
20 April 2020 - Supervision Q&A


What is governance of risk management and what aspects does DNB focus on?


In the Financial Supervision Act (Wet op het financieel toezicht), risk management constitutes an important element in the assessment of ethical and controlled operations (section 3:17). This has been worked out in more detail in sections 23 and 24 of the Decree on Prudential Rules for Financial Undertakings (Besluit Prudentiële Regels Wft or Bpr). This Q&A deals with the governance of risk management for banks and insurers (herein: 'undertakings'), which comprises:

  1. the manner in which the undertaking has organised its risk management (for example its strategy, policies, processes, procedures, embedding in operations, allocation of capacity and responsibilities, independent review, etc.);
  2. the operation of risk management, centring on the control of all of the various risks/risk areas in their interrelationship (integral risk management).

Main subjects

In the context of its supervision of risk management governance, DNB looks at four main subjects:

  1. the risk culture within the undertaking, with the tone at the top being an important factor;

  2. risk strategy and risk policy, including the undertaking’s risk appetite/tolerance;

  3. the manner in which the risk management function (RM function) has been organised, with the RM function's operational independence and its access to the Managing Board and the Supervisory Council as important elements; and

  4. the presence of a holistic approach and integral control of all relevant risks by high-quality risk management processes.

DNB also applied these categories in its thematic examination regarding the quality and governance of insurers' risk management in 2011.

In the thematic examination, a questionnaire was used in which a number of main questions were formulated for each of these four main subjects. For each main question, sub-questions were included, focusing on concrete aspects of the subject concerned. The sub-questions are not exhaustive but are intended to give examples or guidance. The thematic examination yielded several 'good practices' as applied by insurers in the field. These good practices are described below the relevant questions.

Use of the questionnaire

  • You may use the questionnaire to help you assess which aspects of the governance of risk management within your undertaking require attention. The questions may thus help you identify possible shortcomings and effect improvements within your undertaking.

  • Sound governance of risk management is formalised and structured, and its effectiveness has been demonstrated. Ideally, it is evaluated periodically, leading to ever higher levels of control.

Statutory framework for assessing the governance of risk management

In the Financial Supervision Act (Wet op het financieel toezicht or Wft), risk management constitutes an important element in the assessment of ethical and controlled operations (section 3:17). In Sections 17, 23 and 24 of the Decree on Prudential Rules for Financial Undertakings (Besluit Prudentiële Regels Wft or Bpr), this has been worked out as follows:

  • Section 17 Bpr requires that a bank or insurer (among others) has an adequate internal organisational structure aligned with the nature, size, risks and complexity of the undertaking's activities. This structure includes an unambiguous allocation of duties, authorities and responsibilities, well-defined reporting lines and an adequate information and communication system.

  • Section 23 Bpr provides, put briefly, that a bank or insurer must conduct a policy aimed at controlling relevant risks and that this policy should be embedded in procedures and measures to control relevant risks and be integrated into the operating processes. The procedures and measures concerned include authorisation procedures, limits, monitoring of limits and procedures and measures for emergency situations; they must be in line with the nature, size, risk profile and complexity of the firm's operations. The procedures and measures concerned must be laid down in writing and must be communicated to all relevant business units.

  • A bank or insurer must also have an independent risk management function (RM function) in place, which systematically implements independent risk management aimed at identifying, measuring and evaluating the risks to which the undertaking is or may be exposed. Risk management includes the operations of the undertaking as a whole as well as those of the individual business units. The risk management function must be given the required authority and access to all information necessary for the performance of its tasks.

  • Section 24 of the Bpr adds that an insurer must systematically verify whether the procedures and measures referred to in section 23 are observed and must ensure that any identified shortcomings or defects are remedied.

Furthermore, the EBA Guidelines on Internal Governance have been incorporated into the supervision of banks and investment firms through the Policy Rule on Application of EBA Guidelines (Beleidsregel toepassing richtsnoeren EBA Wft 2012). The Guidelines include the governance of risk management in their scope.


Sectors: Banks, Insurers, Investment firms