The Group is exposed to a number of risks that are typical for companies within the industry that are of a similar size, with a corresponding product range and that operate within the same geographical markets. The Group generally has a low risk tolerance and employs a cautious approach concerning the risks that arise in its operations and prioritises identifying and preventing risk.
The Group’s ability to manage risks and effectively maintain capital is crucial to its profitability. Various types of risks arise in the operations. The following main categories of risk have been identified and can be actualised in different ways for each company.
- Credit risks (including those attributable to the credit portfolio, liquidity and investment portfolio, credit-related concentration risks and counterparty risks)
- Market risks (interest rate risk, currency risk and other exchange risks)
- Liquidity risks
- Operational risks (including business and process risks, personnel risks, IT and information security risks and external risks)
- Other business risks (including strategic risks, business risks, cyclical risks and reputational risks)
- Insurance risks (only relevant to the insurance operations).
Credit risks, liquidity risks and operational risks that arise within the framework of its banking operations are deemed to comprise the most significant risks for the Group. Insurance risk is the most significant risk in the insurance operations.
The risk management framework is an integrated part of its operations and aligns the Group’s strategic objectives with its risk management. The risk management framework includes the Group’s functions, strategies, processes, procedures, policies, risk propensity, risk indicators, risk limits, risk mandates, and control and reporting procedures necessary for identifying, measuring, monitoring, managing and reporting risks.
In order to balance the Group’s risk exposure and to limit and control risks, the Group companies have produced policies in a 3-tiered hierarchy. External regulatory frameworks and policies comprise the basis for the Group’s control environment and management of risks that arise in the operations. The policies also outline the delegation of authorities within specific areas of risk.
The board of each Group company stipulates the risk management policies. A person is appointed in each organisation to take responsibility for each policy who regularly reviews the policy, manages reporting and proposes necessary adjustments to it.
Guidelines comprising the level under policies are determined by the CEO or the person responsible for the specific risk area that the guidelines regulate in the specific Group company. These guidelines contain more detailed information about risk management in a specific risk area. At the operational level, company managers establish the procedures that apply for specific groups of employees. The procedures are more detailed in terms of the management of specific work duties in the daily operations.
Risk propensity, risk indicators and risk limits are regularly monitored and reported to the Board.
The Board of each Group company has established a risk propensity for specific risks based on qualitative and quantitative valuations.
Risk propensity indicates the level of risk that the Group can accept in order to achieve its strategic objectives. These risk limits are well-defined boundaries that regulate the desired risk exposure and are applicable, for example, in defining levels within the various risk categories. The Group has a standardised process for risk identification, risk assessment and risk reporting and has implemented this process throughout the operations. The Group companies work actively on creating a high level of risk awareness and efficient risk management. Risk management is based on the view of three lines of defence where the combination of these lines will ensure efficient risk management in the day-to-day operations.
The first line of defence is at the operational level. Operational personnel have the best opportunity to identify, monitor and control specific risks arising in the day-to-day operations.
The second line of defence comprises the control function in each Group company, Compliance, Information Security and Risk Control, which independently and autonomously controls the Group’s operations and reports regularly, both in writing and verbally, to the respective CEO, board and certain board committees.
The third line of defence is an independent internal audit function. This function regularly examines the Group’s operations, including activities in the first and second lines of defence, to evaluate that these lines of defence are adequately managed from a risk perspective. The internal audit function reports regularly to the Board, both in writing and verbally.