37.The bank must establish an adequate system for monitoring and reporting risk exposures and assessing how the bank’s changing risk profile affects the need for capital. The bank’s senior management or board of directors must, on a regular basis, receive reports on the bank’s risk profile and capital needs. These reports must allow senior management to:

1. i.Evaluate the level and trend of material risks and their effect on capital levels;
2. ii.Evaluate the sensitivity and reasonableness of key assumptions used in the capital assessment measurement system;
3. iii.Determine whether the bank holds sufficient capital against the various risks and is in compliance with established internal capital adequacy requirements; and
4. iv.Assess its future capital requirements based on the bank’s reported risk profile (3 to 5 years) and make necessary adjustments to the bank’s strategic plan accordingly as well as the effect of any anticipated changes to regulatory requirements.

38.A bank’s MIS must provide the board and senior management in a clear and concise manner with timely and relevant information concerning their bank’ risk profile. This information must include all risk exposures, including those that are off-balance sheet. Management must understand the assumptions behind and limitations inherent in specific risk measures.

39.The key elements necessary for the aggregation of risks are an appropriate infrastructure and MIS that (i) allow for the aggregation of exposures and risk measures across business lines and (ii) support customised identification of concentrations and emerging risks. MIS developed to achieve this objective must support the ability to evaluate the impact of various types of economic and financial shocks that affect the whole bank. Further, a bank’s systems must be flexible enough to incorporate hedging and other risk mitigation actions to be carried out on a firm-wide basis while taking into account the various related basis risks.

40.To enable proactive management of risk, the board and senior management need to ensure that MIS is capable of providing regular, accurate and timely information on the bank’s aggregate risk profile, as well as the main assumptions used for risk aggregation. MIS must be adaptable and responsive to changes in the bank’s underlying risk assumptions and must incorporate multiple perspectives of risk exposure to account for uncertainties in risk measurement. In addition, it must be sufficiently flexible so that the bank can generate forward-looking bank-wide scenario analyses that capture management’s interpretation of evolving market conditions and stressed conditions. Third-party inputs or other tools used within MIS (e.g. credit ratings, risk measures, models) must be subject to initial and ongoing validation.

41.Banks are required that their MIS must be capable of capturing limit breaches and there must be procedures in place to promptly report such breaches to senior management, as well as to ensure that appropriate follow-up actions are taken. For instance, similar exposures must be aggregated across business platforms (including the banking and trading books) to determine whether there is a concentration or a breach of an internal position limit.