14.It is the responsibility of the Board of Directors and senior management to define the bank’s risk appetite and to ensure that the bank’s risk management framework includes detailed policies and methodologies that set specific firm-wide prudential limits on the bank’s activities, which are consistent with its risk taking appetite and capacity. In order to determine the overall risk appetite, the board and senior management must first have an understanding of risk exposures on a firm-wide basis. To achieve this understanding, senior management must bring together the perspectives of the key business and control functions. In order to develop an integrated firm-wide perspective on risk, senior management must overcome organisational silos between business lines and share information on market developments, risks and risk mitigation techniques. Senior management must establish a risk management process that is not limited to credit, market, liquidity and operational risks, but incorporates all material risks. This includes reputational, legal, anti-money laundering, conduct risk and strategic risks, as well as risks that do not appear to be significant in isolation, but when combined with other risks could lead to material losses. The analysis of a bank’s current and future capital requirements in relation to its strategic objectives is a vital element of the strategic planning process. The strategic plan must clearly outline the bank’s capital needs, anticipated capital depletion expenditures, minimum internally assessed required capital level, and external capital sources. Senior management and the board must view capital planning as a crucial element in being able to achieve its desired strategic objectives.

15.The board of directors and senior management must possess sufficient knowledge of all major business lines to ensure that appropriate policies, controls and risk monitoring systems are effective. They must have the necessary expertise to understand the capital markets activities in which the bank is involved – such as securitisation and off-balance sheet activities – and the associated risks. The board and senior management must remain informed on an on-going basis about these risks as financial markets, risk management practices and the bank’s activities evolve. In addition, the board and senior management must ensure that accountability and lines of authority are clearly defined.

16.With respect to new or complex products and activities, senior management must understand the underlying assumptions regarding business models, valuation and risk management practices. In addition, senior management must evaluate the potential risk exposure if those assumptions fail.

17.Before embarking on new activities or introducing products new to the bank, the board and senior management must identify and review the changes in firm-wide risks arising from these potential new products or activities and ensure that the infrastructure and internal controls necessary to manage the related risks are in place. In this review, a bank must also consider and address the possible difficulty in valuing the new products and how they might perform in a stressed economic environment. It is also the responsibility of the banks to assess prudential and market conduct risks when reviewing new products or activities.

18.A bank’s risk function and its Chief Risk Officer (CRO) or equivalent position must be independent of the individual business lines and report directly to the bank’s Board of Directors. In addition, the risk function must highlight to senior management and the board risk management concerns, such as risk concentrations, violations of risk appetite limits as well as violations of minimum internally set capital requirements.