A Company must use measurement methodologies commensurate with the Risk Profile, nature, size and complexity of the business and the structure of the Company, including, but not limited to, scenario analysis and Stress Testing. Common metrics must be employed on a Company (or Group)-wide basis to foster a Company (or Group)-wide approach and effective identification and monitoring of risks across the Company (or Group).
2.
Risk measurement and modelling techniques must be used in addition to qualitative risk analysis and monitoring. The comprehensive approach to risk management must include policies and procedures for the development and internal approval for the use of Models or other risk measurement methodologies. Where the Models, or data for the Models, are supplied by a third party, there must be a process for the validation of the Model and data relative to the specific circumstances of the Company.
3.
A Company must perform regular validation and testing of Models. This must include evaluation of the conceptual soundness, ongoing monitoring including process verification and benchmarking and outcomes analysis, including back-testing. Stress Testing and scenario analysis must be used to take into account the risk of Model error and uncertainties associated with valuations and concentration risks.
4.
Model-based approaches must be supplemented by other measures. These include qualitative assessment of the logic, judgement and types of information used in Models, as well as assessment of policies, procedures, Risk Limits and exposures, especially with respect to difficult to quantify risks such as operational, compliance and reputational.