Risk Control


Application and definitions


Unless otherwise stated, this Part applies to a CRR firm

  1. (1) with respect to the carrying on of the following from an establishment in the UK:
    1. (a) regulated activities;
    2. (b) activities that constitute dealing in investments as principal, disregarding the exclusion in article 15 of Regulated Activities Order;
    3. (c) ancillary activities;
    4. (d) in relation to MiFID business, ancillary services; and
    5. (e) unregulated activities in a prudential context;
  2. (2) [deleted.]
  3. (3) in a prudential context with respect to activities wherever they are carried on; and
  4. (4) taking into account any activity of other members of a group of which the firm is a member.


2.1A to 2.2B do not apply to a firm with respect to the carrying on of benchmarking activities except to the extent that before IP completion day, they were made to transpose an EU instrument.


In this Part, the following definitions shall apply:

Article 23 Risk Control Requirements

means requirements and obligations as set out in Article 23 (Risk Management) of the MODR.

other matters

means, in relation to a requirement under the MODR, matters within the scope of 1.1 that are not within the scope of that requirement.


Risk Control


A firm’s risk management procedures must include effective procedures for risk assessment.

[Art. 16(5) second paragraph of MiFID II]


A MiFID investment firm must extend the arrangements required by the Article 23 Risk Control Requirements so they apply with respect to other matters on the following basis:

  1. (1) references to “relevant persons” are references to relevant persons;
  2. (2) references to “investment services and activities” are references to regulated activities;
  3. (3) references to policies and procedures includes the policies and procedures set out in this Part; and
  4. (4) references to provision of reports and advice to senior management includes the provision of report and advice to senior personnel in accordance with General Organisational Requirements 4.1A.


A firm that is not a MiFID investment firm must comply with the Article 23 Risk Control Requirements on the basis set out in 2.2A and as if references to “investment firm” refer to a firm.


A firm must ensure that the management body approves and periodically reviews the strategies and policies for taking up, managing, monitoring and mitigating the risks the firm is or might be exposed to, including those posed by the macroeconomic environment in which it operates in relation to the status of the business cycle.

[Note: Art. 76(1) of the CRD]


  1. (1) A firm must ensure the following:
    1. (a) the management body has overall responsibility for risk management and devotes sufficient time to the consideration of risk issues; and
    2. (b) the management body is actively involved in and ensures that adequate resources are allocated to the management of all material risks addressed in the rules implementing the CRD and in the CRR as well as in the valuation of assets, the use of external ratings and internal models related to those risks.
  2. (2) A firm must establish reporting lines to the management body that cover all material risks and risk management policies and changes thereof.

[Note: Art. 76(2) of the CRD]


Risk Committee


  1. (1) A firm that is significant must establish a risk committee composed of members of the management body who do not perform any executive function in the firm. Members of the risk committee must have appropriate knowledge, skills and expertise to fully understand and monitor the risk strategy and the risk appetite of the firm.
  2. (2) A firm must ensure that the risk committee advises the management body on the firm’s overall current and future risk appetite and assists the management body in overseeing the implementation of that strategy by senior management.
  3. (3) A firm must ensure that the risk committee reviews whether prices of liabilities and assets offered to clients take fully into account the firm’s business model and risk strategy. Where prices do not properly reflect risks in accordance with the business model and risk strategy, the firm must ensure that the risk committee presents a remedy plan to the management body.

[Note: Art. 76(3) of the CRD]


A firm must ensure that the management body in its supervisory function and, where a risk committee has been established, the risk committee:

  1. (1) have adequate access to information on the risk profile of the firm and, if necessary and appropriate, to the risk management function and to external expert advice; and
  2. (2) determine the nature, the amount, the format, and the frequency of the information on risk which it is to receive.

[Note: Art. 76(4) of the CRD]


In order to assist in the establishment of sound remuneration policies and practices, a firm must ensure that the risk committee, without prejudice to the tasks of the remuneration committee, examines whether incentives provided by the remuneration system take into consideration risk, capital, liquidity and the likelihood and timing of earnings.

[Note: Art. 76(4) of the CRD]


A firm must ensure the following:

  1. (1) the risk management function is independent from the operational functions and has sufficient authority, stature, resources and access to the management body;
  2. (2) the risk management function ensures that all material risks are identified, measured and properly reported, is actively involved in elaborating the firm’s risk strategy and in all material risk management decisions and is able to deliver a complete view of the whole range of risks of the firm; and
  3. (3) the risk management function is able to report directly to the management body in its supervisory function, independent from senior management and that it can raise concerns and warn the management body, where appropriate, where specific risk developments affect or may affect the firm, without prejudice to the responsibilities of the management body in its supervisory and/or managerial functions pursuant to the CRD and the CRR.

[Note: Art. 76(5) of the CRD]


A firm must ensure that the head of the risk management function is an independent senior manager with distinct responsibility for the risk management function. Where the nature, scale and complexity of the activities of the firm do not justify a specially appointed person, another senior person within the firm may fulfil that function, provided there is no conflict of interest. A firm must ensure that the head of the risk management function must not be removed without prior approval of the management body and is able to have direct access to the management body where necessary.

[Note: Art. 76(5) of the CRD]


Group Arrangements


Where an Article 109 undertaking is a member of a consolidation group or a sub-consolidation group, it must ensure that the risk management processes and internal control mechanisms at the level of the consolidation group or sub-consolidation group of which it is a member comply with the obligations set out in 2.3, 2.7 and Chapter 3 on a consolidated basis or a sub-consolidated basis.


Where this Part applies on a consolidated basis or on a sub-consolidated basis, an Article 109 undertaking must carry out consolidation to the same extent and in the same manner as it is required to comply with the obligations laid down in Parts Two to Eight of the CRR on a consolidated basis or sub-consolidated basis.


Compliance with the obligations referred to in 4.1 must enable the consolidation group or sub-consolidation group to have arrangements, processes and mechanisms that are consistent and well integrated and that any data relevant to the purpose of supervision can be produced.

[Note: Art 109(2) of the CRD]