HC-8.1.4
Key activities of the risk management function must include:
(a) Implementing an enterprise-wide risk governance framework that includes appropriate policies, procedures and limits;
(b) Identifying material individual, aggregate and emerging risks, including risks arising from potential mergers and acquisitions and hard-to-quantify risks, such as reputational risk;
(c) Regularly and on an ad-hoc basis, evaluating the risks faced by the licensee and its overall risk profile. The risk assessment process must include ongoing analysis of existing risks as well as the identification of new or emerging risks. The results of such assessments must be reported to both the Risk Committee and senior management;
(d) Ongoing monitoring of the risk-taking activities and risk exposures in line with the Board-approved risk policies and appetite;
(e) Establishing an early warning or trigger system for breaches of the licensee’s risk appetite or limits;
(f) Using risk measurement and modelling techniques in addition to qualitative risk analysis and monitoring;
(g) Evaluating possible ways to mitigate risk exposures;
(h) Reporting regularly to the Risk Committee and senior management on risks, including, but not limited to, material exemptions and risk-mitigating actions;
(i) Regularly comparing actual performance against risk estimates (i.e. backtesting) to assist in judging the accuracy and effectiveness of the risk management process and making necessary adjustments; and
(j) Challenging decisions that give rise to material risk.
Added: April 2023