Title 12

SECTION 653.3

§ 653.3 Risk management.

(a) Risk management program. The Corporation's board of directors must establish, maintain, and periodically update an enterprise-wide risk management program addressing how the Corporation's activities are exercised in a safe and sound manner. The implementation of the risk management program may reside with senior management. The risk management program at a minimum must:

(1) Periodically assess and document the Corporation's risk profile.

(2) Align the Corporation's risk profile with the board-approved risk appetite and the Corporation's operational planning strategies and objectives.

(3) Specify management's authority to carry out risk management responsibilities.

(4) Integrate risk management and control objectives into management goals and compensation structures.

(5) Comply with all applicable FCA regulations and policies.

(b) Risk committee. The Corporation's board-level risk committee assists the full board of directors in the oversight of the enterprise-wide risk management program of the Corporation.

(1) The risk committee must have at least one member with an understanding of risk management commensurate with the Corporation's capital structure, risk profile, complexity, activities, size, and other appropriate risk-related factors.

(2) The responsibilities of the risk committee include, but are not limited to:

(i) Periodically assessing management's implementation of the enterprise-wide risk management program;

(ii) Recommending changes to the risk management program to keep the program commensurate with the Corporation's capital structure, risk appetite, complexity, activities, size, and other appropriate risk-related factors; and

(iii) Receiving and reviewing regular reports directly from personnel responsible for implementing the Corporation's risk management program.

(c) Management of risk. The Corporation must have a risk officer, however styled, who is responsible for implementing and maintaining the enterprise-wide risk management practices of the Corporation. The risk officer must have risk management experience commensurate with the Corporation's capital structure, risk appetite, complexity, activities, and size. The responsibilities of the risk officer include, but are not limited to:

(1) Identifying and monitoring compliance with risk limits, exposures, and controls;

(2) Implementing risk management policies, procedures, and risk controls;

(3) Developing appropriate processes and systems for identifying and reporting risks, including emerging risks;

(4) Reporting on risk management issues, emerging risks, and compliance concerns; and

(5) Making recommendations on adjustments to the risk management policies, procedures, and risk controls of the Corporation.