Internal and External Control

Internal control

Effective and reliable internal control forms the basis for compliance with sound and prudent business practices.

Internal control is a continuous process implemented by the management and other personnel with the aim of providing reasonable assurance of the achievement of targets related to functions, reporting and compliance. It consists of continuous advance guidance and retrospective assurance tasks and functions, which seek to ensure high-quality operations and compliance with guidelines and regulations. These actions apply to all operations, including outsourced services.

At OP Financial Group, OP Cooperative’s Board of Directors confirms the Group-level principles of internal control that all OP Financial Group entities follow.

The aim of internal control at OP Financial Group is to promote and ensure that the key functions:

  • implement the strategy and achieve the goals
  • manage risks and capital adequacy
  • operate effectively and reliably
  • have reliable financial and other reporting
  • comply with instructions and regulations.

Internal control involves all of the internal guidance exercised to ensure that OP Financial Group’s operations are directed towards its targets. It includes all of the operating methods intended to ensure high-quality leadership, risk prevention and management, operational development, the assessment of profitability, accurate reporting and regulatory compliance in operations. Internal control seeks to ensure that the management lays the foundations for high-quality operations.

The roles and responsibilities related to internal control and risk management are arranged into three lines of defence. The first line of defence, the business and centralised functions, are the risk owners. Therefore, they are responsible for compliance with the principles of the confirmed risk management framework – the risk limits and moderate risk appetite – as well as the principles of internal control.

The business is primarily responsible for implementing and monitoring internal control in the processes it owns. The business must perform internal control on an ongoing basis as part of its daily routines, with the aim of ensuring that its operations are in line with the objectives. The business is responsible for ensuring that the reported information is correct and sufficient.

The second line of defence, the functions independent of the business, is responsible for maintaining the internal control framework and for monitoring the implementation of the related policies and procedures. The central cooperative’s Risk Management is responsible for OP Financial Group’s risk management framework, assessment, monitoring and reporting. The central cooperative’s Compliance is responsible for monitoring and ensuring compliance with internal and external rules throughout the organisation, as well as the process for managing compliance risks.

The third line of defence, the central cooperative’s Internal Audit, which is independent of the business and the second line of defence, performs independent internal audit activities directed at governance, risk management and control processes and reports to the Group entities’ boards of directors and other management. Furthermore, external auditors ensure the effectiveness of internal control.

Every line of defence is responsible for the organisation, adequacy and implementation of the internal control of its own activities.

In the central cooperative’s governance, the Audit Committee of the Board of Directors, in particular, has a major role in ensuring that internal control performs effectively and in compliance with regulation. Internal control observations, recommendations given to the business line/division concerned and the progress of the implementation of such recommendations are reported to the Committee on a regular basis.

The board of directors of each OP Financial Group entity is tasked with ensuring that each entity’s internal control is duly organised, taking account of the Group-level internal control principles and the supplementary central cooperative guidelines. Each entity’s managing director and senior management are responsible for ensuring internal control in practice and that duties are duly segregated.

Internal control is complemented by the opportunity for anyone employed by an OP Financial Group entity to report through an independent channel if they suspect that rules or regulations have been violated (whistleblowing).


Managing compliance risks forms part of internal control and good corporate governance practices and, as such, is an integral part of business management duties and the corporate culture. Responsibility for regulatory compliance and its supervision within OP Financial Group entities rests with the senior and executive management and all supervisors and managers. In addition, everyone employed by OP Financial Group is responsible, for their part, for regulatory compliance.

The Compliance function assists senior and executive management and business lines/divisions in the management of risks associated with regulatory non-compliance, supervises regulatory compliance and, for its part, develops internal control further. Guidelines, advice and support concerning compliance within OP Financial Group are the responsibility of the central cooperative’s Compliance organisation, which is independent of business lines/divisions. Compliance ensures that regulations are complied with and implemented mainly by performing compliance supervision, by drawing up compliance risk assessments and by participating in the risk assessment of operating models related to new products and services. OP cooperative banks have their own designated compliance officers. In order to ensure that their operations comply with regulations, OP cooperative banks receive support from the central cooperative’s Retail Banking Steering, which is part of the first line of defence. In addition, the central cooperative’s Compliance organisation controls and supports OP cooperative banks’ compliance measures. In some of the business segments, the first line of defence includes a Risk & Compliance Lead organisation that supports regulatory compliance and internal control.

Any observations made within compliance are reported regularly to the business segments, to OP Cooperative’s Executive Management Team and its Steering and Compliance Committee, and to the Risk Committee and Audit Committee of the Board of Directors. In addition, the Compliance function reports compliance matters required by regulation to the boards of directors of the central cooperative consolidated’s major subsidiaries on a quarterly basis, including its key compliance observations, compliance recommendations and the progress in implementing such recommendations.

Risk Management

At OP Financial Group, OP Cooperative’s Board of Directors is the most important decision-making body for duties related to risk management. OP Cooperative’s Supervisory Council confirms the decisions by the Board of Directors that apply to OP Financial Group’s risk appetite. The Risk Committee of the Board of Directors assists the Board of Directors in performing duties related to risk-taking and risk management (for further information, see section 4.7.2). Based on the decision by the President and Group Chief Executive Officer, the Executive Management Team has set up a Risk Management Committee, Steering and Compliance Committee and Banking ALM Committee that approve instructions and policy descriptions specifying the Risk Appetite Statement and the Risk Appetite Framework. Entities’ risk management-related tasks are described in more detail in the entities’ charters.
The bases for the arrangement of OP Financial Group’s risk management prepared by OP Cooperative’s senior management and set by the Board of Directors are as follows:
  • Senior management prepares business divisions’ strategic choices that, in terms of risk-taking, are based on OP Financial Group’s Risk Appetite Statement (RAS) document, confirmed by OP Cooperative’s Supervisory Council. The Risk Appetite Statement outlines and gives grounds for what risks each business unit is ready to take and to what extent. Businesses are obliged to operate within the limits of these restrictions.
  • Senior management decides on the division of responsibilities as regards risk-taking. The Group defines what risks different earnings logics (product and service packages) can take and any potential elaborations on what risks legal entities and various functions can take within the earnings logics.
  • Senior management must ensure the maintenance and development of sufficient resourcing and expertise in internal control functions, including the first, second and third line of defence.
  • The governance structure provides the basis for the fact that the key principles guiding operations and the related policies and operating instructions have been prepared and resolved appropriately and that each activity is assessed and supervised in an appropriate manner in view of its nature, extent and complexity by expert parties that are independent of the business, in addition to monitoring performed by the business concerned.
  • OP Financial Group’s remuneration schemes are built in line with the Group’s mission, values and targets, while ensuring regulatory compliance. Remuneration must not incentivise unnecessary risk-taking or the taking of actions against the customer’s interests. The Compliance and Risk Management functions are involved in the preparation of the remuneration principles, remuneration policy and remuneration schemes, and in the determination of supervisory practices related to remuneration processes.
  • The principles of corporate governance required under joint and several liability define and determine the bank-specific corporate governance of the central cooperative and its member cooperative banks.
  • In addition, the principles of internal control, good corporate governance, good business practices and corporate security set preconditions for practices.

Internal Audit

Internal audit constitutes independent and objective assessment, verification and consulting activities with a view to generating added value to OP Financial Group and improving its operations. The central cooperative’s Internal Audit is responsible for the performance of Group-level, risk-based internal audit in all OP Financial Group entities. Internal Audit is headed by the Chief Audit Executive appointed by OP Cooperative’s Supervisory Council. The Chief Audit Executive reports on the audit activities to the President and Group Chief Executive Officer in administrative terms and to the Audit Committee of OP Cooperative’s Board of Directors in operational terms.

Internal Audit annually draws up an action plan based on the Internal Audit assessment of current risks and significant future risks associated with OP Financial Group’s operations. The action plan and its changes, if any, are discussed by OP Cooperative’s Executive Management Team and the Audit Committee of the Board of Directors and approved by OP Cooperative’s Board of Directors. Internal Audit regularly reports its audit observations and the implementation status of its recommendations to OP Financial Group’s executive and senior management.

In its operations, Internal Audit complies with the Internal Audit Charter confirmed by OP Cooperative’s Board of Directors, and the International Standards for the Professional Practice of Internal Auditing confirmed by the Institute of Internal Auditors (IIA). Internal audit performance is subject to external quality assessment about every five years. 

External control


OP Cooperative has one auditor, which must be a firm of authorised public accountants certified by the Finnish Patent and Registration Office. The auditor also audits the consolidated financial statements as referred to in section 9 of the Act on the Amalgamation of Deposit Banks, i.e. the OP Financial Group’s financial statements. The Cooperative Meeting elects the auditor.
The term of office of the auditor expires upon the closing of the Annual Cooperative Meeting following its election. The Audit Committee of OP Cooperative’s Board of Directors puts audit services out to tender at intervals of about five years, on the basis of which it makes a recommendation to the Board of Directors on the auditor to be appointed. The Board of Directors makes a proposal to the Cooperative Meeting regarding the appointment of an auditor.
The audit firm’s auditors are tasked with auditing the accounting, internal control, accounting policies, management accounting judgements, presentation and structure of the financial statements of OP Financial Group, its entities and sub-groups in order to obtain assurance that the financial statements of the Group and its entities have been prepared in compliance with the rules and regulations in force governing the preparation of financial statements, and that they give OP Cooperative’s members and other stakeholders a true and fair view of the financial position, financial performance and cash flows of the Group. In addition, the auditors regularly issue other statements on the basis of specific regulation applicable to the sector. 
The Audit Committee of the Board of Directors deals with and assesses matters related to audit and auditors:
  • by regularly consulting the auditor
  • by discussing and assessing the audit plan, auditor’s reports and other relevant reports issued by the auditor
  • by monitoring and assessing audits
  • by assessing the auditor’s independence of mind
  • by assessing the provision of non-audit (ancillary) services and monitoring their use
  • by approving special assignments given to the auditor.
KPMG Oy Ab, an audit firm, has acted as OP Cooperative’s auditor since 2002, with authorised public accountant Juha-Pekka Mylén as the Chief Auditor since 2019. KPMG Oy Ab acts as the auditor of entities belonging to OP Cooperative Consolidated, or the central cooperative consolidated, with auditors appointed by KPMG Oy Ab acting as chief auditors. PricewaterhouseCoopers, an audit firm, also acts as auditor of OP Financial Group member cooperative banks, in addition to KPMG Oy Ab.
OP Cooperative Consolidated has used KPMG Oy Ab’s advisory services in fields such as comfort letters for bond programmes, restructuring arrangements and tax services and counselling.
Audit fees for statutory audit are based on an annual plan.
In 2022, audit fees paid to auditors totalled EUR 3.4 million (3.0), whereas assignments as referred to in chapter 1, section 1(1)(2) of the Auditing Act totalled EUR 0.1 million (0.2), fees for tax advisory services EUR 0.2 million (0.3) and fees for other services EUR 1.1 million (1.0). Non-audit services provided by KPMG Oy Ab to OP Financial Group entities totalled EUR 1.3 million (1.3) (excl. VAT). The corresponding figures for 2021 are shown in brackets.

Control within the amalgamation of deposit banks

The amalgamation of deposit banks is formed by OP Cooperative (the central cooperative), companies belonging to its consolidation group, the central cooperative’s member credit institutions and companies belonging to the consolidation groups of such institutions, as well as credit institutions, financial institutions and service companies in which the aforementioned institutions jointly hold more than half of the voting rights. OP Cooperative controls the amalgamation’s operations and provides the companies within the amalgamation with guidelines for risk management, good corporate governance and internal control with the aim of safeguarding their liquidity and capital adequacy. The central cooperative may also confirm general principles to be followed by the member credit institutions in operations relevant to the amalgamation.
In addition, OP Cooperative supervises the amalgamation entities in the manner referred to in the Act on the Amalgamation of Deposit Banks.

Regulatory supervision 

OP Financial Group as a credit institution is supervised by the European Central Bank (ECB). The Finnish Financial Supervisory Authority oversees OP Financial Group’s investment firms and insurance companies in Finland as prescribed in legislation governing financial and insurance markets. OP Financial Group’s operations in Estonia, Latvia and Lithuania are supervised to an applicable extent by the national regulators.