Ihmisiä palaverissa pöydän ympärillä.

Internal and External Control

Internal control

Effective and reliable internal control forms the basis for compliance with sound and prudent business practices.

Internal control refers to procedures or practices within an organisation to ensure that the organisation achieves the targets set in the strategy, uses resources economically and that the information in support of management decisions is reliable. Internal control also ensures that risk management, custody of client assets and protection of property is adequately arranged. Conformance to regulations and approved ethical principles, too, are ensured through internal control.

The central cooperative’s Supervisory Board has confirmed the Group-level principles of internal control that all OP Financial Group entities follow.

Internal controls cover all operations, involving all OP Financial Group entities and sites. The nature and extent of operations and, whenever necessary, special characteristics related to international operations are taken into consideration in specifying internal controls. Internal control covers all organisational levels. Internal control in its most extensive form primarily takes place at the operational level, where internal control is continuous and forms part of daily activities.

Internal control is complemented by the opportunity of anyone employed by OP Financial Group to report through an independent channel if they suspect that rules or regulations have been violated (whistleblowing).

OP Financial Group has separate and independent Compliance, Risk Management and Internal Audit functions that support other functions and their activities by providing independent supervision and ensuring effective supervision in accordance with risk management’s three lines of defence.

Sisa¦êinen ja ulkoinen valvonta infografiikka_EN.svg

The board of directors of each OP Financial Group entity is tasked with ensuring that each entity’s internal control is duly organised, taking account of the Group-level internal control principles and the supplementary central cooperative guidelines. Each entity’s managing director and executive management are responsible for ensuring internal control in practice and that duties are duly segregated.

The centralised Compliance organisation, Risk Management and Finance and Treasury functions assist Group entities in ensuring the effectiveness of their internal control. Furthermore, Internal Audit and external auditors ensure the effectiveness of internal control.

The Board of Directors' Audit Committee, in particular, has a major role in ensuring that internal control performs effectively and in compliance with regulation. Internal control observations, recommendations given to the business line/division concerned and the progress of the implementation of such recommendations are reported to the Committee on a regular basis.

Internal Audit

Internal audit constitutes independent and objective assessment, verification and consulting activities with a view to generating added value to OP Financial Group and improving its operations. Internal Audit has been organised to correspond to business organisations and is responsible for the performance of Group-level, risk-based internal audit in all OP Financial Group entities. Internal Audit is headed by the Chief Audit Executive appointed by OP Cooperative’s Supervisory Board.

The Board of Directors' Audit Committee adopts the Internal Audit action plan. Internal Audit regularly reports its observations and recommendations as well as the implementation of the recommendations to the Audit Committee of OP Cooperative’s Board of Directors, to OP Cooperative’s Executive Management Team, to the management of the auditable entity and to the functions’ management teams.

In its operations, Internal Audit complies with the Internal Audit Charter confirmed by the Supervisory Board in June 2019, and the International Standards for the Professional Practice of Internal Auditing confirmed by the Institute of Internal Auditors (IIA). Internal audit performance is subject to external quality assessment about every five years.


Managing compliance risks forms part of internal control and good corporate governance practices and, as such, an integral part of business management duties and the corporate culture. Responsibility for regulatory compliance and its supervision within OP Financial Group entities rests with the senior and executive management and all supervisors and managers. In addition, everyone employed by OP Financial Group is responsible for their part for regulatory compliance.

The Compliance function assists senior management and executive management and business lines/divisions in the management of risks associated with regulatory non-compliance, supervises regulatory compliance and, for its part, develops internal control further. Guidelines, advice and support concerning compliance within OP Financial Group are the responsibility of the central cooperative’s Compliance organisation that is independent of business lines/divisions. Compliance ensures that regulations are complied with and implemented mainly by means of control and risk assessments of new procedures. OP cooperative banks have their own designated compliance officers. In order to ensure that their operations comply with regulations, OP cooperative banks receive support from the central cooperative’s Retail Banking Steering, which is part of the first line of defence. In addition, the central cooperative’s Compliance organisation controls and supports OP cooperative banks’ compliance measures.

Any observations made within compliance are reported regularly to the business segments, to OP Cooperative’s Executive Management Team and its Steering and Compliance Committee, and to the Board of Directors' Risk and Audit Committees. In addition, the Compliance function reports its key compliance observations to the boards of directors of the central cooperative consolidated’s major subsidiaries on a quarterly basis.

Risk Management

OP Financial Group's operations are based on cooperative values, a strong capital base and capable risk management. Risk-taking is guided by OP Financial Group’s values – People First, Responsibility and Succeeding Together.

The Risk Appetite Statement confirmed by the central cooperative’s Supervisory Board describes the bases and key principles of risk-taking. Together with the strategy, the Risk Appetite Statement provides the bases for the goal-setting of the businesses. OP Financial Group’s risk appetite determines what risks and risks associated with which operations we are ready to take when carrying out our mission within the framework of our strategic targets. In order for the Group companies to be able to operate in accordance with our risk appetite, they must have sufficient risk-bearing capacity, which comprises risk capacity and risk-taking capacity. The majority of the Group’s profits come from customer business and the earnings risks taken and priced in this context. OP Financial Group mainly takes risks related to the carrying out of its mission. The level of risk-taking related to other operations to generate earnings is kept low or temporary.

OP Financial Group’s significant business risks include credit risks, liquidity risks, market risks, insurance risks, counterparty risks, concentration risks, risks associated with future business, and operational risks associated with all business operations, including model risks, compliance risks, reputational risks and risks associated with strategic choices and the implementation of the strategy. OP Financial Group has a policy of moderate risk-taking. The limits and tolerances for risk-taking guide risk-taking and keep it in line with the Risk Appetite Statement.

The objective of the risk management process is to secure OP Financial Group's and its companies' sufficient risk-bearing capacity and to ensure that any business risks taken do not threaten profitability, capital adequacy, liquidity or the achievement of strategic targets and thereby to secure business continuity. Risk management has been integrated as part of the Group’s business and management, constituting a coherent risk management process.

The risk management process contains the following:

  • The steering framework prepared and maintained by independent Risk Management
  • Risk management of operational business
  • Internal control performed by Risk Management.

External control


OP Cooperative has one auditor, which must be a firm of authorised public accountants certified by the Finnish Patent and Registration Office. The auditor shall also audit the consolidated financial statements as referred to in section 9 of the Act on the Amalgamation of Deposit Banks, i.e. the OP Financial Group’s financial statements. The Cooperative Meeting shall elect the auditor.

The term of office of the auditor expires upon the closing of the Annual Cooperative Meeting following its election. The Audit Committee of OP Cooperative’s Supervisory Board puts audit services out to tender at some five years’ interval (last time in 2018), on the basis of which it proposes eligible auditors to the Annual Cooperative Meeting.

The auditors are tasked with auditing the accounting, internal control, accounting policies, management accounting judgements, presentation and structure of the financial statements of OP Financial Group, its entities and sub-groups in order to obtain assurance that the financial statements of the Group and its entities have been prepared in compliance with the rules and regulations in force governing the preparation of financial statements and give OP Cooperative’s shareholders and other stakeholders a true and fair view of the financial position, financial performance and cash flows of the Group. In addition, the auditors regularly issue other statements on the basis of specific regulation applicable to the sector. The Audit Committee of the Board of Directors annually assesses the quality of the auditor’s performance and ancillary services, the independence of auditors and the statement of the ancillary services.

Control within the amalgamation of OP Financial Group cooperative banks

The amalgamation comprises OP Cooperative as the central cooperative together with its member credit institutions and financial institutions and service companies over which they exercise control. OP Cooperative controls the amalgamation’s operations and provides the companies within the amalgamation with guidelines for risk management, good corporate governance and internal control with the aim of safeguarding their liquidity and capital adequacy. The central cooperative may also confirm general principles to be followed by the member credit institutions in operations relevant to the amalgamation.

In addition, the central cooperative supervises its member credit institutions in the manner as referred to in the Act on the Amalgamation of Deposit Banks.

Regulatory supervision

OP Financial Group as a credit institution is supervised by the European Central Bank (ECB). The Finnish Financial Supervisory Authority oversees OP Financial Group’s investment firms and insurance companies in Finland as prescribed in legislation governing financial and insurance markets. OP Financial Group’s operations in Estonia, Latvia and Lithuania are supervised to an applicable extent by the national regulators.