The PRA has published an updated version of Supervisory Statement 21/15: Internal governance (SS21/15).
In SS21/15, the PRA sets out its expectations in relation to how firms should comply with the rules in the following parts of the PRA Rulebook:
- General Organisational Requirements;
- Knowledge and Expertise;
- Compliance and Internal Audit;
- Risk Controls; and
- Outsourcing and Record Keeping.
SS21/15 was updated to include a section on ‘Risk control and governance’ relating to the expectations of the Chief Risk Officer and risk committee following Consultation Paper 17/15: The PRA Rulebook: Part 3.
Among other things the updated version of SS21/15 states that the PRA expects that a Chief Risk Officer should:
- ensure that the data used by the firm to assess its risks are fit for purpose in terms of quality, quantity and breadth;
- provide oversight and challenge of the firm’s systems and controls in respect of risk management;
- provide oversight and validation of the firm’s external reporting of risk;
- ensure the adequacy of risk information, risk analysis and risk training provided to members of the firm’s governing body;
- report to the firm’s governing body on the firm’s risk exposures relative to its risk appetite and tolerance, and the extent to which the risks inherent in any proposed business strategy and plans are consistent with the governing body’s risk appetite and tolerance. The Chief Risk Officer should also alert the firm’s governing body to and provide challenge on, any business strategy or plans that exceed the firm’s risk appetite and tolerance; and
- provide risk-focused advice and information into the setting and individual application of the firm’s remuneration policy.
The PRA expects that where a firm is part of a group it will structure its arrangements so that a Chief Risk Officer at an appropriate level within the group will exercise the functions mentioned above taking into account group-wide risks.
View Supervisory Statement 21/15: Internal governance, 28 April 2017