(a) Are measured, monitored and controlled by appropriate, effective and prudent risk management systems commensurate with the scope of the licensee's activities. These should pro-actively identify as well as monitor risk. The systems should produce information on a timely basis, and in a form and quality appropriate to the needs of the different recipients;

(b) Are supported by an appropriate control environment. The risk management and financial reporting functions must be independent of business lines and must be run by individuals not involved with the day-to-day running of the various business areas; and

(c) Make effective use of the work of internal and external auditors. The internal audit function should be independent of the senior management, reporting to the Board. The Board should ensure that the external audit firm and its partners are truly independent of the licensee and have no financial or other relationship with the licensee. Audit findings should be used as an independent check on the information received from management about the licensee's operations and performance and the effectiveness of internal controls.