1. Member States shall require investment firms to take the following actions:
(a) to establish, implement and maintain adequate risk management policies and procedures which identify the risks relating to the firm's activities, processes and systems, and where appropriate, set the level of risk tolerated by the firm;
(b) to adopt effective arrangements, processes and mechanisms to manage the risks relating to the firm's activities, processes and systems, in light of that level of risk tolerance;
(c) to monitor the following:
the adequacy and effectiveness of the investment firm's risk management policies and procedures;
the level of compliance by the investment firm and its relevant persons with the arrangements, processes and mechanisms adopted in accordance with point (b);
the adequacy and effectiveness of measures taken to address any deficiencies in those policies, procedures, arrangements, processes and mechanisms, including failures by the relevant persons to comply with such arrangements, processes and mechanisms or follow such policies and procedures.
2. Member States shall require investment firms, where appropriate and proportionate in view of the nature, scale and complexity of their business and the nature and range of the investment services and activities undertaken in the course of that business, to establish and maintain a risk management function that operates independently and carries out the following tasks:
(a) implementation of the policy and procedures referred to in paragraph 1;
(b) provision of reports and advice to senior management in accordance with Article 9(2).
Where an investment firm is not required under the first sub-paragraph to establish and maintain a risk management function that functions independently, it must nevertheless be able to demonstrate that the policies and procedures which it has adopted in accordance with paragraph 1 satisfy the requirements of that paragraph and are consistently effective.