The German Federal Financial Supervisory Authority (BaFin) plans to unveil an enhanced risk management framework for financial firms sometime this autumn. The framework, Minimum Requirements for Risk Management (MaRisk), is a comprehensive principles-based regime for internal risk management and attaches great importance to the quality of risk management. This will be the fourth enhancement of the MaRisk principles since their introduction in 2005. In order to keep MaRisk up to date with changes in market practices, BaFin has set up a Specialist Committee consisting of representatives from the Deutsche Bundesbank and the associations, industry groups, and external and internal auditors that support BaFin in the further development of MaRisk.
The risk management principles embodied in MaRisk give financial firms the necessary organizational latitude to implement a risk management program with individual elements tailored to a particular financial institution, taking into account the scale, complexity and risk activities of a particular firm.
MaRisk is divided into a General Section and a Special Section. The General Section contains fundamental risk management requirements that have no specific reference to a type of business and, thus, are of an overarching nature to be observed irrespective of the type of business being engaged in or the types of risk. The Special Section contains rules for the internal control system, for risk monitoring, and risk control processes. It also renders more precisely the requirements for internal audit.
BaFin noted that the financial crisis demonstrated how rapidly financial stability can be jeopardized if financial firms do not have robust risk management systems in place to identify critical developments and enable firms to react quickly. The MaRisk principles provide firms with an action framework for the organization of their risk management systems and make transparent how risk management may be organized in practice to comply with international and EU law.
MaRisk principles require a financial firm to establish an internal process to ensure its risk-bearing capacity. A firm’s risk-bearing capacity has to be taken into account when determining strategies and adjusting these strategies. Appropriate processes for identifying, assessing, treating, monitoring and communicating risks also have to be established in order to implement the strategies and guarantee the institution’s risk-bearing capacity.
Senior management has to define a sustainable business strategy and a consistent risk strategy. The risk strategy has to take into account the objectives and plans of the institution’s material business activities as set forth in the business strategy, as well as the risks of material outsourcings. Responsibility for the determination of these strategies cannot be delegated. Senior management must ensure the implementation of the strategies. The level of detail contained in the strategies depends on the scope and complexity, as well as the risk content, of the planned business activities.
Senior management bears sole responsibility for determining the content of the business strategy, and this does not form part of audits either by external independent auditors or by the internal auditing function. The business strategy is to be used to assess the firm’s risk strategy in order to ensure that both strategies are consistent with each other. Whether or not the risk strategy may be integrated into the business strategy remains at the discretion of the firm.
As a general rule, the internal auditing function has to cover all of an institution’s activities and processes based on a risk-oriented approach. Audit planning has to be risk-oriented. The activities and processes of the firm, even if these are outsourced, have to be audited at appropriate intervals, as a general rule within three years. But auditing has to be performed annually if particular risks exist. Activities and processes which are deemed to be immaterial from a risk point of view may be exempted from the three-year audit cycle.
In order to enable it to perform its duties, the internal auditing function has to be granted a full and unlimited right to information at all times. In this respect, the internal auditing function has to be immediately provided with the necessary information, the required documents and an opportunity to review the firm’s activities, processes and IT systems.
Senior management has to review the firm’s risk management strategies annually and adjust them as appropriate. The supervisory board has to be notified of all risk management strategies and given an opportunity to discuss them. In addition, senior management must submit a risk report to the supervisory body on a quarterly basis. The risk report has to be written in a form that is comprehensible and meaningful and has to contain both a presentation and an evaluation of the risk situation. The report must deal separately with special risks for business performance.
Appropriate stress tests must be carried out at regular intervals for material risks. This must be done on the basis of the main risk factors identified for the corresponding risks. The stress tests also have to take special account of risk concentrations and risks resulting from off-balance sheet company structures. The suitability of the stress tests as well as their underlying assumptions must be reviewed annually.
BaFin, headed by Dr. Elke König, currently oversees around 1,880 banks, 680 financial services institutions, some 600 insurance undertakings and 30 pension funds, as well as almost 6,000 investment funds and 77 investment companies.