A bank shall draw up pertinent risk management policy and process and set up an independent and effective risk management mechanism to evaluate and monitor its risk bearing capacity, current status of risk exposures, risk response strategies and compliance with risk management process.
The aforementioned risk management policy and process shall be approved by the board of directors, and reviewed and modified at opportune time.

A bank shall set up an independent risk control unit that submits a risk control report to the board of directors on a regular basis, and take prompt and proper measures and report to the board of directors upon discovery of material exposure that might imperil the bank’s finance, business or compliance.

A bank’s risk control mechanism shall contain the following principles:
1. Monitoring of capital adequacy by scale of business, the status of credit risk, market risk and operational risk, and future business trends;
2. Establishment of management mechanism for measuring and monitoring liquidity position to measure, monitor and control liquidity risk;
3. Carrying out asset allocation and establishing risk management for each business in consideration of overall exposure, own capital and liability characteristics;
4. Establishing methods for assessing the quality and classification of bank assets, calculating and controlling large-sum exposures, and periodically examining and truthfully setting aside loss provisions; and
5. Establishing information security mechanism and emergency response plan for bank’s businesses, transactions, and use of information.