Internal control and risk management

The systems for internal control and risk management of financial reporting are designed to provide reasonable assurance about the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles, applicable laws and regulations, and other requirements for listed companies. The internal control and risk management activities are included in Nordea’s planning and resource allocation processes. Internal control and risk management of financial reporting at Nordea can be described in accordance with the COSO Framework as follows.

Control environment

The control environment constitutes the basis for Nordea’s internal control and centres around the culture and values established by the Board of Directors and Group Executive Management, and the organisational structure, with clear roles and responsibilities.

A clear and transparent organisational structure is of importance for the control environment. Nordea’s business structure aims to support the overall strategy, ensuring strong business momentum and meeting increased requirements on capital and liquidity. The business and the organisation are under continuous development. 

Clear roles and responsibilities are critical in the governance of Internal Control over Financial Reporting, where the risk owners in the business areas and Group Finance & Business Control are responsible for the risk management activities. A risk management function supports the CFO in maintaining a Group-wide set of controls (in Nordea defined as Accounting Key Controls (AKC)), in line with the risk framework, which covers the controlling of risks and the risk identification process, which is to a large extent based on the actual business and financial closing processes in place. An independent risk control function that is responsible for identifying, controlling and reporting on financial reporting risk has been established in Group Risk Management and Control (GRMC). In addition, the internal audit function provides the Board of Directors with an assessment of the overall effectiveness of the governance, risk management and control processes.

Source: Annual Report 2016  
Updated: February 2017

Risk assessment

The Board of Directors bears ultimate responsibility for limiting and monitoring Nordea’s risk exposure. Risk management is considered to be an integral part of running the business, and the main responsibility for performing risk assessments regarding financial reporting risks lies with the business organisation. Performing risk assessments close to the business increases the possibility of identifying the most relevant risks. In order to govern the quality, central functions stipulate in governing documents when and how these assessments are to be performed. Examples of risk assessments, performed at least annually, are the Quality and Risk Analysis for changes and Risk and Control Self-Assessment.

Risk assessment in relation to reliable financial reporting involves the identification and analysis of risks of material misstatements. Financial risk control work in Nordea focuses on risks and processes which could lead to material financial misstatements, i.e. if, in the light of surrounding circumstances, the magnitude of the item is such that it is probable that the judgment of a reasonable person relying upon the report would have been changed or influenced by the inclusion or correction of the item. Structured risk assessment procedures determine in which divisions, locations and/or processes risks for material financial misstatements exist and therefore need to be monitored under the Accounting Key Control (AKC) framework to ensure reasonable assurance of the reliability of Nordea’s external financial reporting.

Control activities

The heads of the respective units are primarily responsible for managing risks associated with the units’ operations and financial reporting processes. This responsibility is primarily supported by the Group Accounting Manual (GAM), the Financial Control Principles and various governing bodies, such as the Group Valuation Committee. The GAM includes a standard reporting package used by all entities to ensure consistent use of Nordea’s principles and coordinated financial reporting. Fundamental internal control principles at Nordea are segregation of duties and the four-eyes principle when approving, for instance, transactions and authorisations.

The AKC framework is based on Transaction Level Controls (TLC) that are identified through analysing risks based on high-level processes with an end-to-end product focus. After deciding on the TLCs, an analysis is performed to determine what systems/applications are in scope for AKCs where specific IT General Controls are governed. The analysis aims at scoping in the major systems where there is a risk that data could become corrupt without this being detected in the TLC control structure.

The quality assurance vested in the management reporting process, where detailed analysis of the financial outcome is performed, constitutes one of the most important control mechanisms associated with the reporting process. The reconciliations constitute another set of important controls where Nordea works continuously to further strengthen the quality.

See the illustration of Control activities

Information and communication

Group Finance & Business Control is responsible for ensuring that the Group Accounting Manual and the Financial Control Principles are up-to-date and that changes are communicated to the responsible units. These governing documents are broken down into guidelines and standard operating procedures in the responsible units. Accounting specialists from Group Finance & Business Control provide accountants and controllers with information on changes in order to inform them of existing and updated rules and regulations with an impact on Nordea.

Nordea interacts with relevant subject-matter experts to ensure fulfilment of financial reporting objectives. Nordea actively participates in relevant national forums, for example forums established by the Financial Supervisory Authorities, Central Banks and associations for financial institutions.

The AKC reporting procedures provide management at different levels in the organisation with information related to the performance and assessment of the identified AKCs in the form of Process Owner reports and Management Dashboard reports with a summarised assessment of the outcome and any high risk areas.

Monitoring

Nordea has established a process with the purpose of ensuring a proper monitoring of the quality of the financial reporting and the follow-up regarding possible deficiencies. This interactive process aims to cover all COSO-components in the Framework and is illustrated in this diagram.

The Risk and Control Self-Assessment process includes monitoring the quality of internal control for financial reporting. The assessment is presented in the annual Group Operational and Compliance Risk Map, which is submitted to the CEO in Group Executive Management, the Board Risk Committee and the Board of Directors.

The Board of Directors, the Board Audit Committee, the Board Risk Committee and Group Internal Audit have important roles in respect to overseeing and monitoring the internal control of financial reporting at Nordea Group. Further information is presented here. 

The work of the Board of Directors | Board Audit Committee | Board Risk Committee | Group Internal Audit

Group Finance & Business Control has also established specific quarterly reporting regarding Internal Control over Financial Reporting to the Group CFO covering risk management and high risk areas. The independent risk control function within GRMC reports specifically on financial reporting risk to the Board Audit Committee and the CEO in Group Executive Management on a quarterly basis.
