CTRL 7.1.7 Risk management strategy

(1) An authorised firm’s risk management strategy must be appropriate to the nature, scale and complexity of the firm’s business.
(2) The strategy:
(a) must provide for assessing material risks;
(b) must set out policies and procedures for monitoring, prioritising and managing major risk exposures;
(c) must include both quantitative and qualitative considerations; and
(d) must provide for monitoring significant changes to the firm’s risk profile.
(3) The strategy must include:
(a) objectives, principles and allocation of responsibility for dealing with risk across the firm, including any branches;
(b) defining and categorising the types of risk to which the firm is exposed;
A suggested framework for the definition and categorisation of risks is set out in Schedule 1. The Regulatory Authority will use that framework in its approach to the assessment of risks posed by authorised firms, and the management of those risks. An authorised firm may either adapt this framework to reflect the nature, scale and complexity of its operations, or develop and implement its own risk classification framework.
(c) processes (covering contingency planning, business continuity, crisis management and fraud) for identifying, assessing, monitoring, managing and reporting on risks;
(d) a process for obtaining and recording the governing body’s approval for any material change to, or deviation from, the strategy; and
(e) a process for obtaining a direction by the governing body settling any major question of the interpretation of the strategy.
(4) The firm must ensure that the strategy:
(a) is recorded in writing;
(b) is kept up to date to take into account new internal and external circumstances; and
(c) is reviewed at least once in every year.
(5) If the firm is part of a corporate group, the firm’s governing body must know the implications for the firm of any group-wide risk management strategy.


Derived from QFCRA RM/2020-4 (as from 1st July 2021)