds risk management into day-to-day activities and decisions, forming the foundation of a strong risk culture.
– Risk and compliance functions (second line): oversee and challenge risk-taking activities to ensure material risks are identified, monitored and managed effectively. The second line sets the RMF and policies and evaluates the robustness of controls and mitigation strategies implemented by the first line. The risk function also plays a critical role in strengthening governance through risk reporting and promoting risk awareness across the entity by providing guidance and advice.
– Internal audit (third line): provides independent assurance on the effectiveness of the RMF, internal controls and governance processes. It identifies weaknesses and areas for improvement, supporting proactive risk management and compliance with internal policies and regulatory requirements.

What we found

Three lines

All banks had implemented a three lines model, though the maturity and operationalisation of the model varied across entities. Many had been working on their frameworks, structures and resourcing to strengthen the three lines and clarify roles and responsibilities.

NBDTs had not fully adopted the three lines model and showed inconsistent understanding of it, with some viewing the board as the third line in the absence of internal audit. While boards play a critical role in risk management and oversight, they do not substitute for independent assurance.

Some entities introduced a first line assurance function to help strengthen risk ownership and management within business units and to ensure controls are functioning effectively.

Most entities have found it challenging to maintain a clear separation between the first and second lines, which can compromise independence and create conflicts of interest. Despite this risk, many did not actively identify or manage conflicts. The blurring of roles was mainly driven by limited resources and a lack of clarity and understanding among first and second line staff regarding their roles and responsibilities.

Risk function (second line)

The size and maturity of risk functions was aligned with organisational size and complexity, with larger entities having more established functions and greater resources. Most risk functions are undergoing or have recently completed significant transformations, primarily focused on enhancing risk frameworks, policies and systems. However, some entities lacked a robust implementation plan, heightening execution risk. Subsidiaries of overseas banks leveraged group risk systems and had access to specialist risk personnel when needed.

Internal audit (third line)

All banks had an internal audit function, largely co-sourced with external providers. However, none of the NBDTs had an internal audit function in place. Some entities assessed their external provider’s performance, effectiveness and independence; however, the quality and robustness of these reviews varied.

Banks maintained multi-year, rolling risk-based audit plans, which were reviewed annually to reflect current priorities and risks. In developing audit plans, entities regularly engaged with senior management, business units, the risk function and the BAC to ensure high-priority risk and compliance areas were adequately covered. Some entities had limited flexibility to adjust their audit plans during the year due to resource and budget constraints. This may hinder their ability to address emerging risks promptly and reduces the relevance of their assurance programmes.

Good practices
– Some actions taken to clarify roles and responsibilities and strengthen independence across lines included:
  – Reviewing roles and responsibilities of the first and second lines to ensure appropriate separation.
  – Providing training, workshops and clear guidance to enhance understanding and awareness.
  – Regular engagement between the three lines to prevent overlaps, including developing Integrated Assurance Plans to coordinate assurance activity and avoid duplication.
  – Ensuring sufficient and adequately experienced staff across all three lines.
– Risk champions were appointed within business units to advocate and promote sound risk management practices and provide support, training and guidance to staff on risk-related matters and compliance with risk standards.
– Independent reviews of the three lines model and of the effectiveness of the risk management and internal audit functions were conducted to ensure they are fully embedded and operating effectively.
– External consultants and group internal audit were engaged to review and provide input on the internal audit plan, ensuring adequate coverage of material and emerging risks.

Next Steps

In addition to this report, all participating entities have received detailed feedback on our observations and recommendations. We will continue engaging with them on plans to address identified weaknesses and monitor progress.

All deposit taking entities, including those covered in this Review, must conduct a self-assessment against the expectations, findings, good practices and recommendations outlined, and take timely actions appropriate to their size, nature and complexity of risk profile. They should be prepared to discuss any shortfalls identified and their remediation plans with supervisors.

Given the relevance of these findings to other RBNZ-regulated entities, we encourage them to incorporate relevant recommendations into their risk management practices.

Findings from this Review have informed the draft guidance accompanying the Risk Management Standard issued under the Deposit Takers Act 2023. Exposure drafts of the standard and accompanying guidance will be released in February 2026, and we encourage all deposit takers to provide feedback.
Appendix A: Scope and approach

Scope

The scope of this Review focused on three core areas essential for effective risk management and a strong risk culture: risk management framework; risk governance and oversight; and risk management function. The Review assessed the policies, processes and practices within these areas. Further details on the specific aspects covered under each area are provided in Table 1 below.

Table 1: Additional details on the scope of the Review

Area of focus: Risk management framework
Sub-focus areas:
– Risk management strategy.
– Risk appetite, limits and tolerances.
– General risk management processes – identifying, assessing, mitigating, monitoring and managing risks.
– Policies and procedures supporting risk management.

Area of focus: Risk governance and oversight
Sub-focus areas:
– Roles and responsibilities of the board, BRC and senior management, particularly the CRO.
– Oversight and reporting to the board, BRC and senior management, including group reporting where applicable.

Area of focus: Risk management function
Sub-focus areas:
– Three lines model and its implementation, where applicable.
– Structure and reporting lines, including independence.
– Resourcing – staff and systems.

Sample

The sample for the Review consisted of nine deposit taking entities, representing a mix of banks and non-bank deposit takers of various sizes and natures of business. We intend to keep the sample confidential.

Approach

Our approach consisted of an information request followed by a desk-based review and engagement with entities, as detailed below.

Information request
Each entity completed a questionnaire and provided documents relating to their RMF, its key components and any related policies and procedures showing the implementation of the framework. Entities also provided documentation relating to the governance and oversight of the framework and the reporting of risk information to senior management, the board and the BRC.

Desk-based review
We conducted an in-depth review of the submitted information, assessing current practices against international practices and Basel risk management guidelines. For non-bank deposit takers, we also considered RBNZ’s 2009 risk management programme guidelines. To ensure alignment with upcoming regulatory requirements, we considered provisions in the draft risk management standard for deposit takers, which underwent industry consultation in 2025.

Onsite reviews
We engaged with thirty-four executives and eighteen directors across the sample, focusing on individuals with core risk management responsibilities. Interviews covered general and specific questions across the key focus areas.

Analysis and reporting
Information from the desk-based and onsite reviews was analysed to identify entity-specific findings, including good practices and areas for improvement. These informed industry-wide themes for inclusion in this report.

Limitations of the Review

We focused on policies, procedures and processes supporting the key components of the RMF, including its governance, oversight and implementation. We did not assess:
– The management of individual material risks or the appropriateness of risk appetite, tolerances and limits for each of those risks.
– The full implementation of the RMF and its key components throughout the entities. Discussions on implementation were largely limited to the development, review and approval of the overarching framework, RMS, RAS and related policies and procedures.
– Risk culture or other aspects such as internal capital and liquidity assessments, stress testing, contingency planning or crisis management.

The Review was based solely on documents and information provided by participating entities and insights gathered during onsite engagements.
Appendix B: Legislation and guidance references

We reviewed risk management legislation and guidance from various jurisdictions to establish benchmarks for good practice. The key reference materials consulted are summarised in Table 2 below. This list is not exhaustive.

Table 2: Key regulatory and supervisory reference materials (organisation, followed by key reference materials)

Australian Prudential Regulation Authority (APRA)
– Prudential Standard CPS 220 Risk management, 1 July 2019
– Prudential Guidance CPG 220 Risk management, April 2018

Basel Committee on Banking Supervision (BCBS)
– Basel Framework - Basel Core Principles (BCP), 25 April 2024
  – BCP 14 – Corporate governance
  – BCP 15 – Risk management process
  – BCP 26 – Internal control and audit

Office of the Superintendent of Financial Institutions (OSFI)
– Corporate Governance – Guideline (2018)

Prudential Regulation Authority (PRA)
– The PRA’s approach to banking supervision, 31 July 2023

Reserve Bank of New Zealand (RBNZ)
– Deposit Takers Non-core Standards summary of submissions and policy decisions, 8 October 2025
– Deposit Takers Non-core Standards consultation paper, 21 August 2024
– Deposit Takers Act 2023
– Risk Management Programme Guidelines for Non-bank Deposit Takers, July 2009

The US Federal Reserve
– Commercial Bank Examination Manual, October 2023, Section 4000 - Management activities and internal controls

The US Government Accountability Office (GAO)
– Review of Regulators’ Oversight of Risk Management Systems at a Limited Number of Large, Complex Financial Institutions, 18 March 2009
Appendix C: Glossary

Table 3: Glossary (term, followed by its meaning)

Board Risk Committee (BRC): Any board committee that has responsibility for overseeing risk management.

CRO: The Chief Risk Officer, or the executive or senior manager responsible for risk management within the entity.

Cross-cutting risks: Risks that do not fit into a single, traditional risk category (such as credit or liquidity risk for deposit takers). Cross-cutting risks span multiple risk categories and often multiple business units within an entity.

Data maturity: Includes the quality, governance and use of data in analysis, reporting and decision making.

Dual-hatting: Where the person responsible for risk management (the CRO) also holds another role at the entity, usually another executive role.

Good practice(s): Examples of good risk management practices we saw at one or more entities.

Material risks: A material risk includes financial and non-financial risks that could have an impact that is more than minor on: the safety and soundness of the deposit taker's business; or the ability of the deposit taker to comply with its prudential obligations.

Risk culture: The norms of behaviour for individuals and groups within an organisation that determine the collective ability to identify, understand, openly discuss and act on the organisation’s current and future risks.
Appendix D: Summary of expectations
The table below summarises the expectations we have set out in the detailed findings. These should be read in conjunction with the broader findings and recommendations in the report.

Table 4: Summary of expectations (focus area, followed by our expectations)

Risk management framework (RMF)
We expect the RMF to:
- Be comprehensive and proportionate to the entity's size, operations and the complexity of its risk profile.
- Cover all material risks and be forward looking.
- Be independently reviewed as a whole on a regular basis to ensure it is effective and fit for purpose.

Risk management strategy (RMS)
We expect the RMS to:
- Align with the entity’s strategic objectives and be tailored to its business model and risk exposure.
- Be reviewed and approved by the board annually.
- Be communicated clearly across the entity to ensure consistent understanding and application.
- Define key roles and responsibilities in risk management and governance, and identify all material risks and how they will be managed.

Risk appetite statement (RAS)
We expect entities to:
- Maintain a RAS for each material risk and for the entity overall.
- Ensure the RAS defines the risk appetite, how it will be measured, monitored and governed, and outlines clear tolerances and limits.
- Reflect these in policies and controls to support the operationalisation of the RAS and guide risk-taking decisions.
- Ensure the board reviews and approves the RAS annually, in alignment with strategic objectives.

Risk identification and assessment
We expect entities to ensure:
- Risk policies and processes are clearly documented, comprehensive and fit for purpose. They are reviewed and updated periodically to reflect any internal and external changes.
- Risk assessments are well documented and communicated, including the rationale, assumptions and methodologies used.
- Criteria for determining material risks are clearly defined.
- Risk taxonomies are well defined to enable consistent identification and classification of material risks and to support monitoring and oversight.
- The board and senior management are actively involved in reviewing and challenging risk assessments.

Risk mitigation and control
We expect entities to maintain a robust internal control framework that includes:
- Implementing effective mitigations and controls aligned with risk appetite and embedded in daily operations.
- Documenting, maintaining and regularly reviewing mitigation strategies for all material risks.
- Regularly reviewing and assessing controls for functionality and effectiveness, supported by independent assurance. Appropriate and timely actions should be undertaken to address weaknesses.
- Clearly delineating responsibilities for control design, implementation, testing and assurance.
- Adequate oversight by the board and senior management, including challenging the effectiveness of mitigation strategies and controls.

Risk monitoring and reporting
We expect entities to maintain robust risk monitoring and reporting mechanisms to support effective and transparent risk management. This includes:
- Proactively monitoring all material and emerging risks on an ongoing basis.
- Maintaining and periodically reviewing the policies, procedures and systems that enable effective risk monitoring and reporting.
- Ensuring risk reports provide clear visibility of the risk profile and a comprehensive, accurate and timely overview of material risks, breaches and corrective actions.
- Defining board expectations for risk reporting and escalation from management, the risk function and internal audit.
- Promptly escalating material risk issues and breaches of limits, supported by documented procedures outlining timeframes, ownership and response actions.

Board and Board Risk Committee (BRC)
We expect boards to ensure:
- Risk responsibilities are clearly defined and communicated across the entity.
- Delegated risk responsibilities are monitored and periodically reviewed to ensure they remain appropriate.
- There is a dedicated board committee to oversee risk management. Some small, less complex entities may not warrant a dedicated committee; in these cases the board should allocate sufficient time for risk oversight and challenge at its meetings.
- They have the appropriate independence, experience, skill and capacity to oversee risk management effectively, including banking and risk experience. Where necessary, they should seek independent advice from internal and external experts.
- Management assumptions, recommendations and decisions on risk matters are actively challenged and appropriately documented.
- A strong risk culture throughout the entity.

Chief Risk Officer (CRO) and senior managers
We expect the CRO to:
- Maintain operational independence and manage any actual, potential or perceived conflicts of interest, including those arising from dual-hatting.
- Possess the technical skill, experience and capability required for the role and engage in ongoing professional development. Training should also be undertaken to fill any gaps and keep up to date with developments.
- Hold sufficient seniority and authority to effectively influence and challenge activities and decisions that may materially affect the entity’s risk profile.
- Have a dotted reporting line to the BRC to ensure effective governance.
- Engage regularly with the BRC, including private sessions without other management present and one-on-one meetings with the committee chair.

We expect senior management to:
- Actively manage risks within their areas and clearly define and communicate risk responsibilities.
- Collaborate effectively to address cross-cutting risks while promoting a strong risk culture.

Three lines model and risk and assurance functions
Where entities maintain a three lines model, we expect them to ensure:
- The roles and responsibilities of each of the three lines are clearly defined, documented and communicated to all staff.
- Awareness and understanding of roles and responsibilities, supported by appropriate training.
- The effectiveness of the three lines is periodically assessed, and any identified weaknesses are promptly addressed.

We expect the risk function and internal audit to:
- Always maintain independence from operations.
- Be adequately resourced with the appropriate size, skills, experience and tools, proportionate to the entity’s complexity. Staff should engage in ongoing training and professional development to maintain expertise.
- Coordinate internal and external assurance activities to cover all material risks and avoid duplication of effort.
- Have sufficient access to the BRC and BAC respectively, and to the board where appropriate.