• INMA Schedule 1 Guidance about risk management

    (see rule 4.2.1)

    • INMA Part S1.1 Introduction

      This guidance provides detail on what the Regulatory Authority expects to see in an INMA firm’s risk management policy. It has been prepared to assist the directors and senior managers of INMA firms and others concerned in applying these rules. The authority recognises that the exact content of each firm’s risk management policy will be determined by what is appropriate in the light of the nature, scale and complexity of the firm’s business.

      Derived from QFCRA RM/2014-4 (as from 1st January 2015).

    • INMA Part S1.2 Risks to be addressed in risk management policy

      • INMA S1.2.1 Operational risk

        (1) Operational risk is the risk of loss resulting from:
        (a) inadequate or failed internal processes, people and systems; or
        (b) external events.
        (2) The management of operational risk typically addresses legal risk, fraud risk, economic and political risk, business continuity risk, technology risk, human resources risk, outsourcing risk, project management risk and strategic risk.
        Derived from QFCRA RM/2014-4 (as from 1st January 2015).

      • INMA S1.2.2 Reputational risk

        (1) Reputational risk is the risk of loss resulting from damage to a firm’s good reputation.
        (2) An INMA firm’s risk management policy should include processes and procedures for identifying, assessing, managing and mitigating reputational risk. The policy should include:
        (a) processes for identifying events that might lead to reputational damage, the likelihood of those events occurring, and their consequences; and
        (b) procedures for handling such events, and for mitigating reputational damage.
        Derived from QFCRA RM/2014-4 (as from 1st January 2015).

      • INMA S1.2.3 Liquidity risk

        (1) Liquidity risk is the risk of not having sufficient cash or liquid assets to meet cash outflows as they fall due.
        (2) An INMA firm's risk management policy should include processes and controls to monitor the liquidity and realisability of the firm's assets and the level of liquid assets it holds, to ensure that it complies at all times with the net liquid assets requirement in these rules.

        Note For that requirement — see rule 3.3.4.
        Derived from QFCRA RM/2014-4 (as from 1st January 2015).

    • INMA Part S1.3 Risks to be addressed in managing operational risk

      • INMA S1.3.1 Legal risk

        (1) Legal risk is the risk of loss resulting from:
        (a) regulatory or legal action;
        (b) disputes; or
        (c) failure to comply with, or the inadequate management of, legal or regulatory obligations.
        (2) An INMA firm’s risk management policy should include processes and procedures for identifying, assessing, managing and mitigating legal risk. The policy should include:
        (a) processes for identifying events that might generate legal risk (for example, new products or processes, new documentation), the likelihood of those events occurring and their consequences; and
        (b) procedures to ensure that:
        (i) all contractual, legal, regulatory and other documentation is accurate and complete;
        (ii) the firm complies with all its legal, regulatory, contractual and prudential requirements and obligations; and
        (iii) the firm’s insurances (for example, professional indemnity insurance) are renewed in good time and remain effective.
        Derived from QFCRA RM/2014-4 (as from 1st January 2015).

      • INMA S1.3.2 Fraud risk

        (1) Fraud risk is the risk of loss from:
        (a) unauthorised activities such as those that breach the controls, procedures, limits and other restrictions in an INMA firm’s policies and procedures or legal or regulatory requirements;
        (b) deceptive acts or omissions intended to gain advantage for the parties committing the acts or other parties; or
        (c) intentional acts undertaken for personal gain or to tamper with or manipulate the financial or operational aspects of the firm’s business.
        (2) An INMA firm’s risk management policy should include processes and procedures for identifying, assessing, managing and mitigating fraud risk. The policy should include:
        (a) internal controls and mitigation strategies;
        (b) segregation of duties at an operational level and in relation to functional reporting lines;
        (c) financial accounting controls;
        (d) staff training and awareness; and
        (e) appropriate processes for monitoring compliance with the firm’s procedures, controls, limits and other restrictions.
        Derived from QFCRA RM/2014-4 (as from 1st January 2015).

      • INMA S1.3.3 Economic and political risk

        (1) Economic and political risk is the risk of loss resulting from factors such as the following:
        (a) macroeconomic policy, government regulation and social policy;
        (b) events related to political instability.
        (2) An INMA firm’s risk management policy should include a process for identifying and assessing how political and economic factors might affect its business and its ability to meet its liabilities as they fall due, and procedures for managing and mitigating that risk.
        Derived from QFCRA RM/2014-4 (as from 1st January 2015).

      • INMA S1.3.4 Business continuity risk

        (1) Business continuity risk is the risk of loss (both financial and non-financial) resulting from disruptions to critical business operations. Critical business operations are the business functions, resources and infrastructure that would, if disrupted, have a significant effect on a firm’s business functions, reputation, profitability and customers.

        Note CTRL, rule 3.1.17 (3), requires an INMA firm’s governing body to review its business continuity procedures at least once every 18 months.
        (2) An INMA firm’s risk management policy should include processes and procedures for identifying, assessing, managing and mitigating business continuity risk. The policy should include:
        (a) processes for identifying and analysing:
        (i) events that might lead to a disruption in business continuity;
        (ii) the likelihood of those events occurring;
        (iii) the processes most at risk; and
        (iv) the consequences of those events;
        (b) a plan (business continuity plan or BCP) describing:
        (i) objectives and procedures for crisis management and recovery to minimise the consequences from the disruption of its business;
        (ii) detailed procedures for carrying out the BCP, including manual processes, the activation of an off-site recovery site (if needed), the persons responsible for activating the BCP, and pre-assigned responsibilities of staff;
        (iii) a communications strategy and contact information for relevant staff, suppliers, regulators, market authorities, major customers, the media and other key people;
        (iv) a schedule of critical systems covered by the BCP and the timeframe for restoring those systems;
        (v) procedures for staff awareness and training on all aspects of the BCP; and
        (vi) procedures for regular (at least annual) testing, review and reporting on the BCP to the governing body and senior management; and
        (c) procedures for backing up important data regularly and storing the data off-site.
        Derived from QFCRA RM/2014-4 (as from 1st January 2015).
        Amended by QFCRA RM/2021-1 (as from 1st July 2021).

      • INMA S1.3.5 Technology risk

        (1) Technology risk is the risk of loss resulting from inadequate or failed technology used in business operations, or the unauthorised use of such technology.
        (2) An INMA firm’s risk management policy should include processes and procedures to maintain the secure and effective use of technology in its business operations and for identifying, managing and mitigating technology risk.
        Derived from QFCRA RM/2014-4 (as from 1st January 2015).

      • INMA S1.3.6 Human resources risk

        (1) Human resources risk is the risk of loss resulting from inadequate human resources.
        (2) An INMA firm’s risk management policy should include processes and procedures for identifying, managing and mitigating human resources risk. The policy should include processes and procedures for:
        (a) risk identification and assessment of the firm’s human resources requirements;
        (b) ensuring that it has an appropriate number of suitably qualified and trained staff in accordance with the nature, scale, and complexity of its business;
        (c) managing and mitigating the loss of key personnel; and
        (d) monitoring and supervising its staff.
        Derived from QFCRA RM/2014-4 (as from 1st January 2015).

      • INMA S1.3.7 Outsourcing risk

        (1) Outsourcing risk is the risk of loss resulting from the non-performance, or poor performance, by a service provider of a function outsourced to the service provider under a material outsourcing arrangement (within the meaning of CTRL).

        Note 1 For the meaning of material outsourcing — see CTRL, glossary.

        Note 2 An INMA firm must assess the risks that a material outsourcing arrangement poses to its business (see CTRL, rule 8.2.2 (2) (a)) and the governing body of the firm must review, at least once every year, the firm’s outsourcing arrangements for assessing the feasibility of a proposed outsourcing arrangement and the risks that the outsourcing poses to the firm’s business (see CTRL, rule 8.1.3 (4) (a) (i)).
        (2) Outsourcing can bring significant benefits in terms of efficiency, cost reduction and risk management. However, the process of implementing outsourcing arrangements and the outsourcing relationship itself may expose an INMA firm to additional risk. Therefore, it is important that INMA firms supervise outsourced activities.

        Note CTRL, rule 8.2.4 (1) requires an INMA firm to inform the Regulatory Authority before entering into a material outsourcing arrangement.
        (3) Intra-group outsourcing might be thought to be subject to lower risks than using service providers from outside a corporate group. However, it is not risk-free, and an INMA firm should still assess the associated risks and make appropriate arrangements to manage them.
        (4) An INMA firm’s risk management policy should include processes and procedures for identifying, assessing, managing and mitigating outsourcing risk. The risk management policy should include processes and procedures for:
        (a) negotiating contracts for outsourcing;
        (b) identifying, assessing and managing risks that may arise from the outsourcing;
        (c) procedures for managing the outsourcing service providers; and
        (d) mitigating any associated risks.
        (5) In negotiating a contract with a service provider or in assessing an existing contract, an INMA firm should consider matters that are relevant to risk management, including the following:
        (a) setting and monitoring authority limits and referral requirements;
        (b) the identification and assessment of performance targets;
        (c) procedures for evaluation of performance against targets;
        (d) provisions for remedial action;
        (e) the reporting requirements imposed on the service provider (including the content and frequency of reports);
        (f) the ability of the firm and its external auditors to obtain access to the service provider and their records;
        (g) the protection of intellectual property rights;
        (h) the protection of customers’ and the firm’s confidentiality;
        (i) the adequacy of any guarantees, indemnities or insurance cover that the service provider agrees to provide;
        (j) the ability of the service provider to provide continuity of business;
        (k) the arrangements to change, or terminate, the agreement.
        Derived from QFCRA RM/2014-4 (as from 1st January 2015).
        Amended by QFCRA RM/2021-1 (as from 1st July 2021).

      • INMA S1.3.8 Project management risk

        (1) Project management risk is the risk of loss resulting from projects not achieving the desired objectives or having a negative effect on the adequacy of a firm’s resources.
        (2) If an INMA firm is likely to be exposed to project management risk, its risk management policy should include processes and procedures for identifying, assessing, managing and mitigating that risk. The policy may also set out processes and procedures for:
        (a) establishing and managing a project, including setting a business case, cost-benefit analysis, stakeholder sign-offs, monitoring the project objectives, deliverables, timeframes and post-implementation review;
        (b) clearly defined and appropriate authorities for project approvals and sign-offs; and
        (c) clearly defined and appropriate levels of delegation of authority.
        Derived from QFCRA RM/2014-4 (as from 1st January 2015).

      • INMA S1.3.9 Strategic risk

        (1) Strategic risk is the risk of loss resulting from the pursuit of an unsuccessful business plan. Strategic risk might arise from making poor business decisions, from the substandard execution of decisions, from inadequate resource allocation, or from a failure to respond well to changes in the business environment.
        (2) An INMA firm’s risk management policy should include processes and procedures for identifying, assessing, managing and mitigating strategic risk.
        Derived from QFCRA RM/2014-4 (as from 1st January 2015).

    • INMA Part S1.4 Other risks that may be addressed in risk management policy

      • INMA S1.4.1 Market risk

        (1) Market risk is the risk of loss resulting from adverse movement in the relative values of assets and liabilities because of changes in general market factors, such as interest rates, inflation and foreign exchange rates. Market risk includes asset-liability management risk.
        (2) If an INMA firm is likely to be exposed to market risk, its risk management policy should include processes and procedures for identifying, assessing, managing and mitigating that risk.
        Derived from QFCRA RM/2014-4 (as from 1st January 2015).

      • INMA S1.4.2 Concentration risk

        (1) Concentration risk is the risk of loss resulting from:
        (a) large exposures to a single counterparty, market or geographical area; or
        (b) exposures to large or one-off transactions.
        (2) If an INMA firm is likely to be exposed to concentration risk, its risk management policy should include processes and procedures for identifying, assessing, managing and mitigating that risk. The policy may set out limits for credit exposures, at individual and consolidated levels, to:
        (a) single counterparties and groups of related counterparties;
        (b) subsidiaries and related entities;
        (c) single industries or markets; and
        (d) single regions.
        Derived from QFCRA RM/2014-4 (as from 1st January 2015).

      • INMA S1.4.3 Credit risk

        (1) Credit risk is the risk of loss resulting from:
        (a) default by debtors and other counterparties; and
        (b) assets losing value because their credit quality has deteriorated.
        (2) If an INMA firm is likely to be exposed to credit risk, its risk management policy should include processes and procedures for identifying, assessing, managing and mitigating that risk.
        Derived from QFCRA RM/2014-4 (as from 1st January 2015).

      • INMA S1.4.4 Group risk

        (1) Group risk is the risk of loss resulting from membership of a corporate group or linkages with related parties. Related parties include not only other members of a firm’s corporate group but individuals who are in a position to exercise significant influence over it.
        (2) Corporate group membership and linkages with related parties can be a source of both strength and weakness.
        (3) If an INMA firm is likely to be exposed to group risk it should include, in its risk management policy, processes and procedures for identifying, assessing, managing and mitigating that risk.
        Derived from QFCRA RM/2014-4 (as from 1st January 2015).

      • INMA S1.4.5 Settlement risk

        (1) Settlement risk is the risk of loss resulting from a counterparty not delivering a security (or its value in cash) in accordance with an agreement to do so.
        (2) If an INMA firm is likely to be exposed to settlement risk, its risk management policy should include processes and procedures for identifying, assessing, managing and mitigating that risk.
        Derived from QFCRA RM/2014-4 (as from 1st January 2015).

      • INMA S1.4.6 Valuation risk

        (1) Valuation risk is the risk of loss resulting from an asset being overvalued and, when it matures or is sold, being worth less than was expected. Factors contributing to valuation risk include incomplete data, market instability, uncertainties in financial modelling and poor data analysis by the people responsible for determining the value of the asset.
        (2) If an INMA firm is likely to be exposed to valuation risk, its risk management policy should include processes and procedures for identifying, assessing, managing and mitigating that risk.
        Derived from QFCRA RM/2014-4 (as from 1st January 2015).