The Risk Management system must address the following:
a.
A Company must have an effective Risk Management function to identify, assess, measure monitor, control, report and mitigate its key risks in a timely manner and to promote and sustain a sound Risk Culture.
b.
The Risk Management function is responsible for assisting the Board, Board committees and Senior Management with developing and maintaining the Risk Governance System.
c.
A Company must have an adequately resourced Risk Management function headed by a Chief Risk Officer (CRO) or equivalent. The function must be independent of the management and decision-making of the Company's risk-taking functions.
2.
The Risk Management function must have direct access to the Board and/or the Board risk committee and must provide them with reports on the following matters, at a minimum:
a.
Assessment of risk positions, exposures and the steps being taken to manage them;
b.
Assessment of changes in the Company's Risk Profile relative to Risk Appetite, including the ORSA;
c.
Assessment of pre-defined Risk Limits;
d.
Risk Management issues resulting from strategic affairs such as corporate strategy, mergers, acquisitions, major projects and investments;
e.
Assessment of risk events and the identification of appropriate remedial actions and the assessment of results after implementation.
3.
In developing the Risk Management system the following must be considered:
a.
The head of the Risk Management function, the CRO or equivalent, must be of sufficient seniority and stature within the Company, to credibly challenge the heads of business lines and functions. The head of the Risk Management function must have the authority and obligation to inform the Board romptly of any circumstance that may have a material effect on the Risk Management system of the Company.
b.
Outsourced activities must remain fully in scope of the Company's Risk Management responsibilities.