Version date: 8 July 2015 - onwards

Principle 6: Risk management function

Banks should have an effective independent risk management function, under the direction of a chief risk officer (CRO), with sufficient stature, independence, resources and access to the board.

105. The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include:

identifying material individual, aggregate and emerging risks;

assessing these risks and measuring the bank's exposure to them;

subject to the review and approval of the board, developing and implementing the enterprise-wide risk governance framework, which includes the bank's risk culture, risk appetite and risk limits;

ongoing monitoring of the risk-taking activities and risk exposures in line with the board-approved risk appetite, risk limits and corresponding capital or liquidity needs (ie capital planning);

establishing an early warning or trigger system for breaches of the bank's risk appetite or limits;