A Bank must have an adequately resourced Risk Management Function headed by a chief risk officer or equivalent. The function must be independent of the management and decision-making of the Bank’s risk-taking functions and have a direct reporting line to the Board or a board risk committee.
The Risk Management Function must include policies, procedures, systems and controls for monitoring and reporting risk and to ensure that risk exposures are aligned with the Bank’s strategy and business plan and consistent with the board-approved risk appetite statement and individual risk limits.
Exceptions to the Bank’s risk management policies, procedures or limits must be immediately addressed by the appropriate level of management or the Board.
A Bank must immediately notify the Central Bank when it becomes aware of a significant deviation from its board-approved risk appetite statement, risk management policies or procedures, or that a material risk has not been adequately addressed.