Principles of corporate governance, organisational design and risk management

Paper for internal auditors in the financial sector
Royal Netherlands Institute of Chartered Accountants
December 2015

This paper has been drawn up by a working group of IIA Netherlands and the Members Group of Internal and Government Auditors of the Royal Netherlands Institute of Chartered Accountants (NBA), consisting of the following people:

John Bendermacher, ABN AMRO Bank
Reinout Hoogendoorn, Nederlandse Waterschapsbank
René de Jong, Bank Nederlandse Gemeenten
Gertjan Langelaan, Van Lanschot Bankiers
Hans Moison, Great Too
Leen van der Plas, ING Bank
Vincent Wanders, Compliant & More

December 2015

Contents

1 Preface
2 Introduction to the principles
3 Responsibilities of the company
  3.1 Determining the mission, core values, strategy and policy
  3.2 Design of corporate governance, organisation and risk management
  3.3 Accountability
4 Corporate governance
  4.1 Executive Board
  4.2 Supervisory Board
5 Organisational design and risk management
  5.1 Measures for organisational design and risk management
  5.2 Primary business processes
  5.3 Risk management function and compliance function
  5.4 Internal audit function
6 Reporting
Footnotes

1. Preface

Companies in the Dutch financial sector have to comply with a wide range of requirements, which include regulations in the areas of corporate governance, organisational design and risk management: domestic laws and regulations, laws and regulations for the regulation of certain industries, and corporate governance codes. These requirements are often detailed, address specific areas, and are aimed at specific types of companies. The level of insight into these requirements, and compliance with them, can be increased by creating a compact, accessible and broadly applicable overview of the principles of corporate governance, organisational design and risk management.

It would be impossible to formulate requirements that apply to all financial companies, as the activities, size, complexity, risk profile and public interest of the various companies are too diverse. Nonetheless, there are many general principles that have been found to apply to many financial companies. The principles of corporate governance, organisational design and risk management included in this paper represent an attempt to formulate such a set of general principles. In this way, IIA Netherlands (IIA NL) and the NBA's Members Group of Internal and Government Auditors (NBA LIO) want to provide internal auditors with clear principles for audits of governance, risk management and control processes. These principles should be translated into a tailored reference framework based on the specific situation.

The principles are not based on a specific model or on particular assumptions or paradigms, but on the largest common denominator of the laws and regulations, other requirements, theories and concepts applying to the relevant companies. In specific circumstances, it will have to be determined whether laws and regulations or other requirements go beyond these principles or have to be applied more strictly than them. If that is the case, those requirements will prevail over these principles.

The principles are listed below, each followed by an explanation or further details.

2. Introduction to the principles

2.1 The principles describe, at a high level of abstraction, the requirements that can reasonably be imposed on financial companies 1 for the mentioned sub-aspects 2. The principles can be elaborated in further detail, but that impedes the extent to which they can be applied. In practice, a tailored and flexible approach is required. While a high level of abstraction means that the principles are formulated in an open way, that should not lead in practice to an insufficiently strict interpretation and application of the principles. The principles are limited to the mentioned sub-aspects and do not relate to other aspects of operational management.

2.2 The principles are applicable to most financial companies based on the proportionality principle. Most of the principles are applicable to all financial companies without any limitation. In a number of cases, based on the nature, size, activities and complexity of the company, it can be concluded that not all principles have to be complied with. If no legal or regulatory requirements are concerned, a company may then deviate from the principles, provided that it explains its reasons for doing so.

2.3 The principles have been drawn up by the Institute of Internal Auditors Netherlands and the NBA's Members Group of Internal and Government Auditors. The aim of the principles is to provide auditors with a clear reference framework for audits of governance, risk management and control processes; they don't replace laws and regulations or existing codes. The principles should be applied in a tailored and flexible way.

3. Responsibilities of the company

3.1 Determining the mission, core values, strategy and policy

3.1.1 The company determines its mission, core values and strategy and documents these in a systematic, clear and accessible way. This includes the desired culture, the accompanying required behaviour and the company's risk appetite.

Having a clear mission in place, responsible core values and a clear strategy resulting in an effective policy creates the prerequisites for the operational management and the achievement of the business objectives. In order to encourage and motivate personnel and other parties involved, it's important to adequately document and communicate these prerequisites. Creating and enforcing the right culture ('tone at the top') and appropriate behaviour is vital. Applying hard organisational controls alone is insufficient. The organisation's risk appetite should be clearly defined to prevent opportunistic organisational management. The risk appetite is approved in advance by the Supervisory Board.

3.1.2 The company considers in a balanced way the interests of the persons and organisations involved in the company.

A company is at the heart of society. The company should prevent a situation where the short-term (financial) interests of the company, its shareholders, Executive Board or personnel play a dominant role in decision-making. To this end, the company should explicitly document how and to what extent it considers the interests of all parties involved in the decision-making and how it weighs them up, and should document the risks and the balancing of these interests. This includes society 4, clients 5, business relations, personnel, capital providers 6, tax authorities and regulators. The extent to which the company's Executive Board and personnel adhere to these principles plays an important role in their performance assessment and remuneration.

3.1.3 Partly based on changing environmental factors, the company regularly 7 assesses its strategy and policy, adjusting it if necessary or considered advisable. To this end, careful (authorisation) procedures are applied.

Companies can run into problems or topple over because they don't adapt quickly enough to changing factors in their environment. Even when a company has a strong market position and is posting good results, it's vital to stay alert to changes, including earning models, products and services reaching the end of their lifecycle, and new earning models, products and services that are on the horizon or should be developed. Companies should have the flexibility and adaptability to anticipate these changes.

3.1.4 The company's mission, core values, policy and policy adjustments are effectively and efficiently translated into the design of its corporate governance, organisation, risk management, business plans and budgets.

The mission, core values and strategy should be effectuated in concrete terms. The principles, which may be of an abstract nature, are translated into detailed, concrete organisational measures, objectives and procedures. Reports on the daily operations should provide insight into whether or not, and to what extent, the principles and objectives as defined in general terms in the organisation's formulated mission have been fulfilled. There should be a verifiable relationship between the mission, core values, strategy and policy and the concrete medium-term objectives, plans and budgets. The company should also translate the mission and core values into clear objectives in terms of the interests of clients and corporate social responsibility.

3.2 Design of corporate governance, organisation and risk management

3.2.1 The company designs its corporate governance, organisation and risk management on the basis of its mission, core values, strategy and policy.

The mission, core values, strategy and policy should provide a sufficient basis for the design of the corporate governance, organisation and risk management. In detailing this, the company should explain clearly and in concrete terms how the design relates to the principles.

3.2.2 The corporate governance, organisational design and risk management contribute optimally to the achievement of the strategy and policy.

In designing their corporate governance, organisation and risk management, companies are faced with choices, as there are many alternatives available. In choosing between the available economically sound solutions, the company should choose the option that contributes most effectively to the achievement of its strategy and policy.

3.2.3 In designing its corporate governance, organisation and risk management, the company also focuses on controlling the business risks and ensuring ethical behaviour.

The dynamics of daily operational management may create a certain degree of opportunism when seemingly attractive business propositions arise. It's vital to continuously monitor that the careful considerations made in determining the values underlying the risk management (risk appetite) and ethical behaviour are adhered to. Any deviations from these considerations may be approved only after they have been carefully weighed up, and they should be documented.

3.2.4 The company translates its corporate governance, organisational design and risk management framework into an integrated system of governance, risk management and process control.

A sound, integrated system of controls is vital for monitoring and controlling the operational management and for producing clear and verifiable management information. This information is necessary to enable the company to guide, evaluate, adjust and account for its operational management.

3.2.5 The design of the decision-making processes ensures there is sufficient counterweight within the company.

To enable responsible decision-making, organisations need to have some counterweight. This counterweight can come from multiple levels and positions within and outside of the organisation. The added value of this counterweight lies in the specific perspectives and interests of each of the parties involved. The effectiveness of the counterweight largely depends on the competencies of the persons involved. Prior to important decisions, a risk analysis should be performed to determine whether this requirement is sufficiently met.

3.2.6 The company documents its corporate governance, organisational design, risk management and administrative procedures and measures in a systematic, clear and accessible way by means of a framework for the control of its operational management.

By having a framework for the control of its operational management, a company works towards the achievement of its objectives in a structured and controlled way and can demonstrate this to the public, its clients, business relations, personnel, capital providers and regulators. Risks should be adequately monitored and controlled to ensure that they don't exceed the risk appetite framework. This way, the risk of any financial fallout and reputational damage will remain within the acceptable limits set by the company.

3.2.7 The company regularly assesses its corporate governance, organisational design and risk management, adjusting it if necessary or considered advisable.

To be able to remain successful, companies should constantly assess and improve their organisation. To ensure a constant focus on this, the organisation should have an embedded cyclical process of continuous improvement. This involves monitoring the design and operating effectiveness of the framework for the control of the operational management across all levels of the organisation 8.

3.3 Accountability

3.3.1 The company reports to the individuals and organisations involved in the company. This includes society, clients, business relations, personnel, capital providers and regulators.

A company should report not only to its providers of venture capital and creditors, but also to the personnel relying on the company for their income, or to their works council or trade union representatives. The company's social responsibility also extends to parties that have a less direct relationship to the company or are not directly dependent on it. The company should meet the responsibility this creates, in addition to its formal external reporting requirements. The accountability entails an integrated set of reports containing financial and non-financial information. This includes specific statements by the company's Executive Board on the control of the operational management 9, compliance with rules and codes of conduct, and acting in accordance with statutory requirements or requirements set by regulators.

4. Corporate governance

4.1 Executive Board

4.1.1 The company's Executive Board is responsible for the company, its mission, core values, strategy, policy, corporate governance, organisational design and risk management.

The formal responsibility and liability of the executive directors is defined by the statutory requirements for legal entities and other applicable laws and regulations. Corporate governance codes and other codes of conduct may also be relevant. The company should analyse the applicable laws and regulations and codes of conduct and incorporate the relevant provisions in the administrative regulations of the Executive Board.

4.1.2 The composition of the Executive Board appropriately reflects the experience and expertise which the Executive Board as a whole needs to possess to adequately fulfil its managerial task.

The number of Executive Board members, their diversity and complementarity, and the experience and expertise of the individual Board members should be appropriate and suited to the task of the Executive Board as a whole. The executive directors should be sufficiently available to perform their duties. The position of executive director should generally be a full-time position.

4.1.3 The Executive Board determines its allocation of tasks and working methods and documents this in its administrative regulations.

Agreeing on and documenting the allocation of tasks and working methods ensures there is clarity about what is expected of the individual Executive Board members, not only within the Executive Board, but also for the company and for the Supervisory Board. The allocation of tasks and the working method should be tailored as much as possible to the responsibility of the Executive Board as a whole, the organisational structure and the segregation of duties within the organisation. The Executive Board should have a chairman.

4.1.4 Within the Executive Board, there should be segregation of duties between the responsibility for risk management, for the financial function and for the commercial function 10.

The dynamics of daily operational management may create a certain degree of opportunism when seemingly attractive business propositions arise. It's vital to continuously monitor that the careful considerations made in determining the values underlying the risk management (risk appetite) and ethical behaviour are adhered to. Therefore, there should always be a segregation of duties within the Executive Board between the responsibility for risk management and the financial function on the one hand and the responsibility for the commercial function on the other. Financial companies have a higher risk profile and are of major public interest.

This means that there should also be a segregation of duties within the Executive Board between the responsibility for risk management and the responsibility for the financial function.

4.1.5 The Executive Board communicates the company's mission, strategy, policy, culture, standards and values, including by setting the right example.

It's not inconceivable for an organisation to lose sight of its carefully formulated principles due to the daily dynamics, leading its management and personnel to no longer behave, or at least not always or not entirely, in line with these principles. As a result, the organisation may drift off course and no longer operate coherently. It's essential to continuously bring the mission, core values, strategy, policy, culture, standards and values to the attention of the Executive Board and the personnel through codes of conduct, education and training, the provision of information, and during daily work activities.

4.1.6 The Executive Board avoids all (perceived or actual) conflicts of interest due to private interests conflicting with the company's business interests.

There should be no doubt whatsoever that the Executive Board acts exclusively in the interest of the company and the parties involved in it, and within the limits of the applicable laws and regulations. Executive directors should be accountable for setting the right example, which goes beyond the codified agreements on avoiding conflicts of interest. To this end, rules (a ban or a requirement for prior approval) should be laid down on extending financing to executive directors, other transactions with executive directors, and private investments and outside activities of executive directors. The executive directors should confirm at least once a year to the compliance function or the Supervisory Board that they have acted and will continue to act in accordance with the applicable rules.

4.1.7 The Executive Board provides the Supervisory Board with timely information relevant to the performance of the Supervisory Board's tasks.

The ability of the Supervisory Board to adequately perform its tasks depends partly on the information provided by the Executive Board. This information should be provided in a timely manner, well in advance of Supervisory Board meetings and ad hoc if necessary. The information should be accessible (clear and informative, correctly aggregated) and complete, but limited to what is necessary for the adequate performance of the Supervisory Board's tasks. If considered advisable, the Supervisory Board may ask the internal audit function to perform an audit of the reliability and relevance of the information provided.

4.1.8 The Executive Board holds regular meetings, which are documented in minutes.

The frequency of the meetings should be appropriate to the company's activities and the developments and risks that occur. The minutes should at least specify who was present at the meeting, who was not present, the agenda, the follow-up given to the action points from the previous meeting, the key considerations that have led to decisions, the decisions, and

the new action points. For each topic, it should be stated which executive director made a contribution and in what way. The minutes should show whether the decision-making involved sufficient debate and counterweight.

4.1.9 The Executive Board participates in a tailored continuous education programme that covers all relevant aspects of its managerial task.

The continuous education programme should be tailored to the specific needs of the Executive Board and the organisation and should cover topics relevant to the industry in which the company operates, macroeconomic developments, laws and regulations, compliance, risk management, IT, personnel matters, etc. The programme should preferably be hosted by experts from within and outside of the organisation.

4.2 Supervisory Board

4.2.1 The Supervisory Board is responsible for supervising the company as a whole and the Executive Board, including the appointment and dismissal of executive directors. The Supervisory Board represents the interests of all stakeholders in a balanced way.

The formal responsibility and liability of the supervisory directors is defined by the statutory requirements for legal entities and other applicable laws and regulations. Corporate governance codes and other codes of conduct may also be relevant. The company should analyse the applicable laws and regulations and codes of conduct and incorporate the relevant provisions in the administrative regulations of the Supervisory Board. To safeguard their independence, the supervisory directors should not have any financial interests in the company.

4.2.2 The composition of the Supervisory Board appropriately reflects the experience and expertise which the Supervisory Board as a whole needs to possess to adequately fulfil its supervisory task.

The number of Supervisory Board members, their diversity and complementarity, and the experience and expertise of the individual Board members should be appropriate and suited to its supervisory task 11. The supervisory directors should be sufficiently available to perform their duties. The Supervisory Board should stipulate a fixed number of Board members (this must be at least three) and limitations to the nature and number of outside Supervisory and Executive Board memberships that the supervisory directors may fulfil. The Supervisory Board should exercise restraint when it comes to appointing former executive directors as members of the Supervisory Board, and should observe a cooling-off period if necessary. The chairman of the Supervisory Board may not be a former executive director of the company.

4.2.3 The Supervisory Board determines its allocation of tasks and working methods and documents this in its administrative regulations.

Agreeing on and documenting the allocation of tasks and working methods ensures clarity about what is expected of the individual supervisory directors, not only for the directors themselves but also for the Executive Board, the shareholders and other stakeholders. The allocation of tasks and the working method should be tailored as much as possible to the responsibility of the Supervisory Board as a whole. The Supervisory Board should have a chairman.

4.2.4 The Supervisory Board may 12 appoint committees from among its members to focus on specific issues, such as a corporate governance committee 13, audit committee 14, risk committee 15, appointments committee 16 and remuneration committee 17. These committees review specific topics in depth, inform the Supervisory Board about these topics, make proposals to the Supervisory Board, and handle the preparations for the Supervisory Board's decision-making.

The appointment of committees for specific reasons should reflect the fact that certain topics require more specialised attention. These topics should be reviewed in depth within these committees. The committees should meet as often as necessary. The committees may gather information from specialists and may invite them to their meetings, such as employees of the company, executive directors, the actuary, the auditor, or third parties.

4.2.5 The Supervisory Board holds regular meetings, which are documented in minutes and in the Supervisory Board's report as included in the external reporting.

The frequency of the meetings should be appropriate to the company's activities and the developments and risks that occur. The minutes should at least specify who was present at the meeting, who was not present, the agenda, the follow-up given to the action points from the previous meeting, the key considerations that have led to decisions, the decisions, and the new action points. For each topic, it should be stated which supervisory director made a contribution and in what way.

4.2.6 The Supervisory Board, or the audit committee appointed from among its members, is involved in the decisions regarding the appointment, assessment, remuneration and dismissal of the management of the internal audit function.

The internal audit function should be independent and the internal auditors should be objective in performing their activities. To ensure this and remove any impediments to it, any decisions by the Executive Board on the appointment, assessment, remuneration or dismissal of the management of the internal audit function should be subject to the approval of the Supervisory Board or audit committee.

4.2.7 The Supervisory Board participates in a tailored continuous education programme that covers all relevant aspects of its supervisory task.

The continuous education programme should be tailored to the specific needs of the Supervisory Board and should cover topics relevant to the industry in which the company operates, macroeconomic developments, laws and regulations, compliance, risk management, IT, personnel matters, etc. The programme should preferably be hosted by experts from within and outside of the organisation.

4.2.8 The Supervisory Board evaluates its own performance and that of the committees appointed from among its members at least once a year.

The purpose of this evaluation is to critically assess its performance. The evaluation may facilitate the Supervisory Board's performance of its duties and may contribute to the right choices being made for appointments and reappointments. The evaluations should preferably be performed periodically by an independent party from outside of the organisation.

5. Organisational design and risk management

5.1 Measures for organisational design and risk management

General principles

5.1.1 The measures for the organisational design and risk management are tailored to the nature, size, activities and complexity of the company. This should include measures regarding the culture and behaviour, the appointment, remuneration and assessment of personnel, the allocation of duties and tasks, codes of conduct, risk committees, information and communication, three lines of defence, and emergency management measures.

The organisational design and risk management should not be based exclusively on one or a few of these aspects, as that provides insufficient guarantees for the operating effectiveness of the controls. There should be an integrated framework for the control of the operational management. This can be sufficiently assured only if the company adopts an approach that embeds all the aspects in its organisation through the complementarity of the measures.

5.1.2 The company has an adequate management cycle, including regular reporting and analysis, that leads to adjustments if necessary.

The management cycle is the process of (strategic) planning, implementing, adjusting and reporting. The management cycle is the basis for the company's internal control and external reporting. The management cycle should generally include the following or comparable steps:

Determining the strategic options;
Analysing the strengths, weaknesses, opportunities and threats;
Multi-annual plan and budget;
Annual plan and budget;
Operational implementation and management;
Monitoring and testing;
Reports and analyses; and
Market and competitor comparison.

Necessary adjustments should be made at strategic level (managerial, such as mission, core values, strategy and policy), tactical level (management control, such as multi-annual plans and budgets) and operational level (process control, such as annual plans, budget, forecast, monitoring, testing and reporting).

5.1.3 The company encourages the right culture and proper behaviour through the Executive Board and management setting the right example. Properly operating soft controls and behavioural controls are an essential part of the framework for the control of the operational management. Culture and behaviour are included in the assessment criteria for the Executive Board and personnel and in the remuneration policy.

So-called hard controls are not always sufficiently effective if they are not supported by the right culture and proper behaviour. To this end, a distinction is often made between formal and informal controls. Informal controls relate to the behaviour of the Executive Board and personnel and are also referred to as soft controls. These should be embedded in the organisation and the daily processes. The company should raise awareness of the importance of internal control, for example through training programmes. The operating effectiveness of the controls should be monitored and reported on within the organisation. The remuneration policy should be approved in advance by the Supervisory Board.

5.1.4 The company has an independent confidential hotline 18 where personnel, clients, business relations and third parties can report any potentially illegal, unethical or unprofessional behaviour. There is a segregation of duties between this hotline and the relevant departments or employees. The Executive Board and Supervisory Board are regularly informed about the number and nature of the complaints reported to the hotline.

Such a hotline makes a preventive and repressive contribution to enforcing the right culture and proper behaviour. The reported complaints should be handled promptly and adequately and brought to the attention of the Executive Board so that corrective action can be taken if necessary. This may involve not only adjusting procedures and measures but also sanctioning individuals. The privacy of the person reporting the complaint (the whistleblower) should be protected through confidentiality.

Personnel

5.1.5 The company defines clear job profiles and competency criteria for its key positions (per job group or per job) and hires personnel that meet these profiles and criteria.

The company should hire personnel with the right qualifications (education, experience, competencies) for the right positions so as to fulfil its capacity needs. The employees should be motivated to achieve the business objectives and thereby meet the expectations of the parties involved.

5.1.6 Employee performance is regularly assessed based on the company's mission, core values, strategy and policy and the performance indicators for departments and individuals documented in the job profiles. The remuneration policy is tailored accordingly.

The business objectives should be clearly translated into tasks, authorisations and performance indicators for departments and individuals, so that the assessment generates reliable performance assessment outcomes. The performance and remuneration of employees should be evaluated at least once a year to encourage the desired behaviour. The remuneration arrangements should not include any perverse incentives. Restraint should be exercised in the variable remuneration, which should focus only on the achievement of the long-term business objectives. Employees in the risk management function, compliance function and internal audit function should not receive any variable remuneration that depends on the company's (financial) performance.

5.1.7 The company puts in place procedures and measures to safeguard the continuity of its critical functions.

The company should take measures to reduce any major dependence on one or a few individuals. The company should have a succession plan for its key positions, providing for the succession in the short, medium and long term of the employees in these positions.

Jobs and tasks

5.1.8 The company clearly and coherently allocates the various jobs, tasks, responsibilities and authorisations, and tailors the reporting lines accordingly. The company tailors the allocation of jobs, tasks, responsibilities and authorisations to the company's activities, the required capacity and the competency criteria.

The correct allocation of jobs, tasks, responsibilities and authorisations makes a significant contribution to the efficient and effective operation of the company. This allocation should not be static. To facilitate a company's development and the progression of talent through the ranks, it's important to have flexibility in the personnel structure. Jobs, tasks, responsibilities and authorisations should be clearly documented, up to date, and provide guidance to employees in the performance of their tasks.

Segregation of duties

5.1.9 The company applies adequate segregation of duties to ensure controlled and ethical operational management.

Having the right segregation of duties in place between individuals and departments creates opposing interests within the company, which contributes to the operating effectiveness of the controls. It's important to ensure that this division into opposing interests is not subverted by collusion or fraud.

The company applies primary segregation of duties between at least the authorisation [19], custody [20], verification [21], record-keeping [22] and operational [23] functions.

When these types of functions are performed by one and the same individual or department, the segregation of duties an organisation should aim for is non-existent. Any concessions to the principle of primary segregation of duties should be avoided as much as possible. The scope of the custody function extends beyond the physical custody of assets, and can also include monitoring the financial assets, from which no items may be withdrawn without a good reason or without authorisation. In the largely electronic environment of a modern company, this is achieved by various measures, including access rights to the data processing and data storage systems used to support and design the business processes.

When the combination of functions within one and the same department is unavoidable, secondary segregation is applied by allocating tasks to different individuals.

In small organisations, this situation cannot always be avoided. In that case, the tasks are allocated to individuals within the department who are separated by the greatest possible organisational distance. This segregation can also be achieved by applying the four-eyes principle.

Accounting, information and communication

The company has the resources and procedures to ensure the correct, timely and complete recording, processing and availability of data on the business processes and the resulting rights and obligations.

This type of data and information is vital to the operational management, risk management and management information and the associated external reporting. In today's information age, information and data communication are of critical importance for companies. Making good and timely investments in IT [24] is very important.

The company safeguards the continuous availability, reliability and integrity of data. The company takes measures to protect data against illegitimate use or misuse.

Because information is so important, companies are gathering and storing ever more data. In doing so, they must comply with the statutory data retention periods and data privacy legislation. If data are used incorrectly or end up with unauthorised parties, this can lead to reputational damage. Protecting the privacy and integrity of the data is, therefore, crucial.
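The segregation-of-duties principles set out above (primary segregation between the authorisation, custody, verification, record-keeping and operational functions, secondary segregation within a department, and the four-eyes principle) can be checked mechanically against the access rights actually granted in the systems. The Python review below is an added example, not part of the NBA/IIA paper; the inventory layout, the function names and all sample data are constructed assumptions.

```python
"""Segregation-of-duties review over an access-rights inventory.

Added example, not from the NBA/IIA paper. Per business process it checks
primary segregation (no individual holds two of the five function types),
secondary segregation (a department that combines function types spreads
them over different people) and the four-eyes principle on transactions.
The inventory layout and all data below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# The five primary function types the paper requires to be segregated.
FUNCTION_TYPES = frozenset(
    {"authorisation", "custody", "verification", "record-keeping", "operational"}
)


@dataclass(frozen=True)
class Grant:
    """One access right: a person in a department may perform one function
    type in one business process (e.g. a role in the payments system)."""
    person: str
    department: str
    process: str
    function: str


def validate_grants(grants: Iterable[Grant]) -> List[Grant]:
    """Reject unknown function types: a misspelt type would otherwise be
    treated as a sixth, harmless function and hide a conflict."""
    checked = list(grants)
    for g in checked:
        if g.function not in FUNCTION_TYPES:
            raise ValueError(f"unknown function type {g.function!r} for {g.person}")
    return checked


def primary_breaches(grants: Iterable[Grant]) -> Dict[Tuple[str, str], List[str]]:
    """Map (person, process) -> function types held, for everyone holding
    more than one type in the same process."""
    held: Dict[Tuple[str, str], set] = defaultdict(set)
    for g in grants:
        held[(g.person, g.process)].add(g.function)
    return {key: sorted(funcs) for key, funcs in held.items() if len(funcs) > 1}


def department_combinations(grants: Iterable[Grant]) -> Dict[Tuple[str, str], str]:
    """For each (department, process) that combines several function types,
    report whether secondary segregation is 'ok' (every type held by a
    different individual) or 'missing' (some individual holds two)."""
    by_dept: Dict[Tuple[str, str], List[Grant]] = defaultdict(list)
    for g in grants:
        by_dept[(g.department, g.process)].append(g)
    verdict = {}
    for key, dept_grants in by_dept.items():
        if len({g.function for g in dept_grants}) < 2:
            continue  # one function type only: nothing to segregate internally
        verdict[key] = "missing" if primary_breaches(dept_grants) else "ok"
    return verdict


def four_eyes_violations(transactions: Iterable[dict]) -> List[str]:
    """Return ids of transactions that were never approved or were approved
    by the person who prepared them."""
    bad = []
    for t in transactions:
        approver = t.get("approved_by")
        if not approver or approver == t["prepared_by"]:
            bad.append(t["id"])
    return bad


# Constructed sample inventory (not real data).
SAMPLE_GRANTS = validate_grants([
    Grant("alice", "credit-committee", "payments", "authorisation"),
    Grant("bob", "treasury", "payments", "custody"),
    Grant("carol", "accounting", "payments", "record-keeping"),
    Grant("dave", "control", "payments", "verification"),
    # erik both executes and books payments: a primary SoD breach
    Grant("erik", "ops", "payments", "operational"),
    Grant("erik", "ops", "payments", "record-keeping"),
    # small branch combining authorisation and custody in one department,
    # but split across two people: secondary segregation applied
    Grant("fiona", "branch", "lending", "authorisation"),
    Grant("gert", "branch", "lending", "custody"),
])

# Constructed sample transactions (not real data).
SAMPLE_TRANSACTIONS = [
    {"id": "T1", "prepared_by": "carol", "approved_by": "alice"},
    {"id": "T2", "prepared_by": "erik", "approved_by": "erik"},  # self-approved
    {"id": "T3", "prepared_by": "dave", "approved_by": None},    # never approved
]

if __name__ == "__main__":
    print("primary breaches:", primary_breaches(SAMPLE_GRANTS))
    print("department combinations:", department_combinations(SAMPLE_GRANTS))
    print("four-eyes violations:", four_eyes_violations(SAMPLE_TRANSACTIONS))
```

Run against a real export of role assignments, the same three functions give an auditor the list of people to re-provision, the departments where secondary segregation must be evidenced, and the transactions that bypassed the four-eyes control.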

The data are accessible and correctly, timely and fully processed into up-to-date, reliable and integrated financial and non-financial information as required for (insight into) the operational management and risk management and the associated external reporting. The information can be easily traced back to the source data.

The quality of information depends to a large extent on the quality of the data on which it is based. A structured approach is required to ensure that the quality of data and information is adequate. Such an approach should cover the gathering and analysis of data (content, structure and relationship to other data), the standardisation, formalising, updating and improvement of data, the design of a quality process, and monitoring and reporting on data quality. The information should have sufficient depth and detail and be promptly available. The quality and clarity of the data should not be in any doubt. To enable additional analysis, the individual elements of the information should be traceable to source data. The company should preferably use databases in which all entities, attributes and relationships are aggregated, with the final step being to derive the required information from these data.

The company has the necessary insight at all required levels into the state of affairs and risks at the business units, also when considered in combination, to enable it to control the business processes and risks.

To enable the company to adequately control and adjust its business processes, it should at least have up-to-date, timely and full insight into all developments, positions and risks. This requires good cooperation between the business units responsible for the primary business processes (the users of the data and information) and the business units gathering and supplying the information (such as IT, the accounting units at the various departments, and the controlling, risk management and compliance departments).

The company can promptly meet information needs by providing information that meets the applicable requirements.

The capacity and flexibility of systems and procedures should be such that, using a number of relatively simple steps, the company can meet regular and ad-hoc information requests from within the company and from third parties, such as regulators, without any concessions to data quality.

Three lines of defence

The company systematically tests and assesses its internal control. This is done by the line management (first line of defence), the business units specifically tasked with adequately controlling risks (monitoring and testing by the risk management and compliance functions as the second line of defence), and the internal audit function (third line of defence).

The three-lines-of-defence model [26] is a broadly accepted model for the design of risk management and monitoring and the allocation of risk management tasks and responsibilities. The model embeds the effectiveness of the risk management. The model is particularly suited to companies with a higher risk profile, such as financial companies.

In addition to the regular hierarchical reporting lines, the second and third lines of defence have functional reporting lines to specific risk committees, the (chairman of the) Executive Board, the audit committee or the Supervisory Board.

The operating effectiveness of the second and third lines of defence is increased if they can also report directly to the bodies responsible for supervising the day-to-day policymaking. Sometimes these reporting lines are only set up as an escalation line. This is not the preferred option, as it may impede the supply of information.

Emergency management measures

The company has a business continuity plan. This business continuity plan is regularly tested.

A business continuity plan contains measures through which the company can continue its operational management when this is jeopardised by emergencies (unavailability of personnel, company sites, utilities, IT, information, suppliers, logistics, etc.). In its business continuity plan, the company focuses on:
- Prevention;
- Alternative operational management; and
- Insurance policies.

The business continuity plan should be regularly tested to assess its effectiveness and to keep awareness among the employees at the desired level.

The company has a recovery plan.

A recovery plan contains measures through which the company can improve its business, operational management and financial position after these have suffered due to an emergency.

The company has a winding-up plan.

A winding-up plan contains measures for an orderly winding up of the company when its recovery is unlikely, so as to minimise the losses of third parties.

5.2 Primary business processes

The company has procedures and controls that safeguard the unhindered, reliable and ethical operation of its business processes.

The primary and key safeguards for the unhindered, reliable and ethical operation of the business processes are put in place in the so-called line organisation. This involves mapping the key risks and the measures through which these risks are reduced. The line organisation has the primary responsibility for identifying, flagging, monitoring and controlling risks.

The company designs procedures and controls, including for managing its business processes and business risks, monitoring the integrity of employees and clients, preventing damage to the trust in the company or the sector, and assuring the solidity of the company.

The system of control should extend beyond the correct operation of processes within the organisation. It should also prevent irresponsible positions or risks being taken by the company, the company or industry suffering reputational damage or financial losses due to undesirable behaviour of clients, or an erosion of the company's long-term profitability or solvency.

The company uses authorisation procedures, sets limits, and monitors compliance with the limits, all tailored to the nature, size, risk profile and complexity of the company's activities.

The risks can be reduced in various ways, including by putting in place a stepped authorisation procedure, using limits for positions in certain assets and counterparty exposures, and monitoring compliance with these measures.

The company regularly tests the effectiveness of the key controls within the line organisation.

The primary and key safeguards for the unhindered, reliable and ethical operation of the business processes are put in place in the line organisation. That means that the line organisation is responsible for regularly testing the effectiveness of the key controls. The second line of defence can play a facilitating and monitoring role in this. The outcome of this testing can help the management and Executive Board to form an opinion and can serve as a basis for an in-control statement, which may be issued as part of the financial reporting.

When outsourcing activities, the company ensures that these activities can be adequately controlled.

The outsourcing of activities should not lead to unacceptable business risks. The conditions for outsourcing, the responsibilities of the parties involved, the way in which risks are controlled and how this is reported should be documented in a service agreement. The company retains ultimate responsibility for the quality of the activities performed by the service organisation and should monitor this. If necessary, it should be stipulated that the company or its regulators may perform on-site audits at the service organisation.

The company has a complaints handling procedure for its clients and business relations. There is segregation of duties between this complaints handling desk and the departments or employees concerned. The Executive Board and Supervisory Board are periodically informed about the number and nature of the complaints submitted to this desk.

The complaints handling procedure makes a preventive and repressive contribution to enforcing unhindered, reliable and ethical operational management. Submitted complaints should be handled in a timely and adequate manner and brought to the attention of the Executive Board so that corrective action can be taken if necessary. This may involve not only adjusting procedures and measures but also sanctioning individuals.

5.3 Risk management function and compliance function

Risk management function

The company has an independent risk management function.

This risk management function should at least be independent of the functions that report on the company's operating and financial performance.

The risk management function monitors the operating effectiveness of risk management in the line organisation and advises on policy to optimise this risk management.

Risk management takes place primarily in the line organisation. The risk management function should regularly advise the Executive Board on the optimal design of the risk management. The risk management function should determine the risk management framework and monitor whether risk management is performed adequately.

The risk management function systematically identifies, measures and evaluates the risks to which the company is or may be exposed. To this end, the risk management function considers the risks arising from the (macroeconomic) environment in which the company operates.

The risks to which the company is exposed depend on various factors, including the nature of its activities, its size, regional diversification, and the jurisdictions in which the company operates. These risks are not static.

The risk categories and areas of attention may include:
- Strategic (e.g. macroeconomic developments, ageing populations, emerging markets, energy prices, consumer demand, market entrants, corporate social responsibility);
- Financial (e.g. liquidity, profitability, solvency, market and counterparty risk, financing costs, regulatory requirements); and
- Operational (e.g. disruption of processes due to human or IT systems failures, outsourcing, legal agreements, fraud, access to data and systems, burglary).

The risk management function reports directly to the Executive Board member responsible for risk management and to the chairman of the Supervisory Board or the chairman of the risk committee.

It is important that the risk management function can operate with sufficient independence and that its findings and conclusions are reported at the right organisational level, without being filtered or watered down by the line management. This means that the reporting line to the chairman of the Supervisory Board or the chairman of the risk committee should not be used only for escalations.

The risk management function has an up-to-date mandate describing its tasks, authorisations and responsibilities, and its expertise and skills level are appropriate to the risks to which the company is exposed.

There should be a solid framework for the operation of the risk management function and the requirements it must fulfil. This should include task-based requirements for the level of experience, expertise and competencies of the employees, the quantitative and qualitative staffing of the function, and an appropriately tailored budget. The organisation should regularly review, preferably annually, whether the mandate is still up-to-date.

The risk management function has unimpeded access to all of the company's relevant activities, officials, locations and information.

To be able to adequately perform its tasks, the risk management function needs to have unimpeded access to all the company's relevant activities, officials, locations and information.

Compliance function

The company has an independent compliance function.

The compliance function should at least be independent of the functions that report on the company's operating and financial performance.

5.3.8 The compliance function monitors the operating effectiveness of the compliance risk management in the line organisation and advises on policy to optimise this control.

Compliance risks are managed primarily in the line organisation. The compliance function should regularly advise the Executive Board on the optimal design of the compliance risk management. The compliance function determines the framework for compliance risk management and monitors whether it is performed.

The compliance function systematically identifies, measures and evaluates the risks of non-compliance with laws and regulations and internal and external codes of conduct.

The risks to which the company is exposed depend on various factors, including the nature of its activities, its size, regional diversification, and the jurisdictions in which the company operates. These risks are not static.

The compliance function reports directly to the Executive Board member responsible for compliance and to the chairman of the Supervisory Board or the chairman of the relevant committee of the Supervisory Board.

It is important that the compliance function can operate with sufficient independence and that its findings and conclusions are reported at the right operational level, without being filtered or watered down by the line management. This means that the reporting line to the Supervisory Board should not be used only for escalations.

The compliance function has an up-to-date mandate describing its tasks, authorisations and responsibilities, and its expertise and skills level are appropriate to the compliance risks to which the company is exposed.

There should be a solid framework for the operation of the compliance function and the requirements it must fulfil. This should include task-based requirements for the experience, expertise and competencies of the employees, the quantitative and qualitative staffing of the function, and an appropriately tailored budget. The organisation should regularly review, preferably annually, whether the mandate is still up-to-date.

The compliance function has unimpeded access to all the company's relevant activities, officials, locations and information.

To be able to adequately perform its tasks, the compliance function needs to have unimpeded access to all the company's relevant activities, officials, locations and information.


Board Risk & Compliance Committee Charter Board Risk & Compliance Charter 10 December 2015 PURPOSE 1) The purpose of the Westpac Banking Corporation (Westpac) Board Risk & Compliance () is to assist the Board of Westpac (Board) as the Board oversees

More information

Hunter Hall International Limited

Hunter Hall International Limited Hunter Hall International Limited ABN 43 059 300 426 Board Charter 1. Purpose 1.1 Hunter Hall International Limited (Hunter Hall, HHL) is an ASX-listed investment management company. 1.2 This Board Charter

More information

BOARD OF DIRECTORS MANDATE

BOARD OF DIRECTORS MANDATE BOARD OF DIRECTORS MANDATE Board approved: May 7, 2014 This mandate provides the terms of reference for the Boards of Directors (each a Board ) of each of Economical Mutual Insurance Company ( Economical

More information

INSURANCE CORE PRINCIPLES, STANDARDS, GUIDANCE AND ASSESSMENT METHODOLOGY 1 OCTOBER 2011

INSURANCE CORE PRINCIPLES, STANDARDS, GUIDANCE AND ASSESSMENT METHODOLOGY 1 OCTOBER 2011 INSURANCE CORE PRINCIPLES, STANDARDS, GUIDANCE AND ASSESSMENT METHODOLOGY 1 OCTOBER 2011 ICP 9 amended 12 October 2012 ICP 22 amended 19 October 2013 About the IAIS The International Association of Insurance

More information

Guidance Note on Credit and Credit Control for Credit Unions. October 2007. Office of the Registrar of Credit Unions

Guidance Note on Credit and Credit Control for Credit Unions. October 2007. Office of the Registrar of Credit Unions Guidance Note on Credit and Credit Control for Credit Unions October 2007 Office of the Registrar of Credit Unions Contents Page Introduction 2 1. The Board of Directors 3 2. Credit Policy 5 3. Credit

More information

APPENDIX A NCUA S CAMEL RATING SYSTEM (CAMEL) 1

APPENDIX A NCUA S CAMEL RATING SYSTEM (CAMEL) 1 APPENDIX A NCUA S CAMEL RATING SYSTEM (CAMEL) 1 The CAMEL rating system is based upon an evaluation of five critical elements of a credit union's operations: Capital Adequacy, Asset Quality, Management,

More information

Charter of the Compliance and Operational Risk Management Office (CORMO)

Charter of the Compliance and Operational Risk Management Office (CORMO) Charter of the Compliance and Operational Risk Management Office (CORMO) Compliance Risk Compliance risk is defined as the risk of legal sanctions, material financial loss, or loss to reputation the Bank

More information

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS)

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS) INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS) Revised: October 2012 i Table of contents Attribute Standards... 3 1000 Purpose, Authority, and Responsibility...

More information

Audit and Risk Committee Charter. Knosys Limited ACN 604 777 862 (Company)

Audit and Risk Committee Charter. Knosys Limited ACN 604 777 862 (Company) Audit and Risk Committee Charter Knosys Limited ACN 604 777 862 (Company) Audit and Risk Committee Charter 1. Introduction 1.1 The Audit and Risk Committee is a committee established by the board of directors

More information

Effective Internal Audit in the Financial Services Sector

Effective Internal Audit in the Financial Services Sector Effective Internal Audit in the Financial Services Sector Recommendations from the Committee on Internal Audit Guidance for Financial Services: How They Relate to the Global Institute of Internal Auditors

More information

The Dutch corporate governance code

The Dutch corporate governance code The Dutch corporate governance code Principles of good corporate governance and best practice provisions DRAFT: an invitation to comment Corporate Governance Committee 1 July 2003 1 Preamble 1. The Corporate

More information

(Effective as of December 15, 2009) CONTENTS

(Effective as of December 15, 2009) CONTENTS INTERNATIONAL STANDARD ON QUALITY CONTROL 1 QUALITY CONTROL FOR FIRMS THAT PERFORM AUDITS AND REVIEWS OF FINANCIAL STATEMENTS, AND OTHER ASSURANCE AND RELATED SERVICES ENGAGEMENTS (Effective as of December

More information

YEARENDED31DECEMBER2013 RISKMANAGEMENTDISCLOSURES

YEARENDED31DECEMBER2013 RISKMANAGEMENTDISCLOSURES RISKMANAGEMENTDISCLOSURES 2015 YEARENDED31DECEMBER2013 ACCORDINGTOCHAPTER7(PAR.34-38)OFPARTCANDANNEXXIOFTHECYPRUSSECURITIES ANDEXCHANGECOMMISSIONDIRECTIVEDI144-2007-05FORTHECAPITALREQUIREMENTSOF INVESTMENTFIRMS

More information

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - . Board Charter - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1. Interpretation 1.1 In this Charter: Act means the Companies

More information

EURIBOR - CODE OF OBLIGATIONS OF PANEL BANKS

EURIBOR - CODE OF OBLIGATIONS OF PANEL BANKS D2725D-2013 EURIBOR - CODE OF OBLIGATIONS OF PANEL BANKS Version: 1 October 2013 1. Objectives The European Money Markets Institute EMMI previously known as Euribor-EBF, as Administrator for the Euribor

More information

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS)

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS) INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS) Introduction to the International Standards Internal auditing is conducted in diverse legal and cultural environments;

More information

Corporate Governance Guidelines

Corporate Governance Guidelines Corporate Governance Guidelines 1. Introduction Entra ASA ( Entra ), and together with its subsidiaries, ( the group ) will be subject to the reporting requirements on corporate governance set out in 3

More information

Code of Ethics for Professional Accountants

Code of Ethics for Professional Accountants COE Issued December 2005; revised June 2010 Effective on 30 June 2006 until 31 December 2010 Code of Ethics for Professional Accountants CODE OF ETHICS FOR PROFESSIONAL ACCOUNTANTS CONTENTS Page PREFACE...

More information

Assessment Framework Business Continuity Planning (BCP) Financial Core Infrastructure

Assessment Framework Business Continuity Planning (BCP) Financial Core Infrastructure De Nederlandsche Bank N.V. 1 January 2007 Payment Policy Division Assessment Framework Business Continuity Planning (BCP) Financial Core Infrastructure Version: 2007 2 ASSESSMENT FRAMEWORK BCP FINANCIAL

More information

SEDP MBA By Laws. ACGS Manual. ACGS Manual

SEDP MBA By Laws. ACGS Manual. ACGS Manual E. Responsibilities of the Board E.1 Board Duties and Responsibilities / E.1.1 Clearly defined board responsibilities and corporate governance policy Does the company disclose its corporate governance

More information

GUIDELINES ON COMPLIANCE FUNCTION FOR FUND MANAGEMENT COMPANIES

GUIDELINES ON COMPLIANCE FUNCTION FOR FUND MANAGEMENT COMPANIES GUIDELINES ON COMPLIANCE FUNCTION FOR FUND MANAGEMENT COMPANIES Issued: 15 March 2005 Revised: 25 April 2014 1 P a g e List of Revision Revision Effective Date 1 st Revision 23 May 2011 2 nd Revision 16

More information

EBA Guidelines on Internal Governance (GL 44)

EBA Guidelines on Internal Governance (GL 44) EBA Guidelines on Internal Governance (GL 44) London, 27 September 2011 1 Contents I. Executive Summary... 3 II. Background and rationale... 7 1. Importance of internal governance... 7 2. Purpose and scope

More information

GUIDANCE FOR MANAGING THIRD-PARTY RISK

GUIDANCE FOR MANAGING THIRD-PARTY RISK GUIDANCE FOR MANAGING THIRD-PARTY RISK Introduction An institution s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships,

More information

Key functions in the system of governance Responsibilities, interfaces and outsourcing under Solvency II

Key functions in the system of governance Responsibilities, interfaces and outsourcing under Solvency II Responsibilities, interfaces and outsourcing under Solvency II Author Lars Moormann Contact solvency solutions@munichre.com January 2013 2013 Münchener Rückversicherungs Gesellschaft Königinstrasse 107,

More information

ISO 19600: The development

ISO 19600: The development 1 Baltzer Science Publishers ISO 19600: The development of a global standard on compliance management By Sylvie Bleker and Dick Hortensius* It has been a traditional complaint of the global compliance

More information

QUAๆASSURANCE IN FINANCIAL AUDITING

QUAๆASSURANCE IN FINANCIAL AUDITING Table of contents Subject Page no. A: CHAPTERS Foreword 5 Section 1: Overview of the Handbook 6 Section 2: Quality Control and Quality Assurance 8 2. Quality, quality control and quality assurance 9 2.1

More information

Insurance Undertakings and Compliance Requirements

Insurance Undertakings and Compliance Requirements REGULATION N. 20 OF 26 MARCH 2008 (Only the Italian version is authentic) REGULATION CONCERNING INTERNAL CONTROLS, RISK MANAGEMENT, COMPLIANCE AND THE OUTSOURCING OF ACTIVITIES OF INSURANCE UNDERTAKINGS,

More information

GUIDELINES ON CORPORATE GOVERNANCE FOR LABUAN BANKS

GUIDELINES ON CORPORATE GOVERNANCE FOR LABUAN BANKS GUIDELINES ON CORPORATE GOVERNANCE FOR LABUAN BANKS 1.0 Introduction 1.1 Good corporate governance practice improves safety and soundness through effective risk management and creates the ability to execute

More information

Public Sector Internal Audit Standards

Public Sector Internal Audit Standards Public Sector Internal Audit Standards Table of Contents Section 1 Introduction 3 Section 2 Applicability 6 Section 3 Definition of Internal Auditing 8 Section 4 Code of Ethics 9 Section 5 Standards 12

More information

How To Manage A Board In The Kandijan Germany

How To Manage A Board In The Kandijan Germany GEMALTO N.V. (THE "COMPANY") 1. Functions of the Board BOARD CHARTER (Amended in March 2015) The Company shall be managed by a one-tier Board, comprising one Executive Board member, i.e. the Chief Executive

More information

Internal Control Systems and Maintenance of Accounting and Other Records for Interactive Gaming & Interactive Wagering Corporations (IGIWC)

Internal Control Systems and Maintenance of Accounting and Other Records for Interactive Gaming & Interactive Wagering Corporations (IGIWC) Internal Control Systems and Maintenance of Accounting and Other Records for Interactive Gaming & Interactive Wagering Corporations (IGIWC) 1 Introduction 1.1 Section 316 (4) of the International Business

More information

Regulatory Standards of Governance and Financial Management

Regulatory Standards of Governance and Financial Management Regulatory Standards of Governance and Financial Management 5. Regulatory Standards of Governance and Financial Management Introduction 5.1. This section sets out our Regulatory Standards of Governance

More information

MISSION VALUES. The guide has been printed by:

MISSION VALUES. The guide has been printed by: www.cudgc.sk.ca MISSION We instill public confidence in Saskatchewan credit unions by guaranteeing deposits. As the primary prudential and solvency regulator, we promote responsible governance by credit

More information

GUIDELINE ON THE APPLICATION OF THE OUTSOURCING REQUIREMENTS UNDER THE FSA RULES IMPLEMENTING MIFID AND THE CRD IN THE UK

GUIDELINE ON THE APPLICATION OF THE OUTSOURCING REQUIREMENTS UNDER THE FSA RULES IMPLEMENTING MIFID AND THE CRD IN THE UK GUIDELINE ON THE APPLICATION OF THE OUTSOURCING REQUIREMENTS UNDER THE FSA RULES IMPLEMENTING MIFID AND THE CRD IN THE UK This Guideline does not purport to be a definitive guide, but is instead a non-exhaustive

More information

Corporate Governance Code for Captive Insurance and Captive Reinsurance Undertakings

Corporate Governance Code for Captive Insurance and Captive Reinsurance Undertakings 2011 Corporate Governance Code for Captive Insurance and Captive Reinsurance Undertakings 3 Contents Section No. Contents Page No. 1 Scope 4 2 Definitions 6 3 Legal Basis 8 4 Reporting to the Central Bank

More information

CHARTER OF ETHICS AND BEHAVIOUR

CHARTER OF ETHICS AND BEHAVIOUR CHARTER OF ETHICS AND BEHAVIOUR Behaviour Principles and Rules P.02 Deployment P.07 The Charter of Ethics was adopted at the meeting of the Groupe Eurotunnel Board Meeting of 28/01/2013 Groupe Eurotunnel

More information

BARRAMUNDI L IMITED RISK MANAGEMENT POLICY

BARRAMUNDI L IMITED RISK MANAGEMENT POLICY BARRAMUNDI L IMITED RISK MANAGEMENT POLICY Last updated: 25 August 2014 THE OBJECTIVES OF RISK MANAGEMENT Risk management is the systematic process of managing an organisation's risk exposures to achieve

More information

Insurance Guidance Note No. 14 System of Governance - Insurance Transition to Governance Requirements established under the Solvency II Directive

Insurance Guidance Note No. 14 System of Governance - Insurance Transition to Governance Requirements established under the Solvency II Directive Insurance Guidance Note No. 14 Transition to Governance Requirements established under the Solvency II Directive Date of Paper : 31 December 2013 Version Number : V1.00 Table of Contents General governance

More information

HORIZON OIL LIMITED (ABN: 51 009 799 455)

HORIZON OIL LIMITED (ABN: 51 009 799 455) HORIZON OIL LIMITED (ABN: 51 009 799 455) CORPORATE CODE OF CONDUCT Corporate code of conduct Page 1 of 7 1 Introduction This is the corporate code of conduct ( Code ) for Horizon Oil Limited ( Horizon

More information

TR CMS 101:2011. Standard for Compliance Management Systems (CMS)

TR CMS 101:2011. Standard for Compliance Management Systems (CMS) TR CMS 101:2011 Standard for Compliance Management Systems (CMS) of TÜV Rheinland, Cologne Total scope: 22 pages Contents Foreword....- 3-0 Introduction... - 5-1 Field of application... - 5-2 Aims of the

More information

FINAL DOCUMENT. Guidelines for Regulatory Auditing of Quality Management Systems of Medical Device Manufacturers Part 1: General Requirements

FINAL DOCUMENT. Guidelines for Regulatory Auditing of Quality Management Systems of Medical Device Manufacturers Part 1: General Requirements GHTF/SG4/N28R4:2008 FINAL DOCUMENT Title: Guidelines for Regulatory Auditing of Quality Management Systems of Medical Device Manufacturers Authoring Group: GHTF Study Group 4 Endorsed by: The Global Harmonization

More information

APB ETHICAL STANDARD 5 (REVISED) NON-AUDIT SERVICES PROVIDED TO AUDITED ENTITIES

APB ETHICAL STANDARD 5 (REVISED) NON-AUDIT SERVICES PROVIDED TO AUDITED ENTITIES APB ETHICAL STANDARD 5 (REVISED) NON-AUDIT SERVICES PROVIDED TO AUDITED ENTITIES (Revised December 2010, updated December 2011) Contents paragraph Introduction 1 4 General approach to non-audit services

More information

February 2015. Audit committee performance evaluation

February 2015. Audit committee performance evaluation February 2015 Audit committee performance evaluation Audit committee performance evaluation The following questionnaire is based on emerging and leading practices to assist in the self-assessment of an

More information

How To Ensure That A Quality Control System Is Working Properly

How To Ensure That A Quality Control System Is Working Properly HKSQC 1 Issued June 2009; revised July 2010, May 2013, February 2015 Effective as of 15 December 2009 Hong Kong Standard on Quality Control 1 Quality Control for Firms that Perform Audits and Reviews of

More information

Ordina does not have a one-tier board. In view of the above, a limited number of the Code s best practices do not apply.

Ordina does not have a one-tier board. In view of the above, a limited number of the Code s best practices do not apply. CORPORATE GOVERNANCE STATEMENT This is a statement regarding corporate governance as meant in article 2a of the decree on additional requirements for annual reports (Vaststellingsbesluit nadere voorschriften

More information

Public Sector Internal Audit Standards. Applying the IIA International Standards to the UK Public Sector

Public Sector Internal Audit Standards. Applying the IIA International Standards to the UK Public Sector Public Sector Internal Audit Standards Applying the IIA International Standards to the UK Public Sector Issued by the Relevant Internal Audit Standard Setters: In collaboration with: Public Sector Internal

More information

CONSULTATION PAPER CP 41 CORPORATE GOVERNANCE REQUIREMENTS FOR CREDIT INSTITUTIONS AND INSURANCE UNDERTAKINGS

CONSULTATION PAPER CP 41 CORPORATE GOVERNANCE REQUIREMENTS FOR CREDIT INSTITUTIONS AND INSURANCE UNDERTAKINGS CONSULTATION PAPER CP 41 CORPORATE GOVERNANCE REQUIREMENTS FOR CREDIT INSTITUTIONS AND INSURANCE UNDERTAKINGS 2 PROPOSAL 1.1 It is now widely recognised that one of the causes of the international financial

More information

Corporate Governance Statement

Corporate Governance Statement Corporate Governance Statement The Board of Directors of APN Outdoor Group Limited (APO) is responsible for the overall corporate governance of APO, including establishing the corporate governance framework

More information

Effective Internal Audit in the Financial. Services Sector. Non Executive Directors (NEDs) and the Management of Risk

Effective Internal Audit in the Financial. Services Sector. Non Executive Directors (NEDs) and the Management of Risk Consultation document Effective Internal Audit in the Financial A survey of heads of internal audit Services Sector Non Executive Directors (NEDs) and the Management of Risk Draft recommendations to the

More information

AUDIT COMMITTEE BEST PRACTICES CHECKLIST

AUDIT COMMITTEE BEST PRACTICES CHECKLIST AUDIT COMMITTEE BEST PRACTICES CHECKLIST General 1. Members have the appropriate predefined qualifications to meet the objectives of the audit committee s charter, including appropriate financial literacy.

More information

Operational Risk. Corporate governance. Contents

Operational Risk. Corporate governance. Contents Operational Risk Corporate governance Contents 3. Introduction 3. Establish Operational Risk policies 4. Define Operational Risk framework to carry out these policies 2 Introduction The purpose of this

More information

IFAD Policy on Enterprise Risk Management

IFAD Policy on Enterprise Risk Management Document: EB 2008/94/R.4 Agenda: 5 Date: 6 August 2008 Distribution: Public Original: English E IFAD Policy on Enterprise Risk Management Executive Board Ninety-fourth Session Rome, 10-11 September 2008

More information