Control and Mitigation
Principle 9: Banks should have a strong control environment that utilises policies, processes and systems; appropriate internal controls; and appropriate risk mitigation and/or transfer strategies.
47. Internal controls should be designed to provide reasonable assurance that a bank will have efficient and effective operations; safeguard its assets; produce reliable financial reports; and comply with applicable laws and regulations. A sound internal control programme consists of five components that are integral to the risk management process: control environment, risk assessment, control activities, information and communication, and monitoring activities. [The Committee’s paper Framework for Internal Control Systems in Banking Organisations, September 1998, discusses internal controls in greater detail.]
48. Control processes and procedures should include a system for ensuring compliance with policies. Examples of principal elements of a policy compliance assessment include:
(a) top-level reviews of progress towards stated objectives;
(b) verifying compliance with management controls;
(c) review of the treatment and resolution of instances of non-compliance;
(d) evaluation of the required approvals and authorisations to ensure accountability to an appropriate level of management; and
(e) tracking reports for approved exceptions to thresholds or limits, management overrides and other deviations from policy.