Version date: 30 June 2011 - onwards

Control and Mitigation

Principle 9: Banks should have a strong control environment that utilises policies, processes and systems; appropriate internal controls; and appropriate risk mitigation and/or transfer strategies.

47. Internal controls should be designed to provide reasonable assurance that a bank will have efficient and effective operations; safeguard its assets; produce reliable financial reports; and comply with applicable laws and regulations. A sound internal control programme consists of five components that are integral to the risk management process: control environment, risk assessment, control activities, information and communication, and monitoring activities [The Committee’s paper Framework for Internal Control Systems in Banking Organisations, September 1998, discusses internal controls in greater detail.].

48. Control processes and procedures should include a system for ensuring compliance with policies. Examples of principal elements of a policy compliance assessment include:

(a) top-level reviews of progress towards stated objectives;

(b) verifying compliance with management controls;

(c) review of the treatment and resolution of instances of non-compliance;

(d) evaluation of the required approvals and authorisations to ensure accountability to an appropriate level of management; and

(e) tracking reports for approved exceptions to thresholds or limits, management overrides and other deviations from policy.