19.Firm-wide risk management programmes must include detailed policies that set specific firm-wide prudential limits on the principal risks relevant to a bank’s activities. Additionally, a bank must have a clearly defined risk appetite for market conduct risk (non-prudential risks). A bank’s policies and procedures must provide specific guidance for the implementation of broad business strategies and must establish, where appropriate, internal limits for the various types of risk to which the bank may be exposed. These limits must consider the bank’s role in the financial system and be defined in relation to the bank’s capital, total assets, and earnings or, where adequate measures exist, its overall risk level.

20.A bank’s policies, procedures and limits must:

1. i.Provide for adequate and timely identification, measurement, monitoring, control and mitigation of the risks (prudential and market conduct risks) posed by its lending, investing, trading, securitisation, off-balance sheet, fiduciary and other significant activities at the business line and firm wide levels;
2. ii.Ensure that the economic substance of a bank’s risk exposures, including reputational risk and valuation uncertainty, are fully recognised and incorporated into the bank’s risk management processes;
3. iii.Be consistent with the bank’s stated requirements and objectives, as well as its overall financial strength;
4. iv.Clearly define accountability and lines of authority across the bank’s various business activities, and ensure there is a clear separation between business lines and the risk management function;
5. v.Escalate and address breaches of internal position limits;
6. vi.Provide for the review of new businesses and products by bringing together all relevant risk management, control and business lines to ensure that the bank is able to manage and control the activity prior to it being initiated; and
7. vii.Include a schedule and process for reviewing the policies, procedures and limits and for updating them as appropriate.