• Risk Management

    • HC-6.5.33

      Internal audit must include in its scope the following aspects of risk management:

      (a) The organisation and mandates of the risk management function including market, credit, liquidity, interest rate and operational risks;
      (b) Evaluation of risk appetite, escalation and reporting of issues and decisions taken by the risk management function;
      (c) The adequacy of risk management systems and processes for identifying, measuring, assessing, controlling, responding to, and reporting on all the risks resulting from the bank's activities;
      (d) The integrity of the risk management information systems, including the accuracy, reliability and completeness of the data used;
      (e) The approval and maintenance of risk models including verification of the consistency, timeliness, independence and reliability of data sources used in such models;
      (f) Information technology and information security;
      (g) The bank's system for identifying and measuring its regulatory capital and assessing the adequacy of its capital resources in relation to the bank's risk exposures and established minimum ratios; and
      (h) The review of management's process for stress testing its capital levels, taking into account the frequency of such exercises, their purpose (e.g., internal monitoring vs. regulator imposed), the reasonableness of scenarios and the underlying assumptions employed, and the reliability of the processes used.

      Added: April 2018

    • HC-6.5.34

      When the risk management function has not informed the board of directors about the existence of a significant divergence of views between senior management and the risk management function regarding the level of risk faced by the bank, the head of internal audit must inform the audit committee about this divergence.

      Added: April 2018