The systems for internal control and risk management with respect to financial reporting are designed to provide reasonable assurance about the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles, applicable laws and regulations and other requirements for listed companies. The internal control and risk management activities are included in Nordea’s planning and resource allocation processes. Internal control and risk management with respect to financial reporting at Nordea are described below.
Internal control and risk management
The control environment consists of Nordea’s internal controls and centres around the culture and values established by the Board and the GLT and the organisational structure with clear roles and responsibilities.
Nordea’s organisational structure aims to support the overall strategy, ensuring business momentum and meeting the requirements on capital and liquidity. The primary governance principle is adherence to the three lines of defence model, which provides the foundation for a clear division of roles and responsibilities in the organisation.
Clear roles and responsibilities are crucial in the governance of internal control over financial reporting (ICFR). The first line of defence is responsible for the ongoing risk management and for compliance with applicable rules. Risk owners in the business areas and Group functions are responsible for risk management activities. A central function supports the Group CFO in defining standards that apply to relevant controls Group-wide. These controls are implemented and maintained within significant processes and monitored by quarterly self-assessments.
Risk assessment in relation to reliable financial reporting involves the identification and assessment of risks of material misstatements or deficiencies. Financial reporting risk is defined as the risk of misstatements or deficiencies in financial reporting, regulatory reporting and disclosures, tax reporting and reporting of environment, social and governance (ESG) information.
Risk management is considered to be an integral part of running the business and the main responsibility for performing risk assessments regarding financial reporting risks lies with the business organisation. Performing risk assessments close to the business increases the possibility of identifying the most relevant risks. In order to govern the quality, control functions stipulate in governing documents when and how these assessments are to be performed. Examples of risk assessments are the recurring Risk and Control Self-Assessments and the event-driven Change Risk Management and Approval process.
The scope of the ICFR framework is designed to focus on areas where risk of material financial misstatements could exist, i.e. where the judgement of a reasonable person relying on the report would have been changed or influenced by the inclusion or correction of the misstated item.
Business areas and Group functions are primarily responsible for managing risks associated with the units’ operations and financial reporting processes. Entity-wide controls are directive measures and governance bodies in place to set the standards for internal control, such as the Group Accounting Manual, the Group CEO Instructions on Financial Control and the Financial Reporting Risk Protocol. The Group Accounting Manual holds information on the accounting policies to be used in the Group and provides detailed reporting instructions and the tools needed to produce the financial statements.
The ICFR control structure is based on principal financial controls, i.e. the primary controls that are relied on to prevent, detect or mitigate high and critical financial reporting risks. This involves the identification and assessment of risks of financial reporting misstatements or deficiencies based on process flows with an end-to-end process focus. After deciding on the principal financial controls, an analysis is performed to determine which systems/applications are relied on in financial reporting, including the IT general controls that apply to them.
The quality assurance achieved through the management reporting process, where a detailed analysis of the financial outcome is performed, constitutes an important control mechanism in the reporting process.
Group Finance is responsible for ensuring that the Group Accounting Manual and other relevant directive measures are up to date and that changes are communicated to the responsible units. These are supported by detailed guidelines and standard operating procedures in the responsible units.
Management at different levels in the organisation is provided with information about the performance and assessment of the identified key controls and details on the outcome of the self-assessment of controls in their process.
Nordea interacts with relevant subject-matter experts externally to keep up to date with changes in reporting expectations and ensure the fulfilment of financial reporting objectives. Nordea actively participates in relevant national and international forums, such as those established by the financial supervisory authorities, central banks and associations for financial institutions.
Nordea has established a process for regular monitoring of risk metrics, including the results of the self-assessment of internal controls, with the purpose of ensuring proper monitoring of the quality of the financial reporting. The Group CFO reports specifically on risk metrics, self-assessment outcomes and other activities related to the management of financial reporting risk to the BAC on a quarterly basis.
An independent risk control function resides in the second line of defence and is responsible for identifying, controlling and reporting on financial reporting risk. In addition, GIA provides the Board with an assessment of the overall effectiveness of the governance, risk management and control processes throughout the organisation, including financial reporting.
The Board, the BAC, the BRIC, the BOSC, Group Risk, Group Compliance and GIA have important roles with respect to governance and oversight of the internal control of financial reporting at the Nordea Group. For further information, see “Work of the Board of Directors”, “Board Audit Committee (4)”, “Board Risk Committee (5)”, “Board Operations and Sustainability Committee (7)”, “Group Risk (9)”, “Group Compliance (10)” and “Group Internal Audit (11)” in the Annual report.