
Our Ref : B1/21C The Chief Executive All Authorized ... · supports the Board and senior management...

Date post: 03-Jul-2020

Our Ref : B1/21C
B1/15C

31 December 2010

The Chief Executive
All Authorized Institutions

Dear Sir / Madam,

Supervisory Policy Manual (SPM)
IC-1 “General Risk Management Controls”

I am writing to inform you that, following consultation with the two industry Associations, the Monetary Authority is issuing today a revised version of the above-mentioned SPM module as a statutory guideline by notice in the Gazette under section 7(3) of the Banking Ordinance.

As part of the process to enhance its supervisory framework and guidelines in the aftermath of the global financial crisis, the HKMA has updated the SPM module to reflect changes in international standards and practices in response to lessons learned from the crisis.

The changes to the module mainly relate to general risk management issues that have firm-wide implications, having regard to relevant risk management deficiencies identified in relation to those banks more adversely affected by the crisis. These include, for example, the lack of a comprehensive approach to managing firm-wide risks; ineffective risk management oversight by the Board of Directors and senior management in risk identification, analysis and monitoring; and inadequate information and system infrastructure to support the broad management of financial risks. Other risk-specific issues have been or are being addressed in the relevant SPM modules for individual risks (including counterparty credit risk, liquidity risk, and market risk).

Highlighted below are the major areas of change in the module, many of which build upon existing guidance and concepts already embedded within it.

Risk management governance

The revised module reinforces the risk management responsibilities of the Board and senior management of an AI and the need for them to put in place sound risk governance arrangements. Members of the Board and senior management are expected to possess adequate knowledge and understanding of the material risks faced by the AI (including those associated with any complex and high risk activities); dedicate sufficient time and effort to overseeing and participating in the AI’s risk management process; maintain continued awareness of the AI’s risk profile and of developments that may lead to emerging risks; and ensure the effectiveness of independent risk management and control functions. The Board and senior management of an AI should also promote continuous and robust dialogue and information sharing among members of senior management, business lines, and risk management and control functions so that sources of significant risk to the institution as a whole can be promptly identified, analysed and mitigated.

Firm-wide risk management

The revised module stresses the importance of an AI having a sound firm-wide risk management framework which enables the AI to set its risk appetite and tolerance, and supports the Board and senior management both in managing risk from an integrated, firm-wide perspective and in identifying and reacting to emerging and growing risks in a timely and effective manner. More guidance is provided, in particular, on the following aspects:

(i) the articulation of, and the monitoring of adherence to, the risk appetite approved by the Board;

(ii) the establishment of a comprehensive and independent risk management function to coordinate risk management activities across the institution;

(iii) the development and implementation of firm-wide risk management policies and procedures that provide for –

• objective and consistent risk identification and measurement approaches;

• sound valuation and stress-testing practices; and

• effective risk monitoring measures and controls;

(iv) the process and procedures for approving new products and services as well as significant changes to existing products and services;

(v) the key elements of an effective risk management information system to support firm-wide risk oversight; and

(vi) the use of risk measurement models or methodologies for risk assessment and analysis, bearing in mind their practical and conceptual limitations as well as inherent assumptions.

Information system and infrastructure

AIs are expected to have in place a management information system with sufficient technological support and processing capacity (including in times of stress) to effectively measure and report on the risks of major functions, products or business activities within the institution. To enable proactive risk management, the system should be adaptable and responsive to changes in the assumptions used for risk management and aggregation; be capable of incorporating multiple perspectives of risk exposure to account for uncertainties in risk measurement; and be sufficiently flexible to allow for the generation of forward-looking firm-wide scenario analyses that capture management’s interpretation of evolving market conditions and stressed conditions.

Internal audit and compliance functions

The revised module provides expanded guidance on the key attributes and responsibilities of the internal audit and compliance functions, the effectiveness of which is important for ensuring the integrity of an AI’s overall risk management process.

The standards laid down in the revised module will be applied to all AIs on a proportionate basis, having regard to their size, nature and complexity of operations. Given that the changes incorporated into the module are crucial for effective risk management, AIs will be expected to bring themselves in line with the revised module without delay. Nevertheless, if individual AIs need more time to complete system and process changes for implementing specific aspects of the guidance, they may discuss and agree with the HKMA an implementation plan and timetable for the aspects concerned.

On-line access to the SPM module is available to AIs under the icon for “Supervisory Policy Manual” on the HKMA’s public (http://www.info.gov.hk/hkma) and private (http://www.stet.finnet.hk/index.htm) websites.

Should you have any questions relating to the module, please contact Rita Yeung at 2878-1388 or Polly Yan at 2878-1528.

Yours faithfully,

Karen Kemp
Executive Director (Banking Policy)

c.c. The Chairman, Hong Kong Associations of Banks
The Chairman, The DTC Association
FSTB (Attn : Ms Natalie Li)


Supervisory Policy Manual

IC-1 General Risk Management Controls

V.2 – 31.12.2010


This module should be read in conjunction with the Introduction and with the Glossary, which contains an explanation of abbreviations and other terms used in this Manual. If reading on-line, click on blue underlined headings to activate hyperlinks to the relevant module.

—————————

Purpose

To specify the general controls which the MA expects AIs to have in place in their risk management systems

Classification

A statutory guideline issued by the MA under the Banking Ordinance, §7(3)

Previous guidelines superseded

IC-1 “General Risk Management Controls” (V.1) dated 25.04.03

Application

To all AIs

Structure

1. Introduction

1.1 Background

1.2 Scope and overview

2. Board and senior management oversight

2.1 Risk management role and governance

2.2 Setting of risk appetite

2.3 Firm-wide risk management

2.4 Use of specialised committees

3. Risk management policies, procedures and limits


3.1 Policies and procedures

3.2 Risk limits

3.3 New products and services

4. Risk management systems and processes

4.1 Risk management function

4.2 Risk management information system

4.3 Risk measurement and assessment systems

4.4 Risk-adjusted performance measurement

4.5 Sensitivity analysis and stress-testing

5. Internal controls, audits and contingency planning

5.1 Internal control system

5.2 Internal audit function

5.3 Compliance function

5.4 Contingency and business continuity planning


1. Introduction

1.1 Background

1.1.1 Risk-taking is an integral part of banking business. Each AI has to find an appropriate balance between the level of risk the AI is willing and able to take and the level of return it seeks to attain, without undermining its overall financial soundness and viability. An effective risk management system that is commensurate with the size and complexity of an AI’s operations needs to be in place to help ensure that the risks undertaken are well managed within the AI’s risk appetite and that the system achieves its intended results.

1.1.2 According to the “Core Principles for Effective Banking Supervision” issued by the Basel Committee in October 2006, banking supervisors should be satisfied that banks have in place a comprehensive risk management process (including Board and senior management oversight) to identify, measure, monitor and control or mitigate all material risks and to assess their overall capital adequacy in relation to their risk profile.

1.1.3 Consistent with the Basel Core Principles, the HKMA requires AIs, under its risk-based supervisory approach, to establish a sound and effective system to manage each of the eight inherent risks (viz. credit, market, interest rate, liquidity, operational, reputation, legal and strategic) to which they are exposed (see section 2 of SA-1 “Risk-based Supervisory Approach”). Locally incorporated AIs are also required to have adequate internal systems for assessing capital adequacy in relation to the risks they assume (as prescribed in CA-G-5 “Supervisory Review Process”).

1.1.4 For the purposes of this module, “risk management” refers broadly to the policies, systems and procedures adopted by AIs in identifying, measuring, monitoring, controlling or mitigating, and reporting the various types of risk they face.


1.2 Scope and overview

1.2.1 This module is intended to cover general systems and controls relating to risk management. Some of the specific systems and controls associated with various inherent risks specified in para. 1.1.3 above are separately described in the relevant modules, including:

• CR-G-1 “General Principles of Credit Risk Management”;

• CR-G-13 “Counterparty Credit Risk Management”;

• TA-1 “Market Risk Management”;1

• TA-2 “Foreign Exchange Risk Management”;

• IR-1 “Interest Rate Risk Management”;

• LM-2 “Sound Systems and Controls for Liquidity Risk Management”;2

• OR-1 “Operational Risk Management”;

• RR-1 “Reputation Risk Management”; and

• SR-1 “Strategic Risk Management”.

1.2.2 In addition, this module stresses the importance of each AI having a sound firm-wide risk management framework that enables the AI to set its appetite and tolerance for risks, and supports the Board and senior management in managing its risks from an integrated, firm-wide perspective and in identifying and reacting to emerging and growing risks in a timely and effective manner.3

1 The module is under development.

2 The module is under industry consultation.

3 For a banking group, the concept of firm-wide risk management will similarly apply on a group-wide basis, i.e. through managing the relevant risks of the parent bank and its group entities as a whole.


1.2.3 While risk management systems may vary among AIs, the basic elements contributing to a sound risk management environment are:

• appropriate Board and senior management oversight (see section 2 below);

• adequate organisational policies, procedures and limits to identify and manage all relevant risks across business activities (see section 3 below);

• adequate risk measurement, monitoring and reporting systems to support all business activities and related risks (see section 4 below);

• well-established internal controls and comprehensive audits to detect any deficiencies in the internal control environment in a timely fashion (see section 5 below); and

• sufficient arrangements to deal with contingency or emergency situations (see section 5 below).

1.2.4 An overview of how the elements above fit together is illustrated below. This illustration is not intended to be prescriptive but is indicative of the elements of a sound risk management system.


Figure: Elements of a sound risk management system

• Board of Directors: Ultimately responsible for risk management

• Specialised Committees: Responsible for overseeing risk management (Executive Committee / Risk Management Committee4; Remuneration Committee; Audit Committee; Asset and Liability Committee; Credit Committee; Operational Risk Management Committee; Other Risk Management Committees)

• Senior Management: Responsible for overseeing day-to-day risk management

• Individual Business Units / Activities: Responsible for compliance with policies, procedures and limits (front office)

• Risk Management Unit: Responsible for day-to-day risk management (middle office)

• Compliance Unit: Responsible for legal and regulatory compliance

• Internal Audit Unit: Responsible for independent checking

• Risk types shown: Credit Risk; Market Risk; Interest Rate Risk; Liquidity Risk; Operational Risk; Other Risks

• Processes shown: Risk Measurement & Assessment; Limits Monitoring; Risk Control & Reporting

4 In some cases, a Risk Management Committee is established specifically to take up the function of overseeing the various aspects of risk management on an integrated basis.


1.2.5 The standards laid down in this module will be applied to AIs on a proportionate basis, having regard to their size, nature and complexity of operations. AIs will also be expected to apply similar risk management systems and processes to their subsidiaries and, to the extent practicable, associated companies and joint ventures which may expose them to significant potential risk5.

1.2.6 Failure to adhere to the general requirements set out in this module may call into question whether an AI continues to satisfy the minimum criteria for authorization in the Banking Ordinance and cast doubt on the fitness and propriety of its directors, chief executives and senior management.

2. Board and senior management oversight

2.1 Risk management role and governance

2.1.1 The Board and senior management of an AI have the primary responsibility to understand the risks run by the AI and ensure that these risks are properly managed.

2.1.2 In fulfilling this responsibility, the Board and senior management should, among other things:

• have knowledge and expertise sufficient to understand all material risks faced by the AI, including the risks associated with new or complex products and high risk activities, and the interaction of these risks under stressed conditions;

• have direct involvement in setting, and monitoring adherence to, the AI’s risk appetite, which should be commensurate with its operations and strategic goals;

5 Whether the standards should be applied to associated companies or joint ventures will also depend on the extent of an AI’s affiliation to the entities and the level of control it can exercise over the entities.


• create a strong corporate and risk management culture and ensure that the AI’s risk appetite is well enshrined within the culture;

• dedicate sufficient time, effort and resources to overseeing and participating in the AI’s risk management process, with a full and ongoing commitment to risk control;

• maintain continued awareness of the AI’s business profile and risks as well as changes in the operating environment and financial markets that may give rise to emerging risks;

• ensure that the necessary infrastructure, systems and controls are developed and maintained to support effective risk management and governance;

• establish an organisation and management structure with a sound control environment, adequate segregation of duties and clear accountability and lines of authority;

• set up effective controls to ensure the integrity of the AI’s overall risk management process and to monitor the AI’s compliance with all applicable laws, regulations, supervisory standards, best practices and internal policies and guidelines; and

• ensure that the AI’s remuneration systems are consistent with, and promote, effective risk management and do not incentivise imprudent or excessive risk-taking (see CG-5 “Guideline on a Sound Remuneration System”).

2.1.3 In order to ensure sound risk governance, the Board and senior management should establish a comprehensive and independent risk management function6 to monitor and coordinate risk management activities across the entire organisation (see subsection 4.1 below).

6 Some AIs may refer to this function as the “risk control function”.

2.1.4 The Board and senior management should also promote the establishment of regular and transparent communication mechanisms within the organisation, so that there is continuous and robust dialogue and information sharing among members of senior management7, business line risk owners, and independent risk management and control functions in respect of firm-wide risk measurement, analysis and management issues. Consideration should be given to forming a Risk Management Committee for this purpose.

2.1.5 Risk governance arrangements (including responsibilities, structure, risk appetite, etc.) should be documented and updated as appropriate. All relevant staff (including business units) should be informed of these arrangements and their respective roles in the oversight and management of risk.

2.2 Setting of risk appetite

2.2.1 An AI’s risk appetite (or risk tolerance) describes the level of risk the AI is willing to take, having regard to its financial capacity, strategic direction and regulatory constraints (e.g. capital and liquidity requirements).

2.2.2 The Board is responsible for setting the overall risk appetite of the AI and approving its risk appetite statements. While there is no common way of expressing risk appetite, an AI’s risk appetite statements should be comprehensive, include appropriate risk targets8 that are consistent with one another, and reflect a suitably wide range of measures and actionable elements that clearly articulate the AI’s intended responses to a range of possible events, e.g. a loss of capital or a breach in risk limits. Management actions documented in the statements should be realistic and feasible for restoring capital or reducing risk in adverse situations.

7 These include the Chief Executive, the Chief Risk Officer and other members at that level.

8 Examples of risk targets include target credit ratings and target rates of return on equity.

2.2.3 In setting the risk appetite, the Board should ensure that all relevant risks of the AI are taken into account, including those that are less quantifiable (e.g. reputation risk) or arise from off-balance sheet transactions. The AI should be able to express its overall risk appetite in a manner that is suitable for the nature and complexity of its business. This process may involve, for example, assessing both the financial and non-financial implications of all relevant risks (through quantitative analysis, stress-testing, reference to historical experience, exercise of judgement or otherwise), setting individual risk limits for more quantifiable risks and determining an overall cap to govern the aggregate level of risk exposures that the AI is willing to assume.

2.2.4 The Board should be satisfied that robust procedures and controls are in place for setting and monitoring the AI’s risk appetite. Sufficient information should be compiled to facilitate regular assessment of the risk appetite by the Board and senior management, such as (i) relevant measures of risk (e.g. based on economic capital or stress tests); (ii) a view of how risk levels compare with limits; (iii) the level of capital that the AI would need to maintain after sustaining a loss of the magnitude of the risk measure; and (iv) the actions that management could take to restore capital after sustaining a loss.

2.2.5 When faced with market demand for increased risk-taking or the need to react promptly to changes in the external environment (e.g. due to competition or deterioration in economic conditions), the Board’s direction is critical to sustaining a disciplined risk appetite for the AI. In these circumstances, the Board should adopt a prudent approach, and should thoroughly understand the AI’s current risk position relative to its risk appetite and how the position would be changed if the risk appetite was changed. In this regard, stress tests may be used to generate a dynamic view of the AI’s capital and risk positions.


2.2.6 The Board should approve any changes to the AI’s risk appetite statements. The justification for change should be adequately documented.

2.3 Firm-wide risk management

2.3.1 The Board and senior management should ensure that an effective risk management framework is in place to facilitate an integrated approach to managing the AI’s firm-wide risks (e.g. credit, market and other major risks).

2.3.2 This framework should enable the identification and management of all major risks across business activities, whatever the nature of the exposure (which may be non-contractual, contingent or off-balance sheet in nature).

Specific responsibilities of the Board

2.3.3 To ensure adequate oversight of firm-wide risks, the Board should, among other things, be responsible for:

• approving a firm-wide definition for different types of risk faced by the AI;

• identifying, understanding and assessing the risks inherent in the AI’s business activities or in new products or services to be launched (see also subsection 3.3 below);

• laying down risk management strategies, and approving a risk management framework developed by senior management based on these strategies which is consistent with the AI’s business goals and risk appetite;

• determining that the risk management framework is properly implemented and maintained by senior management;


• reviewing the risk management framework periodically to ensure that it remains adequate and appropriate under changing business and market conditions;

• ensuring that the information systems and infrastructure are sufficiently resourced and supportive of the AI’s risk management and reporting needs; and

• ensuring that independent risk management and control functions are robust, truly independent from the AI’s risk-taking functions (both in terms of decision-making and reporting structure), and have sufficient authority, resources, expertise and competence to carry out their functions.

Specific responsibilities of senior management

2.3.4 Senior management should be responsible for:

• formulating detailed policies, procedures and limits for managing different aspects of risk arising from the AI’s business activities, based on the risk management strategies laid down by the Board;

• designing and implementing a risk management framework to be approved by the Board and ensuring that the relevant control systems within the framework work as intended. The framework should be implemented throughout the whole organisation and all levels of staff should understand their responsibilities with respect to risk management;

• putting in place processes for reviewing the AI’s risk exposures and ensuring that they are kept within the risk limits set, and that those limits are consistent with the AI’s overall risk appetite, even under stressed conditions;


• identifying and acting on emerging risks and, where appropriate, reporting any material risks to the Board promptly; and

• ensuring the competence of managers and staff responsible for business or risk management functions, with appropriate programmes to recruit, train and retain employees with suitable skills and expertise.

2.4 Use of specialised committees

2.4.1 While the Board is ultimately responsible for risk management, it may delegate authority to one or more than one specialised committee such as a Credit Committee or Asset and Liability Committee (see also section 4 of CG-1 “Corporate Governance of Locally Incorporated Authorized Institutions”) to carry out some of the functions described in para. 2.3.3 above. Delegation of authority should be made on a formal basis, e.g. with a clear mandate. Appropriate reports should be submitted regularly to the Board by the committee or committees to which such authority has been delegated.

2.4.2 Such delegation of authority, however, does not absolve the Board and its members from their risk management responsibilities and the need to oversee the work of the specialised committee(s) exercising delegated authority. Moreover, individual members of the Board will still be expected to have an adequate understanding of the nature of the AI’s business activities and the associated risks as well as the framework, including the major controls (e.g. limits), used to manage the risks.9 If existing members lack the relevant expertise, bringing in new members with such knowledge or appointing external consultants should be considered.

9 For example, some members should preferably have had practical experience in financial markets or have obtained, from their business activities, sufficient professional experience directly linked to such type of activity.

Page 17: Our Ref : B1/21C The Chief Executive All Authorized ... · supports the Board and senior management both in managing risk from an integrated, firm-wide perspective and in identifying

Supervisory Policy Manual

IC-1 General Risk Management Controls

V.2 – 31.12.2010

3. Risk management policies, procedures and limits

3.1 Policies and procedures

3.1.1 AIs should have clearly defined policies and procedures that enable firm-wide risks to be managed in a proactive manner10, with emphasis on achieving:

• objective and consistent risk identification and measurement approaches;

• comprehensive and rigorous risk assessment and reporting systems;

• sound valuation and stress-testing practices; and

• effective risk monitoring measures and controls.

These documents should be approved by the Board or its designated committee(s).

3.1.2 The risk management policies and procedures should be developed based on a comprehensive review of all business activities of an AI, and cover all material risks, both financial and non-financial (e.g. reputation risk) associated with the AI’s activities. They should be prepared on a firm-wide basis and, where applicable, on a group-wide basis.

3.1.3 The development of risk management policies and procedures should take account of the following factors:

• an AI’s overall business strategy and activities;

• the appropriateness to the size, nature and complexity of the AI’s business activities;

• the risk appetite of the AI;

10 Overseas incorporated AIs may, to a large extent, apply the firm-wide policies and procedures set by their head offices to their Hong Kong operations, provided that such documents are customised to take account of local market conditions.

• the level of sophistication of the AI’s risk monitoring capability, risk management systems and processes;

• the AI’s past experience and performance;

• the economic substance of the AI’s risk exposures (including reputation risk and valuation uncertainty);

• the results of sensitivity analysis and stress tests;

• anticipated internal or external changes (e.g. planned operational changes or expected changes in market conditions); and

• any legal and regulatory requirements.

3.1.4 Accountability and the lines of authority for each business line or unit should be spelled out clearly in the policies and procedures, and updated as appropriate.

3.1.5 The risk management policies and procedures should keep pace with the changing environment. The Board or its designated committee(s) should review these documents on a regular basis (e.g. at least annually). If the review is carried out by the committee(s) or senior management, any material amendment to the policies and procedures should be submitted to the Board for adoption and formal ratification.

3.1.6 Where appropriate, the risk management policies and procedures should also cover the use of risk-mitigating techniques (e.g. hedging, buying insurance protection or using credit derivatives). If AIs employ risk-mitigating techniques, they should understand the risk to be mitigated and the potential effects of that mitigation (including its effectiveness and enforceability), and have in place appropriate measures to control the risks associated with these techniques.

3.2 Risk limits

3.2.1 A set of limits should be put in place to control an AI’s exposure to various quantifiable risks associated with its business activities (e.g. credit risk, market risk, interest rate risk and liquidity risk). Limits should also be used to control different sources of risk concentration, including (i) those arising directly from exposures to borrowers and obligors or indirectly through investments backed by a particular asset type, e.g. collateralised debt obligations, and (ii) those resulting from similar exposures across different business activities. These limits should be documented and approved by the Board or its designated committee(s).

3.2.2 Risk limits should be set in line with an AI’s risk appetite. To ensure consistency between risk limits and business strategies, the Board may wish to approve limits as part of the overall annual budget process.

3.2.3 Risk limits should be suitable to the size and complexity of an AI’s business activities and compatible with the sophistication of its products and services. Excessively high limits may fail to trigger prompt management action while overly restrictive limits that are frequently exceeded may undermine the purpose of the limit structure.

3.2.4 Risk limits may be set at various levels, e.g. individual business lines or units, the firm or the group as a whole. AIs should have a clearly documented methodology for allocating overall risk limits across business lines and units.

3.2.5 The Board or its designated committee(s) should ensure that limits are subject to regular review and are reassessed in the light of changes in market conditions or business strategies.

3.2.6 Risk limits should be clearly communicated to the business units and understood by the relevant staff.

3.2.7 Limit utilisation should be closely monitored. Any excesses or exceptions should be reported promptly to senior management for necessary action.

3.3 New products and services

3.3.1 AIs should have in place an internally approved and well-documented “new product approval policy” which addresses not only the development and approval of entirely new products and services but also significant changes in the features of existing products and services. The approach to determining whether changes to existing products and services are considered to be “significant” should also be documented.

3.3.2 The new product approval policy of an AI should, at a minimum, cover the following areas:

• all aspects of the decision to enter new markets or deal in new products or services, including the definition of new product, market, service or business to be adopted by the AI;

• the internal functions involved in the decision (either through a standing or ad hoc committee);

• other issues involved in undertaking a new activity. These may relate, for example, to pricing models, profit margin, software and technology, risk management tools, and control procedures; and

• the process and procedures for approving significant changes to existing products or services.

3.3.3 New products or services should be subject to a careful evaluation or pre-implementation review to ensure that:

• all relevant parties, including the Board or its designated committee(s), senior management and other managers as appropriate, fully understand the risk characteristics; the underlying assumptions regarding business models, valuation and risk management practices; the potential risk exposure if those assumptions fail; and the possible difficulty in valuing the product involved, especially in times of stress; and

• there are adequate staffing, technology and financial resources to launch the product or service, as well as adequate internal tools and expertise to monitor the risks associated with it.

3.3.4 Proposals to introduce new products or services should generally include:

• a description of the new product or service;

• a detailed risk assessment;

• a cost and benefit analysis;

• consideration of the related risk management implications and identification of the resources required to ensure effective risk management of the product or service (e.g. system enhancement);

• an analysis of the proposed scale of new activities in relation to the AI’s overall financial condition and capital strength; and

• the procedures to be used for measuring, monitoring, controlling or mitigating, and reporting the risks.

3.3.5 All relevant departments, e.g. risk control, accounting, operations, legal and compliance, should be consulted as appropriate, before a new product or service is launched. New products or services which could have a significant impact on an AI’s risk profile should be brought to the attention of the Board or its designated committee(s) before the launch.

3.3.6 AIs should perform a post-implementation evaluation of new products or services, the results of which should be taken into account for the development of any similar products or services in the future.

3.3.7 The risk management function should participate in the process of approving new products or services (or significant changes to existing products or services). It should also have a clear overview of the roll-out of new products or services (or significant changes to existing products or services) across different business activities. Where appropriate, it should have the power to require that significant changes to existing products or services go through the formal approval process applicable to new products or services.

4. Risk management systems and processes

4.1 Risk management function

Key responsibilities and attributes

4.1.1 AIs should establish a dedicated risk management function to carry out day-to-day risk management activities across the whole organisation.

4.1.2 An effective risk management function should:

• have clearly defined responsibilities;

• have a direct reporting line to the relevant Risk Management Committee or senior management;

• be independent from the risk-taking and operational units the activities of which it reviews, and have unfettered access to information from these units that is necessary for carrying out its duties;

• be supported by an effective management information system (see subsection 4.2 below); and

• be given adequate authority, management support and resources to perform its duties, and be staffed by persons with the relevant expertise and knowledge.

4.1.3 The responsibilities of an AI’s risk management function include:

• ensuring that all relevant risks of the AI are identified, well understood, and adequately measured and assessed;

• ensuring that the AI’s risk management framework, and all related policies and control procedures, are adequately implemented and complied with;

• being actively involved, at an early stage, in the AI’s decision-making on business strategies and developments that may have implications for risk management;

• monitoring the use of risk limits and ensuring that quantifiable risks are within the structure of approved limits. This will include ensuring that the risk exposures of individual business units in respect of various risks are properly aggregated and monitored against the aggregate limits for the AI as a whole;

• overseeing and approving risk assessment models and internal rating systems (where applicable), and analysing the risks of new products and services and exceptional transactions;

• ensuring that all relevant risks of the AI are properly measured and controlled, and all identified risk management issues or concerns are promptly reported to the Board and the relevant Risk Management Committee or senior management; and

• alerting the Board and the relevant Risk Management Committee or senior management to any other matters that may have a significant impact on the AI’s financial position and risk profile (e.g. engagement in high risk activities that are not aligned with the AI’s risk appetite).

Chief Risk Officer

4.1.4 AIs are expected to appoint a person to be responsible for the risk management function (commonly known as the Chief Risk Officer), who will also coordinate the risk management activities of other units within the organisation. In exceptional cases where, for example, an AI’s size and complexity do not justify specifically appointing a person for such responsibility, one of the senior executives (such as the person in charge of internal control) may share this responsibility.

4.1.5 The Chief Risk Officer (or equivalent) should have sufficient independence and seniority to enable him to challenge an AI’s decision-making process. He should be able to communicate directly with senior management and, where appropriate, report to the Board or its designated committee(s), about adverse developments that may not be consistent with the AI’s risk appetite and business strategy.

4.1.6 The Chief Risk Officer (or equivalent) should have skills and experience which are relevant and appropriate to the nature and complexity of an AI’s business activities, and should play a key role in enabling the Board and senior management to understand the AI’s overall risk profile.

4.2 Risk management information system

4.2.1 AIs should establish and maintain a management information system with adequate technological support and processing capacity (even in times of stress) to effectively measure and report on the risks of major business activities within the organisation.

4.2.2 An effective risk management information system should produce timely, accurate and reliable reports for the Board, senior management and line managers to support decision-making at the different levels, and to enable early identification of emerging risks.

4.2.3 The level of sophistication of the system should depend on the nature, scale and complexity of an AI’s business activities. Generally, it should be capable of:

• measuring the risks of a product or an activity in accordance with the measurement methods or models adopted;

• aggregating data on a product, functional, geographical and group basis and, to the extent necessary, all sources of relevant risks by business line, portfolio and entity;

• supporting customised identification and aggregation of risk concentrations within the AI (based on individual, or a set of closely related, risk drivers);

• incorporating hedging and other risk-mitigating actions to be carried out on a firm-wide basis while taking into account various related basis risks;

• reporting excesses in limits and policy exceptions, and alerting management of risk exposures approaching pre-set limits;

• producing information at appropriate intervals. In times of stress, the system should be capable of generating reports at more frequent intervals as required by management;

• facilitating the allocation of capital charges to business activities according to the level of risk-taking;

• conducting variance analysis against annual budget or business targets, and calculating risk-adjusted performance (see subsection 4.4 below);

• providing adequate system support for fair valuing exposures; and

• conducting sensitivity analysis and stress-testing (see subsection 4.5 below).

4.2.4 To enable proactive risk management, the system should be adaptable and responsive to changes in the assumptions used for risk measurement and aggregation, be capable of incorporating multiple perspectives of risk exposure to account for uncertainties in risk measurement, and be sufficiently flexible to allow for generation of forward-looking firm-wide scenario analyses that capture management’s interpretation of evolving market conditions and stressed conditions.

4.2.5 If AIs use third-party inputs or other tools (e.g. credit ratings, risk measures and models, etc.) to produce risk management information, they should have adequate procedures in place to ensure that such inputs and tools are subject to initial and ongoing validation.

4.2.6 To remain effective, the system should be subject to regular upgrade and modification.

4.3 Risk measurement and assessment systems

4.3.1 AIs should have in place effective systems and tools for the measurement of various types of quantifiable risk and for the assessment of other risks which are not easily quantifiable (e.g. reputation risk).

4.3.2 Different methods or models may be used to assess or measure each type of risk. For example, a number of value-at-risk (“VaR”) approaches such as historical simulation, variance/co-variance method or Monte Carlo simulation can be used to estimate the exposure of an AI to various types of market risk. An AI may also choose to use a risk mapping process11, key risk indicators or scorecards as a means of assessing its operational risk. Detailed guidance on the measurement or assessment of individual risks can be found in the relevant modules listed in para. 1.2.1 above.

11 In this process, various business units, organisational functions or process flows are mapped by risk type. This exercise can reveal areas of weakness and help prioritise subsequent management action.

4.3.3 In determining the methods or models to be adopted for risk measurement or assessment, an AI should, among other things, consider the following factors:

• the nature, scale and complexity of its business activities;

• its business needs (e.g. for pricing);

• the assumptions of the methods or models;

• data availability;

• the sophistication of its management information system; and

• staff expertise.

4.3.4 The Board or its designated committee(s) and senior management should recognise the biases and assumptions embedded in, and the constraints of, the methods or models chosen (including associated valuation and pricing methodologies) in order to better assess the results generated from those methods or models. They should also satisfy themselves as to the adequacy and appropriateness of the key assumptions, data sources and procedures used to measure or assess the risks.

4.3.5 The accuracy and reliability of a risk measurement method or model should be verified against the actual results through regular back-testing. The measurement method or model (including the underlying assumptions) should also be subject to periodic update to reflect changing market conditions.

4.3.6 AIs should avoid over reliance on any specific risk methodology or model. Modelling and risk management techniques should always be tempered by expert judgement. For example, models that project very high returns on economic capital may arouse concern as to whether this is in fact caused by a deficiency in the models (such as failure to take into account all relevant risks). Where practicable, AIs should use a range of risk measures or tools to provide different views of risk on the same exposures.

4.3.7 Similarly, decisions which determine the level of risks taken should not only be based on quantitative information or model outputs, but should also take into account the practical and conceptual limitations of the methods and models adopted, using a qualitative approach which includes expert judgement and critical analysis. In addition, relevant macroeconomic trends and data should explicitly be addressed to identify their potential impact on particular business activities. Such assessments should be formally integrated in material risk decisions.

4.3.8 AIs should use stress tests to complement risk management models that are based on complex, quantitative models using backward looking data and estimated statistical relationships. In particular, stress-testing outcomes for a specific portfolio can provide insights about the validity of statistical models (e.g. VaR) at high confidence intervals. However, AIs should recognise that stress-testing results are highly dependent on the limitations and assumptions of the scenarios used, namely the severity and duration of the shock and the underlying risks.

4.3.9 For risk measurement purposes, AIs should be able to value their positions (including those associated with complex products and financial instruments), especially in times of stress, based on sound valuation practices. For exposures that represent material risk, AIs should have the capacity to produce valuations using alternative methods in the event that primary inputs and approaches become unreliable, unavailable or not relevant due to market disruptions or illiquidity. See CA-S-9 “Financial Instrument Fair Value Practices” for more details.12

4.4 Risk-adjusted performance measurement

4.4.1 AIs are expected to adopt a system for measuring the performance of their business units on a risk-adjusted basis to enable them to compare the financial performance of individual business units, taking into account the risks associated with their activities. This ensures that business units are not rewarded for taking on excessive risks.

4.4.2 To enable efficient allocation of capital and other financial resources to individual business units and to provide these units with incentives for controlling the risks generated from their activities, the performance measurement system (including internal pricing mechanisms) used by AIs should be able to comprehensively measure the risks associated with their business activities. Management information systems should be able to attribute risk and earnings to their appropriate sources and to measure earnings against capital allocated to the activity, after adjusting for various risks (such as the expected loss on credit facilities).

4.4.3 Data inputs and information used for the purpose of calculating remuneration payable to an AI’s senior management and staff should be subject to independent review to ensure their appropriateness and accuracy.

4.5 Sensitivity analysis and stress-testing

4.5.1 AIs should have adequate systems and capability to measure the sensitivity of earnings to a change in individual risk factors (e.g. interest rates) and conduct stress tests to:

• identify possible events or market changes that could have serious adverse effects or a significant impact on their overall risk profiles and financial positions;

12 This module is under industry consultation.

• address existing or potential risk concentrations; and

• facilitate the development of risk mitigating measures or contingency plans across a range of stressed conditions.

4.5.2 The sensitivity analyses and stress tests should be conducted regularly on major business activities, and on a firm-wide basis. Stress scenarios should be comprehensive and forward-looking, and include risk factors that can significantly affect an AI or its individual business activities.

4.5.3 The Board and senior management should have direct involvement in setting stress-testing objectives, defining stress scenarios, discussing the results of sensitivity analyses and stress tests, assessing potential actions and making relevant decisions. The stress-testing outcomes should be taken into account in the setting of policies and limits.

4.5.4 See IC-5 “Stress-testing” for more guidance on the use of stress tests for risk management purposes.

5. Internal controls, audits and contingency planning

5.1 Internal control system

5.1.1 A critical element to support an effective risk management system is the existence of a sound internal control system.

5.1.2 A properly structured internal control system should:

• help to promote effective and efficient operation;

• provide reliable financial information;

• safeguard assets;

• minimise the operating risk of loss from irregularities, fraud and errors;

• ensure effective risk management systems; and

• ensure compliance with relevant laws, regulations and internal policies.

5.1.3 An AI’s internal control system should, at a minimum, cover the following:

• high level controls, including clear delegation of authority, written policies and procedures, separation of critical functions (e.g. marketing, risk management, accounting, settlement, audit and compliance);

• controls relating to major functional areas, including retail banking, corporate banking, institutional banking, private banking and treasury. Such controls should include segregation of duties, authorization and approval, limit monitoring, physical access controls, etc.;

• controls relating to financial accounting (e.g. reconciliation of nostro accounts and review of suspense accounts), annual budgeting, management reporting and compilation of prudential returns to the regulators;

• controls relating to information technology (see TM-G-1 “General Principles for Technology Risk Management”);

• controls relating to outsourced activities, where applicable (see SA-2 “Outsourcing”);

• controls relating to compliance with statutory and regulatory requirements (see subsection 5.3 below); and

• controls relating to the prevention of money laundering (see Guideline on Prevention of Money Laundering, Supplement to the Guideline, and interpretative notes issued in July 2010).

5.1.4 An effective internal control system requires a strong control environment13 to which the Board and senior management provide their full support, and an internal audit function to evaluate its performance on a regular basis (see subsection 5.2 below).

5.2 Internal audit function

5.2.1 AIs’ internal audit function (see also IC-2 “Internal Audit Function”) should, among other things, perform independent periodic checking on whether the risk management framework approved by the Board is properly implemented and the established policies and control procedures in respect of risk management are complied with.

5.2.2 The risk management process and related internal controls should be examined and tested periodically. The scope and frequency of audit may vary but should be increased if there are significant weaknesses or major changes or new products or services are introduced.

5.2.3 To carry out their function effectively, internal auditors should:

• preserve objectivity and impartiality by avoiding any conflict of interest in performing their duties;

• have unfettered power to choose which business or operating units to be audited and to access records and documents;

• have appropriate independence and status within the AI to ensure that senior management reacts to, and acts upon, their recommendations;

13 “Control environment” means the overall attitude, awareness and actions of directors and management regarding the internal control system and its importance in the entity.

• have sufficient resources, be suitably trained, and possess relevant expertise and experience to understand the risk management process and measurement models or methods employed; and

• employ a methodology that identifies the key risks run by the AI and allocates their resources accordingly.

5.2.4 All identified risk management deficiencies and weaknesses (including any non-compliance with internal policies and procedures as well as stipulated regulatory requirements on risk management) should be directly and promptly reported to the Board (or the Audit Committee) and senior management for early rectification.

5.3 Compliance function

5.3.1 The compliance function plays an important role with respect to a sound risk management system, but should not be considered as a substitute for regular and frequent internal audit coverage.

5.3.2 The primary role of an AI’s compliance function is to ensure that the AI is in compliance with the statutory provisions, regulatory requirements and codes of conduct applicable to its banking or other regulated activities14.

5.3.3 Other responsibilities of the compliance function include15:

• identifying, measuring and assessing compliance risk;

• advising senior management on the laws, rules and standards with which an AI is required to comply;

14 AIs should note that non-compliance with other areas not directly related to banking or regulated activities (e.g. breach of labour or company laws) could also give rise to legal or regulatory sanctions, material financial loss, or loss of reputation. If not the AI’s compliance function, there should be other parties, such as the AI’s Legal Department, responsible for providing advice on, or monitoring the legal implications associated with, such areas.

15 If some of these responsibilities (e.g. legal advice on laws, rules and standards) are carried out by staff in other departments, the allocation of responsibilities to each department should be clear.

• providing compliance-related guidance and training to staff;

• monitoring and testing compliance, and reporting regularly to senior management on compliance matters; and

• establishing a compliance programme that sets out its planned activities.

5.3.4 AIs are expected to have a separate, independent compliance function. In exceptional cases where, for example, an AI’s scale of operations may not justify having such a function, other arrangements (such as hiring an external lawyer to provide legal advice on a need basis or an appropriate allocation of duties among departments) may be acceptable.

5.3.5 An effective compliance function should:

• be staffed by an appropriate number of competent staff who are sufficiently independent of the business and operating units;

• be given appropriate standing and authority within an AI, with a direct reporting line to a designated committee (e.g. Audit Committee) or senior management; and

• be able to carry out its duties on its own initiative in all business and operating units of the AI in which compliance risk exists, with unfettered access to any records or files necessary to enable it to conduct its work.

5.3.6 In addition, compliance staff, in particular the Head of Compliance, should not be placed in a position where there is a possible conflict of interest between their compliance responsibilities and any other responsibilities they may have.


5.3.7 To ensure effective management of compliance risk, the Board should approve the AI’s compliance policy, which should document the organisation, status and responsibilities of the compliance function as well as other measures to manage compliance risk, and oversee the implementation of the policy by senior management (with the assistance of the compliance function) through regular review of the extent to which the policy is observed. The Board may direct an appropriate board level committee (e.g. the Audit Committee) to establish the compliance policy and conduct regular review of how the policy has been implemented. In such a case, the Board should monitor the committee’s performance to ensure that its directives are properly followed.16

5.4 Contingency and business continuity planning

5.4.1 Each AI should have in place contingency and business continuity plans, having regard to the nature, scale and complexity of its business activities, to ensure that it has adequate arrangements to deal with emergency or crisis situations (see LM-2 “Sound Systems and Controls for Liquidity Risk Management” and RR-1 “Reputation Risk Management”) and can continue to function and meet its regulatory obligations in the event of an unforeseen interruption (see TM-G-2 “Business Continuity Planning”). These plans should be regularly updated and tested to ensure their effectiveness.

—————————


16 In the case of a foreign bank operating a branch in Hong Kong, the head office of the bank may authorize the branch to establish the compliance policy for the local operations, provided that the completed policy is approved by the head office before it is implemented and there is a process for the head office to oversee how the policy has been implemented.

Supervisory Policy Manual

IC-1 General Risk Management Controls

V.2 – 31.12.2010

This module should be read in conjunction with the Introduction and with the Glossary, which contains the abbreviations and other terms used in this Manual. If reading the on-line version of the Manual, click on the blue underlined headings to go to the relevant module.

—————————

Purpose: To set out the general controls that the HKMA expects AIs’ risk management systems to have

Classification: A statutory guideline issued by the MA under section 7(3) of the Banking Ordinance

Previous guidelines superseded: IC-1 “General Risk Management Controls” (V.1) (issued on 25.04.03)

Application: All AIs

Structure

1. Introduction

1.1 Background

1.2 Scope and overview

2. Board and senior management oversight

2.1 Risk management responsibilities and governance

2.2 Risk appetite setting

2.3 Firm-wide risk management

2.4 Use of specialised committees

3. Risk management policies, procedures and limits

3.1 Policies and procedures

3.2 Risk limits

3.3 New products and services

4. Risk management systems and processes

4.1 Risk management function

4.2 Risk management information system

4.3 Risk measurement and assessment systems

4.4 Risk-adjusted performance measurement

4.5 Sensitivity analysis and stress-testing

5. Internal controls, audits and contingency planning

5.1 Internal control systems

5.2 Internal audit function

5.3 Compliance function

5.4 Contingency and business continuity planning

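1. Introduction

1.1 Background

1.1.1 Risk-taking is an integral part of banking business. Each AI needs to strike an appropriate balance between the level of risk it is willing and able to take and the level of return it seeks to achieve, so that its overall financial soundness and viability are not impaired. AIs should have effective risk management systems commensurate with the scale and complexity of their business, to help ensure that the risks they take are properly managed within their acceptable risk levels and that those systems work as intended.

1.1.2 According to the Core Principles for Effective Banking Supervision issued by the Basel Committee in October 2006, banking supervisors must be satisfied that banks have in place a comprehensive risk management process (including Board and senior management oversight) to identify, measure, monitor and control or mitigate all material risks, and to assess their overall capital adequacy in relation to their risk profile.

1.1.3 As required by the above Core Principles of the Basel Committee, the HKMA, under its risk-based supervisory approach, requires AIs to establish sound and effective systems to manage the eight types of inherent risk they face (namely credit risk, market risk, interest rate risk, liquidity risk, operational risk, reputation risk, legal risk and strategic risk) (see section 2 of SA-1 “Risk-based Supervisory Approach”). Locally incorporated AIs are further required to put in place appropriate internal systems for assessing their capital adequacy in relation to the risks they assume (as required under CA-G-5 “Supervisory Review Process”).

1.1.4 In this module, “risk management” refers broadly to the policies, systems and procedures adopted by an AI to identify, measure, monitor, control or mitigate, and report the various types of risk it faces.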

1.2 Scope and overview

1.2.1 This module describes the general systems and controls for risk management. The specific systems and controls relevant to each of the inherent risks mentioned in para. 1.1.3 above are set out in the relevant modules of the Supervisory Policy Manual, including:

• CR-G-1 “General Principles of Credit Risk Management”;

• CR-G-13 “Counterparty Credit Risk Management”;

• TA-1 “Market Risk Management”;1

• TA-2 “Foreign Exchange Risk Management”;

• IR-1 “Interest Rate Risk Management”;

• LM-2 “Sound Systems and Controls for Liquidity Risk Management”;2

• OR-1 “Operational Risk Management”;

• RR-1 “Reputation Risk Management”; and

• SR-1 “Strategic Risk Management”.

1.2.2 In addition, this module emphasises the importance for each AI of having a sound firm-wide risk management framework that enables it to define its risk appetite and risk-taking capacity, and that supports the Board and senior management both in managing the AI’s risk from an integrated, firm-wide perspective and in identifying and responding to emerging and escalating risks in an early and effective manner.3

1 This module is not yet completed.

2 This module is undergoing industry consultation.

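1.2.3 AIs’ risk management systems may vary, but the fundamental elements of a sound risk management environment nonetheless include:

• appropriate Board and senior management oversight (see section 2 below);

• adequate policies, procedures and limits for identifying and managing all relevant risks across business activities (see section 3 below);

• adequate risk measurement, monitoring and reporting systems to support all business activities and the related risks (see section 4 below);

• effective internal controls and comprehensive audits to detect any deficiencies in internal controls at an early stage (see section 5 below); and

• adequate arrangements for dealing with contingency or emergency situations (see section 5 below).

1.2.4 The diagram below shows how the above elements fit together. The diagram is not intended to be prescriptive, but to reflect the elements that a sound risk management system should have.

3 In the case of a banking group, the concept of firm-wide risk management applies equally to the whole group, i.e. the relevant risks of the parent bank and its group members are managed on an aggregate basis.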

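[Diagram: Elements of a sound risk management system]

Board of Directors: ultimately responsible for risk management

Specialised committees: responsible for overseeing risk management (Executive Committee / Risk Management Committee4, Remuneration Committee, Audit Committee, Asset and Liability Committee, Credit Committee, Operational Risk Management Committee, other risk management committees)

Senior management: responsible for overseeing day-to-day risk management

Individual business lines / activities (front office): responsible for adhering to policies, procedures and limits

Risk management function (middle office): responsible for day-to-day risk management

Compliance function: responsible for compliance with legal and regulatory requirements

Internal audit function: responsible for independent checking

Credit risk, market risk, interest rate risk, liquidity risk, operational risk, other risks

Risk measurement and assessment, limit monitoring, risk control and reporting

4 In some cases, a dedicated risk committee is responsible for overseeing risk management across all areas in an integrated manner.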

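1.2.5 The standards set out in this module will be applied in proportion to the scale, nature and complexity of an AI’s business. AIs should also apply their risk management systems and procedures to their subsidiaries and, as far as practicable, to associated companies and joint ventures that may expose them to material risks.5

1.2.6 Failure by an AI to comply with the general requirements in this module may call into question whether the AI continues to satisfy the minimum criteria for authorization under the Banking Ordinance, and whether its directors, chief executive and senior management are fit and proper.

2. Board and senior management oversight

2.1 Risk management responsibilities and governance

2.1.1 The Board and senior management of an AI have the fundamental responsibility to understand the risks the AI assumes and to ensure that those risks are properly managed.

2.1.2 In discharging this responsibility, the Board and senior management should, among other things:

• have sufficient knowledge and expertise to understand all the major risks faced by the AI, including those associated with new or complex products and high-risk activities, and how these risks interact under stressed conditions;

• be directly involved in setting a risk appetite that is consistent with the AI’s business and strategic objectives, and monitor adherence to it;

• establish a strong corporate and risk management culture, and ensure that the AI’s risk appetite is well reflected in that culture;

5 Whether the standards in this module can be applied to an associated company or a joint venture depends on the extent of the AI’s connection with, and its degree of control over, that company or venture.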

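• devote sufficient time, effort and resources to overseeing and participating in the AI’s risk management process, and do so with full commitment and on an ongoing basis;

• stay abreast of the AI’s business conditions and risks, as well as changes in the operating environment and financial markets that may give rise to emerging risks;

• ensure that the necessary infrastructure, systems and controls are established and maintained to support effective risk management and governance;

• establish an appropriate organisational and management structure that provides a sound control environment, with clear segregation of duties and clear lines of accountability and authority;

• establish effective controls to ensure consistent adherence to the AI’s overall risk management process, and monitor the AI’s compliance with all applicable laws and regulations, supervisory standards, best practices and internal policies and guidelines; and

• ensure that the AI’s remuneration system is consistent with and promotes effective risk management, and does not in effect encourage imprudent or excessive risk-taking (see CG-5 “Guideline on a Sound Remuneration System”).

2.1.3 To ensure sound risk governance, the Board and senior management should establish a comprehensive and independent risk management function6 responsible for overseeing and coordinating risk management across the institution (see subsection 4.1 below).

2.1.4 The Board and senior management should also promote regular and transparent communication mechanisms within the institution, so that there is ongoing and robust dialogue and information sharing on firm-wide risk measurement, analysis and management among members of senior management7, the risk owners of different business lines, and the independent risk management and control functions. AIs should consider establishing a risk management committee for this purpose.

6 Some AIs may refer to this as the “risk control” function.

7 Including the Chief Executive, the Chief Risk Officer and others at that level.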

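2.1.5 Risk governance arrangements (including responsibilities, structure, risk appetite, etc.) should be properly documented and updated. All relevant staff (including business units) should be informed of the arrangements and of their respective responsibilities for risk monitoring and management.

2.2 Risk appetite setting

2.2.1 An AI’s risk appetite (or risk tolerance) refers to the level of risk that it is willing to take, having regard to its financial capacity, strategic direction and regulatory constraints (such as capital and liquidity requirements).

2.2.2 The Board is responsible for setting the AI’s overall risk tolerance and approving its risk appetite statement. While there is no uniform way of articulating risk appetite, an AI’s risk appetite statement should be comprehensive, contain appropriate and mutually consistent risk targets8, and reflect a suitably wide range of measures and actionable elements that clearly set out the actions the AI intends to take in response to a range of possible events (such as capital losses or breaches of risk limits). The management actions set out in the statement should be practicable, so that capital can be restored or risk reduced under adverse conditions.

2.2.3 In setting the risk appetite, the Board should ensure that all relevant risks of the AI are taken into account, including risks that are harder to quantify (e.g. reputation risk) and risks arising from off-balance sheet transactions. An AI should express its overall risk appetite in a manner consistent with the nature and complexity of its business. For example, the process may involve using quantitative analysis, stress-testing, reference to past experience, judgement or other methods to assess the financial and non-financial impact of all relevant risks, setting individual risk limits for risks that are more readily quantifiable, and setting an overall risk ceiling governing the aggregate level of risk the AI is willing to assume.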

2.2.4 The Board should ensure that there are robust processes and controls for setting and monitoring the AI’s risk tolerance. The AI should produce sufficient information for the Board and senior management to assess its risk tolerance regularly, including (i) relevant risk measures (e.g. measures based on economic capital or stress tests); (ii) analysis of actual risk levels against risk limits; (iii) the level of capital that the AI would need to maintain after sustaining a loss of the magnitude indicated by the risk measures; and (iv) the actions that management could take to restore capital after a loss has occurred.

8 Examples of risk targets include target credit ratings and target returns on equity.

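2.2.5 Where market demand calls for greater risk-taking, or a rapid response is needed to changes in the external environment (such as competition or a deteriorating economy), direction from the Board plays a key role in enabling the AI to maintain a disciplined risk tolerance. In such circumstances, the Board should remain prudent and thoroughly understand how the AI’s risk tolerance compares with its actual current risk exposure, and how any change in risk tolerance would alter its risk profile. In this regard, stress-testing can be used to obtain an up-to-date analysis of the AI’s capital and risk profile.

2.2.6 The Board should be responsible for approving any changes to the AI’s risk appetite statement. The reasons for such changes should be properly documented.

2.3 Firm-wide risk management

2.3.1 The Board and senior management should ensure that an effective risk management framework is in place for managing the AI’s firm-wide risks (such as credit, market and other major risks) in an integrated manner.

2.3.2 This framework should facilitate the identification and management of all major risks across business lines, regardless of the nature of the exposure (i.e. whether it is non-contractual, contingent or off-balance sheet in nature).

Specific responsibilities of the Board

2.3.3 To ensure adequate oversight of firm-wide risks, the Board’s responsibilities should include, among other things:

• approving a firm-wide definition of the different types of risk faced by the AI;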

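• identifying, understanding and assessing the risks inherent in the AI’s business or in new products or services to be launched (see also subsection 3.3 below);

• establishing risk management strategies, and approving the risk management framework set up by senior management in accordance with those strategies, which should be consistent with the AI’s business objectives and risk tolerance;

• ensuring that the risk management framework is properly implemented and maintained by senior management;

• reviewing the risk management framework periodically to ensure that it remains adequate and appropriate under changing business and market conditions;

• ensuring that information systems and infrastructure are adequately resourced and able to meet the AI’s risk management and reporting needs; and

• ensuring that the independent risk management and control functions remain robustly and genuinely independent of the AI’s risk-taking units (from both a decision-making and a reporting-line perspective), and have sufficient authority, resources, expertise and competence to carry out their duties.

Specific responsibilities of senior management

2.3.4 Senior management should be responsible for:

• developing detailed policies, procedures and limits, based on the risk management strategies set by the Board, for managing the different types of risk arising from the AI’s business;

• designing and implementing the risk management framework approved by the Board, and ensuring that the related control systems within the framework work as intended. The risk management framework should be implemented throughout the institution, and staff at all levels should understand their responsibilities for risk management;

• establishing processes to review the risks assumed by the AI, and ensuring that these risks stay within risk limits and that the risk limits remain consistent with the AI’s overall risk tolerance even under stressed conditions;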

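• identifying and addressing emerging risks, and reporting any significant risks to the Board promptly where appropriate; and

• ensuring the competence of managers and staff responsible for business or risk management functions, and that there are appropriate processes to recruit, train and retain staff with suitable skills and expertise.

2.4 Use of specialised committees

2.4.1 Although the Board bears ultimate responsibility for risk management, it may delegate authority to one or more specialised committees (e.g. Credit Committee, Asset and Liability Committee, etc.) (see also section 4 of CG-1 “Corporate Governance of Locally Incorporated Authorized Institutions”) to carry out some of the responsibilities described in para. 2.3.3 above. The delegation should follow a formal process (e.g. with clearly defined authority). The specialised committees so authorized should report to the Board regularly.

2.4.2 However, such delegation does not absolve the Board and its members from their risk management responsibilities, or from the need to oversee how the specialised committees exercise the authority delegated to them. In any case, Board members still need to have an adequate understanding of the nature of the AI’s business, the associated risks and the risk management framework (including key risk controls such as risk limits).9 If existing Board members lack the relevant expertise, consideration should be given to bringing in new members with such expertise or appointing external consultants.

3. Risk management policies, procedures and limits

3.1 Policies and procedures

9 For example, some members of the Board should already have practical experience in financial markets, or have acquired, through their own business activities, sufficient professional experience directly relevant to the AI’s business.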

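3.1.1 AIs should have clear risk management policies and procedures that enable firm-wide risks to be managed proactively10, with emphasis on achieving the following:

• objective and consistent methods for identifying and measuring risks;

• comprehensive and rigorous risk assessment and reporting systems;

• sound valuation and stress-testing methods; and

• effective risk monitoring measures and controls.

These documents should be approved by the Board or its designated committee.

3.1.2 Risk management policies and procedures should be developed on the basis of a comprehensive review of all of the AI’s business activities, and should cover all major risks associated with those activities, whether financial or non-financial (e.g. reputation risk) in nature. They should be developed at the firm-wide level and, where applicable, the group-wide level.

3.1.3 The following factors should be considered in developing risk management policies and procedures:

• the AI’s overall business strategy and activities;

• appropriateness to the scale, nature and complexity of the AI’s business;

• the AI’s risk tolerance;

• the AI’s risk monitoring capability and the sophistication of its risk management systems and processes;

• the AI’s past experience and performance;

10 Overseas incorporated AIs may to a large extent apply the firm-wide policies and procedures formulated by their head office to their Hong Kong operations. However, the relevant documents should be adapted to suit local market conditions.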

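• the economic substance of the AI’s risk exposures (including reputation risk and valuation uncertainty);

• the results of sensitivity analysis and stress tests;

• anticipated internal or external changes (e.g. planned operational changes or expected changes in market conditions); and

• any legal and regulatory requirements.

3.1.4 The lines of accountability and authority of each business line or unit should be clearly set out in the relevant policies and procedures, and updated as appropriate.

3.1.5 Risk management policies and procedures should keep pace with the changing business environment. The Board or its designated committee should review these documents regularly (e.g. at least annually). Where the review is carried out by a committee or by senior management, any material amendments to the policies and procedures should be submitted to the Board for adoption and formal endorsement.

3.1.6 Where appropriate, risk management policies and procedures should also cover the use of risk mitigation techniques (e.g. hedging, purchasing insurance or using credit derivatives). Where an AI uses risk mitigation techniques, it should understand the risks to be mitigated and the potential effects of the mitigation (including its effectiveness and enforceability), and put in place appropriate measures to control the risks associated with the mitigation techniques.

3.2 Risk limits

3.2.1 AIs should establish a set of limits to control the various quantifiable risks associated with their business (e.g. credit risk, market risk, interest rate risk and liquidity risk). AIs should also use limits to control different sources of risk concentration, including (i) exposures assumed directly to borrowers and obligors, or indirectly through investments backed by a particular asset class, such as collateralised debt obligations; and (ii) similar exposures assumed across different business lines. Risk limits should be documented and approved by the Board or its designated committee.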

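3.2.2 Risk limits should be consistent with the AI’s risk tolerance. To ensure that risk limits remain aligned with business strategy, the Board may consider approving limits as part of its overall annual budgeting process.

3.2.3 Risk limits should be commensurate with the scale and complexity of the AI’s business and with the sophistication of its products or services. Limits that are set too high may fail to trigger prompt management action, whereas limits that are so tight that they are frequently exceeded may undermine the effectiveness of the limit system.

3.2.4 AIs may set risk limits at different levels, e.g. for individual business lines or units, firm-wide or group-wide. AIs should clearly document how the overall risk limits are allocated among business lines and units.

3.2.5 The Board or its designated committee should ensure that limits are reviewed regularly and reassessed in the light of changes in market conditions or business strategy.

3.2.6 AIs should clearly communicate risk limits to business units and ensure that the relevant staff understand them.

3.2.7 AIs should closely monitor the use of limits. Any limit excesses or exceptions should be reported promptly to senior management for necessary action.

3.3 New products and services

3.3.1 AIs should have an internally approved and clearly documented new product approval policy. The policy should set out the development and approval process not only for entirely new products and services, but also for material changes to the features of existing products and services. How material changes to the features of existing products and services are defined should also be documented.

3.3.2 An AI’s new product approval policy should cover at least the following areas: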

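• all matters involved in the decision to enter a new market or to deal in new products or services, including the definition the AI will adopt for new products, markets, services or business;

• the internal functions involved in the decision (through standing or ad hoc committees);

• other matters involved in undertaking a new business, which may include pricing models, profit margins, software and technology, risk management tools, and control procedures; and

• the process and procedures for approving material changes to existing products or services.

3.3.3 For any new product or service, AIs should conduct a careful assessment or prudent analysis before launch to ensure that:

• the relevant parties (including the Board or its designated committee, senior management and, where necessary, other managers) fully understand the risk characteristics involved, the underlying assumptions regarding the business model, valuation and risk management practices, the exposures that may arise if those assumptions fail, and the potential difficulties in valuing the product (particularly under stressed conditions); and

• there are adequate staffing, technological and financial resources to launch the product or service, and adequate internal tools and expertise to monitor the risks involved.

3.3.4 A proposal to launch a new product or service should generally include:

• a description of the new product or service;

• a detailed risk assessment;

• a cost-benefit analysis;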

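• consideration of the risk management implications, and identification of the resources required (e.g. system enhancements) to ensure that the risks of the new product or service can be managed effectively;

• an analysis of the proposed scale of the new business in relation to the AI’s overall financial position and capital strength; and

• the procedures to be used to measure, monitor, control or mitigate, and report the relevant risks.

3.3.5 Before a new product or service is launched, all relevant functions, such as risk control, accounting, operations, legal and compliance, should be consulted as necessary. If a new product or service may have a significant impact on the AI’s risk profile, the Board or its designated committee should be informed before launch.

3.3.6 AIs should conduct a further assessment after a new product or service has been launched, and the results should be taken into account in the future development of any similar products or services.

3.3.7 The risk management function should be involved in the approval process for new products or services (or material changes to existing products or services), and should have a clear overview of how the launch of new products or services (or material changes to existing products or services) affects different business lines. Where appropriate, the risk management function should have the authority to require that material changes to existing products or services go through the formal approval process in the same way as new products or services.

4. Risk management systems and processes

4.1 Risk management function

Key responsibilities and characteristics

4.1.1 AIs should establish a dedicated risk management function to carry out day-to-day firm-wide risk management.

4.1.2 An effective risk management function should: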

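• have clearly defined responsibilities;

• have a direct reporting line to the relevant risk management committee or senior management;

• be independent of the risk-taking and operational units (whose activities are subject to review by the risk management function), with unrestricted access to the information from those units that it needs to carry out its duties;

• be supported by an effective management information system (see subsection 4.2 below); and

• be given sufficient authority, management support and resources to perform its duties, and be staffed by persons with the relevant expertise and knowledge.

4.1.3 The responsibilities of an AI’s risk management function include:

• ensuring that all relevant risks of the AI are identified, well understood, and properly measured and assessed;

• ensuring that the AI’s risk management framework and all related policies and control systems are consistently implemented and adhered to;

• participating actively, at an early stage, in the AI’s decision-making on business strategy and developments that may affect risk management;

• monitoring the actual use of risk limits and ensuring that quantifiable risks stay within approved limits, including ensuring that the aggregate of the various risks assumed by individual business units is properly calculated, and that the risks assumed by those units are monitored against the AI’s firm-wide aggregate for the relevant risks;

• monitoring and approving risk assessment models and internal rating systems (where applicable), and analysing the risks of new products, new services and exceptional transactions;

• ensuring that all relevant risks of the AI are properly measured and controlled, and reporting all identified risk management issues or concerns promptly to the Board and the relevant risk management committee or senior management; and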

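• drawing the attention of the Board and the relevant risk management committee or senior management to any other matters that may have a significant impact on the AI’s financial position and risk profile (e.g. engaging in high-risk activities that are not commensurate with the AI’s risk tolerance).

Chief Risk Officer

4.1.4 AIs need to appoint a person (commonly referred to as the Chief Risk Officer) to be responsible for the risk management function and for coordinating risk management across different units of the institution. In exceptional cases where, given the AI’s scale and complexity, there is no need to appoint a dedicated person to perform these duties, they may be taken up by one of the senior executives (e.g. the officer responsible for internal control).

4.1.5 The Chief Risk Officer (or equivalent) should have sufficient independence and seniority to be able to challenge the AI’s decision-making process. The Chief Risk Officer should be able to communicate directly with senior management and, where appropriate, to report to the Board or its designated committee on adverse developments that may be inconsistent with the AI’s risk tolerance and business strategy.

4.1.6 The Chief Risk Officer (or equivalent) should have skills and experience commensurate with the nature and complexity of the AI’s business, and should play a leading role in helping the Board and senior management understand the AI’s overall risk profile.

4.2 Risk management information system

4.2.1 AIs should establish and maintain a management information system with adequate technical support and operational capability (even under stressed conditions) to measure and report effectively the risks of the institution’s major business activities.

4.2.2 An effective risk management information system should be able to provide the Board, senior management and unit managers with timely, accurate and reliable reports to inform decision-making at different levels, and to help identify emerging risks at an early stage.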

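4.2.3 The sophistication of the system should depend on the nature, scale and complexity of the AI’s business. In general, the system should be able to:

• measure the risk of a product or business activity in accordance with the measurement method or model adopted;

• aggregate data at the product, unit, geographical or group level and, where needed, aggregate the relevant risks from all sources by unit, portfolio and legal entity;

• support customised identification and aggregation of the AI’s risk concentrations (based on a single risk factor or a set of closely related risk factors);

• incorporate hedging and other risk mitigation measures to be applied on a firm-wide basis, taking into account the various related basis risks;

• report limit excesses and exceptions to policy, and alert management when exposures are approaching pre-set limits;

• produce information at appropriate intervals, and report more frequently at management’s request under stressed conditions;

• assist in allocating capital requirements to different business lines according to the level of risk they take;

• perform variance analysis against annual budgets or business targets, and calculate risk-adjusted performance (see subsection 4.4 below);

• provide adequate system support for deriving the fair value of exposures; and

• perform sensitivity analysis and stress tests (see subsection 4.5 below).

4.2.4 To enable the AI to manage risk proactively, the system should be adaptable to changes in the assumptions used for measuring and aggregating risks; able to incorporate multiple perspectives on exposures so as to take account of uncertainties in risk measurement; and sufficiently flexible to allow forward-looking firm-wide scenario analyses that reflect management’s views on changing market conditions and stressed conditions.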

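4.2.5 Where an AI uses information or other tools provided by third parties (e.g. credit ratings, risk measures and models) to produce risk management information, it should have appropriate processes to ensure that such information and tools are subject to initial and ongoing validation.

4.2.6 To ensure that the system continues to operate effectively, AIs should enhance and modify it regularly.

4.3 Risk measurement and assessment systems

4.3.1 AIs should establish effective systems and tools to measure the various quantifiable risks and to assess other risks that are harder to quantify (e.g. reputation risk).

4.3.2 Each type of risk can be assessed or measured using different methods or models. Various value-at-risk methodologies, such as historical simulation, the variance-covariance approach or Monte Carlo simulation, can be used to estimate the amount of the various market risks to which an AI is exposed. AIs may also choose to use methods such as risk mapping11, key risk indicators or scorecards to assess operational risk. Detailed guidance on measuring or assessing individual risks is set out in the relevant modules of the Supervisory Policy Manual listed in para. 1.2.1 above.

4.3.3 In deciding which method or model to adopt for measuring or assessing risk, AIs should consider, among other things, the following factors:

• the nature, scale and complexity of the business;

• business needs (e.g. pricing);

• the assumptions made by the method or model;

11 Under this process, business units, functions or process flows are mapped by risk type. This can reveal areas of weakness and help management prioritise follow-up action.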

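• the availability of the relevant data;

• the sophistication of the management information system; and

• the expertise of staff.

4.3.4 The Board or its designated committee and senior management should understand the inherent biases, assumptions and limitations of the chosen methods or models (including the related valuation and pricing methods), so that they can better evaluate the results produced. They should also satisfy themselves as to the accuracy and appropriateness of the key assumptions, data sources and procedures used to measure or assess risk.

4.3.5 AIs should conduct back-testing regularly, comparing actual outcomes with the results produced by the risk measurement methods or models, to verify their accuracy and reliability. The measurement methods or models (including the underlying assumptions) should also be updated regularly to reflect changing market conditions.

4.3.6 AIs should avoid over-reliance on any particular risk methodology or model. Models and risk management techniques should be continually refined with reference to expert judgement. For example, if a model predicts an extremely high return on economic capital, this may raise the question of whether the prediction in fact results from a problem with the model itself (e.g. failure to capture all relevant risks). Where practicable, AIs should use a range of risk measures or tools, so that different risk analyses can be obtained for the same exposures.

4.3.7 Similarly, decisions on acceptable levels of risk should not be based solely on quantitative information or model outputs, but should also take into account the practical and conceptual limitations of the methods and models used, and draw on qualitative assessment, including expert judgement and critical analysis. In addition, relevant macroeconomic trends and data should be explicitly reviewed to determine their potential impact on specific business lines. These assessments should be formally incorporated into material risk decisions.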

4.3.8 AIs should conduct stress tests to complement risk management approaches that are based on complex quantitative models (which use backward-looking data and estimated statistical relationships). Stress test results for specific portfolios can help AIs understand the validity of statistical models (e.g. those used to estimate value-at-risk) at high confidence intervals. However, AIs should recognise that stress test results depend heavily on the limitations and assumptions of the scenarios, i.e. the severity and duration of the shocks and the associated risks.

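4.3.9 For risk measurement purposes, particularly under stressed conditions, AIs should be able to value their positions (including positions in complex products and financial instruments) using sound valuation methods. For exposures that represent material risk, AIs should be able to use alternative valuation methods where market disruption or extreme illiquidity renders the main inputs and methods unreliable, unavailable or no longer relevant. See CA-S-9 “Financial Instrument Fair Value Practices” for details.12

4.4 Risk-adjusted performance measurement

4.4.1 AIs should implement a risk-adjusted performance measurement system for business units, so that the financial performance of individual units can be compared in the light of the risks they involve. This ensures that business units are not rewarded for excessive risk-taking.

4.4.2 To allocate capital and other financial resources effectively to individual business units and to encourage them to control the risks arising from their own activities, the performance measurement system adopted by an AI (including its internal pricing mechanism) should fully capture the risks involved in each business. The management information system should be able to attribute risks and earnings to their respective sources after adjusting for the relevant risks (e.g. expected loss on credit facilities), and to calculate earnings in relation to the capital allocated to each business.

4.4.3 The data inputs and information used for calculating the remuneration of an AI’s senior management and staff should be subject to independent checking to ensure that they are appropriate and accurate.

4.5 Sensitivity analysis and stress-testing

12 This module is undergoing industry consultation.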

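4.5.1 AIs should have adequate systems and capability to measure the sensitivity of earnings to changes in individual risk factors (e.g. interest rates) and to conduct stress tests, in order to:

• identify potential events or market changes that could have a material adverse impact on the AI’s overall risk and financial position;

• address existing or potential risk concentrations; and

• facilitate the development of risk mitigation measures or contingency plans for a range of stressed conditions.

4.5.2 Sensitivity analysis and stress tests should be conducted regularly for major business lines and on a firm-wide basis. Stress scenarios should be comprehensive and forward-looking, and should include risk factors that could severely affect the AI or individual business lines.

4.5.3 The Board and senior management should be directly involved in setting stress-testing objectives, defining stress scenarios, discussing the results of sensitivity analysis and stress tests, assessing potential actions, and making the related decisions. Stress test results should be taken into account in setting policies and limits.

4.5.4 See IC-5 “Stress-testing” for detailed guidance on the use of stress tests for risk management purposes.

5. Internal controls, audits and contingency planning

5.1 Internal control systems

5.1.1 A sound internal control system is a key factor in maintaining an effective risk management system.

5.1.2 A properly structured internal control system should:

• help promote effective business operations;

• provide reliable financial information;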

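• safeguard assets;

• minimise operational risk losses arising from irregularities, fraud and errors;

• ensure the effectiveness of the risk management system; and

• ensure compliance with relevant laws, regulations and internal policies.

5.1.3 An AI’s internal control system should, at a minimum, cover the following:

• high-level controls, including clear delegation of authority, written policies and procedures, and segregation of key functions (e.g. marketing, risk management, accounting, settlement, audit and compliance);

• controls over major operational areas, including retail banking, corporate banking, institutional banking, private banking and treasury. These controls should include segregation of duties, authorization and approval, limit monitoring, and physical access controls;

• controls over financial accounting (e.g. reconciliation of nostro accounts and review of suspense accounts), annual budgeting, management reporting, and the compilation of returns submitted to regulators;

• controls over information technology (see TM-G-1 “General Principles for Technology Risk Management”);

• controls over outsourced activities (where applicable) (see SA-2 “Outsourcing”);

• controls over compliance with legal and regulatory requirements (see subsection 5.3 below); and

• controls for the prevention of money laundering (see the “Guideline on Prevention of Money Laundering” issued in July 2010, and the Supplement to the Guideline and its Interpretative Notes).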

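5.1.4 An effective internal control system must be supported by a sound control environment13 that has the full backing of the Board and senior management, and its performance should be evaluated regularly by the internal audit function (see subsection 5.2 below).

5.2 Internal audit function

5.2.1 An AI’s internal audit function (see also IC-2 “Internal Audit Function”) should, among other things, conduct regular independent checks on whether the risk management framework approved by the Board is properly implemented and whether the institution adheres to the established risk management policies and control procedures.

5.2.2 Risk management processes and the related internal controls should be reviewed and tested regularly. The scope and frequency of audits may vary, but should be increased if there are serious problems, significant changes, or new products or services are introduced.

5.2.3 To perform their function effectively, internal auditors should:

• avoid any conflict of interest in carrying out their duties, so as to remain objective and impartial;

• have unfettered authority to choose freely any business or operating unit for audit and to access records and documents;

• have appropriate independence and standing within the AI to ensure that senior management responds to and acts upon their recommendations;

• have sufficient resources, be suitably trained, and possess relevant expertise and experience to understand the risk management process and measurement models or methods employed; and

• employ a methodology that identifies the key risks run by the AI and allocates their resources accordingly.

13 “Control environment” refers to the overall attitude, awareness and actions of directors and management regarding the internal control system and its importance within the institution.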

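5.2.4 All identified risk management deficiencies and weaknesses (including any non-compliance with internal policies and procedures as well as stipulated regulatory requirements on risk management) should be directly and promptly reported to the Board (or the Audit Committee) and senior management for early rectification.

5.3 Compliance function

5.3.1 The compliance function plays an important role with respect to a sound risk management system, but should not be considered as a substitute for regular and frequent internal audit coverage.

5.3.2 The primary role of an AI’s compliance function is to ensure that the AI is in compliance with the statutory provisions, regulatory requirements and codes of conduct applicable to its banking or other regulated activities14.

5.3.3 Other responsibilities of the compliance function include15:

• identifying, measuring and assessing compliance risk;

• advising senior management on the laws, rules and standards with which an AI is required to comply;

• providing compliance-related guidance and training to staff;

• monitoring and testing compliance, and reporting regularly to senior management on compliance matters; and

• establishing a compliance programme that sets out its planned activities.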

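5.3.4 AIs are expected to have a separate, independent compliance function. In exceptional cases where, for example, an AI’s scale of operations may not justify having such a function, other arrangements (such as hiring an external lawyer to provide legal advice on a need basis or an appropriate allocation of duties among departments) may be acceptable.

14 AIs should note that non-compliance with other areas not directly related to banking or regulated activities (e.g. breach of labour or company laws) could also give rise to legal or regulatory sanctions, material financial loss, or loss of reputation. If not the AI’s compliance function, there should be other parties, such as the AI’s Legal Department, responsible for providing advice on, or monitoring the legal implications associated with, such areas.

15 If some of these responsibilities (e.g. legal advice on laws, rules and standards) are carried out by staff in other departments, the allocation of responsibilities to each department should be clear.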

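5.3.5 An effective compliance function should:

• be staffed by an appropriate number of competent staff who are sufficiently independent of the business and operating units;

• be given appropriate standing and authority within an AI, with a direct reporting line to a designated committee (e.g. Audit Committee) or senior management; and

• be able to carry out its duties on its own initiative in all business and operating units of the AI in which compliance risk exists, with unfettered access to any records or files necessary to enable it to conduct its work.

5.3.6 In addition, compliance staff, in particular the Head of Compliance, should not be placed in a position where there is a possible conflict of interest between their compliance responsibilities and any other responsibilities they may have.

5.3.7 To ensure effective management of compliance risk, the Board should approve the AI’s compliance policy, which should document the organisation, status and responsibilities of the compliance function as well as other measures to manage compliance risk, and oversee the implementation of the policy by senior management (with the assistance of the compliance function) through regular review of the extent to which the policy is observed. The Board may direct an appropriate board level committee (e.g. the Audit Committee) to establish the compliance policy and conduct regular review of how the policy has been implemented. In such a case, the Board should monitor the committee’s performance to ensure that its directives are properly followed.16

5.4 Contingency and business continuity planning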

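5.4.1 Each AI should have in place contingency and business continuity plans, having regard to the nature, scale and complexity of its business activities, to ensure that it has adequate arrangements to deal with emergency or crisis situations (see LM-2 “Sound Systems and Controls for Liquidity Risk Management” and RR-1 “Reputation Risk Management”) and can continue to function and meet its regulatory obligations in the event of an unforeseen interruption (see TM-G-2 “Business Continuity Planning”). These plans should be regularly updated and tested to ensure their effectiveness.

16 In the case of a foreign bank operating a branch in Hong Kong, the head office of the bank may authorize the branch to establish the compliance policy for the local operations, provided that the completed policy is approved by the head office before it is implemented and there is a process for the head office to oversee how the policy has been implemented.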
