1This chapter provides additional guidance on risk-centric governance arrangements for effective risk management. It expands upon the general organisational requirements in SYSC 2, SYSC 3, SYSC 4,5 SYSC 7 and FUND 3.75, and so applies to the same extent as SYSC 3.1.1 R (for insurers, managing agents and the Society),5 SYSC 4.1.1 R (for every other firm) and FUND 3.7 (for a full-scope UK AIFM of an authorised AIF)5.55
Firms should, taking account of their size, nature and complexity, consider whether in order to fulfil the general organisational requirements in SYSC 2, SYSC 3, SYSC 4,5 SYSC 7 and (for a full-scope UK AIFM of an authorised AIF) FUND 3.75 their risk control arrangements should include:5
appointing a Chief Risk Officer; and
establishing a governing body risk committee.
The functions of a Chief Risk Officer and governing body risk committee are explained further in this section.
The appropriate regulator considers that banks and insurers that are included in the FTSE 100 Index are examples of the types of firm that should structure their risk control arrangements in this way. However, this guidance will also be relevant to some similar sized firms (whether or not listed) and some smaller firms, by virtue of their risk profile or complexity.
The chief risk function is having responsibility for overall management of the risk management system specified in PRA Rulebook: Solvency II firms: Conditions Governing Business, rule 3. 8
A Chief Risk Officer should:
be fully independent of a firm's individual business units;
have sufficient authority, stature and resources for the effective execution of his responsibilities;
ensure that the data used by the firm to assess its risks are fit for purpose in terms of quality, quantity and breadth;
provide oversight and challenge of the firm's systems and controls in respect of risk management;
provide oversight and validation of the firm's external reporting of risk;
report to the firm's governing body on the firm's risk exposures relative to its risk appetite and tolerance, and the extent to which the risks inherent in any proposed business strategy and plans are consistent with the governing body's risk appetite and tolerance. The Chief Risk Officer should also alert the firm's governing body to and provide challenge on, any business strategy or plans that exceed the firm's risk appetite and tolerance;
provide risk-focused advice and information into the setting and individual application of the firm's remuneration policy (Where 4 the Remuneration Code applies, see in particular SYSC 19A.3.15 E. Where the BIPRU Remuneration Code applies, see in particular SYSC 19C.3.15 E4. Where the dual-regulated firms Remuneration Code applies, see in particular SYSC 19D.3.16E. Where the remuneration part of the PRA Rulebook applies, see the PRA’s Supervisory Statement on Remuneration).6
[Note: The PRA’s Supervisory Statement on remuneration is available on the PRA website at http://www.bankofengland.co.uk/pra/Pages/default.aspx.] 6426
The appropriate regulator expects that where a firm is part of a group it will structure its arrangements so that a Chief Risk Officer at an appropriate level within the group will exercise functions in (1) taking into account group-wide risks.
The appropriate regulator recognises that in addition to the Chief Risk Officers primary accountability to the governing body, an executive reporting line will be necessary for operational purposes. Accordingly, to the extent necessary for effective operational management, the Chief Risk Officer should report into a very senior executive level in the firm. In practice, the appropriate regulator expects this will be to the chief executive, the chief finance officer or to another executive director.
The appropriate regulator considers that, while the firm's governing body is ultimately responsible for risk governance throughout the business, firms should consider establishing a governing body risk committee to provide focused support and advice on risk governance.
development of proposals for consideration by the governing body in respect of overall risk appetite and tolerance, as well as the metrics to be used to monitor the firm's risk management performance;
oversight and challenge of the design and execution of stress and scenario testing;
oversight and challenge of the day-to-day risk management and oversight arrangements of the executive;
oversight and challenge of due diligence on risk issues relating to material transactions and strategic proposals that are subject to approval by the governing body;
providing advice, oversight and challenge necessary to embed and maintain a supportive risk culture throughout the firm.
Where a governing body risk committee is established, its chairman should be a non-executive director, and while its membership should predominantly be non-executive it may be appropriate to include senior executives such as the chief finance officer.
In carrying out their risk governance responsibilities, a firm's governing body and governing body risk committee should have regard to any relevant advice from its audit committee or internal audit function concerning the effectiveness of its current control framework. In addition, they should remain alert to the possible need for expert advice and support on any risk issue, taking action to ensure that they receive such advice and support as may be necessary to meet their responsibilities effectively.