1. Any internal risk-measurement model used for the purposes of this Chapter shall be conceptually sound, shall be calculated and implemented with integrity, and shall comply with all the following qualitative requirements:
(a) any internal risk-measurement model used to calculate capital requirements for market risk shall be closely integrated into the daily risk management process of the institution and shall serve as the basis for reporting risk exposures to senior management;
(b) an institution shall have a risk control unit that is independent from business trading units and that reports directly to senior management; that unit shall be responsible for designing and implementing any internal risk-measurement model; that unit shall conduct the initial and on-going validation of any internal model used for the purposes of this Chapter and shall be responsible for the overall risk management system; that unit shall produce and analyse daily reports on the output of any internal model used to calculate capital requirements for market risk, as well as reports on the appropriateness of measures to be taken in terms of trading limits;
(c) the management body and senior management shall be actively involved in the risk-control process, and the daily reports produced by the risk control unit shall be reviewed at a level of management with sufficient authority to require the reduction of positions taken by individual traders and to require the reduction of the institution's overall risk exposure;
(d) the institution shall have a sufficient number of staff with a level of skills that is appropriate to the sophistication of the internal risk-measurement models, and a sufficient number of staff with skills in the trading, risk control, audit and back-office areas;
(e) the institution shall have in place a documented set of internal policies, procedures and controls for monitoring and ensuring compliance with the overall operation of its internal risk-measurement models;
(f) any internal risk-measurement model, including any pricing model, shall have a proven track record of being reasonably accurate in measuring risks, and shall not differ significantly from the models that the institution uses for its internal risk management;
(g) the institution shall frequently conduct rigorous programmes of stress testing, including reverse stress tests, which shall encompass any internal risk-measurement model; the results of those stress tests shall be reviewed by senior management at least on a monthly basis and shall comply with the policies and limits approved by the management body; the institution shall take appropriate actions where the results of those stress tests show excessive losses arising from the trading's business of the institution under certain circumstances;
(h) the institution shall conduct an independent review of its internal risk-measurement models, either as part of its regular internal auditing process, or by mandating a third-party undertaking to conduct that review, which shall be conducted to the satisfaction of the competent authorities.
For the purposes of point (h) of the first subparagraph, a third-party undertaking means an undertaking that provides auditing or consulting services to institutions and that has staff who have sufficient skills in the area of market risk in trading activities.
2. The review referred to in point (h) of paragraph 1 shall include both the activities of the business trading units and the independent risk control unit. The institution shall conduct a review of its overall risk management process at least once a year. That review shall assess the following:
(a) the adequacy of the documentation of the risk management system and process and the organisation of the risk control unit;
(b) the integration of risk measures into daily risk management and the integrity of the management information system;
(c) the processes the institution employs for approving the risk-pricing models and valuation systems that are used by front and back-office personnel;
(d) the scope of risks captured by the model, the accuracy and appropriateness of the risk-measurement system, and the validation of any significant changes to the internal risk-measurement model;
(e) the accuracy and completeness of position data, the accuracy and appropriateness of volatility and correlation assumptions, the accuracy of valuation and risk sensitivity calculations, and the accuracy and appropriateness for generating data proxies where the available data are insufficient to meet the requirement set out in this Chapter;
(f) the verification process that the institution employs to evaluate the consistency, timeliness and reliability of the data sources used to run any of its internal risk-measurement models, including the independence of those data sources;
(g) the verification process that the institution employs to evaluate back-testing requirements and P&L attribution requirements that are conducted in order to assess the accuracy of its internal risk-measurement models;
(h) where the review is performed by a third-party undertaking in accordance with point (h) of paragraph 1 of this Article, the verification that the internal validation process set out in Article 325bj fulfils its objectives.
3. Institutions shall update the techniques and practices they use for any of the internal risk-measurement models used for the purposes of this Chapter to take into account the evolution of new techniques and best practices that develop in respect of those internal risk-measurement models.