Risk management

As a financial institution with a European footprint and focus on values-based banking, Triodos Bank is exposed to a variety of risks. These risks are managed through a comprehensive risk management framework, which integrates risk management into strategic planning and daily business activities. This approach ensures that risk management is embedded within the entire bank by identifying, measuring and controlling risks at all levels of the organisation.

Triodos Bank’s risk management function is embedded within the organisation based on the Three Lines Model. Business managers (the first line) are primarily responsible for a sound business and risk approach. They are supported and challenged by risk managers (the second line) with local business knowledge to identify, assess and manage risks. The third line consists of the internal audit function, which provides risk assurance through risk-based independent advice and insight to the Executive Board, Audit and Risk Committee of the Supervisory Board, the Supervisory Board, senior management and managers at Group and business unit level. The risk appetite process allows Triodos Bank’s risk profile to be managed within the defined risk tolerance levels to achieve Triodos Bank's strategic objectives.

Periodically, each business unit performs a strategic risk assessment to identify and manage potential risks that could impede the realisation of business objectives. The results of these assessments are consolidated and used as input for the Executive Board’s own risk assessment. The strategic risk assessment is an integral part of the business plan cycle.

External developments may influence the strategy of the bank and therefore pose a strategic risk. In particular, the Ukraine crisis, which developed over 2022, has been consequential, first and foremost in humanitarian terms, but also because of economic knock-on effects such as rising energy prices and disrupted supply chains, which have led to increasing inflation and interest rates. Our primary attention is on managing these challenges by carefully analysing how Triodos Bank may be impacted and defining the most appropriate management response, based on our mission.

The strategic risk environment forms one of the starting points for determining the corporate strategy, the assessment of the capital and liquidity requirements in relation to the risk appetite and the recovery plan. Business units are assessed on their sensitivity to risks to determine the input for scenarios used to stress test Triodos Bank’s solvency, liquidity and profitability.

Scenario impacts were calculated and assessed in relation to profitability, capital and liquidity. The results evidenced that Triodos Bank's solid capital and liquidity buffers are adequate to absorb unexpected losses.

As a value-based bank, environmental, social and governance (ESG) considerations are shared at all levels of Triodos Bank and are an integral part of its management. ESG-related aspects are taken into account in all day-to-day business decisions. ESG-related risk factors all have their specific characteristics and are captured in internal policies and procedures. Triodos Bank employs strict criteria to ensure the sustainability of its products and services. It employs both positive criteria to ensure it is actively doing good, and negative criteria for exclusion, to ensure it does not do any harm. The positive criteria identify leading businesses and encourage their contributions to a sustainable society. The negative criteria exclude loans and investments in sectors or activities that are damaging to society and the environment.

Triodos Bank’s reputation is a valuable asset, which is vital to its ability to perform its activities and realise its mission. Triodos Bank may be exposed to reputational risk events. Unlike other risk types, reputational risk is not confined to a specific, defined source. Reputational risk may be driven by internal and/or external developments. Such developments may be directly damaging to Triodos Bank's reputation. It is also possible that they trigger further developments (e.g. litigation), which in turn could have an (additional) adverse impact on Triodos Bank's reputation.

An integrated enterprise risk management report presents Triodos Bank's risk profile, regarding all identified risk types, in relation to its risk appetite. The report is an important risk monitoring tool, which also contains analyses on specific risk-type developments and topics. This report is distributed quarterly and discussed with the full Supervisory Board and in more detail with the Audit and Risk Committee.

The Enterprise Risk Committee proposes the risk appetite and monitors the actual risk profile against the risk appetite. The organisation's risk appetite is determined by the Executive Board and approved by the Supervisory Board.

The Executive Board has (partly) delegated decision-making authority to the following risk committees at a central level:

  • For enterprise risk, the Enterprise Risk Committee has authority to decide on strategic, model and reputational risk issues.

  • For financial risk, the Central Credit Committee has authority to take decisions on credit risks, both on an individual debtor level and on a credit portfolio level; the Asset and Liability Committee has authority to decide on market risks and liquidity risk.

  • For non-financial risk, the Non-financial Risk Committee has authority to decide on operational and compliance risk matters. The Group Product Governance Committee has the authority to approve new products and review existing products. The Anti-Money Laundering and Countering Terrorist Financing Risk Committee oversees management of risks related to the regulation and associated measures to combat money laundering and counter the financing of terrorism. The Regulatory Change Committee steers, monitors and takes decisions on regulatory change management to ensure a timely and traceable implementation of regulatory changes across Triodos Bank Group.

The Risk management section of Triodos Bank’s Annual Report provides a description of the main risks related to the strategy of the bank. It includes a description of the design and effectiveness of the internal risk management and control systems for the main risks during the financial year. The developments in the bank's own organisation over the past years, in combination with new regulatory demands and in the context of the external landscape, require the bank to continuously review, assess and adapt its internal organisation and governance structure.

The new Governance Risk & Compliance (GRC) tool implementation is ongoing with the first two processes in place (Business Lending and Know Your Customer). The GRC tool should ensure an increase in data quality by creating standardised risks and controls over the different business units in order to 1) facilitate oversight, 2) increase comparability between the different BUs/OUs and 3) enhance a data-driven way of working.

Fraud risk is a common risk in the financial sector. Triodos Bank performs a yearly systematic integrity risk analysis (SIRA) to assess its vulnerabilities to, among other risks, fraud. Again in 2022, the number of internal fraud cases within Triodos has been relatively low. Controls like internal training and awareness are in place and Triodos Bank has pre- and in-employment procedures. Further controls are in place related to first and second line segregation of duties, controls to detect unauthorised access to internal systems and the four-eyes principle for key controls, as well as governance policies.

The number of incidents has been limited in the last years and the impact minimal. The number of external fraud incidents is higher than the number of internal fraud incidents, as it is with peers in the sector. Triodos has implemented a number of fraud monitoring controls over the past years. The impact of fraud on the annual results is limited. Within Triodos a central KYC and Financial Crime domain has been set up with a Group Director to functionally steer Triodos Bank's policy and practice on financial crime at Group level.
Measures taken for mitigating fraud risk are:
• The periodically executed Risk and Control self-assessments are also focused on mitigating fraud risk (e.g. embedding four-eyes principles in key controls).
• Audit findings might be followed up by Risk and Control self-assessments, if needed, to improve e.g. key controls.
• Periodic testing of key controls (including updating test scripts, if needed).
• Periodic updating of the Key Control Management policy.

Capital and liquidity requirements

Regulators are demanding a more resilient banking sector by strengthening the solvency of banks and introducing strict liquidity requirements developed by the Basel Committee on Banking Supervision. Triodos Bank complies with the capital and liquidity requirements based on the Capital Requirements Regulation.

Triodos Bank’s capital strategy is focusing on a sound and resilient capital base. The quality of capital as well as the solvency rate are important. Triodos Bank aims for a Common Equity Tier 1 capital (CET1) ratio of at least 15%, well above its own internal economic capital adequacy levels, to guarantee a healthy and safe risk profile. In 2021, Triodos Bank issued a subordinated debt instrument (green bond) of EUR 250 million which qualifies as Tier 2 capital in line with prudential regulations. Therefore, of the amount that is used to calculate the total capital ratio, the so-called Own Funds, 82% consists of CET1 and the subordinated debt instrument makes up the remaining part.

Economic capital is the amount of risk capital held to enable the organisation to survive stress events, e.g. resulting from market or credit risks. Economic capital is calculated periodically and supports Triodos Bank’s own view of capital adequacy for the purpose of the yearly Internal Capital Adequacy Assessment Process (ICAAP), which is subject to the supervisory review and evaluation process.

In 2022, the bank’s Tier 1 capital base marginally increased by EUR 21 million to EUR 1,165 million per end of December 2022 due to profit retention. The bank’s CET1 ratio decreased from 17.5% to 17.3% per end of December 2022 due to conscious growth of sustainable lending in our well diversified portfolio. The bank’s TCR decreased from 21.3% to 21.0% per end of December 2022.

The liquidity buffer mainly consists of liquid assets with central banks (55% at the end of 2022) and liquid investments in bonds (close to 37% of total liquidity). There is a small amount of liquidity at sight with commercial banks (3% of total liquidity), mainly for payment services, and some investments (around 1% of total liquidity) are made in cash loans (<1-year maturity) with Dutch and German municipalities. Around 20% of the bond investments are in central government bonds and 80% are invested in regional government and agency bonds. The other bond investments were made in green bonds of corporates and banks for diversification and to optimise risk-return. Due to the change in market interest rates in the UK and the eurozone, the opportunities to invest in bonds have grown. Consequently, the percentage of liquidity at the current account at central banks has decreased from about 70% end-2021 to 55% at the end of 2022.

The liquidity coverage ratio (LCR) and the net stable funding ratio (NSFR) are both well above the minimum limits of Basel III and above our internal limits. More detailed information about Triodos Bank’s approach to risk is included in the Annual Accounts section on Risk management.

Minimum Requirements for own funds and Eligible Liabilities (MREL)

The European Banking Union provides regulation for financial stability and helps build crisis resilience and enhance risk monitoring and assessment. The Banking Union is based on three pillars. The first pillar, the Single Supervisory Mechanism, provides regulation for supervision and amongst others capital and liquidity requirements. The second pillar, the Single Resolution Mechanism, ensures orderly resolution of failing banks. The third pillar, the European Deposit Insurance Scheme, is still under construction and builds on the current system of national deposit guarantee schemes, which have been harmonised to ensure that deposits are protected across the EU up to EUR 100,000 per person and bank.

The second pillar has been translated into the Single Resolution Mechanism Regulation and the Bank Recovery and Resolution Directive. Based on these regulations, De Nederlandsche Bank, in its role as Resolution Authority, decided that Triodos Bank should be resolved after a possible failure. They have informed us about their intention to set requirements and we expect a decision this year.

Compliance and integrity

Triodos Bank has internal policies, rules and procedures to ensure all co-workers (including all management levels and the Executive Board), as well as the members of the Supervisory Board, comply with relevant laws and regulations regarding customers and business partners. In addition, the Compliance department and Internal Audit independently monitor the extent to which Triodos Bank complies with internal policies and procedures.

The external aspects of the Compliance department's role primarily concern oversight on accepting new customers, monitoring financial transactions and preventing money laundering. Internal aspects primarily concern checking private transactions by co-workers, preventing and, where necessary, transparently managing conflicts of interest and safeguarding confidential information. In addition, it is concerned with raising and maintaining awareness of, for example, financial regulations, compliance procedures, fraud and anti-corruption measures, and compliance with good governance standards such as the Dutch Corporate Governance Code.

Triodos Bank's compliance team is led by the MT Compliance and chaired by the Group Director Compliance, who is also the Group Data Protection Officer. Compliance and data protection officers are appointed in every banking entity. The heads of Compliance from all entities form the MT Compliance. The Group Director Compliance reports to the Chief Risk Officer and has an escalation line to the Chair of the Audit and Risk Committee, which supports the independence of the compliance function.

In 2018, De Nederlandsche Bank (DNB) conducted a thematic, sector-wide survey among Dutch banks, focusing on the measures that banks have taken to prevent money laundering and terrorism financing. Following this survey, DNB concluded that Triodos Bank is required to implement enhanced measures concerning customer due diligence and the monitoring of customer transactions.

On 6 March 2019, DNB imposed a formal instruction (aanwijzing) on Triodos Bank N.V. to remedy shortcomings in compliance with provisions of the anti-money laundering and countering the financing of terrorism legislation and with financial supervision laws. Triodos Bank accepted this instruction and implemented mitigating measures. Following the formal instruction, Triodos Bank received an administrative penalty on 14 December 2020 that was paid without delay. In 2022, Triodos Bank finalised its last remedial actions and is awaiting formal closure by DNB, which is expected in 2023.

In 2020, DNB performed an on-site inspection regarding the compliance function. The first purpose was to obtain assurance that the compliance function was sufficiently empowered to provide independent advice and to adopt a challenging role to the first line and to management. The second purpose was to assess whether the management body had an adequate role in overseeing the implementation of a documented compliance framework. Regarding the first purpose, DNB recognised the improvements that were made but concluded that the functioning of the compliance function was not in all aspects sufficiently effective and that the existing improvement plan needed more detailed guidance. Regarding the management oversight, DNB concluded that the management body was not sufficiently involved in overseeing the compliance function.

Based on both findings, a remediation plan was prepared at the beginning of 2021. In 2022, seven out of the nine high-level findings were closed and finalisation is expected end of Q3 2023.

In October 2022, Stichting Certificaathouders Triodos Bank filed with the Enterprise Chamber in Amsterdam a request for an inquiry into the policy and affairs of Triodos Bank. Triodos Bank asked the Enterprise Chamber to reject the request in December 2022. Shortly after finalisation of this Annual Report, the decision by the Enterprise Chamber will probably be announced. Some individual DR holders have decided to pursue legal actions leading to court cases. Refer to the Annual Accounts for more information about this.

Triodos Bank was not involved in any other material legal proceedings or any other further sanctions associated with non-compliance with legislation or regulations in terms of financial supervision, corruption, advertisements, competition, data protection or product liability.

In-Control Statement

The Executive Board is responsible for designing, implementing and maintaining an adequate system for internal controls over financial reporting. Financial reporting is the product of a structured process carried out by various functions and banking entities under the direction and supervision of the financial management of Triodos Bank.

The Executive Board is responsible for the risk management and compliance functions. The risk management function works together with management to develop, embed and monitor adherence to risk policies and procedures involving identification, measurement, assessment, mitigation and monitoring of financial and non-financial risks. The compliance function plays a key role in monitoring Triodos Bank’s adherence to internal policies and external rules and regulations. The adequate functioning of the risk management and compliance functions as part of the internal control system is frequently discussed in the Audit and Risk Committee of the Supervisory Board. It is further supported by Triodos Bank's risk culture as a key element of the bank's risk management framework.

Triodos Bank’s internal audit function provides independent and objective assurance of Triodos Bank’s corporate governance, internal controls, compliance and risk management systems. The Executive Board, under the supervision of the Supervisory Board and its Audit and Risk Committee, is responsible for determining the overall internal audit annual plan and for monitoring the integrity of risk management systems.

The risk management framework is an important element in the in-control statement process (see also Risk management). The continuously changing environment that Triodos Bank operates in requires regular review and updating of its control framework.

The risk management and control structures provide reasonable, but not absolute, assurance regarding the reliability of financial reporting and the fair presentation of Triodos Bank's financial statements.

For more detailed information on the relevant risks for Triodos and the risk appetite, please refer to the risk management chapter in the annual accounts.

Driebergen-Rijsenburg, 15 March 2023

Triodos Bank Executive Board

Jeroen Rijpkema, Chair
Kees van Kalveen
Marjolein Landheer¹
Jacco Minnaar
Nico Kronemeijer

  1. Marjolein Landheer temporarily replaces the current CRO, Carla van der Weerdt, who is recovering from the health impact of long COVID-19.