7

Risk control

7.1

Internal Governance of Third Country Branches 2.1 requires a third country branch to have effective processes to identify, classify, manage, monitor and report the risks it is or might be exposed to.

7.2

A third country branch should establish, implement and maintain adequate risk management policies and procedures, including effective procedures for risk assessment, which identify the risks relating to the third country branch’s activities, processes and systems, and where appropriate, set its risk appetite or the level of risk tolerated by the third country branch.

7.3

A third country branch should adopt effective arrangements, processes and mechanisms to identify and manage the risk relating to its activities, processes and systems, in the light of that level of risk tolerance.

7.4

The management body should approve and periodically review the strategies and policies for taking up, managing, monitoring and mitigating the risks the third country branch is or might be exposed to, including those posed by the macroeconomic environment in which it operates in relation to the status of the business cycle.

7.5

For a firm included within the scope of the Internal Capital Adequacy Assessment 15 (Reverse stress testing), the strategies, policies and procedures for identifying, taking up, managing, monitoring and mitigating the risks to which the firm is or might be exposed include conducting reverse stress tests on its business plan as well. This would further senior personnel’s understanding of the firm’s vulnerabilities and would help them design measures to prevent or mitigate the risk of business failure.

7.6

A third country branch should monitor the following:

  • the adequacy and effectiveness of its risk management function, policies and procedures;
  • the level of compliance by the third country branch and its relevant persons with the arrangements, processes and mechanisms adopted in accordance with 7.3; and
  • the adequacy and effectiveness of measures taken to address any deficiencies in those policies, procedures, arrangements, processes and mechanisms, including failures by the relevant persons to comply with such arrangements, processes and mechanisms or follow such policies and procedures.

7.7

A third country branch should, where appropriate and proportionate in view of the nature, scale and complexity of its business and the nature and range of the financial services and activities undertaken in the course of that business, establish and maintain a risk management function that operates independently and carries out the following tasks:

  • implementation of the policies and procedures referred to in 7.2 to 7.6; and
  • provision of reports and advice to senior personnel in accordance with 4.1.

7.8

Where a third country branch does not maintain a risk management function that functions independently, it should nevertheless be able to demonstrate that the policies and procedures which it has adopted in accordance with 7.2 to 7.6 satisfy those provisions and are consistently effective.

7.9

In setting the method of determining the remuneration of employees involved in the risk management function, third country branches will need to comply with the Remuneration parts of the PRA Rulebook.

7.10

The term ‘risk management function’ in 7.6 and 7.8 refers to the generally understood concept of risk assessment within a firm or third country branch, that is, the function of setting and controlling risk exposure. The risk management function is not a controlled function itself, but is part of the systems and controls function (SMF4).

Governance arrangements

7.11

The PRA expects that a third country branch should consider whether, in order to fulfil Internal Governance for Third Country Branches 2.1 and the general organisational requirements in this supervisory statement, its risk control arrangements should include:

  • the appointment of a branch head of risk; and
  • the establishment of a branch risk management oversight team whose role includes giving risk oversight under an effective risk management structure and framework.

Branch head of risk

7.12

Where a third country branch has an individual performing the role of head of risk, he or she will need to be pre-approved as the Head of Risk function (SMF4) as explained in SS28/15 Strengthening individual accountability in banking.[11] This can include individuals performing this role across a range of UK legal entities, such as a regional CRO responsible for this area in the firm’s UK subsidiaries as well as the branch. The PRA expects that an SMF4 should:

  • be accountable to the management body of the firm for oversight of branch-wide risk management;
  • be fully independent of a branch’s individual business units;
  • have sufficient authority, stature and resources for the effective execution of his/her responsibilities;
  • have unfettered access to any parts of the branch’s business capable of having an impact on the branch’s risk profile;
  • ensure that the data used by the branch to assess its risks are fit for purpose in terms of quality, quantity and breadth;
  • provide oversight and challenge of the branch’s systems and controls in respect of risk management;
  • provide oversight and validation of the branch’s reporting of risk;
  • ensure the adequacy of risk information, risk analysis and risk training provided to members of the branch’s management team;
  • report to the branch’s management team (and, if appropriate, to the management body of a firm) on the branch’s risk exposures relative to its risk appetite and tolerance, and the extent to which the risks inherent in any proposed business strategy and plans are consistent with the branch’s risk appetite and tolerance. The branch head of risk should also alert the branch’s management team to, and provide challenge on, any business strategy or plans that exceed the branch’s risk appetite and tolerance; and
  • provide risk-focused advice and information into the setting and individual application of the branch’s remuneration policy consistent with the Remuneration Part of the PRA Rulebook.

7.13

The PRA expects that a third country branch will structure its arrangements so that a senior management personnel at an appropriate level within the group will exercise functions in 7.12 taking into account group-wide risks.

Reporting lines of branch head of risk

7.14

Where a third country branch has an individual performing the role of head of risk, they should be accountable to a branch’s management team and, in most cases, to the head of the firm or group risk management function. The PRA recognises that in addition, a reporting line should be established for operational purposes. Accordingly, to the extent necessary for effective operational management, the branch head of risk should report into the most senior branch management personnel. In practice, the PRA expects this to be the Head of Overseas Branch (SMF19) or another manager with a reporting line to the SMF19.

Appointment and removal of branch head of risk

7.15

A third country branch should ensure that its branch head of risk’s remuneration is subject to approval by the firm’s management body, or an appropriate sub-committee. A third country branch should also ensure that the branch head of risk may not be removed from that role without the approval of the firm’s management body or its head office.

Branch risk oversight team

7.16

The PRA expects that, while a branch’s management team is ultimately responsible for risk governance throughout the business, a third country branch should consider establishing a mechanism for providing risk oversight to the branch’s business activities to provide focused support and advice on risk governance. Where a third country branch has established a risk oversight team, its responsibilities should typically include:

  • providing advice to the branch’s management team on risk strategy, including the oversight of current risk exposures of the branch, with particular, but not exclusive, emphasis on prudential risks;
  • development of proposals for consideration by the branch management team in respect of overall risk appetite and tolerance, as well as the metrics to be used to monitor the branch’s risk management performance;
  • oversight and challenge of the design and execution of stress and scenario testing;
  • oversight and challenge of the day-to-day risk management and oversight arrangements of the branch management team;
  • oversight and challenge of due diligence on risk issues relating to material transactions and strategic proposals that are subject to approval by the branch management team; and
  • providing advice, oversight and challenge necessary to embed and maintain a supportive risk culture throughout the branch.

7.17

In carrying out their risk governance responsibilities, a third country branch’s management team and branch risk oversight function covering the branch should have regard to any relevant advice from the firm’s audit committee concerning the effectiveness of its current control framework. In addition, they should remain alert to the possible need for expert advice and support on any risk issue, taking action to ensure that they receive such advice and support as may be necessary to meet their responsibilities effectively.