Pillar 2

Oct 25, 2012
BNM/RH/CP 005-9

Development Finance and Enterprise Department

Concept Paper – Guidelines on Risk Governance

PART A OVERVIEW

1. Introduction

2. Scope of the Guidelines

PART B PRINCIPLES OF RISK GOVERNANCE

3. Board Practices

4. Senior Management Oversight

5. Risk Management and Internal Controls

6. Remuneration

7. Complex and Opaque Corporate Structures

8. Role of Subsidiary and Parent Entities

PART C IMPLEMENTATION

9. Implementation Requirements

PART A OVERVIEW

1. Introduction

1.1 Safety and soundness of financial institutions rely heavily on the effectiveness of risk oversight and control functions. Events in recent years have highlighted that despite the increased attention to and advancements in risk management by financial institutions across the globe over the last decade, risk management failures continue to recur. This bears symptoms of possible deficiency in the overall conceptual approaches and implementation of the risk management framework as well as weaknesses in the governance of financial institutions. Consequently, standards on governance have been enhanced to reinforce existing principles and to identify practices that contribute towards promoting sound financial institutions.

1.2 Risk governance focuses on applying the principles of sound corporate governance to the assessment and management of risks to uphold the principles of accountability, integrity and transparency within risk-taking activities. Towards this end, the roles of the board, senior management, risk management and control functions as well as the remuneration structures for managing risk effectively, should be carefully aligned to support sound risk governance. Risk governance and risk management practices should also be responsive to changes in the operating environment and developments in the institution’s business strategies. With increasingly complex business operations and activities, the availability of comprehensive and integrated systems to support an enterprise-wide or consolidated view of risks, for both the individual financial institution and for the group, is also critical.

1.3 The Guidelines on Risk Governance (the Guidelines) sets out high-level principles on risk governance to guide the board and senior management in performing their risk oversight function. The Guidelines is an extension of the “Guidelines on Corporate Governance for Development Financial Institutions” and should therefore be read jointly. The overarching principles provided under these Guidelines are applicable to all financial institutions. Financial institutions are expected to apply these principles taking into account the size, complexity, risk profile and nature of their activities.

1.4 The principles in the Guidelines are a foundation for and complement other guidelines and sound practices papers issued by the Bank on specific risks such as credit, market, operational, and liquidity risks. These guidelines collectively reflect the Bank’s supervisory expectations with regard to financial institutions’ risk management framework and practices, and form the basis for supervisory assessments of individual institutions performed by the Bank.

2. Scope of the Guidelines

2.1 The Guidelines are applicable to all development financial institutions (DFIs) prescribed under the Development Financial Institutions Act 2002, hereinafter referred to as development financial institutions.

PART B PRINCIPLES OF RISK GOVERNANCE

3. Board Practices

Principle 1: The board must ensure that the development financial institution’s corporate objectives are supported by an effective internal risk management framework and sound risk strategy.

3.1 The board’s overall responsibility for governing the development financial institution and ensuring its long-term financial soundness includes determining the development financial institution’s business and risk strategies. The board must approve the development financial institution’s overall risk strategy, including the risk appetite/tolerance[1], and oversee its implementation. The board should provide critical challenge to senior management on the appropriateness of the risk strategy[2] and evaluate whether the risk management framework supports effective implementation of the risk strategy.

[1] Risk appetite is a high level determination of how much risk a firm is willing to accept taking into account risk/return attributes. Risk tolerance is a more specific determination of the level of variations in risk a development financial institution is willing to accept based on its business objectives. The terms are used synonymously in this document.

[2] Risk strategy is the plan to ensure that the business is operating within the development financial institution’s risk appetite.

3.2 Development financial institutions must establish a risk appetite statement which reflects the level and types of risk that the institution is prepared to take in executing its business strategy. Development financial institutions should also be able to demonstrate that the risk appetite has considered all relevant risks, including non-quantifiable risks. The statement should acknowledge the willingness and capacity of the institution to take on risk while considering the mandated roles, financial position, long-term organisational objectives, and ability to meet obligations towards stakeholders, primarily the depositors, as well as skills and resources required to manage and monitor risk exposures in relation to the risk appetite set. The statement should also reflect the desired business mix and risk preferences for the various business lines of the development financial institution.

3.3 The board should also take appropriate steps to ensure that the overall risk appetite is effectively communicated such that decisions made throughout the institution are aligned with the risk appetite. The risk appetite should guide strategy development and business plans (e.g. development of new products, ventures into new market or business activities, product pricing strategies, planning of technology, skills and resources required) and direct the institution’s priorities for putting in place risk management tools and internal controls. The board must review and affirm the risk appetite regularly to ensure that it continues to be relevant and reflects any changes in the board’s expectations.

3.4 A sound control environment must be developed within the institution with the “three lines of defense” firmly established, namely the operational management or business line, the risk management and control functions, and internal audit, each with clearly specified roles within the risk management framework that complement and mutually reinforce one another. The board should ensure that all control functions as well as the internal audit have the proper authority and are properly staffed and resourced in order to carry out their responsibilities independently and effectively.

3.5 The board must receive regular and meaningful reports from management on the effectiveness of the risk management framework in managing the key risks to the institution as well as emerging risks. It is important for the board to ensure the integrity of the essential reporting and monitoring systems such that the reporting structures do not distort or suppress material information to the board. Reporting structures should preserve an appropriate degree of independent oversight by senior management and the board. This includes clearly defined escalation triggers and procedures for significant risk events and regular risk reports from independent control functions.


3.6 The board must be familiar with the operational structure of the development financial institution and ensure that organisational complexity does not hamper effective enterprise-wide risk management of the institution’s activities (see Principles 11 and 12).

3.7 A culture of risk awareness and risk management within the institution should be promoted by the board and senior management. A healthy risk culture should support and provide appropriate norms and incentives for professional and responsible behaviour towards risks. The board should take the lead in establishing the tone-at-the-top and in setting professional standards and corporate values that promote integrity. This should also be embedded within the development financial institution’s corporate policies and code of conduct. The corporate culture should also recognise and promote timely and frank discussions on risk at various levels of the organisation and ensure the timely escalation of material risk developments to senior management and the board for attention and mitigation.

3.8 For institutions with Islamic finance operations, a comprehensive and effective Shariah governance framework must be in place for assuring compliance with Shariah[3] principles. The board is ultimately responsible for the establishment of an effective Shariah governance framework within an Islamic financial institution[4] and for overall Shariah compliance of the institution.

[3] This principle should be read together with BNM’s Shariah Governance for Islamic Financial Institution.

[4] Applicable to DFIs that undertake Islamic banking business.

Principle 2: The board must provide effective oversight on senior management’s actions to ensure consistency with the risk strategy and policies approved by the board, including the risk appetite.

3.9 The board should establish appropriate internal oversight arrangements that would enable it to discharge its duties for effective risk oversight. This should include the establishment of a risk management committee of the board[5]. The board and its risk management committee should regularly obtain information from senior management on the operation of risk management policies, processes, and controls within the institution to ensure their continued effectiveness. This should be supported by reports or assurances from the independent risk management and control functions. It is also important for the board and its risk committee to meet regularly with senior management to question and review critically the risk information and developments affecting the institution.

3.10 The board must collectively possess and maintain, including through continuing education and training, appropriate and sufficient knowledge and competencies in risk management to provide effective oversight guidance to senior management on risk issues. The board should also require and ensure that senior management have the requisite skills, experience and competencies in risk management that are appropriate to the nature, scale and complexity of the development financial institution’s business.

3.11 The board and its risk committee should have the means and ability to seek independent third party views or information on risk implications as appropriate before coming to any conclusion or making any significant policy decisions. This should serve to promote informed and robust decision-making by the board in a manner that complements and adds value to the work of senior management.

[5] The roles and responsibilities of the board risk committee should be read together with the ‘Risk Management Committee’ section of BNM’s Guidelines on Corporate Governance for Development Financial Institutions.

4. Senior Management Oversight

Principle 3: Senior management should ensure that the development financial institution’s activities are consistent with the risk strategy, including the risk appetite, and policies, approved by the board.

4.1 Senior management should establish clear guidance regarding the business and risk strategy, including risk limits, for individual business lines. This is important to ensure that risk taking remains within the established limits for the overall institution, as set by the board. In addition, senior management should also contribute towards promoting a sound risk culture through a clear focus on risk in the activities of the institution and timely and proportionate responses to inappropriate risk-taking behaviour.

4.2 Senior management should implement appropriate systems for managing financial and non-financial risks to which the development financial institution is exposed. This includes an effective and independent risk management function and an effective system of internal controls. The risk management system should be designed and implemented to ensure adherence to the development financial institution’s risk strategy and risk appetite (see Principle 4 below).

4.3 Senior management is responsible for establishing a management structure that promotes accountability and the effective oversight of delegated authority and responsibilities for risk-taking decisions. Reporting lines established should enable deviations from the risk taking boundaries and parameters outlined by the board and senior management to be quickly identified and escalated to the appropriate level of management and the board as appropriate, for prompt corrective action.

5. Risk Management and Internal Controls

Principle 4: Development financial institutions should establish an integrated risk management framework that is designed and implemented to address all material risks to the institution. Development financial institutions should also embed the risk management practices into the culture and business operations of the institution.

5.1 The board should oversee the design and development of the institution’s risk management framework, in particular, to challenge the credibility and robustness of development processes and ensure that there are no material gaps or weaknesses. The risk management framework must be robust in addressing all foreseeable material risks affecting the institution, and responsive to changes in or expansion of business activities, and developments in the operating environment.

5.2 It is essential for board and senior management to ensure that risk management activity is not carried out in isolation but is well integrated throughout the organisation. Risk management should be embedded in the business practices of the development financial institution so as to enable employees and managers to understand risks and take into account risk considerations in their decision-making. The organisational structure and processes should also support a holistic approach for managing risk consistently across the organisation as well as for integrating the management of different risk strands (e.g. credit, market, operational, liquidity) at the institution and group-wide level. Development financial institutions must be able to demonstrate how risk correlations and risk concentrations within the various business lines in the institution or the group have been accounted for under an integrated risk management approach so that the board and senior management are continuously aware of the magnitude of aggregate risks affecting the organisation. This should serve to ensure that the risk-taking activities remain consistent with the overall risk appetite approved by the board.


5.3 The risk management framework should address end-to-end risks in the product life cycle. Accordingly, management must ensure that staff in the distribution and advisory function of financial products have an adequate understanding of risks and appropriate training relevant to their roles in contributing to risk outcomes for the institution[6].

Principle 5: The risk management framework should be forward looking and enable the identification and continuous monitoring of risks on a group- and firm-wide basis, supported by a robust management information system that facilitates the timely and reliable reporting of risks and the integration of information across the institution. The sophistication of the development financial institution’s risk management framework should keep pace with any changes to the institution’s risk profile (including its business growth and complexity), and to the external risk environment.

5.4 Risk methodologies employed by development financial institutions should take into consideration quantitative as well as qualitative elements of risks. The approach to risk management employed by development financial institutions should be forward-looking. It should allow development financial institutions to pre-empt, identify and react quickly to new or emerging risks as well as monitor existing risks on an on-going basis. In addition, development financial institutions should also regularly review actual performance after the fact relative to risk estimates (i.e. backtesting) to gauge the appropriateness and effectiveness of risk management policies, processes and methodologies.

5.5 While risk measurement models are important components of risk management, it is important that the board and senior management do not place excessive reliance on such models at the expense of other risk management activities. The board and senior management should be well informed of the underlying assumptions and potential limitations of the risk models and systems which could impair the accuracy of risk estimates. Risk reports should be read critically by the board, senior management as well as business line managers and be applied with expert judgment and experience. This also applies to the use of external assessments as inputs into internal risk assessment processes, such as external credit ratings. The development financial institution remains ultimately responsible for assessing risk and should therefore view external risk assessments critically and maintain adequate internal processes to validate the appropriateness of their use by the institution.

[6] Further description on the expectations for managing of product risk is provided in BNM’s Guidelines on Introduction of New Products.

5.6 To support the ability to make informed and timely risk decisions, the information systems established should provide current, complete and accurate information rapidly to all relevant levels in the development financial institution. For larger and more complex development financial institutions, special attention should be given to ensuring that data can be consolidated rapidly to enable an enterprise-wide view of risks. The sophistication of the development financial institution’s risk management and internal control infrastructures should keep pace with developments in the institution’s risk profile, including increasing business complexity, and new product or business lines.

5.7 When developing strategies or responses to mitigate risks, consideration should be given to whether the risk strategy will enable the development financial institution to maintain its risks within the approved risk levels and to the impact of the chosen mitigation strategy on other risks, directly or indirectly. These should be considered and provided for, to avoid giving rise to unaddressed additional risks. The board should also periodically review the effectiveness of risk mitigation strategies post implementation.

5.8 Appropriate governance processes should be established for new business or risk-taking activities, such as new products, new lines of business or entry into new markets, as well as expansions through mergers and acquisitions, to ensure that risks have been properly assessed and that the institution’s risk management systems are able to accommodate and support such activity.


5.9 The risk management framework and culture should impose expectations on functions other than the risk management unit (e.g. business lines, treasury, compliance) to also support the risk management function. Relevant staff should be encouraged to be aware of the market environment and its influence on risk, and to recognize and report when conditions or assumptions change such that assessments can be updated.

Principle 6: Development financial institutions should establish an independent senior risk executive role (chief risk officer or its equivalent) with distinct responsibility for the risk management function and the institution’s risk management framework across the entire organisation. The executive should have sufficient stature, authority and seniority within the organisation to meaningfully participate in and be able to influence decisions that affect the development financial institution’s exposures to risk.

5.10 The role of the chief risk officer (CRO) should be distinct from other executive functions and business line responsibilities. In general, there should be no “dual hatting” of executive functions (e.g. where the chief operating officer, chief financial officer or other senior management also serves as the CRO). However, in some institutions, the CRO’s function may be combined with another control function (other than internal audit[7]). Such an arrangement must be subject to the board being satisfied that a sound overall control environment will not be compromised by the combination of responsibilities for key control functions in a single individual. In any case, the CRO must not have any management or financial responsibility in respect of any business lines or revenue-generating functions.

[7] The CRO must not be primarily responsible for internal audit as this would render the independent review process ineffective.


5.11 The reporting lines should be established to appropriately reflect the importance of the role and accountability of the CRO. Hence, the CRO should be positioned at a sufficiently senior level in the organisation to enable risk considerations to be raised directly to the board and senior management and duly taken into account in management decisions.

5.12 The reporting lines should also safeguard the CRO’s independence. The CRO should report and have direct and unimpeded access to the board and its risk committee. The CRO would also normally have reporting obligations to the CEO to ensure that the CEO is kept informed of and engaged in risk matters. To preserve the CRO’s independence, the appointment, remuneration, resignation and dismissal of the CRO must be subject to the approval of the board or the board-risk committee.

5.13 As a matter of good practice, discussion of risk matters between non-executive board members and the CRO should not be limited to board meetings, and should occur as and when needed, so as to enable continuous engagements and understanding on risk matters.

Principle 7: Development financial institutions should have an effective risk management function with sufficient authority, stature, independence, resources and access to the board.

5.14 The risk management function is responsible for identifying, measuring, monitoring, controlling and reporting on risk exposures. This should encompass risks at firm-wide, group-wide, portfolio and business-line level, as well as both on- and off-balance sheet exposures. The risk management function should also be involved in the business planning process so as to ensure that the institution’s growth strategy is compatible with the institution’s risk appetite with adequate and independent consideration of potential risks.


5.15 The risk management function should have sufficient stature within the development financial institution such that issues raised by risk management receive the necessary attention from the board, senior management and business lines. The risk management function should be able to contribute risk perspectives to business decisions to ensure the alignment of business and risk strategies. It is important that the risk management function be sufficiently independent of the business units whose activities and exposures it reviews, but not be so isolated from business lines that they lack an in-depth understanding of or access to the business activities and their implications for the risk profile of the institution. The internal relationships of the risk management function with business lines and senior management should be properly defined so as not to diminish its primary responsibility to the board on risk matters.

5.16 The risk management function should be equipped with risk management personnel that possess sufficient experience and qualifications, including market and product knowledge as well as sound and practical knowledge of risk disciplines, to enable them to provide specialised analysis and perform effective risk reviews. These personnel must have the ability, credibility, and willingness to challenge business lines regarding all aspects of risk arising from the institution’s activities.

5.17 The risk management function should also be equipped with adequate resources and support (including IT support) to perform its roles. It must additionally be given full access to internal systems and information for the purpose of performing its role.


Principle 8: The board and senior management should ensure that the institution’s risk management framework is reinforced with a robust compliance function and subjected to an independent internal audit review.

5.18 The compliance function is expected to provide oversight of the development financial institution’s compliance with applicable laws and regulations. Development financial institutions should organise their compliance function and set expectations on the compliance function in a way that is consistent with the institution’s risk management strategy[8]. It is also important that the compliance function interact with other control (e.g. legal) and business functions to avoid gaps in managing compliance risk.

5.19 The internal audit function[9] performs a key role in promoting a sound control environment and ensuring that control weaknesses are appropriately dealt with. The internal audit function should provide the board and senior management with reasonable assurance of the effectiveness and adequacy of the risk management and compliance functions. The board must ensure that internal audit staff have skills and competencies that are commensurate with the business activities, risks and level of sophistication of the institution to enable the effective performance of the function.

5.20 The board must ensure that appropriate lines of reporting have been established for the timely escalation of issues from the compliance and internal audit functions to the board and senior management. Additionally, the board and senior management should also support initiatives that are directed at improving and contributing to the effectiveness of these functions and should ensure that the functions are appropriately resourced and staffed.

[8] The compliance function in financial institutions can be organised differently in accordance with its risk management framework. In certain development financial institutions, the compliance staff is located within business lines, while in other organisations, it is located within one unit. Separate units have also been established in certain financial institutions for specific purposes such as the prevention of money laundering and terrorist financing.

[9] This paragraph should be read in conjunction with the Guidelines on Corporate Governance for Development Financial Institutions and the Guidelines on Internal Audit Function of Licensed Institutions issued by the Bank, which provide further expectations on the role of internal audit.


Principle 9: Effective risk management requires robust internal communication within the development financial institution about risk, both across the organisation and through reporting to the board and senior management.

5.21 Board and senior management should be equipped with timely, complete, meaningful and accurate information to enable them to make informed decisions. The board should establish the frequency, content and form of the risk reports to be submitted to it so as to ensure the risk reports facilitate understanding and appropriate risk responses. Information provided to the board and senior management should present an accurate, complete and “unfiltered” (i.e. does not hide potentially bad news) view of material risks, but should not be excessively voluminous so as to be counterproductive in supporting informed decisions. The board should institute periodic reviews of the amount and quality of information the board receives or should receive.

5.22 Risk reporting systems should be dynamic, comprehensive and accurate, and should draw on a range of underlying assumptions. Risk monitoring and reporting should occur across the organisation (at the disaggregated level, as well as at the firm-wide and group-wide level), and reporting systems should be clear about deficiencies or limitations of risk estimates as well as any significant embedded assumptions. The systems should provide an integrated perspective on risk and highlight emerging risks that have the potential to become significant.

6. Remuneration

Principle 10: The employee’s remuneration should be effectively aligned with prudent risk taking and appropriately adjusted for risks. The board should actively oversee the remuneration system’s structure and implementation and should monitor and review the remuneration structure to ensure that it operates as intended.

6.1 Remuneration systems contribute to development financial institutions’ performance and risk-taking, and therefore represent an important component of an institution’s governance and risk management framework. The board should ultimately be satisfied that the overall remuneration policy does not induce excessive risk taking and is consistent with the identified risk appetite and the long term strategy of the development financial institution.

6.2 Remuneration structures should reinforce prudent risk taking, and reflect the nature and time horizon of risks. Since the time horizon of performance and associated risks can vary, development financial institutions should consider a multi-year framework in the measurement of performance. The board should also consider an appropriate mix of fixed and variable components and how components of remuneration (i.e. the mix of cash, equity and other forms of remuneration) may impact risk taking behaviours and contribute to or undermine the institution’s risk management objectives.

Q1. To what extent does your current practice already incorporate these supervisory expectations? What plans do you have to strengthen your existing remuneration structure?

6.3 Board members who are tasked to review the design and operation of the remuneration system should be independent, non-executive members, and should collectively have an adequate understanding of the institution’s risk measurement and management capabilities, and of how different remuneration practices can impact the institution’s risk profile. The board should also ensure that persons performing control functions have input in setting remuneration for other business areas to promote the alignment of risks and rewards across the organisation.

6.4 Remuneration for employees in control functions should be structured in a way that is principally based on the achievement of their objectives and does not compromise their independence. Due care should be exercised to preserve a clear distinction between performance measures of staff responsible for control functions and the performance of any business unit. Where risk and compliance functions are embedded in the business units, a clear distinction between the remuneration policy applicable to staff undertaking the control functions and other staff in the business unit is important. The board should also be actively involved in the performance reviews of individuals primarily responsible for control functions.

7. Complex and Opaque Corporate Structures

Principle 11: The board and senior management should be aware of and understand the development financial institution’s operational structure and the risks it poses and be satisfied that it is not overly complex or opaque such that it hampers effective risk management by the development financial institution (i.e. “know-your-structure”).

7.1 The creation of structures in the form of units, branches, subsidiaries or other legal entities to achieve legal, regulatory, or funding needs or for product-offering purposes can increase the complexity of the organisation due to the sheer number of related entities and level of interconnectedness as well as the intra-group transactions.

7.2 The board and senior management must understand the organisational structure of the development financial institution and the group including the business focus of the various entities within the group and the links and relationships among them. Sound and effective measures and systems should be in place to facilitate the generation and exchange of information among the various entities, so as to facilitate the management of risks faced by the development financial institution and the group as a whole.

7.3 For larger and more complex organisations, the effectiveness of the parent company’s board oversight over the entire group can be enhanced by requiring a control function to conduct a formal review of the structures, controls and activities within the group. This review should seek to assess whether they are contributing to the overall efficiency and effective control of the group or increasing risks to the development financial institution. It should also determine if the guidelines, controls and activities of the group are consistent with the board-approved risk strategies both for the development financial institution and the group as a whole. The board and senior management should be informed of the findings of the review.

Principle 12: Where a development financial institution operates through special-purpose structures, its board and senior management should understand the purpose, structure and unique risks of these operations. Appropriate measures should be undertaken to mitigate the risks identified (i.e. “understand-your-structure”).

7.4 Development financial institutions should consider the extent to which operating through structures that are not fully transparent poses financial, legal, reputational or other risks to the development financial institution, or impedes the ability of the board and senior management to conduct appropriate risk oversight. The board and senior management should evaluate the proposed activities of special-purpose structures and carefully consider, prior to operating such structures, how it will ensure effective board and/or senior management oversight.

7.5 The board and senior management should periodically monitor such structures and activities to ensure that they remain consistent with their established purposes. In addition, there should be supporting controls and processes to ensure that structures and arrangements that support regulatory capital relief meet the relevant operational requirements and conditions on legal certainty on a continuing basis.

8. Role of Subsidiary and Parent Entities

Principle 13: The board and management of subsidiary development financial institutions would be held responsible for effective risk management processes at the subsidiary level and should have appropriate influence in the design and implementation of risk management in the subsidiary.

8.1 From the perspective of a development financial institution with operations abroad, the board of the parent company should be responsible for conducting strategic, group-wide risk assessments and management, and prescribing corporate risk policies, while respecting the regulatory requirements of the host country that might apply to subsidiary boards. The parent board should be aware of the material risks and issues in the subsidiary that might affect the development financial institution or group as a whole. The parent company should also ensure that the subsidiaries’ reporting obligations to the head office have been clearly communicated, and are effectively complied with to support group-wide assessment of and responses to risk developments.

Q2. With regard to Principle 13, please elaborate on the necessary infrastructure that should be established to support the effective governance and control of subsidiaries by the parent development financial institution.

PART C IMPLEMENTATION

9. Implementation Requirements

9.1 The Guidelines are effective immediately. Development financial institutions are required to inform the Bank of material deficiencies in their practices against the Guidelines, together with implementation plans and actions being or to be taken by the institution to achieve full observance of the principles.

Q3. In addition to Q1 and Q2 as provided in this Concept Paper, we welcome any feedback on any areas of this Concept Paper. In particular, what are the foreseeable challenges that may arise from the implementation (including readiness) of the principles in this Concept Paper?