Governing Body responsibilities
1. The GEN rules contain Rules and Guidance regarding corporate governance requirements for Authorised Persons, including the responsibilities of an Authorised Person regarding risk management.
2. In developing, implementing and maintaining an effective Operational Risk framework, an Authorised Person's Governing Body should:
a. approve and review a risk appetite and tolerance for Operational Risk that articulates the nature, types and levels of Operational Risk that the Authorised Person is willing to assume;
b. consider all relevant risks, the Authorised Person's level of risk appetite, its current financial condition and its strategic direction. The Governing Body should monitor management adherence to the risk appetite and tolerance and provide for timely detection and remediation of breaches;
c. encourage a management culture, and develop supporting processes, which help to engender within the Authorised Person an understanding by relevant Employees of the nature and scope of the Operational Risk inherent in the Authorised Person's strategies and activities;
d. provide senior management with clear guidance and direction regarding the principles underlying the Authorised Person's Operational Risk management framework and approve the corresponding policies developed by senior management;
e. regularly review the Authorised Person's Operational Risk policy to ensure that the Authorised Person has identified and is managing the Operational Risk arising from external market changes and other environmental factors, as well as those Operational Risks associated with new strategies, products, activities, or systems, including changes in risk profiles and priorities (e.g. changing business volumes). Such review should also take into account the Operational Risk loss experience, the frequency, volume or nature of limit breaches, the quality of the control environment and the effectiveness of risk management or mitigation strategies;
f. ensure that the Authorised Person's Operational Risk policy and framework are subject to effective independent review by audit or other appropriately trained Persons;
g. ensure that management is incorporating industry best practice in managing Operational Risk; and
h. establish clear lines of management responsibility and accountability for implementing a strong control environment. The control environment should provide appropriate independence/separation of duties between Operational Risk control functions, business lines and support functions.