Effective and reliable internal control forms the basis for compliance with sound and prudent business practices.
Internal control refers to procedures or practices within an organisation to ensure that the organisation achieves the targets set in the strategy, uses resources economically and that the information in support of management decisions is reliable. Internal control also ensures that risk management, custody of client assets and protection of property is adequately arranged. Conformance to regulations and approved ethical principles, too, are ensured through internal control.
The central cooperative’s Supervisory Board confirms the Group-level principles of internal control that all OP Financial Group entities follow. OP Corporate Bank complies with the principles of internal control adopted by the central cooperative's Supervisory Board.
Internal controls apply to all operations. The nature and extent of operations and, whenever necessary, special characteristics related to international operations are taken into consideration in specifying internal controls. Internal control covers all organisational levels. Internal control in its most extensive form primarily takes place at the operational level, where internal control is continuous and forms part of daily activities.
Internal control is complemented by the opportunity of anyone employed by OP Financial Group to report through an independent channel if they suspect that rules or regulations have been violated (whistle blowing).
The Board of Directors' role
The Board of Directors is responsible for organising and maintaining adequate and effective internal control. It deals with the guidelines governing OP Financial Group’s internal control, ensures that OP Corporate Bank has an adequate set of guidelines specifying Group-level guidelines, and supervises internal control effectiveness and sufficiency.
Central cooperative consolidated-level risk management and financial reporting are performed in a coordinated way by a function independent of the business lines/divisions. Each Group company’s board of directors is responsible for the top management tasks of the company in question related to internal control. Each Group company’s executive management is responsible for the implementation of internal control and risk management according to the agreed principles and guidelines, and shall regularly report on the company’s business, risk capacity and risk status, in accordance with the Group’s management system.
Compliance activities are tasked with assisting senior management and executive management and business lines/divisions in the management of risks associated with regulatory non-compliance, supervising regulatory compliance and, for its part, developing internal control further. Risk Management, Compliance organisation, Finance and Treasury as well as HR Services are, for their part, in charge of regulatory compliance management.
Almost all activities involve compliance risk, and responsibility for the management of the compliance risks rests with the business lines/divisions. The President and CEO is in charge of the company’s compliance activities. OP Financial Group's Compliance organisation supports the President and CEO. The Group Compliance Officer in charge of the organisation reports to the Supervisory Board (or Supervisory Board committees) and the General Counsel. Compliance activities and the related recommendations issued to the business lines/divisions are subject to regular reporting to OP Corporate Bank plc’s Board of Directors. Compliance activities must also be reported to the Executive Board of the central cooperative consolidated and the Audit Committee of the Supervisory Board as part of OP Financial Group level reporting.
OP Financial Group’s Compliance organisation shall annually draw up a compliance action plan which will be discussed and confirmed by OP Corporate Bank plc’s Board of Directors with respect to the company. The Board of Directors also deals with the principles and instructions governing compliance. OP Financial Group’s Compliance organisation is responsible for advice on and support of Group-level compliance risk management and also controls OP Corporate Bank’s compliance.
Compliance is aimed at preventing the materialisation of compliance risks. For this purpose, the Compliance organisation shall, for example,
prepare and maintain guidelines on key matters related to practices;
advise employees on, and train them in, matters related to practices;
support the business lines/divisions in the planning of development measures promoting internal control and the management of compliance risks;
keep senior and executive management and the business informed of upcoming regulatory changes and monitor the business’s preparation for regulatory changes;
supervise compliance within OP Corporate Bank Group with the current regulatory framework, ethical practices and internal guidelines related to practices; and
regularly report to both senior and executive management on recommendations and the results of control given to the business and other observations related to compliance risk exposure.
OP Financial Group’s core values, strategic goals and financial targets form the basis for OP Corporate Bank’s risk management and capital adequacy management. The purpose of risk management is to identify threats and opportunities affecting strategy implementation. The objective is to help achieve the targets set in the strategy by controlling that risks taken are proportional to risk capacity. Risk capacity is made up of effective risk management that is proportionate to the extent and complexity of operations and of adequate capital resources and liquidity based on profitable business operations. OP Corporate Bank adopts a policy of moderate risk-taking and its business operations are based on a reasoned risk/return approach. Risk management has been integrated as part of OP Corporate Bank Group’s business and management.
OP Financial Group’s principles governing the Risk-taking System and the Risk Appetite Framework, adopted by OP Cooperative’s Supervisory Board, define how the Group’s risk-taking is controlled, restricted and supervised and how the risk management and internal capital adequacy assessment process is organised.
OP Financial Group's risk policy controls OP Corporate Bank's risk-taking. In the risk policy, the central cooperative's Executive Board confirms annually risk-management principles, actions, objectives and limits, to be applied by Group entities, that are used to guide business to implement the policies confirmed in the Group's strategy and the principles of the Risk Appetite Framework (RAF). In addition, Non-life Insurance is guided by non-life insurance guidelines, reinsurance principles, investment plans and the policy governing hedging against interest rate risk associated with insurance liabilities.
The significant risks of OP Corporate Bank Group include credit risks, market risks, liquidity risks, underwriting risks, concentration risks and strategic, reputational and operational risks, including compliance risk associated with all business operations.
More detailed information on significant risks can be found in OP Corporate Bank Group’s most recent Report by the Board of Directors and Financial Statements (see www.op.fi OP Financial Group > To the media > Reports > OP Corporate Bank publications).
Organisation of risk management and capital adequacy management
The Board of Directors decides on, among other things, the business strategy based on the principles issued by the central cooperative’s Executive Board, and approves a business plan and supervises their implementation. It also confirms risk policy, funding plan, capital plan and proactive contingency plan for the capital base, business continuity plan and significant risk management principles.
The Board of Directors also supervises and monitors the implementation of risk and capital adequacy management and the fact that the company’s risk management is in conformity with laws, official regulations and instructions issued by the central cooperative. The Board of Directors is responsible for the sufficiency of risk management systems and supervises their extent and performance. The Board of Directors is also tasked with supervising the company so that it does not take excessive risks which would materially jeopardise the company’s capital adequacy, liquidity, profitability or business continuity. It also supervises the quantity and quality of capital, financial performance, risk exposure and compliance with the risk policy, limits and other instructions.
The Board assesses the appropriateness, extent and reliability of OP Corporate Bank Group’s capital adequacy management on a holistic basis at least once a year.
OP Corporate Bank’s President and CEO takes charge of the overall control of the company in such a way that the company as a whole achieves its profit, risk capacity and other targets and goals by following shared strategies and policies.
OP Cooperative is responsible for OP Financial Group-level risk and capital adequacy management and for ensuring that OP Financial Group’s risk management system is sufficient and kept up to date. OP Financial Group's Risk Management is a function independent of business lines/divisions that defines, steers and supervises the overall risk management of the Group and its entities, and analyses their risk exposure.
The business lines/divisions shall bear primary responsibility for their risk-taking, financial performance and compliance with the principles of internal control and risk management and capital adequacy management. The business lines/divisions have the right to take decisions on risk-taking within the approved decision-making powers, exposure limits and credit limits.
A more detailed description of the company’s risk management and capital adequacy management principles and risk exposure can be found in the Group’s most recent Report by the Board of Directors and Financial Statements (see www.op.fi > OP Financial Group > To the media > Reports > OP Corporate Bank publications).
Internal Audit is tasked with assisting OP Corporate Bank plc’s Board of Directors and the company's management in controlling, supervising and assuring operations by carrying out operational audits.
Internal Audit of OP Cooperative, OP Corporate Bank plc’s parent entity, has been responsible for internal audit. Internal Audit is a function independent of business lines that audits the effectiveness and adequacy of the entire OP Financial Group's internal control system, risk management as well as management and governance processes.
The Supervisory Board of the central cooperative appoints and dismisses the Chief Audit Executive and decides his/her employment terms and conditions and compensation.
The Supervisory Board's Audit Committee confirms the Internal Audit action plan and OP Corporate Bank's Board of Directors confirms the part of the action plan related to the company. Audits in respect of OP Corporate Bank are reported to the Board of Directors and the management as well as to the central cooperative's Executive Board and Audit Committee.
In its auditing work, Internal Audit complies not only with the Internal Audit Charter confirmed in June 2018 by the Supervisory Board but also the International Standards for the Professional Practice of Internal Auditing confirmed by the Institute of Internal Auditors (IIA).
Internal audit performance is subject to external quality assessment approximately every five years.