Internal control

Effective and reliable internal control forms the basis for compliance with sound and prudent business practices.

Internal control refers to procedures or practices within an organisation to ensure that the organisation achieves the targets set in the strategy, uses resources economically and that the information in support of management decisions is reliable. Internal control also ensures that risk management, custody of client assets and protection of property is adequately arranged. Conformance to regulations and approved ethical principles, too, are ensured through internal control.

The central cooperative’s Supervisory Board confirms the Group-level principles of internal control that all OP Financial Group entities follow. OP Corporate Bank complies with the principles of internal control adopted by the central cooperative's Supervisory Board.

The Board of Directors of OP Corporate Bank is responsible for organising and maintaining adequate and effective internal control. It deals with the guidelines governing OP Financial Group’s internal control, ensures that OP Corporate Bank has an adequate set of guidelines specifying Group-level guidelines, and supervises internal control effectiveness and sufficiency.

Internal controls apply to all operations. The nature and extent of operations and, whenever necessary, special characteristics related to international operations are taken into consideration in specifying internal controls. Internal control covers all organisational levels. Internal control in its most extensive form primarily takes place at the operational level, where internal control is continuous and forms part of daily activities. Internal control is complemented by the opportunity of anyone employed by OP Financial Group to report through an independent channel if they suspect that rules or regulations have been violated (whistle blowing).

OP Financial Group has separate and independent Compliance, Risk Management and Internal Audit functions that support OP Corporate Bank’s business by providing independent supervision and ensuring effective supervision in accordance with risk management’s three lines of defence.

The first line of defence comprises business lines, the second line of defence comprises the risk management function independent of the business lines/divisions and the compliance function and the third line of defence comprises Internal Audit. Each line of defence has its own role in performing risk management duties efficiently.


Managing compliance risks forms part of internal control and good corporate governance practices and, as such, an integral part of business management duties and the corporate culture. Responsibility for regulatory compliance and its monitoring rests with the OP Corporate Bank’s executive and senior management and all supervisors and managers. Each employee is also responsible for compliance with regulation in their own duties.

Almost all activities involve compliance risk and responsibility for the management of the compliance risks rests with the business lines/divisions. The company’s President and CEO is in charge of the company’s compliance activities. OP Financial Group's Compliance organisation supports the President and CEO. The Group Compliance Officer in charge of the organisation reports to the Supervisory Board (or Supervisory Board committees) and the Chief Legal Officer (CLO) and Group General Counsel. The company has designated compliance officers who together with the central cooperative’s compliance officers assist the Group Executive Management and senior management and the business lines/divisions in the management of risks associated with regulatory non-compliance, supervise regulatory compliance and, for their part, develop internal control. Compliance ensures that regulations are complied with and implemented mainly by means of controls and risk assessments of new procedures. Compliance activities, compliance observations and the related recommendations issued to the business lines/divisions are subject to regular reporting to OP Corporate Bank plc’s Board of Directors and OP Financial Group’s Compliance organisation. Compliance activities must also be reported to the Executive Board of the central cooperative consolidated and the Audit Committee of the Supervisory Board as part of OP Financial Group level reporting.

OP Financial Group’s Compliance function was reorganised as of the beginning of 2019, and its resources were strengthened substantially. During the year, compliance reporting to management was revised, control methods were developed, for example, in order to better use data as the basis for control, and operating models were systematised. Compliance was actively engaged in improving and ensuring processes related to anti-money laundering in OP Financial Group. Ensuring compliance with KYC regulation and legislation and official instructions related to the provision of investment services, and with related Group-level guidelines and the performance of processes remained as key focus areas.

The Compliance organisation annually draws up a compliance action plan which is discussed and confirmed by OP Corporate Bank plc’s Board of Directors with respect to the company. The Board of Directors also deals with the principles and instructions governing compliance. OP Financial Group’s Compliance organisation is responsible for advice on and support of Group-level compliance risk management and also controls OP Corporate Bank’s compliance.

Compliance is aimed at preventing the materialisation of compliance risks. For this purpose, the Compliance organisation shall, for example,

  • prepare and maintain guidelines on key matters related to practices

  • advise employees on, and train them in, matters related practices

  • support the business lines/divisions in the planning of development measures promoting internal control and the management of compliance risks

  • keep Group Executive Management and senior management and the business informed of upcoming regulatory changes and monitor the business’s preparation for regulatory changes

  • supervise compliance within OP Corporate Bank Group with the current regulatory framework, ethical practices and internal guidelines related to practices and

  • regularly report to both Group Executive Management and senior management on recommendations and the results of control given to the business and other observations related to compliance risk exposure.

Risk management

OP Financial Group's core values and strategic and financial targets form the basis for OP Corporate Bank’s risk management.

The Supervisory Board of OP Cooperative, the central cooperative, confirms OP Financial Group’s Risk Appetite Statement and Risk Management Principles which all OP Financial Group companies follow. Together with the strategy, the Risk Appetite Statement provides the bases for the goal-setting of the businesses. The risk policy and other risk management guidelines specify the Statement.

OP Financial Group’s risk appetite determines what risks and risks related to what operations OP Corporate Bank Group is ready to take when carrying out its mission within the framework of the strategic targets. In order for OP Corporate Bank Group companies to be able to operate in accordance with the risk appetite, they must have sufficient risk-bearing capacity, which comprises risk capacity and risk-taking capacity. OP Corporate Bank Group adopts a policy of moderate risk-taking. Business is based on a well thought-out risk/return approach.

OP Corporate Bank Group’s significant risks include credit risks, market risks, liquidity risks, non-life insurance risks, counterparty risks, concentration risks, risks associated with future business, and reputational risk and operational risk associated with all business operations, including model risks and compliance risks and risks associated with strategic choices and the implementation of the strategy.

The objective of the risk management process is to secure sufficient risk-bearing capacity and to ensure that any business risks taken do not threaten profitability, capital adequacy, liquidity or the achievement of strategic targets and thereby to secure business continuity. Risk management has been integrated as part of the business and its management of OP Corporate Bank and its Group companies.

OP Financial Group’s risk management process contains the following:

  • The steering framework prepared and maintained by independent Risk Management

    • The Risk Appetite Statement and the Risk Management Principles that guide risk-taking, and the risk policies that specify them and other risk management guidelines

    • Determination of the need of risk-taking capacity and allocation to the business lines/divisions based on the strategy

    • Creation of methods to identity, assess, measure and limit risks

  • Risk management of operational business

    • Risk selection and pricing

    • Management of risk exposures and the asset-liability position

  • Internal control performed by Risk Management

    • Supervision of compliance with risk-taking, risk policies and pricing

    • ​Risk exposure analysis and reporting to the management

OP Corporate Bank’s Board of Directors takes charge of risk management and the adequacy and reliability of the company’s internal control, deals with OP Financial Group’s risk management guidelines and supervises their compliance.

The business lines/divisions fulfil OP Financial Group’s strategy, are responsible for planning their own operations and for their internal control. They make risk decisions within the framework of the restrictions governing risk-taking and risk policy and of other guidelines, apply the risk management framework, supervise their risk exposure and that it remains within the confirmed limits and control limits, as well as bear responsibility for the risks they have taken and for the extensiveness and accuracy of data in the systems.

OP Financial Group's Risk Management is a function independent of business that provides guidelines for, controls and supervises the overall risk management of the Group and its companies, and is responsible for the fact that the risk management system is adequate and up to date. OP Corporate Bank’s and its Group companies’ risk management duties have been centralised in the central cooperative Risk Management.

A more detailed description of OP Corporate Bank Group’s risk management principles can be found in the note to OP Corporate Bank Group’s financial statements called Risk management principles.

In 2019, OP Financial Group’s risk management included monitoring of external regulatory changes and continuing to prepare for regulatory changes.

Major risk management development projects included, for example, preparing for changes in the financing process caused by a new more detailed definition of default, model risk management and preparation for updating IRB risk models within the schedule set by new regulation.

Risk Management continued to further develop its risk management assessment processes and operational processes in order to ensure that controls related to risk management are automated so as to be part of all business and that risks are assessed proactively and sufficiently when developing new business. Risk Management has strengthened the development and validation process and extended the comprehensiveness of independent model validations. Risk Management has further developed the assessment practices of the sufficiency of capital and liquidity and the management methods of interest rate risk associated with the banking book.

Risk management guidelines, risk reporting and risk limitation have been revised in such a manner that they are based on revenue logic-specific assessments. Stress tests have continued to play an increasing role in risk analyses.

Internal audit

Internal Audit of OP Cooperative (OP Corporate Bank’s parent entity), or OP Financial Group’s Internal Audit, is responsible for internal audit. Internal audit constitutes independent and objective assessment, verification and consulting activities with a view to generating added value to OP Financial Group and improving its operations. Internal Audit is headed by the Chief Audit Executive appointed by the central cooperative’s Supervisory Board.

The Supervisory Board's Audit Committee confirms the Internal Audit action plan and OP Corporate Bank's Board of Directors confirms the part of the action plan related to the company. Internal Audit reports its observations and recommendations as well as the implementation of the recommendations to the OP Corporate Bank’s Board of Directors, the management of the auditable entity, the central cooperative’s Executive Board and the Supervisory Board’s Audit Committee.

In its auditing work, Internal Audit complies with the Internal Audit Charter confirmed by the Supervisory Board in June 2019, and the International Standards for the Professional Practice of Internal Auditing confirmed by the Institute of Internal Auditors (IIA). Internal audit performance is subject to external quality assessment about every five years.

In addition to the Internal Audit action plan confirmed by the Board of Directors in 2019, internal audit has been performed indirectly as part of audit applying to the centralised functions of OP Financial Group. Internal Audit has conducted specific audits on a risk-based basis with a view of identifying risk factors and assessing the performance of internal control.