
The Board is responsible for setting and overseeing an adequate and effective Internal Control Framework, covering the whole Group. The framework sets out the responsibilities of the Group Board and the senior management regarding internal control, all Group functions and business areas, including outsourced activities and distribution channels. Under the Internal Control Framework, all business areas, Group functions and units are responsible for managing the risks they incur in conducting their activities and for having controls in place that aim to ensure compliance with internal and external requirements. As part of the Internal Control Framework, Nordea has established Group control functions with appropriate and sufficient authority, stature and access to the Board to fulfil their mission as well as the Risk Management Framework.
The Internal Control Framework ensures effective and efficient operations, adequate identification, measurement and mitigation of risks, prudent conduct of business, sound administrative and accounting procedures, reliability of financial and non-financial information (both internal and external) and compliance with applicable laws, regulations, supervisory requirements and Group internal rules.
The internal control process is carried out by the governing bodies, risk management functions, management and other staff at Nordea. The internal control process is based on five main components: control environment, risk assessment, control activities, information and communication as well as monitoring. The internal control process is created to ensure the necessary fundamentals for the entire organisation to contribute to the effectiveness and high quality of internal control through, for instance, clear definitions, assignments of roles and responsibilities and common tools and procedures. Roles and responsibilities with respect to internal control and risk management are divided into three lines of defence.
According to the Group Board Directive on Internal Governance, the first line of defence refers to all units and employees that are neither in the second nor in the third line of defence.
In the first line of defence, the business organisation and Group functions are risk owners and thus responsible for conducting their business within risk exposure limits and the risk appetite and in accordance with the Internal Control Framework.
The second line of defence consists of Group Risk, which is responsible for maintaining and monitoring the implementation of the Risk Management Framework as a fundamental part of the Internal Control Framework, and Group Compliance, which is responsible for maintaining and monitoring the implementation of the Compliance Risk Management Framework. To ensure effective risk management, the second line of defence has access to all business lines and other internal units that have the potential to generate risk as well as to relevant subsidiaries and branches and outsourced activities.
Group Internal Audit, which is the third line of defence, performs audits and provides the Board with an assessment of the overall effectiveness of governance and the risk and control framework, together with an analysis of themes and trends emerging from internal audit work and their impact on the organisation’s risk profile.
Group Internal Audit (GIA) is an independent function commissioned by the Board. The Board Audit Committee (BAC) is responsible for guidance on and evaluation of GIA within the Nordea Group. The Chief Audit Executive (CAE) has the overall responsibility for GIA. The CAE reports on a functional basis to the Board and the BAC and reports on an administrative basis to the President and Group CEO. The Board approves the appointment and dismissal of the CAE and decides, by proposal of the Board Remuneration and People Committee, on salary and other employment terms and conditions for the CAE.
The purpose of GIA is to support the Board and the GLT in protecting the assets, reputation and sustainability of the organisation. GIA does this by assessing whether all significant risks are identified and appropriately reported by management and the risk functions to the Board, its committees and the GLT, by assessing whether all significant risks are adequately controlled and by challenging the GLT to improve the effectiveness of governance, risk management and internal controls. GIA does not engage in consulting activities unless otherwise instructed by the BAC.
All activities and entities of the Group fall within the scope of GIA. GIA makes a risk-based decision as to which areas within its scope should be included in the audit plan approved by the Board.
GIA must operate free from interference in determining the scope of internal auditing, in performing its audit work and in communicating its results. This means for example that GIA, via the CAE, is authorised to inform the financial supervisory authorities of any matter without further approval. The CAE has unrestricted access to the President and Group CEO and the Chair of the BAC and should meet with the Chair of the BAC throughout the year, including without the presence of executive management. GIA is authorised to conduct all investigations and obtain all information required to discharge its duties. This includes the right to sufficient and timely access to the organisation’s records, systems, premises and staff. GIA has the right to attend and observe Board committees, the GLT, overall committees and forums for the Nordea Group and other key management decision-making forums when relevant and necessary.
According to the Articles of Association, the auditor of the Company must be an audit firm with the auditor in charge being an authorised public accountant. The term of office of the auditor expires at the end of the AGM following the election. The current auditor of the Company is PricewaterhouseCoopers Oy. Jukka Paunonen, Authorised Public Accountant, has been the auditor in charge since the 2022 AGM.