Risk and risk management

The Group works actively to prevent and identify circumstances that may have a negative impact on the business. Knowledge of risk management is a prioritised focus and competence area in the Group.

The Group’s ability to effectively manage risks and capital is crucial to its profitability. Different types of risks arise in the Group’s business operations.

The risks can materialise in different ways for each Group company.

  • credit risks (including those attributable to the credit portfolio, credit-related concentration risks and counterparty risks)
  • market risks (interest rate, currency and exchange-rate risks)
  • liquidity risks
  • operational risks (including process risks, personnel risks, IT and system risks and external risks)
  • other business risks (including strategic risks, business risks, cyclical risks and reputational risks)
  • insurance risks (only relevant to Solid).

The Group estimates credit risks, liquidity risks and operational risks as the most significant risks that arise within the framework of its banking operations. Insurance risk is the most significant risk in the insurance operations. In order to balance the Group’s risk exposure and to limit and control risks, the Group companies have produced policy documents in a 3-tiered hierarchy. The board of each Group company stipulates the risk management policies to be applied, which also include the delegation of authorisation rights as regards specific risk areas. A person is appointed in each organisation to take responsibility for each policy and monitor compliance, manage reporting and propose necessary adjustments to the policies. The next level comprises guidelines established by the CEO or the person responsible for that specific area.

In general, these guidelines include relevant information to help employees manage and identify solutions for a variety of risk management issues. On the operational level, company managers establish the procedures that apply for specific groups of employees. The procedures are more detailed in terms of risk management in the daily operations.

The Group’s risk management framework is an integrated part of its operations and aligns the Group’s strategic objectives with its risk management. The risk management framework includes the Group’s functions, strategies, processes, procedures, internal rules, limits, risk propensity, risk mandates, control, and reporting procedures necessary for identifying, measuring, monitoring, managing and reporting risks.

Risk propensity, risk indicators and risk limits are determined by the Board and are regularly monitored and reported to the Board. Risk propensity can be defined in terms of qualitative and quantitative values, and indicates the level of risk that the Group can accept in order to achieve its strategies. The established limits are well-defined boundaries regulating the desired risk exposure as laid down in the Group’s policy documents. These limits are applicable, for example, in defining levels within the various risk categories.

The Group has standardised the risk identification process, assessment and reporting. This has been implemented throughout the business as part of efforts to create risk awareness and improve the effectiveness of risk management.

The Group uses three lines of defence to manage operational risk.

The first line of defence is operational personnel, who are familiar with the business and the operational risks that may arise. The personnel closest to the actual business are also closest to the risks, and are thus in a good position to identify risks and work proactively on risk awareness. The operational activities own and manage risks in their daily operations.

The second line of defence comprises the control function in each Group company, Compliance and Risk Control, and the Actuarial function in the insurance operations, which independently and autonomously controls the Group’s operations and reports regularly to the respective CEO, board and certain board committees, both in writing and verbally.

The third line of defence is an independent internal audit function. This function regularly examines the Group’s operations, including activities in the first and second lines of defence, to evaluate whether the first lines are adequately managed from a risk perspective. The internal audit function reports regularly to the Board, both in writing and verbally.