HC-8.1.7
The CRO must:
(a) Be actively engaged, together with management, in monitoring performance relative to risk-taking and risk limit adherence;
(b) Manage and participate in key decision-making processes (e.g. Strategic planning, capital and liquidity planning, new products and services, compensation design and operation);
(c) Be independent and have duties distinct from other executive function. This means that he must not have managerial or financial responsibility or approval authority related to any business lines or revenue-generating functions, and there must be no “dual hatting”, i.e. other approved persons within senior management must not serve as the CRO.
(d) Have access to any information necessary to perform his duties;
(e) Report directly to the risk committee without impediment, and administratively to the CEO;
(f) Have the ability to interpret and articulate risk in a clear and understandable manner and to effectively engage the risk committee and senior management in a constructive dialogue on key risk issues;
(g) Meet regularly with the non-executive directors, the board or its risk committee without executive directors and the CEO being present;
(h) Keep the risk committee and senior management apprised of the assumptions used in and potential shortcomings of the licensee’s risk models and analyses;
(i) Consistently remind all staff, through a regular process, under the sponsorship of the CEO, of the risk management requirements to ensure a common understanding of these requirements across the licensee ; and
(j) Ensure that:
i. Risk reporting to the risk committee is carefully designed to convey bank-wide, individual portfolio and other risks in a concise and meaningful manner. Reporting must accurately communicate risk exposures and results of stress tests or scenario analyses and must provoke a robust discussion of, for example, the bank’s current and prospective exposures (particularly under stressed scenarios), risk/return relationships and risk appetite and limits. Reporting must also include information about the external environment to identify market conditions and trends that may have an impact on the bank’s current or future risk profile;
ii. Material risk-related ad-hoc information that requires immediate decisions or reactions is promptly presented to senior management and, as appropriate, the risk committee, the responsible officers and, where applicable, the heads of control functions so that suitable measures and activities can be initiated at an early stage; and
iii. The licensee has accurate internal and external data to be able to identify, assess and mitigate risks.
Added: April 2023