1.   Member States shall require IORPs, in a manner that is proportionate to their size and internal organisation, as well as to the size, nature, scale and complexity of their activities, to have in place an effective risk-management function. That function shall be structured in such a way as to facilitate the functioning of a risk-management system for which the IORPs shall adopt strategies, processes and reporting procedures necessary to identify, measure, monitor, manage and report to the administrative, management or supervisory body of the IORP regularly the risks, at an individual and at an aggregated level, to which the IORPs and the pension schemes operated by them are or could be exposed, and their interdependencies.

That risk-management system shall be effective and well-integrated into the organisational structure and in the decision-making processes of the IORP.

2.   The risk-management system shall cover, in a manner that is proportionate to the size and internal organisation of IORPs, as well as to the size, nature, scale and complexity of their activities, risks which can occur in IORPs or in undertakings to which tasks or activities of an IORP have been outsourced, at least in the following areas, where applicable:

(a)	underwriting and reserving;

(b)	asset–liability management;

(c)	investment, in particular derivatives, securitisations and similar commitments;

(d)	liquidity and concentration risk management;

(e)	operational risk management;

(f)	insurance and other risk-mitigation techniques;

(g)	environmental, social and governance risks relating to the investment portfolio and the management thereof.

3.   Where, in accordance with the conditions of the pension scheme, members and beneficiaries bear risks, the risk management system shall also consider those risks from the perspective of members and beneficiaries.