Nordiska's three lines of defence
Three lines of defence
The Board of Directors has the ultimate responsibility for limiting and monitoring risk exposure within Nordiska. In order for us to have an effective organisation with clear roles and areas of responsibility within risk management and internal control, we follow the principle of three lines of defence.
Together, the three lines of defence form the framework for internal control, which will develop and maintain systems so as to ensure:
- Effective and efficient business operations
- Adequate risk control
- Business governance
- Reliable financial and non-financial reporting (both internal and external)
- Compliance with applicable regulations
The first line of defence
The first line of defence consists of the CEO and the employees of Nordiska who are involved in the creation and sale of products and services, or who operationally support customers, products and services. They are responsible for ensuring that operations are managed within the framework of established risk exposure and internal control, as well as in accordance with the established external and internal rules that apply to Nordiska.
The first line of defence has a well-functioning governance model and an effective process to identify, measure, evaluate, monitor, minimise and report risk.
The second line of defence
The second line of defence consists of the Risk Control and Compliance functions.
Compliance shall support the Board of Directors, the CEO and the operational activities in ensuring regulatory compliance within Nordiska. Risk Control is responsible for checking that all significant risks to which Nordiska is exposed, or may be exposed, are identified and managed by the relevant functions and controls. It is also responsible for ensuring that the internal regulations are appropriate and effective and that changes are proposed where necessary.
Furthermore, Risk Control must support and verify that the business implements the requirements set out in external regulations, and must continuously work for and contribute to good risk awareness within the organisation.
The independence of the functions is ensured by the fact that they are not carried out by those who are involved in the day-to-day business activities. This means that the functions may not be part of Nordiska's business operations.
The risk control function
The risk control function is responsible for providing relevant and independent analyses, advice and expert opinions on Nordiska's risks. In addition, the function is responsible for continuously evaluating and further developing Nordiska's risk management framework to ensure that it is appropriate. The risk control function is responsible for:
- Checking that all significant risks to which Nordiska is exposed, or can be expected to be exposed, are identified and managed by the functions concerned; identifying risks that arise due to deficiencies in Nordiska's risk management; and checking that each business unit monitors all of the functions' significant risks in an effective manner.
- Monitoring and controlling Nordiska's risk management.
- Checking and analysing Nordiska's significant risks and their development, and identifying new risks that may arise as a result of changed conditions, as well as risks that arise from the degree of complexity in the company's legal structure.
- Ensuring that information about Nordiska's risks is regularly submitted to the Board and that, at least quarterly, a report of the assessment is presented in writing and orally to the Board.
- When the company submits proposals or makes decisions that may significantly increase Nordiska's risks, assessing whether these are compatible with the level of risk Nordiska has decided to accept.
- When Nordiska develops or changes its risk strategy and acceptable level of risk, providing all relevant information that may form the basis for decisions in these matters, assessing the proposed risk strategy and making a recommendation before a final decision is made.
- Checking that the relevant internal regulations, processes and routines meet Finansinspektionen's requirements, namely that they contain the strategies, processes, routines, internal rules, limits, controls and reporting routines needed to ensure that Nordiska can continuously identify, measure, control, report internally on and maintain control over the risks to which it is or can be expected to be exposed; checking that they are appropriate and effective; and proposing changes to them where necessary.
- Identifying, controlling and reporting risks of errors in the assumptions and assessments that form the basis for Nordiska's financial reporting.
- Before Nordiska decides on new, or significantly changed, products, services, markets, processes and IT systems, and in the event of major changes in Nordiska's operations and organisation, evaluating the risks and how these can be expected to occur.
- Influencing the company's weighted risk.
The function for compliance
The function for compliance supports the Board, the CEO and the operational activities in ensuring compliance with the regulations that apply to Nordiska's permit-requiring operations. The function for regulatory compliance is independent and is not involved in Nordiska's business operations. The function for compliance is part of the second line of defence, is directly subordinate to the CEO, and reports directly to the CEO and to the Board.
This means that the function for compliance must:
- Identify the risks of Nordiska not fulfilling its obligations under applicable regulations, external and internal, and monitor and check that these risks are managed by the functions concerned.
- Monitor and check compliance with the applicable regulations, internal and external.
- Provide advice and support to Nordiska's employees, CEO and Board of Directors on both the external and internal regulations.
- Inform and educate relevant people about new or changed external regulations.
- Check that new, or significantly changed, products, services, markets, processes, IT systems and major changes in Nordiska's operations and organisation comply with the external regulations.
- Monitor and check that Nordiska has appropriate internal regulations and routines to be able to identify the risks of Nordiska not fulfilling its obligations under the applicable regulations, both external and internal. Furthermore, the function shall check that Nordiska has appropriate and effective routines and takes appropriate measures to minimise the risk of external regulations not being complied with.
- Make recommendations to the persons concerned based on the observations made by the function.
The third line of defence
The third line of defence consists of the function for internal audit.
The function for internal audit is the Board's tool for meeting the requirements for good and effective internal governance and control and is, in this context, organisationally separate from Nordiska's other functions and operations.
The internal audit function is responsible for reviewing and regularly evaluating whether internal control is effective and appropriate. Within the framework of the assignment, the function for internal audit shall, among other things, review and regularly evaluate the company's risk management, compliance with regulations, financial information and the second line of defence.
The function for internal audit
The function for internal audit is responsible for ensuring independent review and supervision of the work carried out within both the first and second lines of defence. This means that the internal audit function works according to a current, risk-based audit plan established by the Board, under which it reviews and regularly evaluates:
- Whether Nordiska's organisation, governance processes, IT systems, models and routines are appropriate and effective.
- Whether Nordiska's internal control is appropriate and effective.
- Whether the business is conducted in accordance with Nordiska's internal regulations.
- Nordiska's risk management, based on the decided risk strategy and acceptable level of risk.
- Whether Nordiska's internal regulations are appropriate and compatible with external regulations.
- The reliability of Nordiska's financial reporting, including off-balance-sheet commitments.
- The reliability and quality of the work performed within Nordiska's control functions in the second line of defence.
- In addition, based on the observations made by the internal audit, the function makes recommendations to the persons concerned and follows up on the measures that have been implemented.