Comprehensive Guide on the Risk Management Function
Risk management is a fundamental discipline within financial services, designed to safeguard institutions against potential threats that could compromise their stability, integrity, or performance. In the context of investment firms, it encompasses the identification, assessment, and mitigation of risks across operational, market, credit, and liquidity domains.
The Cyprus Securities and Exchange Commission (CySEC) mandates that investment firms should adopt robust risk management frameworks to ensure sound governance, protect investor interests, and maintain confidence in the financial system. These frameworks are not only regulatory obligations but strategic tools that enable firms to anticipate disruptions, respond effectively to uncertainty, and pursue sustainable growth.
In this article, SALVUS Regulatory Compliance Team discusses the Risk Management Policy, offering practical insights drawn from its experience in the risk management function and highlighting key areas of focus. The article covers the following topics:
1. Risk Management Regulatory Framework
2. Risk Management Function and Risk Manager
3. Risk Management Reporting Obligations
4. Risk Management Policy, Business Continuity and Disaster Recovery Plan
1. Risk Management Regulatory Framework
The regulatory framework governing risk management in investment firms is built upon two foundational pillars:
MiFID & MiFIR
Directive 2014/65/EU and Regulation (EU) No 600/2014
- Focused on market transparency, investor protection, and supervisory authority.
IFD & IFR
Directive (EU) 2019/2034 and Regulation (EU) 2019/2033
- Introduced a tailored prudential regime for investment firms, emphasizing risk quantification and disclosure.
In 2014, the European Union adopted Directive 2014/59/EU to establish a framework for the recovery and resolution of credit institutions and investment firms. In Cyprus, this framework was transposed into national law through Law 20(I)/2016. Its purpose is to ensure that when firms face serious financial distress, there is a structured framework to support recovery where possible and resolution where necessary, thereby protecting clients, preserving market stability, and reducing broader economic disruption.
As part of their reporting obligations, firms are required to establish and maintain adequate risk management policies and procedures to identify the risks relevant to their activities, processes, and systems, and to adopt effective arrangements to manage those risks. Furthermore, investment firms must monitor the effectiveness of those policies and procedures, assess the level of compliance, and maintain an independent risk management function, responsible for implementing the firm’s risk management framework.
2. Risk Management Function and Risk Manager
The Risk Management Function (RMF) is an independent unit within an investment firm that ensures financial and operational integrity by systematically identifying, assessing, monitoring, and reporting risks. It helps the firm operate within its defined risk tolerance and meet regulatory obligations across operational, market, credit, and liquidity domains.
The Risk Manager is the person responsible for helping a company identify, assess, and manage potential threats that could impact its operations, finances, or reputation.
Below are some of the key tasks and responsibilities assigned to personnel involved in risk management:
- To provide comprehensive information on risks.
- To advise the management body so that it understands the investment firm’s overall risk profile.
- To challenge decisions taken by the firm’s senior management and management body.
- To prepare risk reports.
In addition, the Risk Management Committee:
- Oversees the implementation of strategies for the management of capital and liquidity adequacy, client, market, operational, and reputational risks.
- Provides recommendations to the management body regarding adjustments to the risk strategy, changes to the business model, and market developments.
- Advises on the appointment of external consultants for the provision of advice or support.
- Reviews various possible scenarios to assess the firm’s risk profile and its response to external and internal events.
- Oversees the alignment between material financial instruments and the services offered to clients.
Beyond regulatory compliance, the Risk Management Function plays a pivotal role in enabling firms to:
- Proactively anticipate and respond to emerging risks
- Align risk appetite with overarching business strategy
- Promote transparency and strengthen investor confidence
- Foster long-term resilience and sustainable growth
3. Risk Management Reporting Obligations
Cyprus Investment Firms (CIFs) are subject to a range of ongoing reporting obligations designed to support prudent supervision, transparency, and investor protection. These include the:
- Annual Risk Management Report,
- Prudential Supervision Reports,
- ICARA Report,
- Pillar III Report, and
- Quarterly Statistics Reports.
Each of these has its own submission timeline and regulatory purpose. In parallel, firms must also comply with broader conduct-related obligations, such as best execution and market abuse requirements. Taken together, these reporting duties help CySEC assess a firm’s financial soundness, risk framework, governance arrangements, and overall compliance culture.
4. Risk Management Policy, Business Continuity and Disaster Recovery Plan
A risk management policy serves as a structured framework that outlines the principles, procedures, and responsibilities for identifying, assessing, and addressing potential risks within an organization. It ensures a consistent and proactive approach to managing uncertainty, enabling all stakeholders to operate with clarity and confidence.
The Risk Manager holds primary responsibility for drafting and updating the risk management policy. Once finalized, the policy is presented to the Risk Management Committee for thorough review and discussion, ensuring alignment with the organization’s strategic objectives and regulatory requirements.
A Business Continuity and Disaster Recovery (BCDR) Plan is a comprehensive strategy designed to help organizations prepare for, respond to, and recover from unexpected disruptions. Such disruptions may include natural disasters, cyberattacks, system failures, or human error. Its purpose is to ensure that critical business operations continue with minimal interruption and that key systems and data are restored promptly and securely.
Business Continuity focuses on maintaining essential operations during a disruption, while Disaster Recovery focuses on restoring IT systems, infrastructure, and data following an incident. Together, they form an integrated approach to organizational resilience and recovery.
In essence, the Risk Management Policy outlines how an organization identifies and addresses potential risks, while the Business Continuity and Disaster Recovery (BCDR) Plan provides the practical steps to maintain operations and recover systems when those risks occur. Together, they form a unified strategy for resilience and preparedness.
In this respect, SALVUS Funds, in collaboration with the Institute for Professional Excellence (IforPE), offers an online self-paced course entitled “Comprehensive Guide on the Risk Management Function.” A cornerstone of our support is conducting thorough compliance assessments. The SALVUS Regulatory Compliance Team works closely with firms to establish and uphold strong policies and procedures aligned with MiFID II and other key regulations. From evaluating the suitability and appropriateness of investment services to effectively managing conflicts of interest, SALVUS helps CIFs build systems that go beyond regulatory compliance, driving greater operational clarity and efficiency.
This online self-study program constitutes a comprehensive guide and grants 5 Continuous Professional Development (CPD) units counting towards the annual requirements of CySEC Advanced and CySEC Basic certification holders.
Please contact us at compliance@salvusfunds.com if you require support with strengthening your risk management frameworks, enhancing your internal risk governance arrangements, or if you have any questions about our Comprehensive Guide on the Risk Management Function course with IforPE.
The information provided in this article is for general information purposes only. You should always seek professional advice suitable to your needs.