Risk management and internal audit

Evli’s values, and its policy of transparent and appropriate communications, support the company’s operational integrity and high ethical standards. The company’s organizational structure, clearly established responsibilities and authorizations, and its competent staff support the planning, execution, control and monitoring of business operations in a manner that facilitates the achievement of the set objectives.

Risk management refers to those actions aimed at systematically surveying, identifying, analyzing and preventing risks.

The objectives of risk management:

  • Ensure that the company’s assets are sufficient in relation to its risk positions
  • Ensure that financial results and valuations remain within the confirmed objectives and limits
  • Ensure that risks are priced correctly, so that profitability is sustainable
  • Support the uninterrupted implementation of the Group’s strategy and income generation.

Evli Bank defines risk as an event or series of events that jeopardize the company’s income generation over the short or long term.

Evli Bank’s Board of Directors is primarily responsible for the Evli Group’s risk management, and confirms the risk management policies, the Group's risk limits and other guidelines governing how risk management and internal oversight is to be organized. The Board has also set up a credit and asset liability committee (Credalco) that briefs it on risk-taking matters.

In addition to the general risk management policies, the Evli Group’s risk management is founded on the “three lines of defence” model.

Internal Audit's and Risk Management's lines of defence

First line of defence – the business units

Risk management is part of internal control, and therefore the responsibility for executing risk management measures lies first with the business units, as the first line of defence. The managers of the business units are responsible for ensuring that risk management is at a sufficient level in each respective unit. The tasks of the business units are to:

  • Build the processes and competence for risk management and internal audit
  • Identify and analyze risks
  • Make decisions on risk management by means of various protection measures.

Second line of defence – Compliance and Risk Management operations

The second line of defence comprises the independent Compliance and Risk Management operations, whose primary task is to develop, maintain and oversee the general principles and framework of risk management.

The Risk Management unit oversees daily operations and compliance with the risk limits granted to the business units, as well as compliance with risk-taking policies and guidelines. Risk Management reports on the Evli Group’s overall risk position to the Board and the Executive Group each month.

The Compliance function is responsible for ensuring that all of the Evli Group’s operations comply with the rules. It does this by supporting operating management and the business units in applying the provisions of the law, official regulations and internal guidelines, and in identifying, managing and reporting on any risks of insufficient compliance with the rules, in accordance with the separate compliance policy and monitoring plan confirmed by Evli Bank’s Board of Directors. The Compliance function reports regularly to Evli Bank’s Board via the Audit Committee, and also to operating management.

Third line of defence – internal audits

The third line of defence is internal audit. Internal audit is a support function for the Board of Directors and senior management that is independent of the business functions. It is administratively subordinate to the CEO and reports to the CEO and, via the Audit Committee, to the Board of Evli Bank.

Internal audit assesses the functioning of the Evli Group’s internal control system, the appropriateness and efficiency of its functions, and compliance with instructions. It does this by means of inspections based on the internal audit action plan adopted annually by the Audit Committee of the Board of Evli Bank.

Internal audit follows not only the internal audit guidelines, but also the internationally acknowledged framework of professional practices (The Institute of Internal Auditors) and corresponding guidelines on information systems audit standards (The Information Systems Audit and Control Association).

Updated: March 19, 2018