191. The RMF should ensure that there is an appropriate risk management framework and that all risks are identified, assessed, measured, monitored, managed and properly reported on by the relevant units in the institution.

192. The RMF should ensure that identification and assessment are not based only on quantitative information or model outputs, but also take into account qualitative approaches. The RMF should keep the management body informed of the assumptions used in and potential shortcomings of the risk models and analysis.

193. The RMF should ensure that transactions with related parties are reviewed and that the risks they pose for the institution are identified and adequately assessed.

194. The RMF should ensure that all identified risks are effectively monitored by the business units.

195. The RMF should regularly monitor the actual risk profile of the institution and scrutinise it against the institution’s strategic goals and risk appetite to enable decision-making by the management body in its management function and challenge by the management body in its supervisory function.

196. The RMF should analyse trends and recognise new or emerging risks and risk increases arising from changing circumstances and conditions. It should also regularly review actual risk outcomes against previous estimates (i.e. back testing) to assess and improve the accuracy and effectiveness of the risk management process.