
Article (2): Systems of Risk Management and Internal Controls

C 25/2022 Effective from 30/12/2022
1. A Company must have comprehensive and effective systems of Risk Management and Internal Controls that provide a Company-wide and, if applicable, Group-wide view of all material risks to which they are or could be exposed, and their interdependencies. This includes strategies, policies, processes, procedures, and controls to identify, assess, measure, monitor, control, report and mitigate material sources of risk, on a timely basis. A Company's definition and assessment of material risks must take into account its Risk Appetite, Risk Profile, nature, size and the complexity of its business and structure.
 
2. The Board must be in control of the Company and bears ultimate responsibility for ensuring that there are effective systems of Risk Management and Internal Controls appropriate to the Risk Profile, nature, size and complexity of the Company's business and structure.
 
3. Senior Management is responsible for the implementation of sound policies, effective procedures and robust systems consistent with Board-approved systems of Risk Management and Internal Controls. The Board remains ultimately accountable, notwithstanding specific responsibilities delegated to Senior Management.
 
4. A Company's organisational structure must incorporate a "three lines of defence" approach comprising:
 
a. The business lines;
 
b. The risk, actuarial and compliance functions;
 
c. Independent internal audit function.
 
5. The Board must provide oversight of Senior Management. It must hold members of Senior Management accountable for their actions if they are not aligned with the Company's strategy and objectives.
 
6. Companies who have Group relationships must ensure the following:
 
a. Companies, for which the Central Bank is the primary regulator, who have significant Group relationships including Subsidiaries, Affiliates, or international branches must develop and maintain processes to coordinate the identification, assessment, measurement, evaluation, monitoring, reporting and control or mitigation of all internal and external sources of material risks across the Group. The process must provide the Board with a solo and Group-wide view of all material risks, including the roles and relationships of other Group entities to one another and to the Company.
 
b. The methods and procedures applied by Subsidiaries, Affiliates and international branches must support Risk Management on a Group-wide basis. Companies must conduct Group-wide Risk Management and prescribe Group policies and procedures, while Boards and Senior Management of Subsidiaries and Affiliates must have input with respect to the local and regional application of these policies and procedures and the assessment of local and regional risks.