Purpose and organisation
The aim of Triodos Bank’s risk management activities is to ensure the long-term resilience of the business. These activities create an environment in which Triodos Bank can pursue its mission to its fullest potential in a safe way. Risk management provides the structural means to identify, prioritise and manage the risks inherent in its business activities. The intention is to embed risk management in such a way that it fits the complexity and size of the organisation and also allows for future growth. To ensure that such an environment can exist and prosper, a Risk Governance Framework has been put in place which underpins the risk processes.
The Three Lines of Defense
Triodos Bank manages its business using a Three Lines of Defense Model. This approach ensures that each co-worker is fully aware of their responsibilities in the management of risk, irrespective of whether their role is in a commercial, policy-making or control function. The model ensures that responsibilities are properly aligned and makes clear that all co-workers have a role to play in managing risk.
First line functions are Triodos Bank’s branches, business units and departments, which are responsible for managing the risks of their operations. Second line functions are located in the bank branches, business units and departments, and ensure that risks are appropriately identified and managed. Second line functions are also established at the Head Office. They create and maintain the corporate Risk Governance Framework, and the policies and procedures which provide the boundaries for the local and consolidated business activities.
The third line of defense is the Internal Audit function providing independent and objective assurance of Triodos Bank’s corporate governance, internal controls, compliance and risk management systems. This includes the effectiveness and efficiency of the internal controls in the first and second lines of defense.
In light of Triodos Bank’s growth, the impact of new regulations, and the increased attention of supervisory authorities, Triodos Bank has significantly strengthened its risk management organisation in recent years. The Director Risk and Compliance (CRO) has full responsibility for all second line risk management and compliance activities and reports directly to the Chief Financial Officer; these activities are supervised by the Audit and Risk Committee of the Supervisory Board.
The structure of the risk organisation meets banking industry standards and covers all relevant risks for Triodos Bank within three risk types: Enterprise Risks, Financial Risks and Non-Financial Risks. Each risk type covers a number of risk categories (see diagram on the next page).
The current governance structure of Triodos Bank allows the Executive Board to delegate decision-making authority to the following risk committees at a central level:
- For Financial Risk, the Central Credit Committee has authority to take decisions on credit risks, both on an individual debtor level and on a credit portfolio level; the Asset & Liability Committee has authority to decide on market risks and liquidity risk;
- For Non-financial Risk, the Non-Financial Risk Committee has authority to decide on operational and compliance risk matters. This committee also functions as the Product Approval Committee for new products; and
- For Enterprise Risk, the Enterprise Risk Committee has authority to decide on strategic, business and reputational risk issues.
Each committee is chaired by an Executive Board member to ensure consistent decision making on material risks within Triodos Bank’s wider strategy.
Branches also have a decision-making committee for their lending activities: the Local Credit Committee. This local credit committee decides on loans under the responsibility of the local Managing Director within delegated credit approval limits. This committee also monitors the credit risks of the local credit portfolio and monitors alignment with relevant credit risk policies.
The Supervisory Board’s Audit and Risk Committee supervises the activities of the Executive Board with respect to the operation and adequacy of internal risk management and control systems. The CRO reports to the Executive Board and has an escalation line to the Chair of the Audit & Risk Committee, which supports the independence of the Risk Control Function as a countervailing power to the business.