2

Risk Control

2.1

A firm must establish, implement and maintain adequate risk management policies and procedures, including effective procedures for risk assessment, which identify the risks relating to the firm's activities, processes and systems, and where appropriate, set the level of risk tolerated by the firm.

[Note: Art. 7(1)(a) of the MiFID implementing Directive, Art. 13(5) second paragraph of MiFID]

2.2

A firm must adopt effective arrangements, processes and mechanisms to manage the risk relating to the firm’s activities, processes and systems, in light of that level of risk tolerance.

[Note: Art. 7(1)(b) of the MiFID implementing Directive]

2.3

The management body of a firm must approve and periodically review the strategies and policies for taking up, managing, monitoring and mitigating the risks the firm is or might be exposed to, including those posed by the macroeconomic environment in which it operates in relation to the status of the business cycle.

[Note: Art. 76(1) of the CRD]

2.4

A firm must monitor the following:

  (1) the adequacy and effectiveness of the firm's risk management policies and procedures;
  (2) the level of compliance by the firm and its relevant persons with the arrangements, processes and mechanisms adopted in accordance with 2.2;
  (3) the adequacy and effectiveness of measures taken to address any deficiencies in those policies, procedures, arrangements, processes and mechanisms, including failures by the relevant persons to comply with such arrangements or processes and mechanisms or follow such policies and procedures.

[Note: Art. 7(1)(c) of the MiFID implementing Directive]

2.5

A firm must, where appropriate and proportionate in view of the nature, scale and complexity of its business and the nature and range of the investment services and activities undertaken in the course of that business, establish and maintain a risk management function that operates independently and carries out the following tasks:

  (1) implementation of the policies and procedures referred to in 2.1 to 2.4; and
  (2) provision of reports and advice to senior personnel in accordance with General Organisational Requirements 4.2.

[Note: Art. 7(2) first paragraph of the MiFID implementing Directive]

2.6

Where a firm is not required under 2.5 to maintain a risk management function that functions independently, it must nevertheless be able to demonstrate that the policies and procedures which it has adopted in accordance with 2.1 to 2.4 satisfy the requirements of those rules and are consistently effective.

[Note: Art. 7(2) second paragraph of the MiFID implementing Directive]

2.7

  (1) The management body of a firm has overall responsibility for risk management. It must devote sufficient time to the consideration of risk issues.
  (2) The management body of a firm must be actively involved in and ensure that adequate resources are allocated to the management of all material risks addressed in the rules implementing the CRD and in the CRR as well as in the valuation of assets, the use of external ratings and internal models related to those risks.
  (3) A firm must establish reporting lines to the management body that cover all material risks and risk management policies and changes thereof.

[Note: Art. 76(2) of the CRD]