In order to demonstrate compliance with Rule A4.3.23, an Authorised Person should give due regard to the following expectations of the Regulator:

(a) the risk measurement system should be used in conjunction with internal Exposure limits;
(b) the risk management processes of an Authorised Person relating to the use of own-estimate haircuts should be subject to internal audit at least once a year, covering the following areas:
(i) the integration of risk measures into daily risk management;
(ii) the validation of any significant change in the risk management process;
(iii) the accuracy and completeness of position data;
(iv) the verification of the consistency, timeliness and reliability of data sources used to run internal models, including the independence of such data sources; and
(v) the accuracy and appropriateness of volatility assumptions.
(c) such internal audits referred to in (b) are not to be confused with an internal validation of the risk management systems surrounding the use of own-estimate haircuts. All significant risk models employed to support the use of own-estimate haircuts should be validated at least once a year. The internal audits serve as an independent process check to help ensure that the validation is sufficiently robust and effective.