Internal control

Effective and reliable internal control forms the basis for compliance with sound and prudent business practices.

Internal control refers to procedures or practices within an organisation to ensure that the organisation achieves the targets set in the strategy, uses resources economically and the information in support of management decisions is reliable. Internal control also ensures that risk management, custody of client assets and protection of property is adequately arranged. Conformance to regulations and approved ethical principles, too, are ensured through internal control.

The central cooperative’s Supervisory Board confirms the Group-level principles of internal control that all OP Financial Group entities follow. OP MB complies with the principles of internal control adopted by the central cooperative’s Supervisory Board.

Internal controls apply to all operations. The nature and extent of operations and, whenever necessary, special characteristics related to international operations are taken into consideration in specifying internal controls. Internal control covers all organisational levels. Internal control in its most extensive form primarily takes place at the operational level, where internal control is continuous and forms part of daily activities.

Internal control is complemented by the opportunity of anyone employed by OP Financial Group to report through an independent channel if they suspect that rules or regulations have been violated (whistle blowing).

The Board of Directors’ role

The Board of Directors of OP MB is responsible for organising and maintaining adequate and effective internal control. It deals with the guidelines governing OP Financial Group’s internal control, ensures that OP MB has an adequate set of guidelines specifying Group-level guidelines, and supervises internal control effectiveness and sufficiency.

Central cooperative consolidated-level risk management and financial reporting are performed in a coordinated way by a function independent of the business lines/divisions. Each Group company’s board of directors is responsible for the top management tasks of the company in question related to internal control. Each Group company’s executive management is responsible for the implementation of internal control and risk management according to the agreed principles and guidelines, and shall regularly report on the company’s business, risk capacity and risk status, in accordance with the Group’s management system.

Compliance activities

Compliance activities are tasked with assisting senior management and executive management and business lines/divisions in the management of risks associated with regulatory non-compliance, supervising regulatory compliance and, for its part, developing internal control further. Risk Management, Compliance organisation, Finance and Treasury as well as HR Services are, for their part, in charge of regulatory compliance management.

Almost all activities involve compliance risk and responsibility for the management of risks rests with the business lines/divisions. The Managing Director is in charge of the company’s compliance activities. OP Financial Group's Compliance organisation supports the Managing Director. The Group Compliance Officer in charge of the organisation reports to the Supervisory Board (or Supervisory Board committees) and the General Counsel. Compliance activities and the related recommendations issued to the business lines/divisions are subject to regular reporting to OP MB’s Board of Directors. Compliance activities must also be reported to the Executive Board of OP Cooperative Consolidated and the Audit Committee of the Supervisory Board as part of OP Financial Group level reporting.

OP Financial Group’s Compliance organisation shall annually draw up a compliance action plan which will be discussed and confirmed by OP MB's Board of Directors with respect to the company. Principles and instructions governing compliance shall also be confirmed in the same manner. OP Financial Group’s Compliance organisation is responsible for advice on and support of Group-level compliance risk management and also controls OP MB’s compliance.

Compliance is aimed at preventing the materialisation of compliance risks. For this purpose, the Compliance organisation shall, for example,

  • prepare and maintain guidelines on key matters related to practices;

  • advise employees on, and train them in, matters related practices;

  • support OP MB’s business in the planning of development measures promoting the management of compliance risks;

  • keep senior and executive management and the business informed of upcoming regulatory changes and monitor the business’s preparation for regulatory changes;

  • supervise compliance within the company with the current regulatory framework, ethical practices and internal guidelines related to practices; and

  • regularly report to both senior and executive management on recommendations and the results of control given to the business and other observations related to compliance risk exposure.

Risk management

OP Financial Group’s core values, strategic goals and financial targets form the basis for OP MB’s risk management and capital adequacy management. The purpose of risk management is to identify threats and opportunities affecting strategy implementation. The objective is to help achieve the targets set in the strategy by controlling that risks taken are proportional to risk capacity. Risk capacity is made up of effective risk management that is proportionate to the extent and complexity of operations and of adequate capital resources and liquidity based on profitable business operations. OP MB has a moderate attitude towards risk-taking.

OP Financial Group’s principles governing the risk-taking system and the Risk Appetite Framework, adopted by OP Cooperative’s Supervisory Board, define how the Group’s risk-taking is controlled, restricted and supervised and how the risk management and internal capital adequacy assessment process is organised.

In OP Financial Group's risk policy, the central cooperative's Executive Board confirms annually risk-management principles, actions, objectives, limits and control limits, to be applied by Group entities, that are used to guide business to implement the policies confirmed in the Group's strategy and the principles of the risk-taking system and the Risk Appetite Framework (RAF).

Risk and capital adequacy management falls under internal control. Its purpose is to ensure OP MB’s risk capacity and liquidity and, thereby, ensure business continuity. The risk management and ICAAP process consists of the continuous identification and assessment of risks associated with business and the operating environment. Risk and capital adequacy management has been integrated as an integral part of the company’s business and management.

OP MB’s Board of Directors makes decisions on its risk and capital adequacy management in line with the principles adopted by the central cooperative Executive Board. In addition, the Board of Directors deals with, in terms of quality and extent, far-reaching and important matters in principle from the perspective of the company’s operations, and any unusual matters. The Board of Directors decides on principles and procedures to ensure that the company operates in compliance with external regulation and OP Cooperative’s guidelines.

The Managing Director is responsible for the implementation of risk and capital adequacy management according to the principles and guidelines that have been agreed on and reports regularly on the company’s business to the Board of Directors.

The central cooperative is responsible for risk and capital adequacy management at OP Financial Group level and for ensuring that the Group’s risk management system is adequate and up to date. OP Financial Group’s Risk Management is a function independent of business that defines policy and steers and supervises the overall risk management of the Group and its entities and analyses their risk exposure. OP MB’s risk and capital adequacy tasks are centralised within OP Financial Group’s Risk Management.

OP MB’s significant risks include credit risks, interest income risk (the effect of change in interest rates on net interest income airing from market risks) and market risks of investments, liquidity risks as well as strategic risks, reputational risk, operational risks and compliance risks associated with business.

A more detailed description of the company’s risk management and capital adequacy management principles and risk exposure can be found in the company’ most recent Report by the Board of Directors and Financial Statements (see www.op.fi > To the media > Reports > OP Mortgage Bank publications).

Internal audit

Internal Audit is tasked with assisting OP MB's Board of Directors and the company's management in controlling, supervising and assuring operations by carrying out operational audits.

Internal Audit of OP Cooperative, OP MB’s parent entity, has been responsible for internal audit. Internal Audit is a function independent of business lines that audits the effectiveness and adequacy of the entire OP Financial Group's internal control system, risk management as well as management and governance processes.

The Supervisory Board of the central cooperative appoints and dismisses the Chief Audit Executive and decides his/her employment terms and conditions and compensation.

The Supervisory Board's Audit Committee confirms the Internal Audit action plan and OP MB's Board of Directors confirms the part of the action plan related to the company. Audits in respect of OP MB are reported to the Board of Directors and the management as well as to the central cooperative's Executive Board and Audit Committee.

In its auditing work, Internal Audit complies not only with the Internal Audit Charter confirmed in June 2018 by the Supervisory Board but also the International Standards for the Professional Practice of Internal Auditing confirmed by the Institute of Internal Auditors (IIA).

Internal audit performance is subject to external quality assessment about every five years.