Internal governance and control
In order to ensure a well-functioning internal governance and control system, the bank has established a framework of internal rules and processes that complement the applicable external regulations. The internal and external rules divide responsibility for the governance, control and follow-up of the business between the shareholders, the Board and the CEO.
To enable satisfactory risk management, it is of vital importance for the corporate culture and organization to be characterized by clear internal governance and control. In order to achieve a good control environment, Norion Bank applies the principle of three lines of defense, whereby the different lines of defense have different tasks but a shared responsibility for achieving good internal governance and control. The Bank’s entire organization participates in this control environment. The first line of defense consists of the entire operation and all employees, except those who belong to the control functions, i.e., compliance, risk control and internal audit.
Compliance
The compliance function is the bank’s function for ensuring compliance with regulations and belongs to the second line of defense. Among other things, the compliance function must identify the risks of regulatory noncompliance within the bank’s operations and check that these risks are being managed by the relevant functions within the business. The compliance function is also responsible for checking compliance with the external and internal regulations relating to the bank’s activities that require a permit and for regularly assessing whether the bank’s regulatory compliance procedures and measures are appropriate and effective.
Risk control
The work of the risk control function is based on the bank’s overall risk policy and is part of the second line of defense. The risk control function is responsible, among other things, for ensuring that all the material risks to which the bank is exposed are identified and managed by relevant functions within the business. The risk control function also checks that the bank’s internal rules regarding risk management, the risk framework and the appetite for risk in general are appropriate and effective and, if necessary, proposes changes to the rules. Furthermore, the risk control function should promote and contribute to a high level of risk awareness within the organization.
Internal audit
Norion Bank has established a special function for internal audit and follow-up, and the Board of Directors has appointed Deloitte to carry this out as the bank’s internal auditor. Internal audit is an independent review function whose work is based on a risk analysis and the audit plan established by the Board of Directors of Norion Bank. The role of internal audit is often described as the “third line of defense,” based on the model of three lines of defense. Internal audit helps the organization achieve its goals by using a structured approach to systematically assess risk management, governance and control, as well as management processes, and by suggesting changes when they can contribute to improved efficiency. The focus and scope of internal audit work are based on good internal audit practice. Ultimate responsibility for risk management and internal governance and control always lies with the Company’s Board of Directors, which has internal audit as its controlling body. The Board of Directors receives regular feedback directly from the internal auditor regarding the Company’s internal controls and can strengthen them if it deems this necessary.
Internal control over financial reporting
Internal control regarding financial reporting is part of the overall internal control within Norion Bank. It aims to provide reasonable assurance that the external financial reporting is reliable and that it has been prepared in accordance with the law, applicable accounting standards, and other requirements for listed companies. The Board's responsibility for internal governance and control is governed by the Swedish Companies Act, the Swedish Annual Accounts Act, and the Swedish Corporate Governance Code. The Annual Accounts Act requires the Company to annually describe its system for internal control and risk management regarding financial reporting. The Board of Directors has overall responsibility for financial reporting.
Policies and instructions
The bank’s policy documents constitute its internal rules. The aim of internal regulations is to maintain good internal governance and control at the bank. The internal regulatory framework is based on the CEO instruction that describes the bank’s process and uniform structure and that also aims to ensure proper implementation. The process clarifies responsibility in the organization, which further creates the conditions for the bank to comply with the internal and external regulations that have been defined.
The internal regulatory framework includes the following policy documents adopted by the Board:
- The rules of procedure for the Board and the Board’s committees
- The instructions for the CEO
- The instructions for the internal audit and control functions
- The internal governance and control policy
- Risk policy
- Credit policy
- Financial policy
- The policy on the combating of money laundering and terrorist financing
- The conflict of interest management policy
- Remuneration policy
- Anti-corruption policy
- The diversity policy for the Board
- The policy on the suitability assessment of the Board and senior management
- Sustainability policy