Operational risks refer to the risk of loss due to incorrect or inappropriate internal processes and procedures, human errors, incorrect systems or external events, including legal risks.

Operational risks include the following main categories of risk:

  • Personnel risks refer to risks linked to the bank’s organisational structure, personnel management, working conditions, failings in the work environment or internal criminal activity.
  • Business and process risks refer to risks arising due to weaknesses in the implementation or design of the bank’s significant processes and established procedures related to these processes.
  • IT and information security risks refer to risks that affect the availability, integrity or confidentiality of information and communication systems or information used to provide services.
  • External risks refer to risks that are outside the bank’s control, for example, criminal action, supplier failings or disasters. This could also involve outsourcing operations and regulatory changes.

The Group manages operational risks, for example, by applying a risk management framework that includes measures for risk identification, assessment, training, control and reporting of operational risks. The focus is on managing significant risks by analysing and documenting processes and procedures and by applying risk-mitigating measures. The Group’s processes have been mapped with controls to ensure that identified risks are managed and monitored effectively.

The Group’s risk management capabilities were affected to a certain extent during the pandemic, but the impact was limited due to robust processes. The Group managed the risk of a loss of personnel in critical functions by introducing different zones and remote working. With more employees working from home, higher requirements were placed on information security and on following up the Group’s control framework.