Risk statement
The risk management and control framework provides reasonable assurance regarding the reliability of financial reporting and the fair presentation of financial statements.
Objective
The risk management objective of Triodos Bank is to maintain an environment that supports the bank in pursuing its mission and in realising its strategic objectives. This implies that a structural context is provided to effectively identify and manage the risks inherent in the bank’s activities, proportionate to its size and complexity.
The Three Lines Model
The Three Lines Model is an industry-wide organisational risk concept that is integrated in the internal governance and organisation of Triodos Bank. The concept strengthens Triodos Bank’s risk control by consistently assigning and embedding clearly defined risk management roles and responsibilities within the organisation. The rationale behind the three lines concept is that risk management can only be effective when it is embedded and exercised in all constituent parts of the bank. Because risks may, in principle, surface and manifest themselves anywhere within the bank, risk awareness is to be maintained at all levels throughout the bank. The risk function is not solely responsible for the management of risk. All co-workers share responsibility for risk taking and risk management. The three lines concept offers an effective framework to identify and adequately address, in a timely way, the risks that may jeopardise the realisation of the bank’s strategic objectives. This contributes to a sound risk culture in line with Triodos Bank’s mission and values.
The first line is primarily responsible for managing the risks it incurs in conducting business activities and operations within its span of control. The first line therefore has the ‘ownership’ of these risks. From a functional area perspective, first-line responsibilities are shared by the respective functional areas.
The second line consists of the risk management and compliance functions. Both functions are present at local business unit level and at Group level. Whereas the first line exercises ‘risk ownership’, the second line exercises ‘risk oversight’. The second line supports and facilitates a sound risk management and control framework throughout the bank, oversees the control processes and controls in place at the first line to ensure proper design and effectiveness and actively engages with the first line to jointly enhance the functioning of the risk management and control framework of the bank.
The third line consists of the internal audit function, which provides ‘risk assurance’ by providing risk-based independent and objective assurance, advice and insight to the Executive Board, Supervisory Board, senior management and managers at Group and business unit level. This is done by a structured and balanced approach of evaluation, reporting and advising regarding the corporate governance structure, internal control, compliance and risk management functions of the bank.
Risk organisation
The risk management and compliance functions provide relevant independent information, analyses and expert judgement on risk exposures, and advise on whether proposals and risk decisions to be made by the Executive Board and the business or support units are consistent with the institution’s risk appetite. The risk management and compliance functions recommend improvements to the risk management framework and monitor breaches of risk policies, procedures and limits.
The structure of the risk organisation meets banking industry standards and covers all identified relevant risks for Triodos Bank within three main risk categories: enterprise risk, financial risk and non-financial risk. Each risk category consists of a number of risk types (see diagram below).

The Executive Board has (partly) delegated decision-making authority to the following risk committees at a central level:
for enterprise risk, the Enterprise Risk Committee has authority to decide on strategic, model and reputational risk issues;
for financial risk, the Central Credit Committee has authority to take decisions on credit risks, both on an individual debtor level and on a credit portfolio level; the Asset and Liability Committee has authority to decide on market risks and liquidity risk;
for non-financial risk, the Non-financial Risk Committee has authority to decide on operational and compliance risk matters. The Group Product Governance Committee has the authority to approve new products and review existing products. The Anti-Money Laundering and Countering Terrorist Financing Risk Committee oversees management of risks related to the regulation and associated measures to combat money laundering and counter the financing of terrorism. The Regulatory Change Committee steers, monitors and takes decisions on regulatory change management to ensure a timely and traceable implementation of regulatory changes across Triodos Bank Group.
Business units have local decision-making committees in place, such as a local Non-financial Risk Committee and a local Anti-Money Laundering and Countering Terrorist Financing Risk Committee. In addition, the business units that engage in local lending have a local Credit Committee in place. The processes and mandates for the local decision-making committees are captured in their respective charters.
The Supervisory Board’s Audit and Risk Committee supervises the activities of the Executive Board with respect to the operation and adequacy of internal risk management and control systems. The task of the Audit and Risk Committee is to prepare the discussions and decision-making of the Supervisory Board on financial reporting, audit issues and risk management. The (entire) Supervisory Board remains responsible for decisions prepared by the Audit and Risk Committee. The Audit and Risk Committee consists of at least three members of the Supervisory Board, appointed by the Supervisory Board. Members of this Committee are Sebastien D’Hondt (Chair), Danielle Melis and Susanne Hannestad. The Audit and Risk Committee met eight times in 2022. The Group Directors of Risk and the Group Director Compliance report directly to the Chief Risk Officer. The head of the risk function (the CRO) and the head of the compliance function (the Group Director Compliance), have direct access to the Supervisory Board to raise concerns and escalate issues whenever required.
Risk culture
Risk mitigation is an essential component of Triodos Bank's mission and business model. In addition, the risk management framework ensures co-workers at all levels have the same risk perspective and that formal structures and policies are addressed in a unified and congruent manner across the bank. Triodos Bank strives for a risk culture that is both robust and embedded. An environment of open communication and effective challenge, in which decision-making processes encourage a broad range of views and a constructive critical attitude such that sound and informed decisions can be made, is important to such a culture. Risk-conscious leadership is key to establishing and enhancing the risk attitude and behaviour. Leading by example and setting the tone at the top are prerequisites for the aspired risk culture.