Principle 7: Risk identification, monitoring and controlling
Risks should be identified, monitored and controlled on an ongoing bank-wide and individual entity basis. The sophistication of the bank's risk management and internal control infrastructure should keep pace with changes to the bank's risk profile, to the external risk landscape and in industry practice.
112. The bank's risk governance framework should include policies, supported by appropriate control procedures and processes, designed to ensure that the bank's risk identification, aggregation, mitigation and monitoring capabilities are commensurate with the bank's size, complexity and risk profile.
113. Risk identification should encompass all material risks to the bank, on- and off-balance sheet and on a group-wide, portfolio-wise and business-line level. In order to perform effective risk assessments, the board and senior management, including the CRO, should, regularly and on an ad hoc basis, evaluate the risks faced by the bank and its overall risk profile. The risk assessment process should include ongoing analysis of existing risks as well as the identification of new or emerging risks. Risks should be captured from all organisational units. Concentrations associated with material risks should likewise be factored into the risk assessment.
114. Risk identification and measurement should include both quantitative and qualitative elements. Risk measurements should also include qualitative, bank-wide views of risk relative to the bank's external operating environment. Banks should also consider and evaluate harder-to-quantify risks, such as reputation risk.