Internal control

Effective and reliable internal control forms the basis for compliance with sound and prudent business practices.

Internal control refers to procedures or practices within an organisation to ensure that the organisation achieves the targets set in the strategy, uses resources economically and that the information in support of management decisions is reliable. Internal control also ensures that risk management, custody of client assets and protection of property are adequately arranged. Conformance to regulations and approved ethical principles is also ensured through internal control.

The central cooperative Supervisory Board confirms the Group-level principles of internal control that all OP Financial Group entities follow. OP MB complies with the principles of internal control adopted by the central cooperative Supervisory Board.

The Board of Directors of OP MB is responsible for organising and maintaining adequate and effective internal control. It deals with the guidelines governing OP Financial Group’s internal control, ensures that OP MB has an adequate set of guidelines specifying Group-level guidelines, and supervises internal control effectiveness and sufficiency.

Internal controls apply to all operations. The nature and extent of operations and, whenever necessary, special characteristics related to international operations are taken into consideration in specifying internal controls. Internal control covers all organisational levels. Internal control in its most extensive form primarily takes place at the operational level, where internal control is continuous and forms a part of daily activities.

Internal control is complemented by the opportunity of anyone employed by OP Financial Group to report through an independent channel if they suspect that rules or regulations have been violated (whistle blowing).

OP Financial Group has separate and independent Compliance, Risk Management and Internal Audit functions that support OP MB’s business by providing independent supervision and ensuring effective supervision in accordance with risk management’s three lines of defence.

The first line of defence comprises business lines, the second line of defence comprises the risk management function independent of the business lines/divisions and the compliance function and the third line of defence comprises Internal Audit. Each line of defence has its own role in performing risk management duties efficiently.

Compliance activities

Almost all activities involve compliance risk, and responsibility for the management of risks rests with the business lines/divisions. The Managing Director is in charge of the company’s compliance activities. OP Financial Group's Compliance organisation supports the Managing Director. The Group Compliance Officer in charge of the organisation reports to the Supervisory Board (or Supervisory Board committees) and the Chief Legal Officer and Group General Counsel. The Compliance organisation assists Executive Management and senior management as well as business lines/divisions in the management of risks associated with regulatory non-compliance, supervises regulatory compliance and, for its part, develops internal control further. Compliance ensures that regulations are complied with and implemented mainly by means of control and risk assessments of new procedures. Compliance activities, compliance observations and the related recommendations issued to the business lines/divisions are reported regularly to OP Mortgage Bank’s Board of Directors and OP Financial Group’s Compliance organisation. Compliance activities must also be reported to the Executive Board of the central cooperative consolidated and the Audit Committee of the Supervisory Board as part of OP Financial Group level reporting.

OP Financial Group’s Compliance function was reorganised as of the beginning of 2019, and its resources were strengthened substantially. During the year, compliance reporting to management was revised, control methods were developed, for example, in order to better use data as the basis for control, and operating models were systematised.

The Compliance organisation shall annually draw up a compliance action plan which will be discussed and confirmed by OP MB's Board of Directors with respect to the company. Principles and instructions governing compliance shall also be confirmed in the same manner. OP Financial Group’s Compliance function is responsible for advice on and support of Group-level compliance risk management and also controls OP MB’s compliance.

Compliance is aimed at preventing the materialisation of compliance risks. For this purpose, the Compliance organisation shall, for example,

  • prepare and maintain guidelines on key matters related to practices;

  • advise employees on, and train them in, matters related to practices;

  • support OP MB’s business in the planning of development measures promoting the management of compliance risks;

  • keep Executive Management and senior management and the business informed of upcoming regulatory changes and monitor the business’s preparation for regulatory changes;

  • supervise compliance within the company with the current regulatory framework, ethical practices and internal guidelines related to practices; and

  • regularly report to both Executive Management and senior management on recommendations and the results of control given to the business and other observations related to compliance risk exposure.

Risk management

OP Financial Group's core values and strategic and financial targets form the basis for OP MB’s risk management.

The Supervisory Board of OP Cooperative, the central cooperative, confirms OP Financial Group’s Risk Appetite Statement and risk management principles which all OP Financial Group companies follow. Together with the strategy, the Risk Appetite Statement provides the basis for the goal-setting of the businesses. The risk policy and other risk management guidelines specify the Statement.

OP Financial Group’s risk appetite determines what risks and risks related to what operations OP MB is ready to take when carrying out its mission within the framework of the strategic targets. In order for OP MB to be able to operate in accordance with our risk appetite, it must have sufficient risk-bearing capacity, which comprises risk capacity and risk-taking capacity. OP MB has a moderate attitude towards risk-taking. Its business is based on a well thought-out risk/return approach.

OP MB’s significant risks include credit risks, market risks, liquidity risks, risks associated with future business, and reputational risk and operational risk associated with all business operations, including model risks and compliance risks and risks associated with strategic choices and the implementation of the strategy.

The objective of the risk management process is to secure sufficient risk-bearing capacity and to ensure that any business risks taken do not threaten profitability, capital adequacy, liquidity or the achievement of strategic targets and thereby to secure business continuity. Risk management has been integrated as an integral part of OP MB's business and management.

OP Financial Group’s risk management process contains the following:

  • The steering framework prepared and maintained by independent Risk Management
    • The Risk Appetite Statement and the Risk Management Principles that guide risk-taking, and the risk policies that specify them and other risk management guidelines
    • Determination of the need of risk-taking capacity and allocation to the business lines/divisions based on the strategy
    • Creation of methods to identify, assess, measure and limit risks
  • Risk management of operational business
    • Risk selection and pricing
    • Management of risk exposures and the asset-liability position
  • Internal control performed by Risk Management
    • Supervision of compliance with risk-taking, risk policies and pricing
    • Risk exposure analysis and reporting to the management

OP MB’s Board of Directors takes charge of risk management and the adequacy and reliability of the company’s internal control, deals with OP Financial Group’s risk management guidelines and supervises their compliance.

OP MB fulfils OP Financial Group’s strategy and is responsible for planning its own operations and for its internal control. It makes risk decisions within the framework of the restrictions governing risk-taking and risk policy and of other guidelines, applies the risk management framework, supervises its risk exposure and that it remains within the confirmed limits, and bears responsibility for the risks it has taken and for the extensiveness and accuracy of data in the systems.

A more detailed description of OP MB’s risk management principles can be found in the note to the financial statements entitled Risk management principles.

OP Financial Group's Risk Management is a function independent of business that provides guidelines for, controls and supervises the overall risk management of the Group and its companies, and is responsible for ensuring that the risk management system is adequate and up to date. OP MB’s risk management duties have been centralised in the central cooperative Risk Management.

In 2019, OP Financial Group’s risk management included monitoring of external regulatory changes and continuing to prepare for regulatory changes.

Major risk management development projects included, for example, preparing changes in the financing process caused by a new more detailed definition of default, model risk management and preparation for updating IRB risk models within the schedule set by new regulation.

Risk Management continued to further develop its risk management assessment processes and operational processes in order to ensure that controls related to risk management are automated so as to be part of all business and that risks are assessed proactively and sufficiently when developing new business. Risk Management has strengthened the development and validation process and extended the comprehensiveness of independent model validations. Risk Management has further developed the assessment practices of the sufficiency of capital and liquidity and the management methods of interest rate risk associated with the banking book.

Risk management guidelines, risk reporting and risk limitation have been revised in such a manner that they are based on revenue logic-specific assessments. Stress tests have continued to play an increasing role in risk analyses.

Internal audit

Internal Audit of OP Cooperative (OP MB’s parent entity), or OP Financial Group’s Internal Audit, is responsible for internal audit. Internal audit constitutes independent and objective assessment, verification and consulting activities with a view to generating added value to OP Financial Group and improving its operations. Internal Audit is headed by the Chief Audit Executive who is appointed by OP Cooperative’s Supervisory Board.

The Audit Committee of OP Cooperative’s Supervisory Board confirms the Internal Audit action plan and OP MB's Board of Directors confirms the part of the action plan related to the company. Internal Audit reports its observations and recommendations as well as the implementation of the recommendations to OP MB’s Board of Directors, the management of the auditable entity, the central cooperative’s Executive Board and the Audit Committee of the Supervisory Board.

In its auditing work, Internal Audit complies with the Internal Audit Charter confirmed by the Supervisory Board in June 2019, and the International Standards for the Professional Practice of Internal Auditing confirmed by the Institute of Internal Auditors (IIA). Internal audit performance is subject to external quality assessment about every five years.

The internal audit action plan for 2019 contained one audit applying to OP Mortgage Bank. The audit has been executed. Internal audit has also been performed indirectly as part of audits applying to the centralised functions of OP Financial Group and OP cooperative banks. In its audits, Internal Audit has assessed, for example, the effectiveness of OP Financial Group’s centralised information systems and the controls of operating processes and other internal control, in accordance with its plan prepared on a risk basis.