(a) The bank should have an independent risk control unit that is responsible for the design and implementation of the bank's risk management system. The unit should produce and analyse daily reports on the output of the bank's risk measurement model, including an evaluation of the relationship between measures of risk exposure and trading limits. This unit must be independent from business trading units and should report directly to senior management of the bank.

(b) The unit should conduct a regular back-testing programme, i.e., an ex-post comparison of the risk measure generated by the model against actual daily changes in portfolio value over longer periods of time, as well as hypothetical changes based on static positions.

(c) Board of directors and senior management should be actively involved in the risk control process and must regard risk control as an essential aspect of the business to which significant resources need to be devoted. In this regard, the daily reports prepared by the independent risk control unit must be reviewed by a level of management with sufficient seniority and authority to enforce both reductions of positions taken by individual traders and reductions in the bank's overall risk exposure.

(d) The bank's internal risk measurement model must be closely integrated into the day-to-day risk management process of the bank. Its output should accordingly be an integral part of the process of planning, monitoring and controlling the bank's market risk profile.

(e) The risk measurement system should be used in conjunction with internal trading and exposure limits. In this regard, trading limits should be related to the bank's risk measurement model in a manner that is consistent over time and that is well-understood by both traders and senior management.

(f) A routine and rigorous programme of stress testing should be in place as a supplement to the risk analysis based on the day-to-day output of the bank's risk measurement model. The results of stress testing should be reviewed periodically by senior management and should be reflected in the policies and limits set by management and the board of directors. Where stress tests reveal particular vulnerability to a given set of circumstances, prompt steps should be taken to manage those risks appropriately (e.g., by hedging against that outcome or reducing the size of the bank's exposures).

(g) Banks should have a routine in place for ensuring compliance with a documented set of internal policies, controls and procedures concerning the operation of the risk measurement system. The bank's risk measurement system must be well documented, for example, through a risk management manual that describes the basic principles of the risk management system and that provides an explanation of the empirical techniques used to measure market risk.

(h) An independent review of the risk measurement system should be carried out regularly in the bank's own internal auditing process. This review should include both the activities of the business trading units and of the independent risk control unit. A review of the overall risk management process should take place at regular intervals (ideally not less than once a year) and should specifically address, at a minimum:

• the adequacy of the documentation of the risk management system and process;
• the organisation of the risk control unit;
• the integration of market risk measures into daily risk management;
• the approval process for risk pricing models and valuation systems used by front and back-office personnel;
• the validation of any significant change in the risk measurement process;
• the scope of market risks captured by the risk measurement model;
• the integrity of the management information system;
• the accuracy and completeness of position data;
• the verification of the consistency, timeliness and reliability of data sources used to run internal models, including the independence of such data sources;
• the accuracy and appropriateness of volatility and correlation assumptions;
• the accuracy of valuation and risk transformation calculations;
• the verification of the model's accuracy through frequent back-testing as described in (b) above and in the accompanying document: Supervisory framework for the use of backtesting in conjunction with the internal models approach to market risk capital requirements.