Nov 4
/
Nikolas Xenofontos
Comprehensive Guide on the Risk Management Function in 2025
about the author
Nikolas is the Managing Director at SALVUS Funds, a boutique advisory in Europe.
In a nutshell, Nikolas has over 10 years of experience in the investment services industry and has held C-suite and executive positions at one of the largest online CFD brokerages.
Over the past decade, Nikolas has established himself as a leading expert on investment firms, investment funds, Payment and Electronic Money Institutions (EMI), Crypto-Asset Services Providers (CASP), and on Mergers & Acquisitions (M&A).
Since joining SALVUS Funds in 2018, he has been passionate about optimizing processes and aligning regulatory compliance to business goals. Combining his passion and expertise, Nikolas delivers CPD courses based on CySEC regulatory frameworks aimed at investment services professionals.
Risk management remains a vital element within financial services, ensuring that firms can identify, assess, and mitigate risks that could affect their stability and performance. In investment firms, it supports sound governance, protects investor interests, and upholds confidence in the financial system.
The Cyprus Securities and Exchange Commission (CySEC) requires investment firms to maintain robust risk management frameworks that align with their size, complexity, and business activities. These frameworks are not only regulatory obligations but strategic tools that enable firms to anticipate challenges and achieve long-term resilience.
With this blog post, Nikolas Xenofontos, an expert instructor at the institute, explains the Risk Management Function along with its framework and policies. This course includes a comprehensive breakdown of the Risk Management Function, including its reporting obligations and risks.
Towards the end of this blog post, we conclude with an overview of the knowledge and skills gained on successful completion of the course "Comprehensive Guide on the Risk Management Function in 2025".
Risk Management Regulatory Framework and Reporting Obligations
The risk management framework for investment firms is founded on MiFID II / MiFIR and IFD / IFR, ensuring strong governance, risk identification, and transparency.
Firms are required to maintain adequate risk management policies and procedures which can identify risks in relation to the firms’ activities and systems.
Risk Management Function and Risk Manager
The Risk Management Function (RMF) operates as an independent unit within investment firms, responsible for identifying, assessing, and monitoring risks across all areas of operation. CySEC requires that personnel within the RMF possess the necessary knowledge, skills, and experience to apply appropriate risk management techniques and procedures. This ensures that risk assessments are objective, reliable, and proportionate to the firm’s size and complexity.
The Risk Manager plays a central role in ensuring that risks are managed within the firm’s defined tolerance, assists senior management in informed decision-making, and supports compliance with the applicable regulatory framework. This is achieved through the Annual Risk Management Report, which is prepared by the Risk Manager and presented to the Board of Directors.
Additionally, the Risk Manager is responsible for preparing and submitting key prudential and supervisory reports, including the ICARA Report and the Pillar III Report, which together provide CySEC with an overview of the firm's risk profile, capital adequacy, and internal control effectiveness.
Through these processes, the Risk Management Function promotes transparency, supports informed decision-making, and reinforces the firm's resilience within an evolving regulatory and operational environment.
How can risks be treated?
Investment Firms are required to adopt strategies and policies that enable the identification, management and monitoring of material risks affecting clients, the market and the firm itself. To ensure effective risk treatment, the management body must approve and periodically review these strategies and policies, devote sufficient time to assess risk matters, and remain fully informed of all material risks and any significant changes.
Once the Risk Management Framework (RMF) is established, it must ensure that all relevant risks are identified, assessed, and reported. These include, among others, IFR/IFD K-Factor risks, operational risks, and Pillar II risks.
After assessing and measuring the level of each risk, the RMF should design and implement mitigation measures to prevent the risks from materializing or to minimize their impact. These measures must be established and prioritized on a risk-based approach, ensuring that the most significant risks receive appropriate attention and resources. All identified risks should be documented and categorized within the Risk Register, based on both their likelihood of occurrence and their potential financial impact on the company. A well-defined Risk Management Policy outlines this process, providing a consistent and structured approach for recognizing, assessing and addressing potential risks across the firm's operations.
Complementing this, a Business Continuity and Disaster Recovery (BCDR) Plan ensures operational resilience in case of disruptions, allowing firms to continue essential functions and recover systems effectively.
Together, these components provide a comprehensive framework for effective risk governance and business stability.
What is the “Comprehensive Guide on the Risk Management Function” course and what does it include?
The “Comprehensive Guide on the Risk Management Function in 2025” course has been developed by SALVUS Funds and is led by their Managing Director, Nikolas Xenofontos. Nikolas focuses on presenting the key areas any Risk Management Function shall comprise, along with a detailed explanation of how to study, review and present the information gathered.
The course is designed to assist employees assigned with the operations of the Risk Management Function for the year 2025. It furnishes them with thorough guidance on the necessary information to be incorporated. Additionally, it aids Boards of Directors members in examining and assessing the reports prior to their presentation to the regulatory body. The SALVUS Regulatory Compliance team possesses extensive expertise in preparing reports for regulated entities operating in investment, cryptocurrency, and payment sectors. This course draws upon their first-hand knowledge of how a Risk Management Function shall operate.
The syllabus of the “Comprehensive Guide on the Risk Management Function in 2025” includes:
- Introduction to the Risk Management Regulatory Framework
  - Framework overview
  - The Markets in Financial Instruments Directive & Regulation
  - The Investment Firms Directive & Regulation
  - Recovery & Resolution
  - Obligations of IFs towards Risk Management
- The Risk Management Function
  - The Risk Management Function
  - Role of the Risk Manager
  - Risks Strategy and Decisions
  - Material Changes
  - Role of the Risk Management Committee
  - Risk Management Function - Recap
- Risk Management Reporting Obligations
  - Annual Risk Management Report
  - Prudential Supervision Reports
  - ICARA Report
  - Pillar III Report
  - Quarterly Statistics Reports
  - Best execution obligations
  - Market Abuse obligations
- Assessing & Managing Risks
  - Treatment of risks
  - Role of the Management Body
  - Identifying risks
  - Measuring and assessing risks
  - Managing and mitigating risks
  - Monitoring and reporting risks
- Risk Register & Risk Management Policy
  - Risk Register
  - The Internal Capital Adequacy and Risk Assessment Process (ICARAP)
  - Risk Management Policy
- Business Continuity
  - Disaster Recovery Plan
  - Simplified conditions
  - Business Continuity Plan
The “Comprehensive Guide on the Risk Management Function in 2025” course offers materials in both PDF slides and online video recordings, allowing for flexible, self-paced learning. Enrolled learners can study anytime and anywhere at their convenience. After completing the course, participants can assess their understanding of the material through a set of knowledge-based questions.
Professionals who complete this course will establish a solid understanding of the provision of Investment Advice and Portfolio Management services under MiFID in addition to acquiring knowledge of the characteristics and requirements of suitability assessment and a comprehensive investment policy.
The completion of this course counts toward Continuous Professional Development (CPD) annual requirements for professionals, and holders of the CySEC Advanced, Basic and AML certifications.
Get in touch
If you have any questions about Nikolas's course or any other questions related to your training requirements, please contact us; we would love to help.
From all of us at IforPE, the Institute for Professional Excellence,
Ancora Imparo
#1 for CySEC, CBC, ICPAC & CBA CPD education
The Institute for Professional Excellence (IforPE)
Copyright © 2019-2025
The Institute for Professional Excellence is protected under a registered European trade mark. The figurative trade mark registration number is 018854840. This trade mark is protected under the European Union's legislation.
