An Authorised Person must develop, implement and maintain policies and procedures to manage the risks to which the Authorised Person and where applicable, its customers or users, are exposed.