CTRL 7.1.2 Firms to have risk management framework

(1) An authorised firm must have a documented risk management framework.
(2) An authorised firm’s risk management framework must enable the firm to appropriately develop and implement strategies, policies, procedures and controls to manage different types of material risks, and must provide the firm’s governing body with a comprehensive firm-wide view of material risks.
(3) The framework must be appropriate to the nature, scale and complexity of the firm’s business.
(4) An authorised firm that is a branch may rely on the risk management framework of its head office if the firm has assessed the head office’s risk management framework and decided that it appropriately addresses the firm’s internal and external sources of material risk.
(5) An authorised firm’s risk management framework must reflect the firm’s business objectives and the business plan approved by the firm’s governing body, and must include all of the following:
(a) a risk appetite statement;
(b) a risk management strategy;
(c) a risk-management function dedicated to the framework;
(d) a management information system to support the effectiveness of the framework;
(e) a robust review process to ensure that the framework remains effective.
Note: For the requirement for the governing body to approve the business plan, see rule 3.1.14 (1) (a).


Derived from QFCRA RM/2020-4 (as from 1st July 2021)