Non-financial risk includes all the risks faced in Triodos Bank’s regular activities and processes, that are not categorised as enterprise risk or financial risk. Triodos Bank has subdivided non-financial risk into operational risk and compliance risk. Monitoring these risks is particularly important to ensure that Triodos Bank can continue to offer quality financial services to its stakeholders.
Operational risks relate to losses that Triodos Bank could incur as a result of inadequate or failing internal processes, systems, human behaviour or external events. Triodos Bank limits these risks with clear policies, procedures and controls for all business processes.
Operational risk management (ORM) consists of identifying, managing and monitoring the risks within several subcategories including information security, business continuity, tax risk and financial reporting risk.
Activities to manage risks related to these subjects are, from a second-line perspective, executed under the responsibility of the Chief Risk Officer (CRO) in line with the ORM framework. At Triodos Bank Head Office, the Group Head of ORM reports to the CRO. The Group risk management function is mirrored locally in each business unit. At business unit level, the local Head of ORM reports hierarchically to the local Head of Risk and functionally to the Group Head of ORM. The local Head of Risk reports hierarchically to the Managing Director and functionally to the Chief Risk Officer.
The Non-financial Risk Committee is a Group-level decision-making risk committee delegated by the Executive Board (EB) to take decisions related to the non-financial risk profile and mitigating measures. For the non-financial risk appetite itself, the EB remains the final decision-making body. The committee meets both locally and at Group level on a monthly basis. In 2022, the appetite levels of the non-financial key risk indicators were reviewed, updated and cascaded to the business units.
The ORM framework follows the principles set out by the Bank for International Settlements in 'Sound Practices for the Management and Supervision of Operational Risk', which provides guidelines for the qualitative implementation of ORM.
The ORM framework uses several tools and technologies to identify, measure and monitor risks, and it monitors the level of control at an operational, tactical and strategic level. In 2022, control testing and key control management measures were extended to support the monitoring of the control objectives related to the deposit guarantee scheme. The ORM department performs analyses on a continuous basis according to a risk event management process and maintains strong reporting and communication lines between the local Operational Risk departments and Group ORM.
The In-Control Statement framework describes the methodology and process for achieving the objective of demonstrating control. Beyond the ability to demonstrate control, the bank recognises and appreciates the inherent value of performing the control assessments and processes underlying the actual In-Control Statement, such as the conversation on how to further improve the control of risks in relevant processes and value chains.
The In-Control Statement (ICS) methodology adopted by Triodos Bank originates from the COSO framework, the most widely adopted control framework. The COSO control components, as embodied in the ‘key responsibilities’ of each role description, form the basis for the control assessment(s) within Triodos Bank. Depending on the role, specific control components may be emphasised more than others. The control components ‘risk assessment’ (risk identification) and ‘control activities’ (risk mitigation) play a predominant role in the control framework of the bank.
Cyber threats are considered to be at a high level in the financial sector. Triodos Bank performs periodic cyber-threat assessments and risk self-assessments to determine the adequacy of its information security strategy and to further strengthen its security controls. The information security management system is set up in line with the European Banking Authority (EBA) Guidelines on ICT and security risk management. A Security Operations Centre (SOC) detects and responds to cyber-security events. The roll-out of a security awareness and behaviour programme in all business units supports co-worker security awareness. As part of ICT and security management, Triodos Bank performs the periodic Threat Intelligence-Based Ethical Red Teaming (TIBER) test, in which a red team simulates the tactics of real attackers against the bank's live systems on the basis of a threat intelligence report. The IT risk management process is fully aligned with the operational risk management framework, and key controls are defined and tested accordingly.
Business continuity management (BCM) is the management process that identifies potential threats to business processes of Triodos Bank and the impact on business operations if those threats materialise. BCM provides a framework for building organisational resilience by developing an effective preparation and response capability that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities in case identified threats occur. The purpose of BCM is to ensure that Triodos Bank’s critical processes can be maintained or recovered in a timely way after a disruption or incident, to minimise negative personal, operational, financial, legal and/or reputational impact. Within the Risk Management framework, the governance of the BCM process is described in the Group BCM policy. The policy is written in line with the applicable regulations and guidelines.
Triodos Bank is subject to international tax risks due to its operations in a number of Western European countries. The local tax risks are managed by the respective local Triodos Bank business units in close cooperation with the Tax department at Group level. Triodos Investment Management investment funds operate worldwide. All tax-risk-related issues are handled by a dedicated tax department in close cooperation with Group Tax.
Triodos Bank performs a yearly Systematic Integrity Risk Analysis (SIRA) to assess its vulnerabilities to, amongst others, fraud.
The number of internal fraud incidents within Triodos is relatively low. Controls such as internal training and awareness are in place, and Triodos applies pre-employment and in-employment screening procedures, resulting in a low-risk culture in relation to fraud. The number of incidents has been limited in recent years and their impact minimal.
External fraud is much more common, as it is for peers in the sector. Triodos has implemented a number of additional fraud monitoring controls over the past years. More specifically, the number of (generic) rules for recognising social engineering attacks has increased significantly in recent years. In addition, there have been adjustments at the product level to mitigate fraud risk. For instance, the default online payment limits have been decreased and the delay that applies after a limit adjustment has been deliberately lengthened. Moreover, the information on our secure banking webpage has been updated, further expanded, made more easily available and better explained in short videos. Lastly, we invested more in warning our customers specifically about fraud attacks.
The impact of fraud on the annual results is limited. Within Triodos, a central KYC and Financial Crime domain has been set up with a Group Director to functionally steer Triodos Bank's policy and practice on financial crime at Group level.
Triodos Bank is subject to financial reporting risk which relates to interpretation of regulations, data quality and estimations and assumptions applied as disclosed in the financial statements. Triodos Bank is continuously improving its reporting and the risk and control frameworks surrounding the reporting processes. Projects and improvement programmes have been set up to ensure effective and efficient usage and analysis of data to support its decision-making processes.
Triodos Bank defines compliance risk as the risk of legal or regulatory sanctions, material financial loss or loss of reputation that Triodos Bank may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory standards and codes of conduct applicable to its banking activities. Internal policies, procedures and awareness activities are in place to ensure that co-workers in all functions comply with relevant laws and regulations.
The compliance function independently monitors and challenges the extent to which Triodos Bank complies with laws, regulations and internal policies, with an emphasis on customer due diligence, anti-money laundering, treating customers fairly, preventing and managing conflicts of interest, data protection and the integrity of co-workers.
Triodos Bank has a Group compliance team, which is led by the MT Compliance, chaired by the Group Director Compliance, who is also the Group Data Protection Officer. Compliance Officers and Data Protection Officers are appointed in every banking business unit, with a functional line to the central Compliance department. The Heads of Compliance from all entities form the MT Compliance. The Group Director Compliance reports to the Chief Risk Officer. An escalation line to the Chair of the Audit and Risk Committee supports the independence of the compliance function.
Triodos Bank aims to serve the interests of all stakeholders by actively fulfilling its role as a gatekeeper in the financial system and by countering money laundering and terrorism financing. The bank applies various procedures and measures in this respect.
In October 2022, Stichting Certificaathouders Triodos Bank filed a request with the Enterprise Chamber in Amsterdam for an inquiry into the policy and affairs of Triodos Bank. In December 2022, Triodos Bank asked the Enterprise Chamber to reject the request. The Enterprise Chamber's decision is expected to be announced shortly after the finalisation of this Annual Report. Some individual DR holders have decided to pursue legal action, leading to court cases. We refer to the Annual Accounts for more information on this.
Triodos Bank was not involved in any other material legal proceedings or any other further sanctions associated with non-compliance with legislation or regulations in terms of financial supervision, corruption, advertisements, competition, data protection or product liability.