Internal control and risk management


The systems for internal control and risk management of financial reporting are designed to provide reasonable assurance about the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles, applicable laws and regulations, and other requirements for listed companies. The internal control and risk management activities are included in Nordea’s planning and resource allocation processes. Internal control and risk management of financial reporting at Nordea can be described in accordance with the COSO Framework as follows.


Control environment

The control environment constitutes the basis for Nordea’s internal control and contains the culture and values established by the Board of Directors and Group Executive Management.

A clear and transparent organisational structure is of importance for the control environment. Nordea’s business structure aims to support the overall strategy, with strong business momentum and increased requirements on capital and liquidity. The business and the organisation are under continuous development. 

Clear roles and responsibilities are critical in the governance of Internal Control over Financial Reporting, where the risk owners in the business areas and Group Finance & Business Control are responsible for the risk management activities. A risk management function supports the risk owners in maintaining a Group-wide set of controls, in line with the risk framework, which covers the controlling of risks and the risk identification process, which to a large extent is based on the actual business and financial closing processes in place. An independent risk control function that is responsible for identifying, controlling and reporting on financial reporting risk has been established in Group Risk Management (GRM). On top of that, the internal audit function provides the Board of Directors with an assessment of the overall effectiveness of the governance, risk management and control processes.

Source: Annual Report 2015 
Updated: February 2016

Risk assessment


The Board of Directors bears ultimate responsibility for limiting and monitoring Nordea’s risk exposure, and risk management is considered to be an integral part of running the business. The main responsibility for performing risk assessments regarding financial reporting risks lies with the business organisation. Performing risk assessments close to the business increases the possibility of identifying the most relevant risks. In order to govern the quality, central functions stipulate in governing documents when and how these assessments are to be performed. Examples of risk assessments, performed at least annually, are Quality and Risk Analysis for changes and Risk and Control Self-Assessment.

Risk assessment in relation to reliable financial reporting involves the identification and analysis of risks of material misstatements. Financial risk control work in Nordea focuses only on risks and processes which could lead to material financial misstatements, i.e. if, in the light of surrounding circumstances, the magnitude of the item is such that it is probable that the judgment of a reasonable person relying upon the report would have been changed or influenced by the inclusion or correction of the item. Structured risk assessment procedures determine in which divisions, locations and/or processes risks of material financial misstatements exist and therefore will need to be monitored under the Accounting Key Control (AKC) framework to ensure reasonable assurance of the reliability of Nordea’s external financial reporting.

Source: Annual Report 2015 
Updated: February 2016

Control activities


The heads of the respective units are primarily responsible for managing the risks associated with the units’ operations and financial reporting processes. This responsibility is primarily supported by the Group Accounting Manual (GAM), the Financial Control Principles and various governing bodies, such as the Group Valuation Committee. The GAM includes a standard reporting package used by all entities to ensure consistent use of Nordea’s principles and coordinated financial reporting. Fundamental internal control principles at Nordea are segregation of duties and the four-eyes principle when approving, for instance, transactions and authorisations.

The AKC control structure is based on Transaction Level Controls (TLCs), which are identified by analysing risks based on high-level processes with an end-to-end product focus. After deciding on the TLCs, an analysis is performed to decide which systems/applications are in scope for AKC. The analysis aims at scoping in the major systems where there is a risk that data becomes corrupt without being detected in the TLC control structure.

The quality assurance vested in the management reporting process, where detailed analysis of the financial outcome is performed, constitutes one of the most important control mechanisms associated with the reporting process. The reconciliations constitute another set of important controls where Nordea works continuously to further strengthen the quality.

See the illustration of Control activities

Source: Annual Report 2015  
Updated: February 2016


Information and communication

Group Finance & Business Control is responsible for ensuring that the Group Accounting Manual and the Financial Control Principles are up-to-date and that changes are communicated to the responsible units. These governing documents are broken down into instructions and standard operating procedures in the responsible units. Accounting specialists from Group Finance & Business Control provide accountants and controllers with information on changes in order to inform about existing and updated rules and regulations with an impact on Nordea.

Matters having impact on the fulfilment of financial reporting objectives are communicated with external parties, with Nordea actively participating in relevant national forums, for example forums established by the Financial Supervisory Authorities, Central Banks and associations for financial institutions.

The AKC reporting procedures provide management at different levels in the organisation with information related to the performance and assessment of the identified AKCs in the form of Process Owner reports and Management Dashboard reports with a summary of assessment outcome and high-risk areas.

Source: Annual Report 2015 
Updated: February 2016

Monitoring


Nordea has established a process with the purpose of ensuring a proper monitoring of the quality of the financial reporting and the follow-up regarding possible deficiencies. This interactive process aims to cover all COSO-components in the Framework and is illustrated with this diagram (PDF).

The Risk and Control Self-Assessment process includes monitoring the quality of internal control for financial reporting. The assessment is presented in the annual Operational and Compliance Risk Map, which is submitted to the CEO in Group Executive Management, the Board Audit Committee, the Board Risk Committee and the Board of Directors.

The Board of Directors, the Board Audit Committee, the Board Risk Committee and Group Internal Audit have important roles with respect to monitoring the internal control of financial reporting at Nordea Group. Further information is presented here. 

The work of the Board of Directors | Board Audit Committee | Board Risk Committee | Group Internal Audit

Group Finance & Business Control has also established a specific Internal Control report over Financial Reporting to the Group CFO covering risk management and high-risk areas. The independent risk control function within GRM reports specifically on financial reporting risk to the Board Audit Committee and the CEO in Group Executive Management.

Source: Annual Report 2015 
Updated: February 2016