Non-financial risk includes all the risks faced in Triodos Bank’s regular activities and processes that are not categorised as enterprise risk or financial risk. Triodos Bank has subdivided non-financial risk into operational risk and compliance risk. Monitoring these risks is particularly important to ensure that Triodos Bank can continue to offer quality financial services to its stakeholders.
Operational risks relate to losses that Triodos Bank could incur as a result of inadequate or failing internal processes, systems, human behaviour or external events. Triodos Bank limits these risks with clear policies, procedures and controls for all business processes.
Operational Risk Management (ORM) consists of identifying, managing and monitoring the risks within several subcategories including information security, business continuity, tax risk and financial reporting risk.
Activities to manage risks related to these subjects are, from a second-line perspective, executed under the responsibility of the Chief Risk Officer (CRO) in line with the ORM Framework. At Triodos Bank Head Office, the Group Head of ORM reports to the CRO. The Group risk management function is mirrored locally in each business unit. At business unit level, the local Head of ORM reports hierarchically to the local Head of Risk and functionally to the Group Head of ORM. The local Head of Risk reports hierarchically to the Managing Director and functionally to the Chief Risk Officer.
The Non-financial Risk Committee is a Group-level decision-making risk committee delegated by the Executive Board to take decisions on the non-financial risk appetite and other non-financial risk aspects (including compliance). This committee meets both locally and at a Group level on a monthly basis. In 2021, the non-financial risk appetite key risk indicators were reviewed, updated and cascaded to the business units.
The ORM Framework follows the principles set out by the Bank for International Settlements in Sound Practices for the Management and Supervision of Operational Risk, which provides guidelines for the qualitative implementation of ORM.
The ORM policy framework includes:
The ORM Framework, which describes guiding principles for the management of operational risk within Triodos Bank.
The Non-financial Scenario Analysis policy describes the methodology of the ORM instrument ‘Scenario Analysis’ within Triodos Bank.
The Risk and Control Self-Assessment (RCSA) policy formalises and explains the definition and positioning of the RCSA methodology within Triodos Bank.
The Key Control Management policy formalises positioning of key controls and the management of these key controls within Triodos Bank. This includes the identification of key controls, and the testing, reviewing and evaluation of their effectiveness.
The Non-financial Risk Acceptance and Waiver policy describes the process of waiving policy implementations as well as the process of accepting risks for which it has been decided that it is not feasible to avoid, transfer or mitigate the risk to a low residual risk.
The Operational Risk Event Management policy describes how risk events are managed, captured and reported within Triodos Bank.
The Action Tracking policy describes action tracking as an ORM instrument that aims to mitigate identified risks within Triodos Bank.
The ORM Framework uses several tools and technologies to identify, measure and monitor risks and monitors the level of control on an operational, tactical and strategic level. In 2021, control testing and key control management measures were extended to support the monitoring of the deposit guarantee scheme related control objectives. The ORM department performs analyses on a continuous basis according to a risk event management process and maintains strong reporting and communication lines between local Operational Risk departments and Group ORM.
Cyber threats are considered to be at a high level in the financial sector. Triodos Bank performs periodic cyber threat assessments and risk self-assessments to determine the adequacy of its information security strategy and to further strengthen its security controls. The information security management system is set up in line with the European Banking Authority (EBA) Guidelines on ICT and security risk management. A Security Operations Centre (SOC) detects and responds to cyber security events. The roll-out of a security awareness and behaviour programme in all business units supports co-worker security awareness. Triodos Bank performs the periodic threat intelligence-based ethical red teaming (TIBER) test as part of ICT and security management. The IT risk management process is fully aligned with the operational risk management framework. Key controls are defined and tested accordingly.
Business continuity management (BCM) is the management process that identifies potential threats to the business processes of Triodos Bank and the impact on business operations if those threats materialise. BCM provides a framework for building organisational resilience by developing an effective preparation and response capability that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities in case identified threats occur. The purpose of BCM is to ensure that Triodos Bank’s critical processes can be maintained or recovered in a timely way after a disruption or incident, to minimise negative personal, operational, financial, legal and/or reputational impact. Within the Risk Management Framework, the governance of the BCM process is described in the Group BCM policy. The policy is written in line with the applicable regulations and guidelines.
Triodos Bank is subject to international tax risks due to its operations in a number of West-European countries. The local tax risks are managed by the respective local Triodos Bank business units, in close cooperation with the tax department at Group level. Triodos Investment Management operates worldwide with its investment funds. All tax risk-related issues are handled by a dedicated tax department in close cooperation with Group Tax.
Fraud risk is a common risk in the financial sector. Triodos Bank performs a yearly Systematic Integrity Risk Analysis (SIRA) to assess its vulnerabilities to, amongst others, fraud. Internal fraud within Triodos is relatively low compared to the sector. Controls like internal training and awareness are in place, and Triodos has pre- and in-employment procedures, resulting in a low-risk culture in relation to fraud. The number of incidents has been limited in recent years and the impact minimal. External fraud is much more common, as it is for peers in the sector. Triodos has implemented a number of fraud monitoring controls over the past years. In 2021, a major step was taken by implementing the stop payment functionality in Triodos Bank Netherlands. The impact of fraud on the annual results is limited. Within Triodos Bank a central KYC and Fraud domain has been set up with a Group Director to functionally steer the Triodos Bank policy and practice on financial crime at Group level.
Triodos Bank is subject to financial reporting risk, which relates to the interpretation of regulations, data quality, and the estimations and assumptions applied as disclosed in the financial statements. Triodos Bank is continuously improving its reporting and the risk and control frameworks surrounding the reporting processes. Projects and improvement programmes have been set up to ensure effective and efficient usage and analysis of data to support its decision-making processes.
Triodos Bank defines compliance risk as the risk of legal or regulatory sanctions, material financial loss or loss to reputation that Triodos Bank may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory standards, and codes of conduct applicable to its banking activities. Internal policies, procedures and awareness activities are in place to guarantee that co-workers in all functions comply with relevant laws and regulations.
The compliance function independently monitors and challenges the extent to which Triodos Bank complies with laws, regulations and internal policies, with an emphasis on customer due diligence, anti-money laundering, treating customers fairly, preventing and managing conflicts of interest, data protection and the integrity of co-workers.
Triodos Bank has a Group compliance team which is led by the Group Director Compliance, who is also the Group Data Protection officer. Compliance officers and Data Protection officers are appointed in every banking business unit with a functional line to the central Compliance department. The Group Director Compliance reports to the CRO. An escalation line to the Chair of the Audit and Risk Committee supports the independence of the compliance function.
Triodos Bank aims to serve the interests of all stakeholders by actively fulfilling its role as a gatekeeper in the financial system and by countering money laundering and terrorism financing. The bank applies various procedures and measures in this respect.
In 2018, De Nederlandsche Bank (DNB) conducted a thematic, sector-wide survey among Dutch banks, focusing on the measures that the banks have taken to prevent money laundering and terrorism financing. Following this survey, DNB concluded that Triodos Bank is required to implement enhanced measures concerning customer due diligence and monitoring of customer transactions. On 6 March 2019, DNB imposed a formal instruction (aanwijzing) on Triodos Bank N.V. to remedy shortcomings in compliance with provisions of the anti-money laundering and countering the financing of terrorism legislation and with financial supervision laws. Triodos Bank accepted this instruction and implemented mitigating measures. Following the formal instruction Triodos Bank received an administrative penalty on 14 December 2020 that was paid without delay.
In 2020, DNB performed an on-site inspection regarding the compliance function. The first purpose was to obtain assurance that the compliance function is sufficiently empowered to provide independent advice to, and assume a challenging role towards, the first line and management. The second purpose was to assess whether the management body has an adequate role in overseeing the implementation of a documented compliance framework. Regarding the first purpose, DNB recognised the improvements that were made but concluded that the functioning of the compliance function is not in all aspects sufficiently effective and that the existing improvement plan needs more detailed guidance. Regarding the management oversight, DNB concluded that the management body is not sufficiently involved in overseeing the compliance function.
Based on both findings a remediation plan was prepared at the beginning of 2021 and progress with the remediation of the findings is on track.
Triodos Bank was not involved in any other material legal proceedings or any other further sanctions associated with non-compliance with legislation or regulations in terms of financial supervision, corruption, advertisements, competition, data protection or product liability.