A Company must have systems, including information technology capabilities, which are commensurate with the Risk Profile, nature, size and complexity of its business and structure, in order to identify, measure and monitor risk.
2.
The Board must have sufficient expertise to understand and oversee the risk measurement systems, including any use of Models.
3.
Where a Company uses Models to measure components of risk, it must have appropriate internal processes for the development and approval of use of such Models and must perform regular and independent validation and testing of the Models. The Board remains ultimately accountable whether the approval for use of such Models is provided by the Board or through authority delegated to management.