TITLE VII PRUDENTIAL SUPERVISION

CHAPTER 2 Review Processes

Section II Arrangements, processes and mechanisms of institutions

Sub-Section 2 Technical criteria concerning the organisation and treatment of risks

Article 76 Treatment of risks

1

Member States shall ensure that the management body approves and periodically reviews the strategies and policies for taking up, managing, monitoring and mitigating the risks the institution is or might be exposed to, including those posed by the macroeconomic environment in which it operates in relation to the status of the business cycle.

2

Member States shall ensure that the management body devotes sufficient time to consideration of risk issues. The management body shall be actively involved in and ensure that adequate resources are allocated to the management of all material risks addressed in this Directive and in Regulation (EU) No 575/2013 as well as in the valuation of assets, the use of external credit ratings and internal models relating to those risks. The institution shall establish reporting lines to the management body that cover all material risks and risk management policies and changes thereof.

3

Member States shall ensure that institutions that are significant in terms of their size, internal organisation and the nature, scope and complexity of their activities establish a risk committee composed of members of the management body who do not perform any executive function in the institution concerned. Members of the risk committee shall have appropriate knowledge, skills and expertise to fully understand and monitor the risk strategy and the risk appetite of the institution.

The risk committee shall advise the management body on the institution's overall current and future risk appetite and strategy and assist the management body in overseeing the implementation of that strategy by senior management. The management body shall retain overall responsibility for risks.

The risk committee shall review whether prices of liabilities and assets offered to clients take fully into account the institution's business model and risk strategy. Where prices do not properly reflect risks in accordance with the business model and risk strategy, the risk committee shall present a remedy plan to the management body.

Competent authorities may allow an institution which is not considered significant as referred to in the first subparagraph to combine the risk committee with the audit committee as referred to in Article 41 of Directive 2006/43/EC. Members of the combined committee shall have the knowledge, skills and expertise required for the risk committee and for the audit committee.

4

Member States shall ensure that the management body in its supervisory function and, where a risk committee has been established, the risk committee have adequate access to information on the risk situation of the institution and, if necessary and appropriate, to the risk management function and to external expert advice.

The management body in its supervisory function and, where one has been established, the risk committee shall determine the nature, the amount, the format, and the frequency of the information on risk which it is to receive. In order to assist in the establishment of sound remuneration policies and practices, the risk committee shall, without prejudice to the tasks of the remuneration committee, examine whether incentives provided by the remuneration system take into consideration risk, capital, liquidity and the likelihood and timing of earnings.

5

Member States shall, in accordance with the proportionality requirement laid down in Article 7(2) of Commission Directive 2006/73/EC, ensure that institutions have a risk management function independent from the operational functions and which shall have sufficient authority, stature, resources and access to the management body.

Member States shall ensure that the risk management function ensures that all material risks are identified, measured and properly reported. They shall ensure that the risk management function is actively involved in elaborating the institution's risk strategy and in all material risk management decisions and that it can deliver a complete view of the whole range of risks of the institution.

Where necessary, Member States shall ensure that the risk management function can report directly to the management body in its supervisory function, independent from senior management, and can raise concerns and warn that body, where appropriate, where specific risk developments affect or may affect the institution, without prejudice to the responsibilities of the management body in its supervisory and/or managerial functions pursuant to this Directive and Regulation (EU) No 575/2013.

The head of the risk management function shall be an independent senior manager with distinct responsibility for the risk management function. Where the nature, scale and complexity of the activities of the institution do not justify a specially appointed person, another senior person within the institution may fulfil that function, provided there is no conflict of interest.

The head of the risk management function shall not be removed without prior approval of the management body in its supervisory function and shall be able to have direct access to the management body in its supervisory function where necessary.

The application of this Directive shall be without prejudice to the application of Directive 2006/73/EC to investment firms.