until further notice 1 (5)

Applicable to investment firms

REGULATION ON RISK MANAGEMENT AND OTHER ASPECTS OF INTERNAL CONTROL IN INVESTMENT FIRMS

By virtue of section 29, paragraph 2, of the Investment Firms Act (579/1996), the Financial Supervision Authority issues the following regulation on risk management and other aspects of internal control in investment firms and undertakings belonging to an investment firm's consolidation group. The regulation takes account of the Council Directive 93/22/EEC of 10 May 1993 on investment services in the securities field (OJEC No L 141, 11.06.1993 p. 27).

Purpose and scope of the regulation

In this regulation, the Financial Supervision Authority lays down minimum requirements for adequate risk management and other aspects of internal control. The basic principle is that the risk management and other aspects of internal control exercised by investment firms and undertakings belonging to an investment firm's consolidation group should be of adequate standard with regard to the nature and scope of operations, that credit institutions and undertakings belonging to a credit institution's consolidation group should refrain from excessive risk-taking in their operations and that they should employ control methods that enable identification, assessment and limitation of the risks inherent in business.

For the purposes of implementing risk management and other aspects of internal control, the Financial Supervision Authority has issued Guideline 203.28. In the guideline, the Financial Supervision Authority gives recommendations for the implementation of risk management and other aspects of internal control in accordance with the provisions set out in the present regulation.

The provisions in this regulation concerning an investment firm shall also apply, where applicable, to an investment firm's consolidation group.
Definition of the concept of internal control

Internal control is a process aimed at:

a) accomplishment of stated goals and objectives;
b) economical and efficient use of resources;
c) adequate control of the risks inherent in operations;
d) reliability and integrity of financial and other management information;
e) compliance with laws and regulations, strategies, plans, internal rules and procedures.

According to this definition, internal control comprises all such controls, financial or otherwise, as are effected by the board of directors, senior management and other staff.

Risk management as an integral part of the internal control system

Risk management refers to the identification, assessment, limitation and control of risks that arise from and are essentially related to business ¹. In an investment firm, risk management is an integral part of the internal control system. It is essential that the risks inherent in different business functions are identified and policies for their limitation established. Risk management procedures may vary among institutions depending on the scope and nature of the business.

The main elements of internal control are:

a) management style and control culture;
b) identification, assessment, limitation and control of risks;
c) control activities and segregation of duties;
d) information and communication;
e) monitoring procedures and corrective actions.

Responsibility for risk management and other internal control

An investment firm's board of directors and managing director are responsible for ensuring that internal control is applied in all operations.

¹ The use of risk limits for the measurement and limitation of risks applies to measurable risks only.
Responsibility for the different areas of management is determined by legislation, an investment firm's internal regulations and guidelines and the firm's size. The Financial Supervision Authority takes the view that an investment firm's board of directors has a key role in defining the principles and procedures of internal control and in implementing internal control.

The investment firm or financial holding company operating as the parent undertaking of a consolidation group shall be responsible for laying down the group's strategies and policies with regard to risk management and other aspects of internal control. The administrative body exercising supreme decision-making power in the parent undertaking of the consolidation group shall supervise on a comprehensive basis that the controlled organizations adhere to the principles of internal control. Such responsibility of the supreme administrative body does not, however, relieve eg the board of directors of an investment firm operating as a subsidiary of the group of the responsibility for organising internal control within their own organization.

General principles of internal control

The following principles are common to all aspects of internal control:

a) Internal control must promote a corporate culture that accepts internal control as a normal and necessary element of business.
b) Internal control must cover all activities of an investment firm. Such control needs to be commensurate with the risks inherent in different operations. Particular attention needs to be focused on new products, new business areas and cross-border operations.
c) The parent undertaking of an investment firm's consolidation group must see to it that adequate internal control is exercised by all undertakings in its consolidation group.
d) If an investment firm purchases services from others, this must not lead to any deterioration in the investment firm's internal control.
e) Internal control must include risk management systems that enable identification, assessment and control of all essential risks relating to the activities of an investment firm.
f) Internal control must prevent acts of fraud, embezzlement and other malpractices.
g) An investment firm must ensure that it has in place updated guidelines for key operations, including internal control of operations.
h) Internal control should also include contingency planning so as to ensure the continuity of the investment firm's operations in the event of disruptions.
Contingency plans must be tested to ensure they can be implemented when the need arises.
i) An investment firm's board of directors has a key role to play in establishing risk management policies and procedures and in implementing internal control, irrespective of the responsibilities that different administrative bodies may have on the basis of legislation, internal regulations and guidelines.

An investment firm must pay particular attention to the following aspects of the individual elements of internal control:

Management style and control culture

1) determine the investment firm's business strategies, operating principles and organizational structure; ensure an appropriate allocation of responsibilities, reporting relations and decision-making powers; and see to it that risk management and other aspects of internal control cover all activities of the investment firm and are commensurate with the risks inherent in its different operations;
2) establish quantitative and qualitative objectives for each field of operation and monitor their implementation;
3) ensure that staff have the requisite skills and are suitable for their tasks and that they have access to the information required to perform their tasks.

Identification, assessment, limitation and control of risks

4) ensure that the risks inherent in the investment firm's business are identified and assessed;
5) approve the investment firm's risk-taking principles; establish policies for risk limitation and supervise compliance with such policies;
6) ensure that the investment firm has a risk control function that is independent of the risk-taking function.
Control activities and segregation of duties

7) ensure that internal control measures are an integral part of the daily operations of the investment firm and that conflicting duties are appropriately segregated and the procedures for key operations documented in writing;
8) ensure that the investment firm's staff do not handle, in their capacity as representatives of the investment firm, any business transactions of their own or concerning persons with whom they are closely related, or otherwise influence any decisions relating to such business transactions.

Information and communication

9) ensure that the investment firm maintains information and communication systems that are adequate for decision-making and assessment of operations;
10) ensure that the investment firm maintains IT systems that are adequate with regard to its activities and organized in an appropriate fashion.

Monitoring procedures and corrective actions

11) ensure that the internal audit function is organized in an appropriate fashion and operates in accordance with good internal audit practice;
12) ensure that the board of directors are informed of material findings made by the internal audit function, the auditors and the authorities;
13) review internal control and the adequacy of risk management on a regular basis and always when
    - operations expand into new markets;
    - new products are introduced;
    - there are or will be material changes in the operating environment; or
    - businesses are reorganized;
14) establish procedures to ensure that control systems are revised when deficiencies are detected.

For further information, please contact: Capital Markets Department