Licensees must have adequate risk management and approval processes for new or expanded products or services, lines of business and markets, outsourcing arrangements as well as for large and complex transactions. If such processes are not in place, a new product, service, business line or third-party relationship or major transaction must be delayed. There must also be a process to assess risk and performance relative to initial projections and to adapt the risk management treatment accordingly as the business matures. The risk management function must provide input on risks as part of such processes and on the outsourcer’s ability to manage risks and comply with legal and regulatory obligations. Such processes must entail the following:
(a) A full assessment of risks under a variety of scenarios as well as an assessment of potential shortcomings in the ability of the licensee’s risk management and internal controls to effectively manage associated risks; and
(b) An assessment of the extent to which the licensee’s risk management, legal and regulatory compliance, information technology, internal control and business functions have adequate tools and the expertise necessary to measure and manage related risks.
Added: April 2023
