Recognition shall only be given if the competent authority is satisfied that the institution's risk-management system is conceptually sound and implemented with integrity and that, in particular, the following qualitative standards are met ... the institution has a risk control unit that is independent from business trading units and reports directly to senior management.