The German Federal Financial Supervisory Authority (BaFin) plans to unveil an enhanced risk management framework for financial firms sometime this autumn. The framework, Minimum Requirements for Risk Management (MaRisk), is a comprehensive principles-based regime for internal risk management and attaches great importance to the quality of risk management. This will be the fourth enhancement of the MaRisk principles since their introduction in 2005. In order to keep MaRisk up to date with changes in market practices, BaFin has set up a Specialist Committee consisting of representatives from the Deutsche Bundesbank and the associations, industry groups, and external and internal auditors that support BaFin in the further development of MaRisk.
The risk management principles embodied in MaRisk give financial firms the necessary organizational latitude to implement a risk management program with individual elements tailored to a particular financial institution, taking into account the scale, complexity and risk activities of a particular firm.
MaRisk is divided into a General Section and a Special Section. The General Section contains fundamental risk management requirements that have no specific reference to a type of business and, thus, are of an overarching nature to be observed irrespective of the type of business being engaged in or the types of risk. The Special Section contains rules for the internal control system, for risk monitoring, and for risk control processes. It also sets out in more detail the requirements for internal audit.
BaFin noted that the financial crisis demonstrated how rapidly financial stability can be jeopardized if financial firms do not have robust risk management systems in place to identify critical developments and enable firms to react quickly. The MaRisk principles provide firms with an action framework for the organization of their risk management systems and make transparent how risk management may be organized in practice to comply with international and EU law.
The MaRisk principles require a financial firm to establish an internal process to ensure its risk-bearing capacity. A firm’s risk-bearing capacity has to be taken into account when determining strategies and adjusting these strategies. Appropriate processes for identifying, assessing, treating, monitoring and communicating risks also have to be established in order to implement the strategies and guarantee the institution’s risk-bearing capacity.
Senior management has to define a sustainable business strategy and a consistent risk strategy. The risk strategy has to take into account the objectives and plans of the institution’s material business activities as set forth in the business strategy, as well as the risks of material outsourcings. Responsibility for the determination of these strategies cannot be delegated. Senior management must ensure the implementation of the strategies. The level of detail contained in the strategies depends on the scope and complexity, as well as the risk content, of the planned business activities.
Senior management bears sole responsibility for determining the content of the business strategy and this does not form part of audits either by external independent auditors or the internal auditing function. The business strategy is to be used to assess the firm’s risk strategy in order to ensure that both strategies are consistent with each other. The question as to whether or not the risk strategy may be integrated into the business strategy remains in the discretion of the firm.
As a general rule, the internal auditing function has to cover all of an institution’s activities and processes based on a risk-oriented approach. Audit planning has to be risk-oriented. The activities and processes of the firm, even if these are outsourced, have to be audited at appropriate intervals, as a general rule within three years. But auditing has to be performed annually if particular risks exist. Activities and processes which are deemed to be immaterial from a risk point of view may be exempted from the three-year audit cycle.
In order to enable it to perform its duties, the internal auditing function has to be granted a full and unlimited right to information at all times. In this respect, the internal auditing function has to be immediately provided with the necessary information, the required documents and an opportunity to review the firm’s activities, processes and IT systems.
Senior management has to annually review the firm’s risk management strategies and adjust them as appropriate. The supervisory board has to be notified of all risk management strategies and given an opportunity to discuss them. In addition, senior management must submit a risk report to the supervisory body on a quarterly basis. The risk report has to be written in a form that is comprehensible and meaningful and has to contain both a presentation and an evaluation of the risk situation. The report must deal separately with special risks for business performance.
Appropriate stress tests must be carried out at regular intervals for material risks. This must be done on the basis of the main risk factors identified for the corresponding risks. The stress tests also have to take special account of risk concentrations and risks resulting from off-balance sheet company structures. The suitability of the stress tests as well as their underlying assumptions must be reviewed annually.
BaFin, headed by Dr. Elke König, currently oversees around 1,880 banks, 680 financial services institutions, some 600 insurance undertakings and 30 pension funds as well as almost 6,000 investment funds and 77 investment companies.