Article 2: Risk Governance Framework
- 1. A bank must establish, implement and maintain a risk governance framework that enables it to identify, assess, monitor, mitigate and control risk. The risk governance framework consists of policies, processes, procedures, systems and controls.
- 2. The risk governance framework must be documented and approved by the Board and must provide for a sound and well-defined framework to address the bank's risks.
- 3. The risk governance framework will vary with the specific circumstances of the bank, particularly the risk profile, nature, size and complexity of its business and structure. A bank must incorporate the following minimum elements into its risk governance framework or demonstrate to the Central Bank that its framework meets the requirements for a comprehensive approach to risk management without the presence of all of the elements set out below:
- a. Board: the board must approve, maintain and oversee the bank’s risk governance framework, including the risk appetite statement; risk limits by legal entity, business line or management unit consistent with the risk appetite statement; and policies and procedures to implement a comprehensive approach to risk management.
- b. Board risk committee: pursuant to a charter or terms of reference approved by the board, the board risk committee must (a) review and recommend the establishment of and revisions to the bank’s risk governance framework and (b) oversee its implementation by senior management.
- c. Board audit committee: pursuant to a charter or terms of reference approved by the Board, the board audit committee must oversee the independent assessment of the risk governance framework by the internal audit function and the internal audit function’s independent assessment of implementation of the bank’s comprehensive approach to risk management.
- d. Management risk committee: the management risk committee must develop and recommend the overall risk strategy, the risk governance framework and the risk appetite statement to the board or to the board risk committee and must be accountable for an effective bank-wide approach to risk management and for the communication of the comprehensive approach to risk management across the bank.
- e. Risk management function: headed by the chief risk officer (CRO) or equivalent, the risk management function must develop metrics relevant to the risk appetite statement, monitor and report on the risk metrics, escalate breaches and conduct stress tests.
- f. Compliance function: the compliance function must verify that compliance policies are observed and must report to senior management or the board, as appropriate, on how the bank is managing its compliance risk.
- g. Internal audit function: the internal audit function must provide independent assurance to the board and senior management on the quality and effectiveness of a bank’s internal control and risk management policies, procedures and systems, including measurement methodologies and assumptions. It reports directly to the board audit committee.
- h. Business line management: must receive and operationalize risk limits, establish procedures to identify and control risks including monitoring and escalation of breaches and report on risk metrics.
- 4. In defining and assessing risks, a bank must consider both the probability of the risk materializing and its potential impact on the bank. In assessing the potential impact of a risk, a bank must assess factors including but not limited to: (a) potential disruption of the bank’s business operations; (b) effect on profitability, liquidity, capital adequacy and regulatory compliance; and (c) ability of the bank to meet its obligations to its customers or other counterparties.
- 5. A bank’s risk governance framework must address all material risks, which, at a minimum, must include the following items:
- a. Credit risk;
- b. Market risk;
- c. Liquidity risk;
- d. Operational risk;
- e. Risks arising from its strategic objectives and business plans; and
- f. Other risks that singly, or in combination with different risks, may have a material impact on the bank.
- 6. The Board is responsible for the implementation of an effective risk culture and internal controls across the bank and its subsidiaries, affiliates and international branches. The board-approved risk governance framework must incorporate a “three lines of defense” approach, including senior management of the business lines, the control functions of risk management and compliance, and an independent and effective internal audit function:
- a. Business line management - identification and control of risks
- i. Manage and identify risks in the activities of the business line;
- ii. Ensure activities are within the bank’s risk appetite, risk management policies and limits;
- iii. Design, implement and maintain effective internal controls; and
- iv. Monitor and report on business line risks.
- b. Risk management function - sets standards and challenges business lines
- i. Headed by the CRO or equivalent;
- ii. Establish bank-wide or, if applicable, group-wide risk and control strategies and policies;
- iii. Provide oversight and independent challenge of business line accountabilities;
- iv. Develop and communicate risk and control procedures; and
- v. Monitor and report on compliance with risk appetite, policies and limits.
- c. Compliance function - assess bank-wide adherence to requirements
- i. Develop and communicate compliance policies and procedures; and
- ii. Monitor and report on compliance with laws, corporate governance rules, regulations, regulatory codes and policies to which the bank is subject.
- d. Internal audit function - independent assurance
- i. Independently assess the effectiveness and efficiency of the internal control, risk management and governance systems and processes; and
- ii. Independently assess the effectiveness of business line management in fulfilling their mandates and managing risk.
- 7. The Board must ensure that the risk management, compliance and internal audit functions are properly staffed and resourced and carry out their responsibilities independently and effectively. This includes unrestrained access to all kinds of information needed for the risk management, compliance and internal audit functions to fulfil their tasks.
- 8. The Board must review policies annually and controls on a regular basis with senior management and with the heads of the risk management, compliance and internal audit functions to identify and address significant risks and issues, as well as determine areas that need improvement.
- 9. The Board must provide oversight of senior management. It must hold members of senior management accountable for their actions and enumerate the consequences if those actions are not aligned with the board’s expectations. This includes adhering to the bank’s values, risk appetite and risk culture, regardless of financial gain or loss to the bank.
- 10. Senior management must implement, consistent with the direction given by the board, policies, procedures, systems and controls for managing the risks to which the bank is exposed and for complying with laws, Central Bank regulations and internal policies. This includes comprehensive and independent risk management, compliance and audit functions, as well as an effective overall system of internal controls.
- 11. Senior management must provide the board with the information it needs to carry out its responsibilities, including the supervision of senior management and assessment of the quality of senior management’s performance.
Risk Appetite Statement
- 12. The risk appetite statement is a written articulation of the aggregate level and types of risk that a bank will accept or avoid in order to achieve its business objectives. At a minimum, it must include the following items:
- a. For each material risk, the maximum level of risk that the bank is willing to operate within, expressed as a limit in terms of:
- i. Quantitative measures expressed relative to earnings, capital, liquidity or other relevant measures as appropriate; and
- ii. Qualitative statements or limits as appropriate, particularly for reputation, compliance and legal risks.
- b. Delineation of any categories of risk the bank is not prepared to assume;
- c. The process for ensuring that risk limits are set at an appropriate level for each risk, considering both the probability of loss and the magnitude of loss in the event that each material risk is realized;
- d. The process for monitoring compliance with each risk limit and for taking appropriate action in the event that it is breached; and
- e. The timing and process for review of the risk appetite and risk limits.
- 13. Quantitative risk limits and metrics may include, but are not limited to:
- a. Capital targets beyond regulatory requirements, such as economic capital or capital-at-risk;
- b. Various liquidity ratios and survival horizons;
- c. Net interest income volatility;
- d. Earnings-at-risk;
- e. Value at risk (VaR);
- f. Risk concentrations by internal or external rating;
- g. Expected loss ratios;
- h. Growth ceilings by asset type, business line or type of exposure;
- i. Economic value added; and
- j. Stressed targets for capital, liquidity and earnings.
Policies and Procedures
- 14. A bank must have a board-approved risk management policy, which includes identifying, measuring, evaluating, monitoring, reporting and controlling or mitigating all internal and external sources of material risk. The overarching risk management policy document must reflect an understanding of the risks arising from the bank’s business activities and the relationships among those risks.
- 15. A bank’s documented policies and procedures for risk management must, at a minimum, address the following:
- a. Details of board oversight of risk management, including regular review of risk management policies, review and approval of the risk appetite statement and regular and ad hoc reporting on risk management by senior management, the risk management function, compliance function and internal audit to the Board or committee of the board;
- b. The role and responsibilities of the board risk committee, documented through an appropriate charter or terms of reference;
- c. A process for the identification of material risks, which is likely to be undertaken by a senior management committee overseen by the Board or board risk committee;
- d. A process for ensuring there is a bank-wide or, if applicable, group-wide view that includes identifying, measuring, evaluating, monitoring and controlling risks and that the risk culture is disseminated throughout the bank or, if applicable, the group, which will involve senior executives, often through a management risk committee or other senior executive committee, as well as the risk management function;
- e. Establishment of an effective control environment including measures embedded in the business lines such as delegated levels of authority, segregation of duties and physical controls such as dual custody, as well as the role of the risk management function in setting standards and challenging the business lines, an independent compliance function to monitor adherence to legal and regulatory requirements as well as internal compliance policies and internal audit to provide independent assurance; and
- f. Ensuring that the bank’s data architecture and information technology systems adequately support the bank’s comprehensive approach to risk management with timely and accurate reporting in readily usable formats.
- 16. A bank must have an appropriate level of granularity in its policies and procedures. Smaller banks with minimal trading activities may address market risks in a single set of policies and procedures, while larger and more complex banks must address market risks in detailed policies and procedures for individual types of market risk. A bank that outsources functions must have specific risk management policies and procedures related to the outsourcing.
Internal Capital Adequacy Assessment Process (ICAAP)
- 17. A bank must have a formal documented process for assessing its overall capital adequacy in relation to its risk profile and a strategy for maintaining its capital levels above regulatory minimum requirements. The assessment must be documented and submitted annually to the Central Bank for review (ICAAP Report).
- 18. A bank must demonstrate the following in its documented ICAAP:
- a. Board and senior management oversight;
- b. Elements of a sound capital assessment process. This includes policies and procedures designed to ensure that the bank identifies, measures and reports all material risks; policies and procedures relating capital and capital adequacy goals to the level of risk; and policies and procedures for internal control to ensure the integrity of the overall management process;
- c. Comprehensive assessment of risks, notably credit, market, operational, interest rate, concentration, liquidity and other risks;
- d. Monitoring and reporting of risk exposure and related capital needs; and
- e. Internal control review, including the role of internal and external audit where appropriate.