P1.T1.20.6. Risk management governance: limits, functional units, and audit

Learning objectives: Evaluate the relationship between a firm’s risk appetite and its business strategy, including the role of incentives. Illustrate the interdependence of functional units within a firm as it relates to risk management. Assess the role and responsibilities of a firm’s audit committee.


20.6.1. In regard to limits policies, GARP explains that "optimal risk governance requires the ability to link risk appetite and limits to specific business practices. Accordingly, appropriate limits need to be developed for each business as well as for the specific risks associated with the business (as well as for the entire portfolio of the enterprise)." Most institutions set two types of limits, tier 1 (one) and tier 2 (two) limits. About these limits, which of the following is TRUE?

a. Firms should choose and either adopt tier 1 or tier 2 limits but not both simultaneously
b. Tier 1 (tier one) limit exceedances must be cleared or corrected immediately, while tier 2 (tier two) exceedances are less urgent and can be cleared within a few days or a week.
c. Tier 2 (tier two) limits are specific and often include an overall limit by asset class, an overall stress-test limit, and a maximum drawdown limit
d. Tier 1 (tier one) limits are more generalized and relate to areas of business activity as well as aggregated exposures categorized by credit rating, industry, maturity, and region

20.6.2. Risk management requires interdependence among the functional units within a firm. We can refer to four groups: senior management, business line, risk management (staff), and finance and operations (staff). Which of the following is the responsibility of risk management?

a. Sets business-level risk tolerance
b. Monitor limits and control model implementation risks
c. Verify timely, accurate deal capture and affirm official profit and loss (P&L) statements
d. Ensure accuracy and completeness of reported earnings, and review independent valuation methodologies and processes

20.6.3. Which of the following is TRUE about the bank's audit function?

a. Internal audit is necessary because it is virtually impossible to rate (i.e., assign ratings to) the risk management function
b. The firm's operational risk management should report directly to the internal audit function (who will, therefore, oversee risk management)
c. Internal auditors are responsible for reviewing monitoring procedures, tracking the progress of risk management system upgrades, and affirming the efficacy of vetting processes
d. The assistance of internal audit should not be required by the risk governance function: a properly designed risk governance function should be able to ascertain compliance alone

