Purpose and organisation
The aim of Triodos Bank’s risk management activities is to ensure the long-term resilience of the business. These activities create an environment in which Triodos Bank can pursue its mission to its fullest potential in a safe way. Risk management provides the structural means to identify, prioritise and manage the risks inherent in its business activities. The intention is to embed risk management in such a way that it fits the complexity and size of the organisation and is designed to also allow for future growth. In order to ensure that such an environment can exist and prosper, a Risk Governance Framework has been put in place which underpins the risk processes.
The Three Lines of Defense
Triodos Bank manages its business using a Three Lines of Defense Model. This approach ensures that each co-worker is fully aware of their responsibilities in the management of risk, irrespective of whether their role is in a commercial, policy-making or control function. The model ensures that responsibilities are properly aligned and makes clear that all co-workers have a role to play in managing risk.
First line functions are Triodos Bank’s branches, business units and departments, which are responsible for managing the risks of their operations. Second line functions (separated from the first line function) are located in the bank’s branches and business units and ensure that risks are appropriately identified and managed.
Second line functions are also established at the Head Office. They create and maintain the corporate Risk Governance Framework and the policies and procedures that set the boundaries for the local and consolidated business activities, and they also perform the risk control function.
The third line of defense is the Internal Audit function providing independent and objective assurance of Triodos Bank’s corporate governance, internal controls, compliance and risk management systems. This includes the effectiveness and efficiency of the internal controls in the first and second lines of defense.
In light of Triodos Bank’s growth, the impact of all new regulations, and the increased attention of supervisory authorities, Triodos Bank has made an important step up in its risk management organisation over the past years. The Director Risk and Compliance takes full responsibility for all second line risk management and compliance activities and reports directly to the Executive Board; these activities are supervised by the Audit and Risk Committee of the Supervisory Board.
The Director Risk and Compliance provides relevant independent information, analyses and expert judgement on risk exposures, and advises on proposals and risk decisions made by the Executive Board and business or support units as to whether they are consistent with the institution’s risk appetite. The Director Risk and Compliance recommends improvements to the risk management framework and options to remedy breaches of risk policies, procedures and limits.
The structure of the risk organisation meets banking industry standards and covers all relevant risks for Triodos Bank within the three following risk types: Enterprise Risks, Financial Risks and Non-Financial Risks. Each risk type covers a number of risk categories (see diagram).
The essence of our mission and business model supports the mitigation of our risks, allowing Triodos Bank to develop a resilient business that is able to play its part in a more diverse, sustainable and transparent banking sector. In addition, our internal governance structure provides a sound basis for an effective risk culture; the three lines of defense model in particular ensures a dovetailing of responsibilities across the organisation in terms of Business, Risk and Internal Audit, and ensures that each group of professionals understands the boundaries of their responsibilities and how their position fits into the organisation’s internal control and risk management system. This also relates to the segregation of duties, which is an important element of the internal governance and organisation structure. The Executive Board performs its ‘oversight’ role in general by setting the ‘Tone at the Top’ and by playing an important, transparent role in the key elements of the internal control and risk management system (such as setting the risk appetite, strategy, targets, values and company culture, approving the risk and compliance frameworks and overall policies, and approving the internal control system over financial reporting).
The Executive Board delegated decision-making authority to the following risk committees at a central level:
- For Financial Risk, the Central Credit Committee has authority to take decisions on credit risks, both on an individual debtor level and on a credit portfolio level; the Asset & Liability Committee has authority to decide on market risks and liquidity risk;
- For Non-financial Risk, the Non-Financial Risk Committee has authority to decide on operational and compliance risk matters. The Product Approval Committee has the authority to approve new products and review existing products; and
- For Enterprise Risk, the Enterprise Risk Committee has authority to decide on strategic and reputational risk issues.
Each committee is chaired by an Executive Board member to ensure consistent decision making on material risks within Triodos Bank’s wider strategy.
Branches also have a decision-making committee for their lending activities: the Local Credit Committee. This local credit committee decides on loans under the responsibility of the local Managing Director within delegated credit approval limits. This committee also monitors the credit risks of the local credit portfolio and monitors alignment with relevant credit risk policies.
The Supervisory Board’s Audit and Risk Committee supervises the activities of the Executive Board with respect to the operation and adequacy of internal risk management and control systems. The Director Risk and Compliance reports to the Executive Board and has an escalation line to the Chair of the Audit and Risk Committee, which supports the independence of the Risk Control Function as a countervailing power to the business.