Article 23
Risk management
1.
Investment firms shall take the following actions relating to risk management:
(a)
establish, implement and maintain adequate risk management policies and procedures which identify the risks relating to the firm’s activities, processes and systems, and, where appropriate, set the level of risk tolerated by the firm. In doing so, investment firms shall take into account sustainability risks;
(b)
adopt effective arrangements, processes and mechanisms to manage the risks relating to the firm's activities, processes and systems, in light of that level of risk tolerance;
(c)
monitor the following:
(i)
the adequacy and effectiveness of the investment firm's risk management policies and procedures;
(ii)
the level of compliance by the investment firm and its relevant persons with the arrangements, processes and mechanisms adopted in accordance with point (b);
(iii)
the adequacy and effectiveness of measures taken to address any deficiencies in those policies, procedures, arrangements, processes and mechanisms, including failures by the relevant persons to comply with such arrangements, processes and mechanisms or follow such policies and procedures.
2.
Investment firms shall, where appropriate and proportionate in view of the nature, scale and complexity of their business and the nature and range of the investment services and activities undertaken in the course of that business, establish and maintain a risk management function that operates independently and carries out the following tasks:
(a)
implementation of the policy and procedures referred to in paragraph 1;
(b)
provision of reports and advice to senior management in accordance with Article 25(2).
Where an investment firm does not establish and maintain a risk management function under the first sub-paragraph, it shall be able to demonstrate upon request that the policies and procedures which it is has adopted in accordance with paragraph 1 satisfy the requirements therein.