2021-06-28
Added
The Monetary Authority of Singapore issued these July 2021 guidelines to define the corporate governance roles of Boards and senior management in ensuring sound risk management within financial institutions. The document mandates that Boards approve strategic direction, risk appetite, and remuneration policies while maintaining ultimate accountability for oversight and independent risk function resourcing. Senior management is required to implement comprehensive risk systems, conduct regular stress testing, and report material adverse developments or changes in leadership to the Authority.
Monetary Authority of Singapore BOARD AND SENIOR MANAGEMENT July 2021
GUIDELINES ON RISK MANAGEMENT PRACTICES JULY 2021
Table of Contents 1 Introduction 1 1.1 Overview 1 1.2 Board Matters 2 1.3 Matters Relating to Senior Management 4 1.4 Reporting to the Authority 5 2 Risk Management 5 2.1 Overview 5 2.2 Risk Culture and Risk Appetite 6 2.3 Risk Management System 6 2.4 Adequate Capital and Liquidity 8 2.5 Periodic Review of Risk Management Framework 8 2.6 Stress Testing 9 2.7 Business Continuity 9 2.8 Review of Transactions 9 2.9 Delegation of Responsibility 9 MONETARY AUTHORITY OF SINGAPORE
GUIDELINES ON RISK MANAGEMENT PRACTICES JULY 2021
BOARD AND SENIOR MANAGEMENT MONETARY AUTHORITY OF SINGAPORE 1 1 INTRODUCTION 1.1 Overview 1.1.1 The Board of Directors (Board) and senior management1 of an institution play pivotal roles in ensuring a sound risk management culture and environment. They are entrusted to be the custodians of good corporate governance, the prerequisite for sound risk management. This chapter highlights the corporate governance roles of Board and senior management as they pertain to risk management. It should be read in conjunction with the “Guidelines on Corporate Governance for Banks, Financial Holding Companies and Direct Insurers which are Incorporated in Singapore” 2 . Other relevant regulatory requirements3 and industry standards4 should also be taken into account where appropriate.
1 It is recognised that there are significant differences in legislative and regulatory frameworks across countries between the functions of the Board of Directors and senior management. In some countries, the Board has the main, if not exclusive, function of supervising an executive body (comprising senior and general management) to ensure that the latter fulfils its duties. For this reason it is sometimes known as the Supervisory Board. In such cases, the Board has no executive powers. By contrast, in other countries, the Board has broader responsibilities but delegates many of them to Senior Management. Because of these differences, the terms “Board” and “senior management” are used in these guidelines to identify two decision making functions within an institution but not to identify legal constructs. 2 Issued by the Monetary Authority of Singapore in Sep 2005, and last updated in Dec 2010 3 These include: Section 53A and 57FA of the Banking Act (Cap.19) on appointment of chief executive officer and other persons. 4 These include: the Basel Committee on Banking Supervision (BCBS) Principles for Enhancing Corporate Governance (October 2010), the Organisation for Economic Cooperation and Development (OECD) Guidelines on Insurer Governance (2011), the OECD publication on Corporate Governance and the Financial Crisis – Conclusions and emerging good practices (February 2010), the Financial Stability Board (FSB) Principles for Sound Compensation Practices (September 2009), the BCBS Compensation Principles and Standards Assessment Methodology (January 2010), the BCBS Principles for Sound Stress Testing Practices and Supervisions (May 2009), the Senior Supervisors’ Group (SSG) report on the Risk Management Lessons from the Global Banking Crisis of 2008 (October 2009), the SSG report on Observations on developments in Risk Appetite Frameworks and IT Infrastructure (December 2010), and the FSB Peer Review Report on the Thematic Review on Risk Governance (February 2013).
GUIDELINES ON RISK MANAGEMENT PRACTICES JULY 2021
1.2 Board Matters 1.2.1 The Board is collectively accountable to stakeholders, including shareholders, for the long-term success and financial soundness of the institution. To this end, it has the ultimate responsibility to
(a) approve and oversee implementation of the institution’s overall strategic direction, risk appetite and strategy, and related policies; (b) establish and communicate corporate culture and values (eg through a code of conduct); and (c) establish conflicts of interest policies and a strong control environment.
1.2.2 The Board should comprise members who collectively bring a balance of expertise, skills, experience and perspectives. There should be a strong element of independence on the Board with no concentration of power in any particular member or a group of members of the Board.
1.2.3 The Board may delegate the authority to make decisions to a Board committee but bears the ultimate responsibility. The terms of reference for the Board and the Board committees6 should be set out clearly. The Board should establish communication procedures between the Board and Board 5 In the case of a foreign-domiciled institution, the role and responsibilities of the Board may have been delegated to a management committee or body responsible for the supervision and oversight of the institution in Singapore. The implementation of these guidelines by the management committee or body insofar as it affects the institution will be taken into account in assessing the quality of Board and senior management oversight. 6 Depending on the nature, scale and complexity of the institution’s activities, the Board may set up Board committees such as the audit committee, the executive committee, the nominating committee, the remuneration committee and the risk management committee. For more information on the roles and responsibilities of these committees, please refer to the “Guidelines on Corporate Governance for Banks, Financial Holding Companies and Direct Insurers which are Incorporated in Singapore” at http://www.mas.gov.sg/~/media/resource/legislation_guidelines/insurance/guidelines/9%20De c%202010_Guidelines%20on%20Corporate%20Governance.pdf.
GUIDELINES ON RISK MANAGEMENT PRACTICES JULY 2021
1.2.4 The Board should approve the institution’s organisational structure and ensure that adequate corporate governance frameworks and systems are in place. It should also understand the institution’s operational structure, including possible impediments to transparency (e.g. special-purpose or related structure), and their inherent risks.
1.2.5 The Board should ensure that senior management formulates policies that promote fair practices and professionalism, with respect to internal dealings and external transactions, including situations where there are real or potential conflicts of interests. 1.2.6 The Board should receive regular training from time to time. It should put in place a continuous professional development programme to ensure that directors are equipped with the appropriate skills and knowledge to perform their roles on the Board and Board committees effectively. Such programmes may include providing the directors with a detailed overview and risk profile of the institution’s significant or new business lines and periodic updates on regulatory developments.
1.2.7 The Board should critically review its own performance and that of the Board committees periodically. The performance criteria applied should include the quality of risk management and adequacy of internal controls, and reflect the responsibility of the Board to also safeguard the interests of its depositors or policyholders.
1.2.8 The Board should oversee the design and operation of the institution’s remuneration policies and ensure that they:
(a) are in line with long-term strategic objectives, financial soundness and corporate values of the institution;
(b) do not give rise to conflicts between the objectives of the institution and the individual interests of directors and senior management; and
(c) do not create incentives for excessive risk-taking behaviour.
GUIDELINES ON RISK MANAGEMENT PRACTICES JULY 2021
1.2.10 The Board should establish fit and proper standards in appointing senior management and ensure that there is an adequate succession planning to promote smooth management transition and minimise operational disruptions arising from changes in key personnel. Management of succession planning should be an active ongoing process, integrated within the institution’s strategic plans.
1.2.11 The Board should ensure that the institution’s related party transactions are undertaken on an arm’s length basis. The terms and conditions of such transactions should not be more favourable than transactions with non-related parties under similar circumstances. Transactions with related parties and the write-off of related-party exposures exceeding specified amounts or otherwise posing special risks should be subject to prior approval by the Board. Board members with conflicts of interest should be excluded from the approval process of granting and managing related party transactions.
1.2.12 The Board and senior management should ensure that the institution’s recordkeeping systems produce adequate and reliable data for the purpose of preparing financial statements that are in line with the relevant accounting standards.
1.2.13 The Board should maintain adequate records of all its meetings, in particular discussions on key issues and the decisions taken.
1.3 Matters Relating to Senior Management 1.3.1 The senior management bears the general executive responsibility for the day-to-day conduct of business and affairs of the institution. It is responsible for creating an accountability framework for the staff, but should be cognisant that it is ultimately accountable to the Board for the performance of the institution.
1.3.2 Where the institution has overseas operations, the senior management should exercise adequate oversight of the institution’s groupwide operations, including its overseas operations and ensure that appropriate reporting structures are put in place and they have access to all material information from foreign branches and subsidiaries.
GUIDELINES ON RISK MANAGEMENT PRACTICES JULY 2021
(a) the suitability of a relevant shareholder7 ; and
(b) the fitness and propriety8 of a Board member or a member of the senior management.
2 RISK MANAGEMENT 2.1 Overview 2.1.1 The Board is responsible for overseeing the governance of risk in the institution. The Board should ensure that senior management maintains a sound system of risk management and internal controls to safeguard stakeholders’ interests and the institution’s assets, and should determine the nature and extent of the significant risks which the Board is willing to take in achieving its strategic objectives.
2.1.2 The Board and senior management should understand the institution’s business strategy, nature of the business activities, new products, material modifications to existing products, and major management initiatives 7 “Relevant shareholder” in relation to a financial institution means – (a) a substantial shareholder within the meaning as defined under the relevant Act applicable to the licensing, registration, approval or regulation by the Authority of the financial institution; (b) an indirect controller within the meaning as defined under the relevant Act applicable to the licensing, registration, approval or regulation by the Authority of the financial institution; and (c) a person having effective control or having control of the financial institution within the circumstances as described under the relevant Act applicable to the licensing, registration, approval or regulation by the Authority of the financial institution. 8 Please refer to the “Guidelines on Fit and Proper Criteria” (Guideline No. FSG-G01) issued by the Monetary Authority of Singapore. The guidelines were last revised on 7 August 2012.
GUIDELINES ON RISK MANAGEMENT PRACTICES JULY 2021
2.1.3 Senior management should provide the Board with information on all potentially material risks facing the institution, including those relevant to the institution’s risk profile, capital and liquidity needs. Information should be comprehensive, accurate, complete and timely.
2.2 Risk Culture and Risk Appetite The Board should:
(a) set the tone from the top and inculcate an appropriate risk culture throughout the institution;
(b) approve the risk appetite framework which should be comprehensive, actionable and consistent with the institution’s business strategy; and
(c) review, at least annually, the institution’s risk profile, risk tolerance and risk strategy.
2.3 Risk Management System 2.3.1 The Board should ensure that senior management establishes a risk management system for identifying, measuring, evaluating, monitoring, reporting and controlling or mitigating risks regularly. In particular,
(a) risk management strategies, policies, processes and limits should be properly documented and communicated within the institution. They should be regularly reviewed and appropriately adjusted to reflect changing risk appetites, risk profiles, capital strength, and market and macroeconomic conditions;
(b) risk management policies and processes should provide a comprehensive “institution-wide” 9 view of the institution’s exposures to material risks, such as credit, market, underwriting, liquidity, country and transfer, interest rate, 9 Institutions should consider the risk exposures of individual business lines, business units, and where applicable, across and within the group of which the institution is a member.
GUIDELINES ON RISK MANAGEMENT PRACTICES JULY 2021
(c) risk management processes should assess risks arising from the macroeconomic environment affecting the markets in which the institution operates and to incorporate such assessments into the institution’s risk management process;
(d) exception to policies, processes and limits should receive the prompt attention of, and authorisation by, the appropriate level of management and the Board, where necessary;
(e) the risk management function should be adequately resourced and independent, with clearly delineated authority and responsibilities. The risk management function should have access to the Board to perform their duties effectively. The team performing this function should report the institution’s risk exposures directly to the Board and senior management; and
(f) where models are used to measure components of risk, the Board and senior management should ensure that the models are validated and tested regularly by an independent party. They should also understand the limitations and uncertainties relating to the output of the models and the risks inherent in their use.
2.3.2 Senior management should be responsible for implementing the policies and procedures for conducting the risk strategy and policies approved by the Board.
2.3.3 Senior management should ensure that the institution has effective risk management and control processes, reliable risk measurement and reporting systems, and competent staff for sound risk management.
2.3.4 Depending on the scale, nature and complexity of the institution’s activities, the Board may appoint a chief risk officer (CRO). The CRO should have a reporting line to the Board and full access to information within the institution, relevant affiliates and subsidiaries. The role of the CRO, which should be distinct from other executive functions and business line responsibilities, include:
GUIDELINES ON RISK MANAGEMENT PRACTICES JULY 2021
(b) developing, with support from senior management, and managing the risk management system;
(c) seeking information and explanations from senior management; and
(d) participating in key decision-making processes.
2.3.5 The Board should approve the appointment, remuneration, resignation or dismissal of the CRO. The Board should disclose the resignation or dismissal publicly. The institution should discuss the reasons for the removal or resignation of the CRO with the Authority.
2.4 Adequate Capital and Liquidity It is the responsibility of the Board to oversee that senior management has in place processes to ensure that the institution maintains adequate levels of capital and liquidity to support the risk exposures that may arise from its business activities. In this regard, there should be mechanisms to inform the Board and senior management of significant changes in the institution’s activities that would warrant a review of the adequacy of capital and liquidity supporting these activities. The Board and senior management should regularly review and understand the implications and limitations (including the risk management uncertainties) of the risk management information that they receive.
2.5 Periodic Review of Risk Management Framework 2.5.1 The Board should obtain a periodic independent assessment of the design and effectiveness of the institution’s risk governance framework
2.5.2 The Board should, at least annually, review the adequacy and effectiveness of the institution’s risk management and internal control systems, including financial, operational, compliance, internal audit and information technology controls.
2.5.3 Senior management should review periodically the adequacy and appropriateness of the institution's policies and procedures, and risk management processes. The review should cover the methodologies, models and assumptions used to measure risk and limit exposures, performance and
GUIDELINES ON RISK MANAGEMENT PRACTICES JULY 2021
2.7 Business Continuity Senior management should ensure that business continuity and other appropriate contingency plans to deal with disruptions and stress conditions, have been prepared10. These plans should be periodically reviewed and tested so that important changes in the risk environment are assessed and catered for.
2.8 Review of Transactions Senior management should periodically review selected individual transactions, and the aggregate portfolio for compliance with the institution’s risk strategy and policies.
2.9 Delegation of Responsibility While senior management might typically delegate some of its risk management responsibilities to other committees or personnel, its accountability cannot be delegated. Senior management should continue to exercise appropriate oversight to ensure that delegated responsibilities are effectively carried out.
10 Please refer to the “Business Continuity Management Guidelines” issued in June 2003, as well as the “Further Guidance on Business Continuity Management” issued in January 2006, by the Monetary Authority of Singapore, on principles relating to business continuity management.