The risk management and control systems provide reasonable, but not absolute, assurance regarding the reliability of financial reporting and the preparation and fair presentation of the bank's financial statements.
The risk management objective of Triodos Bank is to create an environment that supports the bank in pursuing its mission and realising its strategic objectives, by identifying and managing, in a timely manner, the risks the bank is or may be exposed to. From a risk management perspective, this means providing the structural context in which the risks inherent to the bank's activities are identified and managed. The intent is to embed risk management in a practical and effective way that is proportionate to the size and complexity of Triodos Bank.
The Three Lines of Defence (LoD) model is a prominent organisational risk concept that is integrated in the internal governance and organisation of Triodos Bank. The concept strengthens Triodos Bank's risk control by consistently assigning and embedding clearly defined risk management roles and responsibilities across the bank. The fundamental rationale behind the three lines concept is that risk management can only be effective when it is embedded and exercised in all constituent parts of the bank. Because risks may, in principle, surface and manifest themselves anywhere within the bank, risk awareness and consciousness are to be maintained at all levels throughout the bank. Only then can risks be identified in time and responded to adequately. As the management of risks is therefore not reserved to the 'risk management' role, the three lines concept offers an effective way of structuring and arming the organisation as a whole against all risks that may jeopardise the realisation of the purpose and strategy of the bank. Contributing to a sound risk culture, directed at embedding the intended norms, attitude and behaviour related to risk awareness, risk-taking and risk management, is a shared responsibility of all co-workers.
The first line takes risk and is primarily responsible for managing the risks it incurs in conducting its activities and operations within its span of control. The first line therefore has the ‘ownership’ of these risks. From a functional area perspective, the first line responsibilities are shared by the respective areas (i.e. Business Banking, Retail Banking, Corporate Strategy, Corporate Communications, ICT, Operations, Human Resource Management, Legal, Finance, Group Treasury and Marketing).
The second line contains the Risk Management and Compliance functions. Both functions are present at local business unit level and at group level. Whereas the first line exercises 'risk ownership', the second line exercises 'risk control'. To that end, the second line supports and facilitates a sound risk management and control framework throughout the bank, oversees the control processes and controls in place in the first line to ensure proper design and operating effectiveness, and actively engages with the first line to jointly enhance the functioning of the bank's risk management and control framework.
The third line is the Internal Audit function, which provides ‘risk assurance’ by providing risk-based independent and objective assurance, advice, and insight to the Executive Board, Audit and Risk Committee, senior management and managers at group and business unit level. This is done by a systematic, disciplined and balanced approach of evaluation, reporting and advising with regard to the corporate governance structure, internal control, compliance and risk management functions of the bank.
In view of Triodos Bank’s size, the impact of all new regulations, and the increased attention of supervisory authorities, Triodos Bank has made an important step up in its risk control organisation during the past years. In line with the increased importance of compliance, the Director Compliance reports directly to the Chief Risk Officer. All second line activities and responsibilities are supervised by the Audit and Risk Committee of the Supervisory Board.
The Risk and Compliance functions provide relevant independent information, analyses and expert judgement on risk exposures, and advise on proposals and risk decisions to be made by the Executive Board and business or support units as to whether they are consistent with the institution’s risk appetite. The Risk and Compliance functions recommend improvements to the risk management framework and options to remedy breaches of risk policies, procedures and limits.
The structure of the risk organisation meets banking industry standards and covers all identified relevant risks for Triodos Bank within three main risk categories: Enterprise Risks, Financial Risks and Non-Financial Risks. Each risk category consists of a limited number of risk types (see diagram below).
The essence of Triodos Bank's mission and business model supports the mitigation of its risks. In addition, the risk management framework promotes that co-workers at all levels share the same risk perspective and apply the formal structures and policies in a unified and congruent manner across the bank. Triodos Bank strives for a risk culture that is both robust and embedded. An environment of open communication and effective challenge, in which decision-making processes encourage a broad range of views and a constructive critical attitude, so that sound and informed decisions can be made, is important to such a culture. Risk-conscious leadership is key in establishing and enhancing the desired risk attitude and behaviour. Leading by example and setting the tone at the top are prerequisites for the aspired risk culture.
The Executive Board has (partly) delegated decision-making authority to the following risk committees at central level:
For Financial Risk, the Central Credit Committee has authority to take decisions on credit risks, both on an individual debtor level and on a credit portfolio level; the Asset & Liability Committee has authority to decide on market risks and liquidity risk;
For Non-financial Risk, the Non-Financial Risk Committee has authority to decide on operational and compliance risk matters. The Group Product Governance Committee has the authority to approve new products and review existing products and the Anti-Money Laundering and Counter-terrorist financing risk Committee oversees the regulatory and associated topics regarding anti-money laundering and counter-terrorist financing risk; and
For Enterprise Risk, the Enterprise Risk Committee has authority to decide on strategic and reputational risk issues.
Each committee is chaired by an Executive Board member or the Director Banking to ensure consistent decision making on material risks within Triodos Bank’s wider strategy.
Business units have local decision-making committees such as a Local Non-Financial Risk Committee and a local Anti-Money Laundering and Counter-terrorist financing risk Committee in place. In addition, the business units that engage in local lending have a Local Credit Committee in place. The processes and mandates for the local decision-making committees are captured in their respective charters.
The Supervisory Board’s Audit and Risk Committee supervises the activities of the Executive Board with respect to the operation and adequacy of internal risk management and control systems. The group heads of Risk and the group director Compliance report directly to the Chief Risk Officer. The head of the Risk function (the CRO) and the head of the compliance function (the group director Compliance), have direct access to the Supervisory Board to raise concerns and escalate issues whenever required.