1. 1. A bank for which the Central Bank is the primary regulator is required to meet the objectives of the Regulation and Standards on a solo and group-wide basis. Subsidiaries and affiliates, including non-bank entities, must be captured by the bank’s comprehensive approach to risk management and must be part of the overall risk governance framework to ensure that the policies, business strategies, procedures and controls of the subsidiaries and affiliates are aligned with those of the group.
2. 2. The boards and senior management of subsidiaries and affiliates remain responsible for their entities’ risk management. The methods and procedures applied by subsidiaries and affiliates must support risk management on a group-wide basis. Parent banks must conduct group-wide risk management and prescribe group policies and procedures, while the boards and senior management of subsidiaries and affiliates must have input with respect to the local or regional application of these policies and procedures and the assessment of local or regional risks.
3. 3. Parent banks are responsible for ensuring that the risk management function in subsidiaries and affiliates is adequately resourced and that group reporting lines support the independence of the risk management, compliance and internal audit functions from the risk-taking business lines throughout the group. Parent banks are responsible for ensuring that reporting to the group by subsidiaries and affiliates is sufficiently detailed and timely to support effective group-wide risk management.
4. 4. Where the Central Bank is not the primary regulator of a bank that operates a branch in the U.A.E., the branch must have a risk governance framework and risk management function that meets the requirements of the Regulation and Standards. The “three lines of defense” approach must be incorporated within the branch. This will require a senior risk officer, compliance officer and senior internal audit officer with stature within the branch comparable to the business line managers².
5. 5. Reporting relationships between officers of the branch and group business lines and functions must support the independence of the risk management, compliance and internal audit functions from the risk-taking business lines. These branches must provide the Central Bank with unfettered access to any staff of the group involved in the risk management of the branch and any group reports or data that the Central Bank may request.

² Considering the principle of proportionality and the role of group functions in overseeing the branch, a bank may demonstrate to the Central Bank that it meets the requirements of the Regulation and Standards in some other way.