Independent Risk Management Function and Chief Risk Officer
HC-6.6.4
All
Conventional bank licensees must establish an independent Risk Management function and appoint a head of risk management function, referred to as Chief Risk Officer ('CRO') or any equivalent title. The function must be independent of the individual business lines and report directly to the Board of Directors or its Audit or Risk Committees and administratively to the Chief Executive Officer ('CEO'). The role of the CRO must be independent and distinct from other executive functions and business line responsibilities, and there must be no 'dual hatting' (i.e. the chief operating officer, CFO, chief auditor or other senior management personnel must not also serve as the CRO).
Added: July 2018
HC-6.6.5
For branches of foreign bank licensees, and where no local board of directors exists, all references in this Module to the board of directors should be interpreted as the Head Office/ Regional Office.
Added: July 2018
HC-6.6.6
[This Paragraph was deleted in October 2019].
Deleted: October 2019
Added: July 2018
HC-6.6.7
Branches of foreign bank licensees operating in Bahrain have the choice of having an in-house risk management function in Bahrain or to outsource such role to their regional or Head offices.
Amended: October 2019
Added: July 2018
HC-6.6.8
The CRO should have the ability to interpret and articulate risk in a clear and understandable manner and to effectively engage the board and management in constructive dialogue on key risk issues. The CRO should also not have any management or financial responsibility in respect of any operational business lines or revenue-generating functions. Interaction between the CRO and the board should occur regularly and be documented adequately. Non-executive board members should have the right to meet regularly — in the absence of senior management — with the CRO.
Added: July 2018
HC-6.6.9
The CRO has primary responsibility for overseeing the development and implementation of the bank's risk management framework. This includes the ongoing strengthening of risk management staff skills and enhancements to risk management systems, policies, processes, quantitative models and reports as necessary to ensure that the bank's risk management capabilities are sufficiently robust and effective to fully support its strategic objectives and all of its risk-taking activities. The CRO is responsible for supporting the board and the Risk Committee, as appropriate, in its engagement with and oversight of the development of the bank's risk strategy, risk appetite statement ('RAS') and for translating the risk appetite into a risk limits structure.
Added: July 2018
HC-6.6.10
The risk management function must have access to all business lines that have the potential to generate material risk to the Conventional bank licensee as well as to relevant risk-bearing subsidiaries.
Added: July 2018
HC-6.6.11
The CRO, together with management, must be actively engaged in monitoring performance relative to risk-taking and risk limit adherence. The CRO's responsibilities also include participating in key decision-making processes (e.g. strategic planning, capital and liquidity planning, new products and services development and compensation design and operation).
Added: July 2018
HC-6.6.12
The CRO must have sufficient organisational stature, authority, seniority within the organisation and necessary skills to oversee the Conventional bank licensee's risk management activities.
Added: July 2018
HC-6.6.13
Appointment, dismissal and other changes to the CRO position must be approved by the board or its Risk/ Audit Committee. If the CRO is removed from his or her position for any reason, this must be disclosed publicly. The bank must also discuss the reasons for such removal with the CBB. The CRO's performance, compensation and budget must be reviewed and approved by the board Remuneration Committee.
Added: July 2018