  • Chapter 10: Risk Management

    • Introduction

      Risk management refers to the practice of identifying potential risks in advance and then measuring, evaluating, recording, mitigating and monitoring them in order to reduce their impact on the business of a Licensed Person. The Risk Management function must recognize the full range of risks associated with the business and must mitigate them effectively. This chapter provides standards for an effective Risk Management Framework to be implemented by a Licensed Person.

    • 10.1 Risk Management Function

      10.1.1 The ultimate responsibility for the formulation and implementation of an effective risk management framework lies with the Board of Directors (or with the Owner/Partners where there is no Board of Directors);
      10.1.2 The Licensed Person must maintain a Risk Management Policy approved by the Board of Directors (or by the Owner/Partners where there is no Board of Directors);
      10.1.3 The Licensed Person must designate a Risk Officer who must be given the overall responsibility of the risk management function;
      10.1.4 Depending on the nature, size and complexity of the business, the Licensed Person may appoint a dedicated Risk Officer or combine this role with another suitable function, subject to the conditions under Paragraph 7.2.4 (a) of Chapter 7 and Paragraphs 16.4.7 (a) and 16.5.1 (g) of Chapter 16; and
      10.1.5 The Risk Management Policy must be reviewed annually and updated if necessary.
    • 10.2 Risk Register

      10.2.1 The Risk Register is the record where the results of risk analysis, whether qualitative or quantitative, are logged, including the mitigating measures and risk ownerships;
      10.2.2 The Licensed Person must maintain a Risk Register in the appropriate format with the following information at a minimum:
        a) Risk Item;
        b) Description of Risk Item;
        c) Probability/Likelihood;
        d) Impact/Consequence;
        e) Risk Ranking;
        f) Mitigation Measures;
        g) Contingency Plan;
        h) Risk Ownership; and
        i) Deadlines for implementing mitigating measures.
      10.2.3 The Risk Register must be reviewed at least quarterly to ensure that it is updated with upcoming, relevant risks and appropriate mitigating measures; and
      10.2.4 Periodical reports on actions initiated to mitigate the various risks must be submitted to the Board of Directors (or to the Owner/Partners where there is no Board of Directors).
    • 10.3 Types of Risks

      The risk management function at the Licensed Person must identify, evaluate, mitigate and monitor the following risks at a minimum:

      10.3.1 Operational Risk
        a) Operational risk is defined as the risk of loss resulting from inadequate or failed processes, people and systems, or from external events.
      10.3.2 Market Risk (Currency Rate Risk)
        a) Market risk is the risk that the value of an asset may decrease due to movements of market factors;
        b) The most important type of market risk for a Licensed Person is the risk of fluctuation in foreign currency rates; and
        c) The Licensed Person must ensure that all market forces are continuously evaluated for prudent management of market risk.
      10.3.3 Counterparty Risk
        a) Counterparty risk is the risk that the other party to an agreement may default. The Licensed Person must identify, measure, monitor and control counterparty risk prior to establishing the business relationship; and
        b) Exposure limits assigned to counterparties must be continuously monitored.
      10.3.4 Compliance Risk
        a) Compliance risk is the exposure to legal penalties, financial penalties and material losses that the Licensed Person faces when it fails to act in accordance with applicable Laws, Rules, Regulations, Notices and the Standards.
      10.3.5 Reputational Risk
        a) Reputational risk is the risk of loss resulting from damage to a Licensed Person’s reputation, such as loss of revenue or increased operating, capital or regulatory costs; and
        b) Reputational risk includes the risk to the country’s image resulting from unacceptable business practices of the Licensed Person.
      10.3.6 Security Risk
        a) Information security risk arises from unauthorized access to information or systems, which can result in unauthorized use of such information or systems; and
        b) A Licensed Person must refer to Chapter 13 on General Security and Chapter 14 on Information Security for illustrative mitigating measures.
      10.3.7 Money Laundering/Terrorist Financing Risk
        a) Money laundering risk is the risk of the Licensed Person being involved, whether deliberately or not, in transforming the proceeds of a crime into apparently legitimate money or other assets. The risk arising from financing terrorism, directly or indirectly, is also included here; and
        b) Licensed Persons must refer to Chapter 16 on AML/CFT Compliance to understand the expectations of the Central Bank regarding the measures to be implemented in order to prevent money laundering and to combat terrorist financing.