What are the key changes?
The revised Code will come into force on 1 January 2015. The existing Code remains in force until then. There is a new overarching general requirement in the Code that "the system of governance shall promote and communicate an appropriate risk and compliance culture at all levels of the institution".
Some of the key changes include:
Probability Risk and Impact SysteM ("PRISM"): The revised Code replaces the terms "Major" and "Minor" institution with the Central Bank's PRISM designations, i.e. High, Medium High, Medium Low and Low Impact. This highlights the Central Bank's increasing focus on its PRISM system of supervision and enforcement.
Chief Risk Officer ("CRO"): Institutions must formally appoint a CRO. The person performing this role must have the relevant expertise, qualifications and/or background, or else be required to undertake relevant and timely training. The CRO must challenge decisions that may affect the risk exposure of an institution. The responsibilities of the CRO are also set out in detail in the Code and include maintaining and monitoring the effectiveness of the institution's risk management system; ensuring that the institution has effective processes in place to identify and manage the risks which may threaten it; and providing comprehensive and regular information to the board on the institution's risk. This is the CRO's primary responsibility. The responsibilities also include promoting sound risk management "both on a solo and consolidated basis", ensuring that there is an appropriate risk culture throughout all levels of the institution, and helping the board decide how much risk they want to take on (risk appetite). The risk management system will be subject to frequent internal review. The CRO must also promote and communicate an appropriate risk and compliance culture at all levels of the institution.
Risk Committee: The risk committee must also have a minimum of three members, but can increase in size to "handle the nature, scale and complexity of the business conducted by it". Both the chairman and the members will be (independent) non-executive directors. There should be relevant risk expertise.
Contingency plans: The board must address identified risks with contingency plans based on the areas where it considers the institution to be especially vulnerable; the risk appetite of the institution; and the risk management system of the institution. These...