Internal control

Internal control is a continuous process implemented by the management and other personnel with the aim of providing reasonable assurance of the achievement of targets related to functions, reporting and compliance. It consists of continuous advance guidance and retrospective assurance tasks and functions, which seek to ensure high-quality operations and compliance with guidelines and regulations. These actions apply to all operations, including outsourced services. 

At OP Financial Group, OP Cooperative’s Board of Directors confirms the Group-level principles of internal control that are observed by all OP Financial Group entities, including OP Corporate Bank. 

At OP Financial Group, internal control involves all of the internal guidance exercised to ensure that operations are directed towards targets. It includes all of the operating methods intended to ensure high-quality leadership, risk prevention and management, operational development, the assessment of profitability, accurate reporting and regulatory compliance in operations. Internal control seeks to ensure that the management lays the foundations for high-quality operations. 

The roles and responsibilities related to internal control and risk management are arranged into three lines of defence. The first line of defence, the business and centralised functions, are the risk owners. Therefore, they are responsible for compliance with the principles of the confirmed risk management framework – the risk limits and moderate risk appetite – as well as the principles of internal control. 

The second line of defence, the functions independent of the business, is responsible for maintaining the internal control framework and for monitoring the implementation of the related policies and procedures. The central cooperative’s Risk Management is responsible for OP Financial Group’s risk management framework, assessment, monitoring and reporting. The central cooperative’s Compliance is responsible for monitoring and ensuring compliance with internal and external rules throughout the organisation, as well as the process for managing compliance risks. 

The third line of defence, the central cooperative’s Internal Audit, which is independent of the business and the second line of defence, performs independent internal audit activities directed at governance, risk management and control processes and reports to the Group entities’ boards of directors and other management. Furthermore, external auditors ensure the effectiveness of internal control. 

Every line of defence is responsible for the organisation, adequacy and implementation of the internal control of its own activities. In the central cooperative’s governance, the Audit Committee of the Board of Directors, in particular, has a major role in ensuring that internal control performs effectively and in compliance with regulation. Internal control observations, recommendations given to the business line/division concerned and the progress of the implementation of such recommendations are reported to the Committee on a regular basis. 

OP Corporate Bank’s Board of Directors is tasked with ensuring that internal control is duly organised, taking account of the Group-wide internal control principles and the supplementary central cooperative guidelines. The company’s CEO and senior management are responsible for ensuring internal control in practice and that duties are duly segregated. 

Internal control is complemented by the opportunity of anyone employed by an OP Financial Group entity to report through an independent channel if they suspect that rules or regulations have been violated (whistleblowing). The channel is also available to parties outside of OP Financial Group.

 

Compliance

Managing compliance risks forms part of internal control and good corporate governance and, as such, forms an integral part of business management and corporate culture. Almost all activities involve compliance risk, and responsibility for managing those risks lies with the business lines/divisions. OP Corporate Bank has a designated senior compliance officer who belongs to the compliance organisation of OP Financial Group. The senior compliance officer reports to the company’s Board of Directors. The senior compliance officer is supported by designated compliance officers who together with the central cooperative’s compliance officers assist executive management and senior management and the business lines/divisions in the management of risks associated with regulatory noncompliance, supervise regulatory compliance and, for their part, develop internal control. 

Compliance ensures that regulations are complied with and implemented mainly by performing compliance supervision, by drawing up compliance risk assessments and by participating in regulatory management groups and the risk assessment of operating models related to new products and services. Compliance activities, compliance observations and the related recommendations issued to the business lines/divisions are subject to regular reporting to OP Corporate Bank plc’s Board of Directors and OP Financial Group’s Compliance organisation. Compliance activities must also be reported to OP Cooperative’s Executive Management Team and to the Risk Committee of the Board of Directors as part of OP Financial Group-level reporting.

One of the strategic priorities of OP Financial Group is to strengthen the risk management and compliance culture. In 2023, Compliance updated OP Corporate Bank’s compliance risk assessment and ML, TF and sanctions risk assessments, which are key tools in the risk-based targeting of compliance supervision and compliance support provided to business divisions. In addition, Compliance continued to further develop its tools, improved the system support for the management of OP Financial Group's guidelines and continued to utilise data analytics as part of the compliance risk assessment and controls. Compliance increased its human resources during the year.

The Compliance organisation annually draws up a compliance action plan which is discussed and confirmed by OP Corporate Bank’s Board of Directors with respect to the company. The Board of Directors also deals with the principles and instructions governing compliance. OP Financial Group’s Compliance organisation also controls OP Corporate Bank’s compliance activities. 

Compliance is aimed at preventing the materialisation of compliance risks. To this end, the Compliance organisation shall, for example:

  • prepare and maintain guidelines on key matters related to practices 
  • advise employees on, and train them in, matters related to practices 
  • support the business lines/divisions in the planning of development measures promoting internal control and the management of compliance risks 
  • keep executive and senior management and the business informed of upcoming regulatory changes and monitor the business’s preparation for regulatory changes 
  • supervise compliance within OP Corporate Bank Group with the current regulatory framework, ethical practices and internal guidelines related to practices and
  • regularly report to executive and senior management on recommendations given to the business, the results of control and other observations related to compliance risk exposure.

 

Risk management

OP Corporate Bank’s independent Risk Management function forms part of OP Financial Group’s centralised Risk Management in organisational terms. At OP Financial Group, OP Cooperative’s Board of Directors is the most important decision-making body for duties related to risk management. OP Cooperative’s Supervisory Council confirms the decisions by the Board of Directors that apply to OP Financial Group’s risk appetite. The Risk Committee of the Board of Directors assists the Board in performing duties related to risk-taking and risk management. Based on a decision by the President and Group Chief Executive Officer, the Executive Management Team has set up a Risk Management Committee, Steering and Compliance Committee and Banking ALM Committee. These committees approve instructions and policy descriptions specifying the Risk Appetite Statement and the Risk Appetite Framework. The risk management-related tasks of various bodies are described in more detail in their respective charters.

The principles for the arrangement of OP Financial Group’s risk management set by OP Cooperative’s Board of Directors and prepared by OP Cooperative’s senior management are as follows:

  • Strategy and OP Financial Group's RAS: Senior management prepares business divisions’ strategic choices that, in terms of risk-taking, are based on OP Financial Group’s Risk Appetite Statement (RAS), confirmed by OP Cooperative’s Supervisory Council. The Risk Appetite Statement outlines and gives grounds for what risks each business is ready to take and to what extent. Businesses are obliged to operate within the limits of these restrictions.
  • Division of responsibilities: Senior management decides on how risk-taking responsibilities are divided. The Group defines what risks different revenue logics (product and service packages) can take and any potential elaborations on what risks legal entities and various functions can take within the revenue logics.
  • Governance structures provide the basis on which key principles guide operations and the related policies, and operating instructions are appropriately prepared and resolved. In addition, governance structures provide a basis for the proper assessment and supervision of the quality, scope and complexity of each activity by expert, business-independent parties, in addition to the business’s own monitoring. Senior management must ensure the maintenance and development of sufficient resourcing and expertise for the monitoring functions of the first, second and third line of defence.
  • The Risk Appetite Framework (RAF): OP Financial Group's RAF defines the general strategic intents of the risk management process at OP Financial Group and specifies this intent by revenue logic. The guidelines set preconditions for how senior management should organise the risk management process at OP Financial Group.
  • Joint and several liability: Control of joint and several liability between the central cooperative and member cooperative banks is based on the document, Principles of corporate governance as required under joint and several liability.
  • Remuneration principles: OP Financial Group’s remuneration schemes are built in line with the Group’s mission, values and targets, ensuring regulatory compliance. Remuneration must not incentivise unnecessary risk-taking or the taking of actions against the customer’s interests. The same risk measurement methods are used in remuneration as in capital and liquidity adequacy assessment processes. In addition, any risk adjustments to be made before remuneration must be based on other risk management metrics. If these metrics are adjusted as part of risk management processes, corresponding adjustments must be made in remuneration.
  • Internal control, good business practices and corporate security: Principles of internal control, good corporate governance and good business practices and corporate security also set preconditions for practices.

The most significant areas in need of development in 2023 were: 1) increasing the predictability of the assessment of capital adequacy; 2) testing the operationalisation, valuation data and liquidity reporting of the confirmed resolution strategy and improving data quality; 3) improving the clarity and effectiveness of risk reporting; and 4) improving the discriminatory power and accuracy of credit risk measurement using new internal credit risk models.

 

Internal audit

Internal Audit of OP Cooperative (OP Corporate Bank’s parent entity), or OP Financial Group’s Internal Audit, is responsible for internal audit. Internal audit constitutes independent and objective assessment, verification and consulting activities with a view to generating added value to OP Financial Group and improving its operations. Internal Audit is headed by the Chief Audit Executive who is appointed by OP Cooperative’s Board of Directors. 

The Audit Committee of OP Cooperative’s Board of Directors confirms the Internal Audit action plan, and OP Corporate Bank’s Board of Directors confirms the part of the action plan related to the company. Internal Audit reports its observations and recommendations as well as the implementation of the recommendations to OP Corporate Bank’s Board of Directors, the management of the auditable entity, OP Cooperative’s Executive Management Team and the Audit Committee of the Board of Directors. 

In its operations, Internal Audit complies with the Internal Audit Charter confirmed by the Board of Directors and the International Standards for the Professional Practice of Internal Auditing confirmed by the Institute of Internal Auditors (IIA). Internal audit performance is subject to external quality assessment every five years. 

OP Corporate Bank’s Board of Directors confirmed the internal audit action plan for 2023. In addition to audits directly targeted at the company, internal audit has been performed indirectly as part of audits applying to the centralised functions of OP Financial Group. The audits were prioritised and targeted on a risk basis by taking account of OP Financial Group’s strategic targets, regulatory requirements and Internal Audit priorities. During 2023, the audits especially focused, for example, on credit risk management and data management.