14. A bank must have a board approved risk management policy, which includes identifying, measuring, evaluating, monitoring, reporting and controlling or mitigating all internal and external sources of material risk. The overarching risk management policy document must reflect an understanding of the risks arising from the bank’s business activities and the relationships among those risks.
15. A bank’s documented policies and procedures for risk management must, at a minimum, address the following:
a. Details of board oversight of risk management, including regular review of risk management policies, review and approval of the risk appetite statement and regular and ad hoc reporting on risk management by senior management, the risk management function, compliance function and internal audit to the Board or a committee of the Board;
b. The role and responsibilities of the board risk committee, documented through an appropriate charter or terms of reference;
c. A process for the identification of material risks, which is likely to be undertaken by a senior management committee overseen by the Board or board risk committee;
d. A process for ensuring there is a bank-wide or, if applicable, group-wide view that includes identifying, measuring, evaluating, monitoring and controlling risks and that the risk culture is disseminated throughout the bank or, if applicable, group, which will involve senior executives, often through a management risk committee or other senior executive committee, as well as the risk management function;
e. Establishment of an effective control environment, including measures embedded in the business lines such as delegated levels of authority, segregation of duties and physical controls such as dual custody, as well as the role of the risk management function in setting standards and challenging the business lines, an independent compliance function to monitor adherence to legal and regulatory requirements as well as internal compliance policies, and internal audit to provide independent assurance; and
f. Ensuring that the bank’s data architecture and information technology systems adequately support the bank’s comprehensive approach to risk management with timely and accurate reporting in readily usable formats.
16. A bank must have an appropriate level of granularity in its policies and procedures. Smaller banks with minimal trading activities may address market risks in a single set of policies and procedures, while larger and more complex banks must address market risks in detailed policies and procedures for individual types of market risk. A bank that outsources functions must have specific risk management policies and procedures related to the outsourcing.