- 1. A covered institution shall establish a risk management program under the oversight of the board of directors of the institution or other body established pursuant to subsection 2 of NRS 645F.780.
2. A risk management program established pursuant to subsection 1 must:
- (a) Identify, measure, monitor and control risk sufficient for the level of sophistication of the covered institution.
- (b) Have appropriate processes and models in place to measure, monitor and mitigate financial risks and changes to the risk profile of the covered institution and assets being serviced.
(c) Be scaled to the complexity of the organization, but be sufficiently robust to manage risks in several areas, including, without limitation:
- (1) Compliance risk;
- (2) Credit risk;
- (3) Legal risk;
- (4) Liquidity risk;
- (5) Market risk;
- (6) Operational risk; and
- (7) Reputation risk.
- (d) Be available to the Commissioner upon request.
3. A covered institution shall:
- (a) Annually conduct a risk management assessment;
- (b) Prepare a formal report of the risk management assessment conducted pursuant to paragraph (a), to include, without limitation, the evidence maintained pursuant to paragraph (e);
- (c) Provide the formal report prepared pursuant to paragraph (b) to the board of directors of the covered institution or other body created pursuant to subsection 2 of NRS 645F.780;
- (d) Make the formal report prepared pursuant to paragraph (b) available to the Commissioner upon request; and
- (e) Maintain evidence of activities to manage risk performed throughout the year, including, without limitation, findings of issues and the responses to address those issues, and include that evidence in a formal report prepared for that year pursuant to paragraph (b).
4. As used in this section:
- (a) “Compliance risk” means the risk of regulatory sanctions, fines, penalties or losses resulting from failure to comply with laws, rules, regulations or other supervisory requirements applicable to the covered institution.
- (b) “Legal risk” means the potential that actions against the covered institution that result in unenforceable contracts, lawsuits, legal sanctions or adverse judgments can disrupt or otherwise negatively affect the operations or condition of the covered institution.
- (c) “Market risk” means the risk to the condition of the covered institution resulting from adverse movements in market rates or prices.
(d) “Operational risk” means the risk resulting from:
- (1) Inadequate or failed internal processes, persons and systems; or
- (2) External events.
- (e) “Reputation risk” means the risk to earnings and capital arising from negative publicity regarding the business practices of the covered institution.
(Added to NRS by 2025, 243)