Internal control and risk management

The systems for internal control and risk management of financial reporting are designed to provide reasonable assurance about the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles, applicable laws and regulations, and other requirements for listed companies. The internal control and risk management activities are included in Nordea’s planning and resource allocation processes. Internal control and risk management of financial reporting at Nordea can be described in accordance with the COSO Framework as follows below.


Control Environment

The control environment constitutes the basis for Nordea’s internal control and centres around the culture and values established by the Board and Group Executive Management, and the organisational structure, with clear roles and responsibilities.

A clear and transparent organisational structure is of importance for the control environment. Nordea’s business structure aims to support the overall strategy, ensuring strong business momentum and meeting increased requirements on capital and liquidity. The business and the organisation are under continuous development. 

The primary governance principle is adherence to the three lines of defence model, which forms the basis for a clear division of roles and responsibilities in the organisation. A proper three lines of defence governance is in place, ensuring that segregation of duties between risk management and risk control is defined and established.

Clear roles and responsibilities are critical in the governance of internal control over financial reporting, where the risk owners in the business areas and Group Finance & Treasury are responsible for the risk management activities. A risk management function supports the Chief Financial Officer in maintaining a Group-wide set of controls, at Nordea defined as Accounting Key Controls (AKC), in line with the risk framework. The framework covers the controlling of risks and the risk identification process, which to a large extent is based on the actual business and financial closing processes in place. An independent risk control function, responsible for identifying, controlling and reporting on financial reporting risk, has been established in Group Risk Management and Control. In addition, the internal audit function provides the Board with an assessment of the overall effectiveness of the governance, risk management and control processes.

Source: Annual Report 2018 of Nordea Bank Abp 
Updated: February 2019


Risk assessment

The Board of Directors bears ultimate responsibility for limiting and monitoring Nordea's risk exposure. Risk management is considered an integral part of running the business, and the main responsibility for performing risk assessments regarding financial reporting risks lies with the business organisation. Performing risk assessments close to the business increases the likelihood of identifying the most relevant risks. In order to govern the quality, control functions stipulate in governing documents when and how these assessments are to be performed. Examples of risk assessments, performed at least annually, are the Quality and Risk Analysis for changes and the Risk and Control Self-Assessment.

Risk assessment in relation to reliable financial reporting involves the identification and analysis of risks of material misstatements. Financial reporting risk control work in Nordea focuses on risks and processes which could lead to material financial misstatements, i.e. if, in the light of surrounding circumstances, the magnitude of the item is such that it is probable that the judgment of a reasonable person relying upon the report would have been changed or influenced by the inclusion or correction of the item. Structured risk assessment procedures determine in which divisions, locations and/or processes risks for material financial misstatements exist and therefore need to be monitored under the Accounting Key Control (AKC) framework to ensure reasonable assurance of the reliability of Nordea’s external financial reporting.

Source: Annual Report 2017 of Nordea Bank AB (publ)
Updated: February 2018


Control activities

The heads of the respective units are primarily responsible for managing risks, associated with the units’ operations and financial reporting processes. This responsibility is primarily supported by the Group Accounting Manual (GAM), the Financial Control Principles and various governing bodies, such as the Group Valuation Committee. The GAM includes a standard reporting package used by all entities to ensure consistent use of Nordea’s principles and coordinated financial reporting. Fundamental internal control principles at Nordea are segregation of duties and the four-eyes principle when approving for instance transactions and authorisations.

The Accounting Key Controls (AKC) control structure is based on Transaction Level Controls (TLC) that are identified by analysing risks in high-level processes with an end-to-end product focus. After the TLCs have been decided, an analysis is performed to determine which systems and applications are in scope for AKCs, and specific IT General Controls are governed for those systems. The analysis aims to scope in the major systems where there is a risk that data could become corrupt without being detected by the TLC control structure.

The quality assurance vested in the management reporting process, where detailed analysis of the financial outcome is performed, constitutes one of the most important control mechanisms associated with the reporting process. The reconciliations constitute another set of important controls where Nordea works continuously to further strengthen the quality.

See the illustration of Control activities

Source: Annual Report 2017 of Nordea Bank AB (publ)
Updated: February 2018


Information and communication

Group Finance & Treasury is responsible for ensuring that the Group Accounting Manual and the Financial Control Principles are up to date and that changes are communicated to the responsible units. These governing documents are broken down into guidelines and standard operating procedures in the responsible units. Accounting specialists from Group Finance & Treasury provide accountants and controllers with information on changes, in order to inform them of existing and updated rules and regulations with an impact on Nordea.

The key criteria applied when communicating financial information to the market are "correct, relevant, consistent, reliable and timely". The information is to be disclosed in such a way that it is made available to the public in a fast and non-discriminatory manner.

Nordea interacts with relevant subject-matter experts to ensure fulfilment of financial reporting objectives. Nordea actively participates in relevant national forums, for example forums established by the Financial Supervisory Authorities, Central Banks and associations for financial institutions.

The AKC reporting procedures provide management at different levels in the organisation with information related to the performance and assessment of the identified AKCs in the form of Process Owner reports and Management Dashboard reports with a summarised assessment of the outcome and any high risk areas.

Source: Annual Report 2017 of Nordea Bank AB (publ)
Updated: February 2018

Monitoring

Nordea has established a process with the purpose of ensuring proper monitoring of the quality of the financial reporting and the follow-up of possible deficiencies. This interactive process aims to cover all components of the COSO Framework and is illustrated in this diagram.

The Risk and Control Self-Assessment process conducted in each Business Area and Group Function includes evaluation of risks and quality of internal controls related to financial reporting. 

The Board of Directors, the Board Audit Committee, the Board Risk Committee, the Board Operations and Compliance Committee, and Group Internal Audit have important roles with respect to overseeing and monitoring the internal control of financial reporting at Nordea Group. Further information is presented here.

The work of the Board of Directors | Board Audit Committee | Board Risk Committee | Board Operations and Compliance Committee | Group Internal Audit

Group Finance & Treasury has also established specific quarterly reporting on Internal Control over Financial Reporting to the Group CFO, covering risk management and high-risk areas. The independent risk control function within Group Risk Management and Control (GRMC) reports specifically on financial reporting risk to the Board Audit Committee and to the Group CEO in Group Executive Management on a quarterly basis.

Source: Annual Report 2017 of Nordea Bank AB (publ)
Updated: February 2018