Operational risks refer to the risk of loss due to incorrect or inappropriate internal processes and procedures, human errors, incorrect systems or external events, including legal risks. Operational risks include the following main categories of risk:
- Business and process risks refer to risks arising due to weaknesses in the implementation or design of the bank’s significant processes and established procedures related to these processes.
- Personnel risks refer to risks linked to the bank’s organisational structure, personnel management, working conditions, failings in the work environment or internal criminal activity.
- IT and information security risks refer to risks that affect the availability, integrity or confidentiality of information and communication systems or information used to provide services.
- External risks refer to risks that are outside the bank’s control, for example, criminal action, supplier failings or disasters. This could also involve outsourcing operations and regulatory changes.
- Security risks are included in operational risks and refer to the risk of inadequate or incorrect internal processes or external events, including cyber-attacks or insufficient physical security, that can negatively affect the availability, integrity and confidentiality of information and communication systems or the information used to provide services.
The Group manages operational risks, for example, by applying a risk management framework that includes measures for the identification, assessment, training, control and reporting of operational risks. The focus is on managing significant risks by analysing and documenting processes and procedures and by applying risk-mitigating measures. The Group’s processes have been mapped with controls to ensure that identified risks are managed and monitored effectively.
The Group has a procedure for approving new or significant changes in existing products/services, markets, processes or other major changes in the business operations. The procedure is aimed at enabling the Group to effectively and efficiently manage risks that may arise in connection with, for example, new or significantly changed products or services.
The Group’s risk management capabilities were affected to a certain extent during the pandemic, but the impact was limited due to robust processes. The Group managed the risk of a loss of personnel in critical functions by introducing different zones and remote working. More employees working from home placed higher requirements on information security and on following up the Group’s control framework.