CTRL 7.1.3 What is risk management?

Risk management, for an authorised firm, includes some or all of the following, according to the nature, scale and complexity of the firm’s business:

(a) identifying, assessing and reporting risk management information (including information dealing with issues of corporate strategy, mergers and acquisitions, and major projects and investments) to the firm’s governing body and the firm’s senior executive function and senior management in a timely way;
(b) assessing risk positions, risk exposures, the steps being taken to manage them and, if appropriate, pre-defined risk limits;
(c) participating in the process of approving new products or significant changes to existing products;
(d) preparing periodic reports to the firm’s governing body setting out an overview of risk management during the relevant period, sending a copy of each such report to the firm’s internal auditor and making the report available to the firm’s external auditors;
(e) assessing risk events and identifying appropriate remedial action;
(f) assessing changes in the firm’s risk profile;
(g) identifying available resources to manage the firm’s risks;
(h) facilitating business continuity planning and disaster recovery for the firm;
(i) developing and maintaining external relationships relevant to risk management in the firm;
(j) developing and maintaining effective risk management communication within the firm;
(k) monitoring and assessing the adequacy and effectiveness of the firm’s risk management policies, procedures and controls.


Derived from QFCRA RM/2020-4 (as from 1st July 2021)