HC-3.5.7
The risk committee must, at minimum:
(a) Recommend the appointment or removal of the Chief Risk Officer (CRO) or equivalent. The licensee must also discuss the reasons for removal with the CBB;
(b) Discuss all risk strategies on both an aggregated basis and by type of risk, and make recommendations to the Board on these strategies and on the risk appetite;
(c) Ensure that:
i. Risks are identified, measured, aggregated, controlled, mitigated, monitored and reported on an ongoing basis across all business lines, the licensee as a whole, its subsidiaries and overseas branches (if any);
ii. Risk identification and measurement include both quantitative and qualitative elements;
iii. Each key risk has a policy, process and controls;
iv. The licensee has sufficient and robust management information system and policies, supported by appropriate control procedures and processes, designed to ensure that the licensee’s risk identification, measurement, aggregation, controlling, mitigation, monitoring and reporting capabilities are commensurate with the licensee’s size, complexity and risk profile. The sophistication of the licensee’s risk management information system and internal control infrastructure must keep pace with changes to the licensee’s risk profile, the external risk landscape and industry practices;
v. The licensee’s risk management infrastructure, including a sufficiently robust data infrastructure, data governance and architecture and information technology infrastructure keeps pace with developments such as balance sheet and revenue growth, increasing complexity of the licensee’s business, risk configuration or operating structure, geographical expansion, mergers and acquisitions, or the introduction of new products or business lines;
vi. Senior management has in place processes to promote the licensee’s adherence to the approved risk policies and risk appetite;
vii. The licensee’s policies must determine the key management decisions that must be taken by more than one person;
viii. The licensee has adequate communication about risk, both across the organisation and through reporting to the Board and senior management;
ix. The licensee has a strong risk culture that promotes risk awareness and encourages open communication and challenge about risk-taking across the organisation as well as vertically to and from the Board and senior management; and
x. The licensee has adequate escalation procedures on risk-related matters.
(d) Advise the Board on the licensee’s risk appetite, overseeing senior management’s implementation of the RAS, reporting on the state of risk culture in the licensee, and interacting with and overseeing the CRO;
(e) Oversee the strategies for capital and liquidity management as well as for all relevant risks of the licensee, such as credit, market, operational, interest rate risk in the banking book and reputational risks, to ensure that they are consistent with the stated risk appetite;
(f) Commission every five years a quality review of the effectiveness and efficiency of the risk management framework and function by a third-party consultant, other than the external auditor. The results of such independent review must be provided to the CBB by 31st May of the relevant year. More specifically, a conventional bank licensee must undertake the reviews referred to above with regard to the following individual areas that are relevant to the risk management framework:
i. ICAAP Framework referred to in Module IC;
ii. Capital adequacy requirements under Module CA;
iii. Recovery and resolution planning (RRP) and related documents referred to in Module DS;
iv. Credit risk management framework and compliance with Module CM;
v. Operational risk management framework and compliance with Module OM;
vi. Stress testing framework included in Module ST;
vii. Liquidity risk management framework and compliance with Module LM; and
viii. Compliance with Module RR.
(g) Receive regular reporting and communication from the CRO and other relevant functions about the licensee’s current risk profile, current state of the risk culture, utilisation against the established risk appetite and limits, limit breaches and mitigation plans.
Added: April 2023