4

Risk appetite, risk management and internal controls

4.1

The business strategy should be supported by a well-articulated and measurable statement of risk appetite (expressed in terms that can be readily understood by employees throughout the business), which is clearly owned by the board, integral to the strategy the board has signed off and actively used by them to monitor and control actual and prospective risks and to inform key business decisions. All the directors should have the time and opportunity to contribute to the development of the risk appetite, and to provide appropriate challenge, before final approval by the board. The PRA will expect to see evidence of this active oversight of risks according to the risk appetite. The risk control framework should flow from the board’s risk appetite.

4.2

The PRA will also expect to see evidence that the board and its relevant sub-committees exercise effective oversight of risk management and controls, supported with meaningful and well-targeted management information used to inform board discussions. It is the responsibility of the board to ensure that the effectiveness of the risk control framework is kept actively under review, that it remains aligned with the board’s risk appetite, and that the board has the management information it needs.

4.3

Where firms have dedicated risk and/or audit committees, the chairs of these committees will be deemed responsible for safeguarding the independence, and overseeing the performance, of the firm’s executive risk and audit functions respectively, including the chief risk officer and head of internal audit. The board also needs to ensure that it has robust arrangements for oversight of other control functions, such as compliance.