The risk management and control framework provides reasonable assurance regarding the reliability of financial reporting and the fair presentation of financial statements.
The risk management objective of Triodos Bank is to maintain an environment that supports the bank in pursuing its mission and in realising its strategic objectives. This means providing a structured framework in which the risks inherent in the bank's activities are identified and managed effectively, proportionate to the bank's size and complexity.
The Three Lines of Defence (LoD) model is an organisational risk concept applied across the banking industry and integrated into the internal governance and organisation of Triodos Bank. The concept strengthens Triodos Bank's risk control by consistently assigning and embedding clearly defined risk management roles and responsibilities within the organisation. The rationale behind the three lines concept is that risk management can only be effective when it is embedded and exercised in all constituent parts of the bank. Because risks may, in principle, surface anywhere within the bank, risk awareness must be maintained at all levels throughout the bank. The Risk Management department is not solely responsible for the management of risk: all co-workers share responsibility for risk taking and risk management. The three lines concept offers an effective framework for identifying, and addressing in a timely way, the risks that may jeopardise the realisation of the bank's strategic objectives. This contributes to a sound risk culture in line with Triodos Bank's mission and values.
The first line is primarily responsible for managing the risks it incurs in conducting business activities and operations within its span of control. The first line therefore has the ‘ownership’ of these risks. From a functional area perspective, the first-line responsibilities are shared by the respective functional areas.
The second line consists of the risk management and compliance functions. Both functions are present at local business unit level and at Group level. Whereas the first line exercises ‘risk ownership’, the second line exercises ‘risk control’. The second line supports and facilitates a sound risk management and control framework throughout the bank, oversees the control processes and controls in place at the first line to ensure proper design and effectiveness and actively engages with the first line to jointly enhance the functioning of the risk management and control framework of the bank.
The third line consists of the internal audit function, which provides 'risk assurance' in the form of risk-based, independent and objective assurance, advice and insight to the Executive Board, the Audit and Risk Committee, senior management and managers at Group and business unit level. This is done through a structured and balanced approach of evaluating, reporting and advising on the corporate governance structure, internal control, compliance and risk management functions of the bank.
The risk management and compliance functions provide relevant independent information, analyses and expert judgement on risk exposures, and advise on whether proposals and risk decisions to be made by the Executive Board and by business or support units are consistent with the bank's risk appetite. The risk management and compliance functions recommend improvements to the risk management framework and monitor breaches of risk policies, procedures and limits.
The structure of the risk organisation meets banking industry standards and covers all identified relevant risks for Triodos Bank within three main risk categories: Enterprise Risk, Financial Risk and Non-financial Risk. Each risk category consists of a number of risk types (see diagram below).
The Executive Board has (partly) delegated decision-making authority to the following risk committees at a central level:
for Financial Risk, the Central Credit Committee has authority to take decisions on credit risks, both on an individual debtor level and on a credit portfolio level; the Asset and Liability Committee has authority to decide on market risks and liquidity risk;
for Non-financial Risk, the Non-financial Risk Committee has authority to decide on operational and compliance risk matters. The Group Product Governance Committee has authority to approve new products and review existing products. The Anti-Money Laundering and Countering Terrorist Financing Risk Committee oversees the management of risks arising under the regulatory and associated measures to combat money laundering and the financing of terrorism;
for Enterprise Risk, the Enterprise Risk Committee has authority to decide on strategic, model and reputational risk issues.
Business units have local decision-making committees in place, such as a local Non-financial Risk Committee and a local Anti-Money Laundering and Countering Terrorist Financing Risk Committee. In addition, the business units that engage in local lending have a local Credit Committee in place. The processes and mandates for the local decision-making committees are captured in their respective charters.
The Supervisory Board's Audit and Risk Committee supervises the activities of the Executive Board with respect to the operation and adequacy of the internal risk management and control systems. The Group Heads of Risk and the Group Director Compliance report directly to the Chief Risk Officer. The head of the risk function (the CRO) and the head of the compliance function (the Group Director Compliance) have direct access to the Supervisory Board to raise concerns and escalate issues whenever required.