SYSC 7.1 Risk control
1SYSC 4.1.1 R requires a firm to have effective processes to identify, manage, monitor and report the risks it is or might be exposed to.
3A common platform firm must establish, implement and maintain adequate risk management policies and procedures, including effective procedures for risk assessment, which identify the risks relating to the firm's activities, processes and systems, and where appropriate, set the level of risk tolerated by the firm.
[Note: article 7(1)(a) of the MiFID implementing Directive, article 13(5) second paragraph of MiFID]
3Other firms should take account of the risk management policies and procedures rule (SYSC 7.1.2 R) as if it were guidance (and as if should appeared in that rule instead of must) as explained in SYSC 1 Annex 1.3.3 G4.
A common platform firm must adopt effective arrangements, processes and mechanisms to manage the risk relating to the firm's activities, processes and systems, in light of that level of risk tolerance.
[Note: article 7(1)(b) of the MiFID implementing Directive]
The senior personnel of a common platform firm must approve and periodically review the strategies and policies for taking up, managing, monitoring and mitigating the risks the firm is or might be exposed to, including those posed by the macroeconomic environment in which it operates in relation to the status of the business cycle.
[Note: annex V paragraph 2 of the Banking Consolidation Directive]
For a common platform firm included within the scope of SYSC 20 (Reverse stress testing), the strategies, policies and procedures for identifying, taking up, managing, monitoring and mitigating the risks to which the firm is or might be exposed include conducting reverse stress testing in accordance with SYSC 20. A common platform firm which falls outside the scope of SYSC 20 should consider conducting reverse stress tests on its business plan as well. This would further senior personnel's understanding of the firm's vulnerabilities and would help them design measures to prevent or mitigate the risk of business failure.6
66Other firms should take account of the risk management rules (SYSC 7.1.3 R and SYSC 7.1.4 R) as if they were guidance (and as if "should" appeared in those rules instead of "must") as explained in SYSC 1 Annex 1.3.3 G.
A common platform firm must monitor the following:
- (1)
the adequacy and effectiveness of the firm's risk management policies and procedures;
- (2)
the level of compliance by the firm and its relevant persons with the arrangements, processes and mechanisms adopted in accordance with SYSC 7.1.3 R;
- (3)
the adequacy and effectiveness of measures taken to address any deficiencies in those policies, procedures, arrangements, processes and mechanisms, including failures by the relevant persons to comply with such arrangements or processes and mechanisms or follow such policies and procedures.
[Note: article 7(1)(c) of the MiFID implementing Directive]
A common platform firm must, where appropriate and proportionate in view of the nature, scale and complexity of its business and the nature and range of the investment services and activities undertaken in the course of that business, establish and maintain a risk management function that operates independently and carries out the following tasks:
- (1)
implementation of the policies and procedures referred to in SYSC 7.1.2 R to SYSC 7.1.5 R; and
- (2)
provision of reports and advice to senior personnel in accordance with SYSC 4.3.2 R.
[Note: MiFID implementing Directive Article 7(2) first paragraph]
Where a common platform firm is not required under SYSC 7.1.6 R to maintain a risk management function that functions independently, it must nevertheless be able to demonstrate that the policies and procedures which it has adopted in accordance with SYSC 7.1.2 R to SYSC 7.1.5 R satisfy the requirements of those rules and are consistently effective.
[Note: article 7(2) second paragraph of the MiFID implementing Directive]
3Other firms should take account of the risk management rules (SYSC 7.1.5 R to SYSC 7.1.7 R) as if they were guidance (and as if should appeared in those rules instead of must) as explained in SYSC 1 Annex 1.3.3 G4.
- (1)
SYSC 4.1.3 R requires a BIPRU firm to ensure that its internal control mechanisms and administrative and accounting procedures permit the verification of its compliance with rules adopted in accordance with the Capital Adequacy Directive at all times. In complying with this obligation, a BIPRU firm should document the organisation and responsibilities of its risk management function and it should document its risk management framework setting out how the risks in the business are identified, measured, monitored and controlled.2
- (2)
The term 'risk management function' in SYSC 7.1.6 R and SYSC 7.1.7 R refers to the generally understood concept of risk assessment within a firm, that is, the function of setting and controlling risk exposure.The risk management function is not a controlled function itself, but is part of the systems and controls function (CF28).29
3
Credit and counterparty risk
A BIPRU firm must base credit-granting on sound and well-defined criteria and clearly establish the process for approving, amending, renewing, and re-financing credits.
[Note: annex V paragraph 3 of the Banking Consolidation Directive]
A BIPRU firm must operate through effective systems the ongoing administration and monitoring of its various credit risk-bearing portfolios and exposures, including for identifying and managing problem credits and for making adequate value adjustments and provisions.
[Note: annex V paragraph 4 of the Banking Consolidation Directive]
A BIPRU firm must adequately diversify credit portfolios given its target market and overall credit strategy.
[Note: annex V paragraph 5 of the Banking Consolidation Directive]
The documentation maintained by a BIPRU firm under SYSC 4.1.3 R should include its policy for credit risk, including its risk appetite and provisioning policy and should describe how it measures, monitors and controls that risk. This should include descriptions of the systems used to ensure that the policy is correctly implemented.
Residual risk
A BIPRU firm must address and control by means of written policies and procedures the risk that recognised credit risk mitigation techniques used by it prove less effective than expected.
[Note: annex V paragraph 6 of the Banking Consolidation Directive]
Market risk
A BIPRU firm must implement policies and processes for the measurement and management of all material sources and effects of market risks.
[Note: annex V paragraph 10 of the Banking Consolidation Directive]
Interest rate risk
A BIPRU firm must implement systems to evaluate and manage the risk arising from potential changes in interest rates as they affect a BIPRU firm's non-trading activities.
[Note: annex V paragraph 11 of the Banking Consolidation Directive]
Operational risk
A BIPRU firm must implement policies and processes to evaluate and manage the exposure to operational risk, including to low-frequency high severity events. Without prejudice to the definition of operational risk, BIPRU firms must articulate what constitutes operational risk for the purposes of those policies and procedures.
[Note: annex V paragraph 12 of the Banking Consolidation Directive]