1. Member States shall ensure that the management body approves and periodically reviews the strategies and policies for taking up, managing, monitoring and mitigating the risks the institution is or might be exposed to, including those posed by the macroeconomic environment in which it operates in relation to the status of the business cycle.
2. Member States shall ensure that the management body devotes sufficient time to consideration of risk issues. The management body shall be actively involved in and ensure that adequate resources are allocated to the management of all material risks addressed in this Directive and in Regulation (EU) No 575/2013 as well as in the valuation of assets, the use of external credit ratings and internal models relating to those risks. The institution shall establish reporting lines to the management body that cover all material risks and risk management policies and changes thereof.
4. Member States shall ensure that the management body in its supervisory function and, where a risk committee has been established, the risk committee have adequate access to information on the risk situation of the institution and, if necessary and appropriate, to the risk management function and to external expert advice.
The management body in its supervisory function and, where one has been established, the risk committee shall determine the nature, the amount, the format, and the frequency of the information on risk which it is to receive. In order to assist in the establishment of sound remuneration policies and practices, the risk committee shall, without prejudice to the tasks of the remuneration committee, examine whether incentives provided by the remuneration system take into consideration risk, capital, liquidity and the likelihood and timing of earnings.
5. Member States shall, in accordance with the proportionality requirement laid down in Article 7(2) of Commission Directive 2006/73/EC, ensure that institutions have a risk management function independent from the operational functions and which shall have sufficient authority, stature, resources and access to the management body.
Member States shall ensure that the risk management function ensures that all material risks are identified, measured and properly reported. They shall ensure that the risk management function is actively involved in elaborating the institution's risk strategy and in all material risk management decisions and that it can deliver a complete view of the whole range of risks of the institution.
Where necessary, Member States shall ensure that the risk management function can report directly to the management body in its supervisory function, independent from senior management, and can raise concerns and warn that body, where appropriate, where specific risk developments affect or may affect the institution, without prejudice to the responsibilities of the management body in its supervisory and/or managerial functions pursuant to this Directive and Regulation (EU) No 575/2013.
The head of the risk management function shall be an independent senior manager with distinct responsibility for the risk management function. Where the nature, scale and complexity of the activities of the institution do not justify a specially appointed person, another senior person within the institution may fulfil that function, provided there is no conflict of interest.
The head of the risk management function shall not be removed without prior approval of the management body in its supervisory function and shall be able to have direct access to the management body in its supervisory function where necessary.
The application of this Directive shall be without prejudice to the application of Directive 2006/73/EC to investment firms.