03 February 2014
The revised version of the Code will apply to institutions from 1 January 2015. Institutions will continue to be subject to the existing version of the Code until that date.
The publication of the revised Code follows a consultation process during 2013.
The key changes to the Code are:
Each institution must appoint a Chief Risk Officer (CRO) who will have distinct responsibility for the risk management function and for maintaining and monitoring the effectiveness of the institution’s risk management system. The CRO must have relevant expertise, qualifications and background. He or she must have sufficient seniority and independence to influence proposals or challenge decisions which might affect the institution’s exposure to risk. The CRO will have responsibility for ensuring that the institution has effective processes in place to identify and manage the risks to which the institution is or might be exposed. Other responsibilities include maintaining effective monitoring processes, promoting sound and effective risk management, facilitating risk appetite by the board, and providing timely and comprehensive information on the institution’s material risks, to enable the board to understand the overall risk profile of the institution.
The CRO’s primary responsibility will be to the board. He or she must report to the board periodically and to the board risk committee on a regular basis;
The existing provisions relating to risk committees have been amended to require that (a) the Chairman of the committee is a non-executive director and (b) the committee be composed of a majority of non-exec¬utive directors. This is a significant change from the current requirement of an ‘appropriate representation’ of non-executive and executive directors. The risk committee will be required, as a whole, to have relevant risk experience;
The audit and risk committees will be required to have a minimum of three members under the revised Code, unlike the current position where no specified number is required. The Bank was of the view that a minimum committee size of three was desirable because (a) it would not be possible to reach a majority vote if a smaller number were permitted, (b) it reduces the potential risk that one individual might domi¬nate the agenda, and (c) it may facilitate the committee having a more robust debate and discussion with a greater potential for a variety of views being discussed;
Institutions will be required to have at least one shared member between the risk and audit committees. High Impact Institutions will be required to have at least one shared member between the risk and remu¬neration committees;
The board, or nomination committee if it exists, must establish a written diversity policy for consideration in future board appointments. There was a broad support for the principle of diversity in the boardroom during the consultation, including the recognition that gender is only one factor in the context of board selection. Interestingly, the Bank reported that there was no support during the consultation process for a prescriptive approach such as quotas or targets to be applied or mandated by the Code;
The minimum number of board meetings to be held by a High Impact Institution has been reduced from 11 to six annually. Three of these meetings must be held in every six month period. This reflects the feed¬back received during the consultation that a requirement to hold 11 meetings per year may impose an administrative burden on directors and senior managers;
The Chairman will be permitted to hold the role of Chairman in another credit institution or insurance/ reinsurance undertaking within the group, subject to prior Bank approval. In addition, the CEO of a Medium-Low or Low Impact institution will be permitted to hold up to two additional CEO positions pro¬vided they are in Medium-Low or Low Impact institutions, also subject to prior Bank approval;
Where physical presence at a board meeting is not possible due to the location of some directors, vide¬oconferencing or teleconferencing will be permitted;
The board must ensure that new non-executive directors are provided with adequate induction training about the operations and performance of the institution;
The board must ensure that it identifies risks to be addressed by contingency plans based on (a) the areas where it considers the institution to be especially vulnerable; (b) the risk appetite of the institution and (c) the risk management system of the institution. Contingency plans must be reviewed, updated and tested on a regular basis;
This new requirement provides that the audit committee ‘as a whole’ must have relevant financial experi¬ence and at least one member must have ‘an appropriate qualification’. The Bank, in its response to the consultation, stressed that the audit committee as a whole is required collectively to have relevant finan¬cial experience and therefore not every member is required to have relevant financial experience. The Bank also stated that it is for each individual institution to decide what it believes to be an ‘appropriate qualifi¬cation’.
In order to maintain a consistent approach with its supervisory regime, the Bank has re-defined the category of ‘Major Institution’ as used in the 2010 Code to that of the Bank’s Probability Risk Impact SysteM (PRISM) category of ‘High Impact’ institution. The Bank also uses the terminology of other PRISM