
But the messaging is sharper. It’s not just having risk management documented, it’s making it work (which is, after all, the point).
Reading the paper is time well spent for all deposit-takers (and those aspiring), as is proceeding with the “self-assessment against the expectations, findings, good practices and recommendations outlined” in the report, which RBNZ make clear is a “must” do supervisory expectation.
A few observations:
RBNZ observed that institutions now have risk frameworks in place. But what stood out in the review were organisations that could demonstrate:
Gaps included non-financial risk and having fit-for-purpose tools in place.
Risk appetite remains one of the weakest areas. The RBNZ is clear that risk appetite and risk management strategy should be:
If risk appetite doesn’t affect how decisions are made, supervisors are unlikely to view it as effective, no matter how well written it is.
The review highlights better practice where boards:
The report also notes variation in CRO effectiveness, particularly where CRO roles are “dual-hatted”, calling out the need to ensure development is strong and teams are sufficiently resourced.
Most organisations say they operate a three lines model. In practice, though, RBNZ found:
RBNZ’s expectations for risk reporting are simple: it needs to be clear, timely, accurate and decision-useful. To achieve this, firms need better use of technology and data.
The RBNZ review feeds into the upcoming Risk Management Standard under the Deposit Takers Act (DTA), with exposure drafts expected in 2026 and implementation from 2028.
The institutions that will be best placed are the ones using this time to review their existing frameworks for effectiveness and putting in place programmes for continuous improvement now.
Mosaic is always happy to talk with clients about their DTA and Risk Management needs.

Read the RBNZ Risk Management Thematic Report.
