20. From an internal control perspective, a risk assessment should identify and evaluate the internal and external factors that could adversely affect the achievement of the banking organisation's operational, information and compliance objectives. This should cover such risks as credit, market, liquidity and operational risk (which includes the risk of fraud, misappropriation of assets, and unreliable financial information). There is a significant difference between risk assessment in the context of the internal control process and the broader concept of the "risk management" of a bank's overall business. For example, the risk management process in a banking organisation consists of setting organisational goals and objectives (such as profitability targets) and identifying, measuring and setting limits on the risk exposures that the bank will accept in order to achieve its objectives. The internal control process then works to ensure that objectives and policies are communicated and implemented, that compliance with limits is monitored, and that deviations are corrected in accordance with management's policies. Thus, the concept of risk management includes, but is not limited to, both risk assessment and the setting of operational objectives as those terms are defined for internal control purposes.
Principle 4: Senior management should ensure that the internal and external factors that could adversely affect the achievement of the bank's objectives are being identified and evaluated. This assessment should cover all the various risks facing the bank (for example, credit risk, country and transfer risk, market risk, interest rate risk, liquidity risk, operational risk, legal risk and reputational risk).
21. Effective risk assessment identifies and considers internal factors (such as the nature of the bank's activities, the quality of personnel, organisational changes and employee turnover) as well as external factors (such as fluctuating economic conditions, changes in the industry and technological advances) that could adversely affect the achievement of the bank's objectives. This risk assessment should be conducted at the level of individual businesses and across the wide spectrum of activities and subsidiaries of the consolidated banking organisation. This can be accomplished through various methods. Effective risk assessment addresses both measurable risks (such as credit, market and liquidity risk) and non-measurable risks (such as operational, legal and reputational risk).
22. The risk assessment process also includes evaluating the risks to determine which are controllable by the bank and which are not. For those risks that are controllable, the bank must assess whether to accept them as they stand or to mitigate them through control procedures. For those risks that cannot be controlled, the bank must decide whether to accept them or to withdraw from, or reduce the level of, the business activity concerned.
Principle 5: Senior management should ensure that the risks affecting the achievement of the bank's strategies and objectives are continually being evaluated. Internal controls may need to be revised to appropriately address any new or previously uncontrolled risks.
23. In order for risk assessment, and therefore the system of internal control, to remain effective, senior management needs to continually evaluate the risks affecting the achievement of the bank's goals and react to changing circumstances and conditions. Internal controls may need to be revised to appropriately address any new or previously uncontrolled risks. For example, as financial innovation occurs, a bank needs to evaluate new financial instruments and market transactions and consider the risks associated with these activities. Often these risks are best understood by considering how various scenarios (economic and otherwise) affect the cash flows and earnings of financial instruments and transactions. Thoughtful consideration of the full range of possible problems, from customer misunderstanding to operational failure, will point to important control considerations.