Non-financial risk includes all the risks faced in Triodos Bank’s regular activities and processes that are not categorised as enterprise or financial risk. Triodos Bank has sub-divided this into operational and compliance risk. Monitoring these risks is particularly important to ensure Triodos Bank can continue to offer quality financial services to its stakeholders.
Operational risks relate to losses Triodos Bank could incur as a result of inadequate or failing internal processes, systems, human behaviour or external events. Triodos Bank limits these risks with clear policies, procedures and controls for all business processes. Operational Risk Management consists of identifying, managing and monitoring the risks within several subcategories including Information Security, Business Continuity, Tax risk and Financial reporting risk.
Activities to manage risks related to these subjects are, from a second line perspective, executed under the responsibility of the Chief Risk Officer (CRO) in line with the operational risk framework. At Triodos Bank HO, the Group Head of Operational Risk reports to the CRO. The Group Risk Management function is mirrored locally in each of the BUs as much as possible, taking into account the level of proportionality. At BU level, the Local Head of Operational Risk reports hierarchically to the Local Head of Risk and functionally to the Group Head of Operational Risk. The Local Head of Risk reports hierarchically to the Managing Director and functionally to the Chief Risk Officer.
The Non-Financial Risk Committee, a decision-making risk committee at Group level with decision-making power delegated by the Executive Board to take decisions on the non-financial risk appetite and other non-financial risk aspects (including Compliance), meets both locally and at group level on a monthly basis. During 2020 the non-financial risk appetite KRIs were reviewed, updated and cascaded to the BUs.
The Operational Risk Framework follows the principles set out in the Sound Practices for the Management and Supervision of Operational Risk. These sound practices provide guidelines for the qualitative implementation of operational risk management and are advised by the Bank for International Settlements. The Operational Risk policy framework includes:
Operational Risk Management Framework which describes guiding principles for the management of operational risk within Triodos Bank.
Non-Financial Scenario Analysis policy which describes the methodology of the ORM instrument “Scenario Analysis” within Triodos Bank.
Risk and Control Self-Assessment policy which formalizes and explains the definition and positioning of the Risk & Control Self-Assessment (RCSA) methodology within Triodos Bank.
Key Control Management policy which formalizes positioning of key controls and the management of these key controls within Triodos Bank. This means the identification of key controls, and the testing, reviewing and evaluation of the operating effectiveness of these key controls.
Risk Acceptance and Waiver policy which describes the process of waiving policy implementations as well as the process of accepting risks for which it has been decided that it is not feasible to avoid, transfer or mitigate the risk to a low residual risk.
Risk Event Management policy which describes how risk events are managed, captured and reported within Triodos Bank.
Action Tracking policy which describes Action Tracking as an ORM instrument to monitor actions that are intended to mitigate the identified risks within Triodos Bank.
The Operational Risk Framework uses several tools and technologies to identify, measure and monitor risks and monitors the level of control at an operational, tactical and strategic level. During 2020 control testing and key control management were extended to also support the monitoring of DGS-related control objectives. The Operational Risk Management department performs analyses on a continuous basis, supported by a risk event management process and strong reporting and communication lines between the Local Operational Risk departments and Group Operational Risk Management.
Cyber threats remain high across the financial sector. Triodos Bank performs periodic cyber threat assessments to determine its strategy to limit these risks. The information security management system includes the Dutch Central Bank’s (DNB) framework for Information Security, which is based on COBIT. In order to detect and respond to cybersecurity events, a Security Operations Centre (SOC) is in place within Triodos Bank. Business Units follow the central security plan but also have their own responsibility for setting up awareness training specific to local needs, as strong security awareness among co-workers is an essential part of security.
Triodos Bank is subject to international tax risks due to its operations in several West-European countries. The local tax risks are managed by the respective local Triodos Bank business units, in close cooperation with, and supported by, the tax department at group level.
Triodos Bank is subject to financial reporting risk which is mainly related to estimates and assumptions applied as further disclosed in the financial statements. Triodos Bank is continuously working on improving its reporting. Projects and improvement programs have been set up to ensure effective and efficient usage and analysis of data in order to support its decision processes.
Triodos Bank defines compliance risk as the risk of legal or regulatory sanctions, material financial loss or loss of reputation that Triodos Bank may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory standards and codes of conduct applicable to its banking activities. Internal policies, procedures and awareness activities are in place to guarantee that co-workers in all functions comply with relevant laws and regulations.
The compliance function independently monitors and challenges the extent to which Triodos Bank complies with laws, regulations and internal policies, with an emphasis on customer due diligence, anti-money laundering, treating customers fairly, preventing and managing conflicts of interest, data protection and the integrity of co-workers.
Triodos Bank has a European compliance team which is led by the Group Director Compliance, who is also the Group Data Protection Officer. Compliance Officers and Data Protection Officers are appointed in every banking entity with a functional line to the central compliance department. The Director of Compliance reports to the Chief Risk Officer and has an escalation line to the Chair of the Audit and Risk Committee, which supports the independence of the Compliance Function.
Triodos Bank aims to serve the interests of all stakeholders, including society, by actively fulfilling its role as a gatekeeper in the financial system and by countering money laundering and terrorism financing. The bank applies various procedures and measures in this respect.
In 2018, DNB conducted a thematic, sector-wide survey among Dutch banks, focusing on the measures that the banks have taken to prevent money laundering and terrorism financing. Following this survey, DNB concluded that Triodos Bank is required to implement enhanced measures concerning customer due diligence and the monitoring of customer transactions. On 6 March 2019 the Dutch Central Bank imposed on Triodos Bank N.V. a formal instruction (aanwijzing) to remedy shortcomings in its compliance with provisions of the anti-money laundering and counter-terrorist financing laws and the financial supervision laws. Triodos Bank accepted this instruction and is implementing mitigating measures. Following the formal instruction, Triodos Bank received an administrative penalty on 14 December 2020 that was paid without delay.
Triodos Bank was not involved in any other material legal proceedings or any other further sanctions associated with non-compliance with legislation or regulations in terms of financial supervision, corruption, advertisements, competition, data protection or product liability.