
3. Four elements of a sound risk management system

3.1 Summary

3.1.1 While risk management systems vary among AIs, there are four basic elements contributing to a sound risk management environment:

• active Board and senior management oversight;

• organisational policies, procedures and limits that have been developed and implemented to manage business activities effectively;

• adequate risk measurement, monitoring and management information systems that are in place to support all business activities; and

• established internal controls and the performance of comprehensive audits to detect any deficiencies in the internal control environment in a timely fashion.

3.1.2 These are discussed in turn below.

3.2 Board and senior management oversight

3.2.1 The quality of Board and senior management oversight is evaluated in relation to the following elements:

• whether the Board and senior management have identified and have a clear understanding of the types of risk inherent in business lines and whether they have taken appropriate steps to ensure continued awareness of any changes in the levels of risk;

• whether the Board and senior management have been actively involved in the development and approval of policies to limit the risks, consistent with the AI's risk appetite;

• whether the Board and senior management are knowledgeable about the methods available to measure risks for various activities;

• whether the Board and senior management carefully evaluate all the risks associated with new activities and ensure that the proper infrastructure and internal controls are in place; and

• whether the Board and senior management have provided adequate staffing for the activity and designated staff with appropriate credentials to supervise the activity.

3.3 Policies, procedures and limit structure

3.3.1 The following key factors are to be considered in evaluating the adequacy of policies, procedures and limits:

• whether policies, procedures and limits are properly documented, drawn up after careful consideration of the risks associated with the activity and reviewed and approved by management at the appropriate level;

• whether policies assign full accountability and clear lines of authority for each activity and product area; and

• whether compliance monitoring procedures have been developed. These procedures should include internal compliance checks for adherence to all policies, procedures and limits by an independent function within an AI such as an internal control unit.

3.4 Risk measurement, monitoring and management reporting systems

3.4.1 Effective risk monitoring requires AIs to identify and measure all quantifiable and material risk factors.

Consequently, risk monitoring activities must be supported by information systems that provide the management with timely and accurate reports on the financial condition, operating performance and risk exposure of the AI.

3.4.2 Management information systems should provide regular and sufficiently detailed reports for line managers engaged in the day-to-day management of the AI's business activities.

3.4.3 All AIs are expected to have risk monitoring and management information systems that provide senior management with a clear understanding of the AI's positions and risk exposures.

3.4.4 The following factors should be considered in assessing the effectiveness of the risk measurement, monitoring and management reporting systems:

• the adequacy, on a historical basis, of the risk monitoring practices and reports addressing all material risks of the organisation;

• the adequacy and appropriateness of the key assumptions, data sources and procedures used to measure and monitor risk, including the adequacy of analysis, documentation and reliability testing of the system on a continuing basis;

• any material changes in the AI's lines of business or products that might require changes in the measuring and monitoring systems;

• any changes in the information technology or management information system environment that have significantly changed the production process for reports or the assumptions on which reports are based;

• how consistently management information reports and other forms of communication monitor all meaningful exposures, check compliance with established limits, goals or objectives and compare actual with expected performance; and

• the adequacy, accuracy and timeliness of reports to the Board and senior management and whether such reports contain sufficient information for them to identify any adverse trends and to evaluate the level of risks fully.

3.5 Internal controls and comprehensive audits

3.5.1 A critical element of an AI's ability to operate in a safe and sound manner and to maintain an acceptable risk management system is the adequacy of its internal control environment. Establishing and maintaining an effective system of controls, including the enforcement of official lines of authority and the appropriate segregation of duties, is one of management's most important responsibilities. Serious lapses or deficiencies in internal controls such as inadequate segregation of duties may warrant supervisory action.

3.5.2 When properly structured, a system of internal controls promotes effective operations, provides for reliable financial reporting, safeguards assets and helps to ensure compliance with relevant laws, regulations and internal policies. An independent internal auditor should test internal controls and the results of these audits, including management’s response to the findings, should be properly documented.

3.5.3 The following factors should be considered in evaluating the adequacy of the internal control environment:

• the appropriateness of the system of internal controls in relation to the type and level of risks posed by the nature and scope of the AI's business activities and products;

• whether the AI's organisation structure establishes adequately clear lines of authority and responsibility for monitoring compliance with policies, procedures and limits;

• whether reporting lines provide for sufficient independence of the control functions from the business areas, as well as adequate segregation of duties throughout the organisation (such as those relating to trading, custodial and back-office operations or loan origination, marketing and processing);

• whether the official organisational structure reflects actual operating practices;

• the reliability, accuracy and timeliness of all financial, operational and regulatory reports;

• the adequacy of procedures for ensuring compliance with applicable laws, regulations and internal policies and procedures;

• the effectiveness, independence and objectivity of internal audit or other control and review procedures in providing adequate coverage of the AI’s operations;

• whether internal controls and information systems are adequately tested and reviewed;

• whether the coverage, procedures, findings and management responses to audits are adequately documented; and

• whether identified material weaknesses are given appropriate and timely high-level attention and management’s actions to correct material deficiencies are objectively verified and reviewed.

4. Rating risk management
