• CTRL Chapter 7 Risk management

    • CTRL 7.1.1 Application of Chapter 7

      This Chapter applies to all authorised firms.


      Derived from QFCRA RM/2020-4 (as from 1st July 2021)

      • CTRL 7.1.1 Guidance

        In assessing the appropriateness of an authorised firm’s risk management framework, and the firm’s compliance with the provisions of this Chapter, the Regulatory Authority will have regard to the firm’s risk profile, and in particular to:

        • the nature, scale and complexity of operations in the QFC
        • whether or not the firm is a branch of a firm established in another jurisdiction
        • whether or not the firm is included in a risk management framework established at head office or group level.


        Derived from QFCRA RM/2020-4 (as from 1st July 2021)

    • CTRL 7.1.2 Firms to have risk management framework

      (1) An authorised firm must have a documented risk management framework.
      (2) An authorised firm’s risk management framework must enable the firm to appropriately develop and implement strategies, policies, procedures and controls to manage different types of material risks, and must provide the firm’s governing body with a comprehensive firm-wide view of material risks.
      (3) The framework must be appropriate to the nature, scale and complexity of the firm’s business.
      (4) An authorised firm that is a branch may rely on the risk management framework of its head office if the firm has assessed the head office’s risk management framework and decided that it appropriately addresses the firm’s internal and external sources of material risk.
      (5) An authorised firm’s risk management framework must reflect the firm’s business objectives and the business plan approved by the firm’s governing body, and must include all of the following:
      (a) a risk appetite statement;
      (b) a risk management strategy;
      (c) a risk-management function dedicated to the framework;
      (d) a management information system to support the effectiveness of the framework;
      (e) a robust review process to ensure that the framework remains effective.
      Note For the requirement for the governing body to approve the business plan, see rule 3.1.14 (1) (a).


      Derived from QFCRA RM/2020-4 (as from 1st July 2021)

    • CTRL 7.1.3 What is risk management?

      Risk management, for an authorised firm, includes some or all of the following, according to the nature, scale and complexity of the firm’s business:

      (a) identifying, assessing and reporting risk management information (including information dealing with issues of corporate strategy, mergers and acquisitions, and major projects and investments) to the firm’s governing body and the firm’s senior executive function and senior management in a timely way;
      (b) assessing risk positions, risk exposures, the steps being taken to manage them and, if appropriate, pre-defined risk limits;
      (c) participating in the process of approving new products or significant changes to existing products;
      (d) preparing periodic reports to the firm’s governing body setting out an overview of risk management during the relevant period, sending a copy of each such report to the firm’s internal auditor and making the report available to the firm’s external auditors;
      (e) assessing risk events and identifying appropriate remedial action;
      (f) assessing changes in the firm’s risk profile;
      (g) identifying available resources to manage the firm’s risks;
      (h) facilitating business continuity planning and disaster recovery for the firm;
      (i) developing and maintaining external relationships relevant to risk management in the firm;
      (j) developing and maintaining effective risk management communication within the firm;
      (k) monitoring and assessing the adequacy and effectiveness of the firm’s risk management policies, procedures and controls.


      Derived from QFCRA RM/2020-4 (as from 1st July 2021)

      • CTRL 7.1.3 Guidance

        Other rules may contain specific requirements as to risk management for firms authorised to carry on particular regulated activities. In particular, operational risk is of particular importance to banking business firms and Islamic banking business firms. (For the meaning of operational risk, see BANK, rule 7.1.1 (2) and IBANK, rule 7.1.1 (2).) For the management of operational risk in banking business firms, see BANK, Part 7.2, and in Islamic banking business firms, see IBANK, Part 7.2.


        Derived from QFCRA RM/2020-4 (as from 1st July 2021)

    • CTRL 7.1.4 What is the risk management framework?

      An authorised firm’s risk management framework is the totality of systems, structures, policies, processes and people within the firm that identifies, measures, evaluates, monitors, reports on and controls or mitigates all internal and external sources of material risk. Material risks are risks that could have a material effect, financial or non-financial, on the firm, on its stakeholders or on the interests of its customers.


      Derived from QFCRA RM/2020-4 (as from 1st July 2021)

    • CTRL 7.1.5 Risks to be addressed

      An authorised firm’s risk management framework must address, at least, the following risks (where they are material to the firm’s operations):

      (a) credit or asset risk;
      (b) liquidity risk;
      (c) market/investment risk;
      (d) operational risk;
      (e) strategy and planning risk;
      (f) technology risk;
      (g) market conduct risk;
      (h) money laundering and terrorism financing risk;
      (i) compliance, legal, reputational and regulatory risk;
      (j) insurance underwriting;
      (k) any other risks that, singly or in combination, could have a significant effect on the firm.


      Derived from QFCRA RM/2020-4 (as from 1st July 2021)

    • CTRL 7.1.6 Risk appetite statement

      (1) An authorised firm must have a documented risk appetite statement. A risk appetite statement is a high-level qualitative statement that clearly captures the firm’s attitude to, and its level of acceptance of, different risks.
      (2) The firm’s risk appetite is the aggregate level and types of risk that the firm is willing to assume to achieve its strategic objectives and business plan. In setting its risk appetite, the firm must not breach its obligations or constraints determined by regulatory capital requirements, or liquidity or other needs.
      (3) If appropriate, the statement must specify quantitative measures.
      (4) The firm’s governing body must review and approve the statement annually.


      Derived from QFCRA RM/2020-4 (as from 1st July 2021)

      • CTRL 7.1.6 Guidance

        The qualitative and quantitative measures referred to in this rule should reflect those expressed in the firm’s risk management strategy (see rule 7.1.7 (2) (c)).


        Derived from QFCRA RM/2020-4 (as from 1st July 2021)

    • CTRL 7.1.7 Risk management strategy

      (1) An authorised firm’s risk management strategy must be appropriate to the nature, scale and complexity of the firm’s business.
      (2) The strategy:
      (a) must provide for assessing material risks;
      (b) must set out policies and procedures for monitoring, prioritising and managing major risk exposures;
      (c) must include both quantitative and qualitative considerations; and
      (d) must provide for monitoring significant changes to the firm’s risk profile.
      (3) The strategy must include:
      (a) objectives, principles and allocation of responsibility for dealing with risk across the firm, including any branches;
      (b) defining and categorising the types of risk to which the firm is exposed;
      Guidance
      A suggested framework for the definition and categorisation of risks is set out in Schedule 1. The Regulatory Authority will use that framework in its approach to the assessment of risks posed by authorised firms, and the management of those risks. An authorised firm may either adapt this framework to reflect the nature, scale and complexity of its operations, or develop and implement its own risk classification framework.
      (c) processes (covering contingency planning, business continuity, crisis management and fraud) for identifying, assessing, monitoring, managing and reporting on risks;
      (d) a process for obtaining and recording the governing body’s approval for any material change to, or deviation from, the strategy; and
      (e) a process for obtaining a direction by the governing body settling any major question of the interpretation of the strategy.
      (4) The firm must ensure that the strategy:
      (a) is recorded in writing;
      (b) is kept up to date to take into account new internal and external circumstances; and
      (c) is reviewed at least once in every year.
      (5) If the firm is part of a corporate group, the firm’s governing body must know the implications for the firm of any group-wide risk management strategy.


      Derived from QFCRA RM/2020-4 (as from 1st July 2021)

    • CTRL 7.1.8 Firms must provide appropriate training

      The firm’s senior management must ensure that appropriate risk management training is available to individuals at all levels throughout the firm. The training that is provided to an individual must be appropriate to the seniority, role and responsibilities of the individual.


      Derived from QFCRA RM/2020-4 (as from 1st July 2021)

    • CTRL 7.1.9 Independence of certain employees

      (1) An authorised firm must ensure that each employee who is allocated responsibilities within the firm’s risk management framework is sufficiently free from influence for the framework to be effective in achieving its purposes.
      (2) The requirement in subrule (1) is satisfied if reasonable measures have been taken to ensure that:
      (a) no such employee is remunerated in a way that would tend to undermine his or her independence and objectivity in performing the duties;
      Note For the requirements relating to a firm’s remuneration policy, see rule 3.1.16.
      (b) no such employee is involved in performing a function that generates, or is intended to generate, revenue for the firm;
      (c) no such employee is limited or restricted as to the matters that he or she can investigate or report on in the exercise of his or her function;
      (d) the reports and conclusions of such an employee can be honest and candid, without fear of reprisal; and
      (e) pressure or influence is not applied to such an employee to modify his or her reports or conclusions.


      Derived from QFCRA RM/2020-4 (as from 1st July 2021)