Effective and reliable internal control forms the basis for compliance with sound and prudent business practices.
Internal control refers to procedures or practices within an organisation to ensure that the organisation achieves the targets set in the strategy, uses resources economically and that the information in support of management decisions is reliable. Internal control also ensures that risk management, custody of client assets and protection of property are adequately arranged. Conformance to regulations and approved ethics principles is also ensured through internal control.
OP Financial Group’s internal control principles shall be approved by the central cooperative’s Supervisory Board. OP Corporate Bank complies with the principles of internal control adopted by the central cooperative's Supervisory Board.
Internal controls apply to all operations. The nature and extent of operations and, whenever necessary, special characteristics related to international operations are taken into consideration in specifying internal controls. Internal control covers all organisational levels. Internal control in its most extensive form primarily takes place at the operational level, characterised by continuous processes and forming part of daily routines.
Internal control is complemented by the opportunity of anyone employed by OP Financial Group to report through an independent channel if they suspect that rules or regulations have been violated (whistleblowing).
The Board of Directors' role
The Board of Directors is responsible for organising and maintaining adequate and effective internal control. It shall, for example,
- confirm the internal control principles and supervise the performance and adequacy of internal control in line with principles adopted by the central cooperative's Executive Board;
- annually adopt the Company’s capital adequacy management principles, risk policies/risk strategies, funding plan, capital plan, investment plan and significant operating principles governing risk management in line with principles adopted by the central cooperative;
- decide on principles for ensuring that the Company and its consolidation group operate in compliance with external regulation and internal instructions (compliance) in line with principles adopted by the central cooperative Executive Board;
- confirm the principles of internal audit and an action plan in line with principles adopted by the central cooperative Supervisory Board;
- confirm the principles and procedures for ensuring the fitness and propriety of the Company’s and its consolidation group’s management in line with principles adopted by the central cooperative Executive Board; and
- decide on the organisational structure and management system for the Company and its functions in line with principles adopted by the central cooperative Executive Board.
Central cooperative consolidated-level risk management and financial reporting are performed in a coordinated way by a function independent of the business lines/divisions. Each Group company’s board of directors is responsible for the top management tasks of the company in question related to internal control. Each Group company’s executive management is responsible for the implementation of internal control and risk management according to the agreed principles and guidelines, and shall regularly report on the company’s business, risk-bearing capacity and risk status, in accordance with the Group’s management system.
Internal control in 2016
The Board of Directors is responsible for considering issues related to the Group's governance and is in charge of internal control effectiveness and ensuring regulatory compliance.
The executive management and the Board of Directors assessed the performance of good corporate governance and internal control.
The Compliance function is tasked with assisting senior management and executive management and business lines/divisions in the management of risks associated with regulatory non-compliance, supervising regulatory compliance and, for its part, developing internal control further. Finance and Treasury as well as HR Services are, for their part, in charge of regulatory compliance management.
Almost all activities involve compliance risk and responsibility for the management of risks rests with the business lines/divisions. The President and CEO is in charge of the Company's compliance activities. OP Financial Group's Compliance, whose director reports to the OP Financial Group's CRO, supports the President and CEO in this respect. Compliance activities and the related recommendations issued to the business lines/divisions are subject to regular reporting to OP Corporate Bank plc's Board of Directors. Compliance activities must also be reported to the Executive Board of the central cooperative consolidated and the Audit Committee of the Supervisory Board as part of OP Financial Group level reporting.
As part of the annual risk management plan, OP Financial Group’s Compliance function shall annually draw up a compliance action plan which will be discussed and confirmed by OP Corporate Bank plc’s Board of Directors with respect to the Company. Principles and instructions governing compliance shall also be confirmed in the same manner. OP Financial Group’s Compliance function is responsible for advice on and support of Group-level compliance risk management and also controls OP Corporate Bank’s compliance.
Compliance is aimed at preventing the materialisation of compliance risks. For this purpose, the Compliance function shall, for example,
- prepare and maintain guidelines on key matters related to practices;
- advise employees on, and train them in, matters related to practices;
- support the business lines/divisions in the planning of development measures promoting the management of compliance risks;
- keep senior and executive management and the business lines/divisions informed of upcoming regulatory changes and monitor the business lines’/divisions’ preparation for regulatory changes;
- supervise compliance within OP Corporate Bank Group with the current regulatory framework, ethical practices and internal guidelines related to practices; and
- regularly report to both senior and executive management on recommendations and the results of control given to the business lines/divisions and other observations related to compliance risk exposure.
OP Financial Group’s core values, strategic goals and financial targets form the basis for OP Corporate Bank’s risk management and capital adequacy management. The purpose of risk management is to identify threats and opportunities affecting strategy implementation. The objective is to help achieve the targets set in the strategy by controlling that risks taken are proportional to risk-bearing capacity. Risk-bearing capacity is made up of effective risk management that is proportionate to the extent and complexity of operations and of adequate capital resources and liquidity based on profitable business operations. OP Corporate Bank adopts a policy of moderate risk-taking and its business operations are based on a reasoned risk/return approach.
OP Corporate Bank applies integrated risk management aimed at identifying, assessing and mitigating all major business-related risks to an acceptable level. Risk management has been integrated as part of OP Corporate Bank Group’s business and management.
OP Financial Group’s principles governing the risk-taking and risk tolerance system, adopted by OP Cooperative’s Supervisory Board, define how the Group’s risk-taking is controlled, restricted and supervised and how the risk management and internal capital adequacy assessment process is organised.
OP Financial Group’s risk policy controls OP Corporate Bank’s risk-taking. In the risk policy, the central cooperative's Executive Board annually confirms the risk-management principles, actions, objectives and limits to be applied by all Group business segments and entities, which are used to guide business to implement the policies confirmed in the Group's strategy and the principles of the risk tolerance system. In addition, Non-life Insurance is guided by risk policies applied to private and corporate customers, reinsurance principles, investment plans and the policy governing hedging against interest rate risk associated with insurance liabilities.
The most significant risks of OP Corporate Bank Group include credit risks, market risks, liquidity risks, underwriting risks, concentration risks and strategic, reputational and operational risks, including compliance risk associated with all business operations.
More detailed information on major risks can be found in OP Corporate Bank Group's most recent Report by the Board of Directors and Financial Statements (see OP Financial Group > To the media > Publications > OP Corporate Bank publications).
Organisation of risk management and capital adequacy management
The Board of Directors decides on the business strategy based, among other things, on the principles issued by the central cooperative’s Executive Board and approves a business plan and supervises their implementation. In line with the principles adopted by the central cooperative’s Executive Board, it also confirms risk policy, funding plan, capital plan and proactive contingency plan for capital base, business continuity plan and significant risk management principles.
The Board of Directors supervises and monitors the implementation of risk and capital adequacy management and the fact that the company’s risk management is in conformity with laws, official regulations and instructions issued by the central cooperative. The Board of Directors is responsible for the sufficiency of risk management systems and supervises their extent and performance. The Board of Directors is also tasked with supervising the Company so that it does not take excessive risks which would materially jeopardise the Company’s capital adequacy, liquidity, profitability or business continuity. It also supervises the quantity and quality of capital, financial performance, risk exposure and compliance with the risk policy, limits and other instructions.
The Board assesses the appropriateness, extent and reliability of OP Corporate Bank Group’s capital adequacy management on a holistic basis at least once a year.
OP Corporate Bank’s President and CEO takes charge of the overall control of the Company in such a way that the company as a whole achieves its profit, risk-bearing capacity and other targets and goals by following shared strategies and policies. The President and CEO is tasked with analysing, coordinating and controlling the Company's asset/liability management in accordance with laws, official regulations and the risk policy.
OP Cooperative is responsible for OP Financial Group-level risk and capital adequacy management and for ensuring that OP Financial Group’s risk management system is sufficient and kept up to date. OP Financial Group's Risk Management is a function independent of business lines/divisions that defines, steers and supervises the overall risk management of the Group and its entities, and analyses their risk exposure. Risk Management also assists in decision-making and controls the quality of the credit decision process. It also assesses risks associated with the introduction of new products and business models/concepts.
The business lines/divisions shall bear primary responsibility for their risk-taking, financial performance and compliance with the principles of internal control and risk management and capital adequacy management. The business lines/divisions have the right to take decisions on risk-taking within the approved decision-making powers, exposure limits and credit limits.
A more detailed description of the Company’s risk management and capital adequacy management principles and risk exposure can be found in the Group’s most recent Report by the Board of Directors and Financial Statement (see OP Financial Group > To the media > Publications > OP Corporate Bank publications).
Risk management in 2016
In risk management of the central cooperative, 2016 included monitoring external regulatory changes and continuing to prepare for regulatory changes. Significant changes included the EU Solvency II Directive applying to insurance companies and the EBA technical guideline on the management of interest rate risk in the banking book, effective since the beginning of 2016.
The Group continued to further develop its risk management assessment processes and operational processes in order to ensure that risk management has been integrated as part of all business. In addition, the Group updated its risk management guidelines, risk reporting and risk limitation. Risk Management has also significantly developed OP Financial Group’s internal stress testing methods.
Internal Audit is tasked with assisting OP Corporate Bank plc’s Board of Directors and the Company's management in controlling, supervising and assuring operations by carrying out operational audits. Internal audit is based on independent and objective assessment, assurance and consulting activities. It supports the management in their efforts to achieve objectives by providing a systematic, disciplined approach to assessing and upgrading the efficiency of the organisation’s risk management, control and management and governance processes, with the focus on the identification of risk factors and the assessment of the performance of internal control.
Responsibility for internal audit rests with two Internal Audit functions within Audit of OP Corporate Bank plc’s parent institution, OP Cooperative, whose heads report to the Chief Audit Executive of OP Financial Group. The Chief Audit Executive reports audit observations applying to the Company to OP Corporate Bank plc's Board of Directors and the President and CEO.
OP Cooperative’s Supervisory Board has confirmed the instructions governing the organisation and operating principles of internal audit. The Audit Committee of OP Cooperative’s Supervisory Board annually approves the Internal Audit action plan that is confirmed by the Company’s Board of Directors. Internal Audit produces special reports at the senior management’s request, if need be.
Internal Audit is a function independent of the business lines/divisions. Internal Audit shall prepare a report on each audit and deliver it to the President and CEO, auditors, the Compliance function and those in charge of the business line concerned. These reports may contain recommendations aimed at improvements. Internal Audit shall monitor the implementation of the recommended improvements. Internal Audit shall annually report to the Board of Directors on its major observations and the implementation of the action plan.
Internal audit is conducted in compliance with good internal auditing practice. The International Standards for the Professional Practice of Internal Auditing, issued by the Institute of Internal Auditors, and professional standards, issued by the Information Systems Audit and Control Association, and the code of ethics provide the conceptual framework for good internal auditing practice and the independence and objectivity of internal activities. The planning, implementation and reporting of audit is an independent function. Internal audit performance is subject to external quality assessment every five years. Internal Audit reports on audits to the Audit Committee of the central cooperative’s Supervisory Board. It has no operational responsibility or powers with respect to the functions subject to auditing.
Internal audit in 2016
The internal audit action plan for 2016, confirmed by the Board of Directors, contained seven audits applying to OP Corporate Bank plc. Audits based on the action plan were performed. The year 2016 also involved two reported audits which were included in the Internal Audit action plan for 2015. These audits involved assessing the effectiveness of OP Corporate Bank plc’s controls and internal control in various operating processes and information systems, as well as the effectiveness of risk management and its procedures.