The Group faces various risks common to companies of similar size, product range, and geographical markets within the industry. The Group adopts a cautious approach to risk, prioritizing their identification and prevention. Risk management is an integral part of the Group’s daily operations and intended to ensure that the risks do not exceed the risk tolerances set by the Board of Directors.
The Group’s ability to manage risks and effectively maintain capital is crucial to its profitability. The Group encounters various risks in its business activities, with the most significant being credit risk, liquidity and financial risks and operational risk. Additionally, other types of risk, such as business/strategic, market risk, sustainability risk and reputational risk, can manifest in different ways for the Group.
The risk management framework aligns the Groups strategic objectives with risk management. This framework encompasses the Group’s functions, strategies, processes, procedures, policies, risk appetite, risk indicators, risk limits, risk mandates, and control and reporting procedures essential for identifying, measuring, monitoring, managing and reporting risks.
In order to balance the Group’s risk exposure and to limit and control risks, the Group companies have produced policies. External regulatory frameworks and policies comprise the basis for the Group’s control environment and management of risks that arise in the operations. The policies also outline the delegation of authorities within specific areas of risk. The board of each Group company stipulates the risk management policies.
Guidelines comprising the level under policies are determined by the CEO or the person responsible for the specific risk area that the guidelines regulate in the specific Group company. These guidelines contain more detailed information about risk management in a specific risk area.
Risk appetite, risk indicators and risk limits are regularly monitored and reported to the Board. The Board of each Group company has established a risk appetite for specific risks based on qualitative and quantitative valuations. Risk appetite indicates the level of risk that the Group can accept in order to achieve its strategic objectives.
The Group has a standardised process for risk identification, risk assessment and risk reporting and has implemented these processes throughout the operations. The Group companies work actively on creating a high level of risk awareness and efficient risk management. Risk management is based on the view of three lines of defence where the combination of these lines will ensure efficient risk management in the day-to-day operations.
The first line of defence is at the operational level. Operational personnel have the best opportunity to identify, monitor and control specific risks arising in the day-to-day operations.
The second line of defence comprises the control function in each Group company, Compliance, and Risk, which independently and autonomously controls the Group’s operations and reports regularly, both in writing and verbally, to the respective CEO, board and certain board committees.
The third line of defence is an independent internal audit function. This function regularly examines the Group’s operations, including activities in the first and second lines of defence, to evaluate that these lines of defence are adequately managed from a risk perspective. The internal audit function reports regularly to the Board, both in writing and verbally.