Purpose of risk management
Risk management ensures Northmill Bank’s long-term sustainability against the risks associated with credit, markets, operations, liquidity, finance, and business activities.
Ensuring long-term survival
Risk is defined as the potential for negative deviation from expected financial results. Northmill Bank, through its operations, is exposed to various types of risks that must be managed, including credit, market (currency and interest rate), operational, liquidity and funding, and business risks.
The purpose of risk management is to ensure Northmill's long-term sustainability by maintaining operational stability, ensuring the quality of customer offerings, managing result fluctuations and increasing shareholder value through effective capital management.
Well-functioning risk management
Northmill Bank’s Board of Directors establishes the overarching risk strategy, which forms the foundation for achieving a sound risk-adjusted return and ensuring the long-term sustainability of operations. The strategy outlines the types of risks Northmill Bank is exposed to, the acceptable level of risk and the measures implemented to manage these risks. The strategy is closely integrated with the business plan, which is developed by management and approved by the Board, and is reviewed annually as part of the planning process.
Northmill Bank’s risk appetite framework is defined in a comprehensive risk policy, reflecting the bank's willingness to take, manage, and limit various types of risks. The Board sets clear limits for each risk category, which are regularly reviewed and updated to align with the business strategy and prevailing market conditions. Any deviations from risk limits are reported immediately to the Board.
The three lines of defense
Northmill adopts the "Three Lines of Defense" model for risk management, widely recognized in the financial sector. This model creates a clear division of roles and strengthens the organisation’s ability to manage risks systematically and effectively:
First line of defense – Risk ownership and operational management
Business area managers and operational functions are responsible for owning and managing risks within their respective areas. They implement internal controls, systems, and processes to ensure risks are managed in line with the boundaries and principles established by the Board.
Second line of defense – Independent monitoring and control
The Risk Control and Compliance functions monitor, review, and support the first line of defense in their work.
These functions are responsible for establishing principles and frameworks for risk management and compliance, conducting independent control tests, and reporting adherence to risk appetite and policies to the CEO and Board. They also conduct independent follow-ups and strengthen the risk culture through support and training for managers and employees.
The second line of defense operates independently from the business areas and serves as a critical review function to ensure that risk management is effective and transparent.
Third line of defense – Independent internal audit
Internal Audit acts as an independent reviewer that regularly evaluates Northmill’s control systems. It ensures that risk management is robust and effective through periodic reviews and reports directly to the Board to ensure objectivity.

Divided responsibility
The Board of Directors and CEO set policies and guidelines for governing and managing all risks affecting the organization. These are complemented by detailed internal procedures and directives. The Board is supported in this work by the Risk and Audit Committee, which discusses, guides, and monitors risk-related issues and prepares decision-making materials for the Board.
The CEO has overall responsibility for managing the Group's risks in accordance with the Board’s guidelines and instructions. The CEO ensures that Northmill Bank's organization and administration are appropriate and that the Group's operations comply with external and internal regulations. A key responsibility is to provide the Board with all necessary information for risk-related decisions.
Risk control function
The Risk Control function operates independently of business operations. Its responsibilities and tasks are regulated through the risk control policy established by the Board. The function is responsible for monitoring, controlling, analyzing, and reporting risks within Northmill’s operations.
This includes risk assessment and testing of the internal controls implemented to reduce Northmill’s operational risk, as well as evaluating the effectiveness of these controls. The function also analyzes the various risk metrics used and proposes changes when necessary. The Chief Risk Officer, appointed by the CEO with Board approval, continuously reports on risks to the CEO, management team, Risk and Audit Committee, and the Board.
Compliance function
The Compliance function operates independently of business operations. Its responsibilities and tasks are regulated through the compliance policy established by the Board.
The Compliance function is responsible for supporting the business and management in regulatory compliance matters and helps identify, monitor, and report compliance risks, i.e., the risk that the organization does not comply with external and internal regulations. The compliance officer, appointed by the CEO, regularly reports compliance risks and issues to the CEO, management team, Risk and Audit Committee, and the Board.
Internal audit function
The Internal Audit function is independent of business operations. Its responsibilities and tasks are regulated by the internal audit policy established by the Board, and the function reports directly to the Board.
The primary task of the Internal Audit is to provide the Board and the CEO with a reliable and objective evaluation of risk management, as well as governance and control processes, to reduce the occurrence of risks and ensure an effective control structure. Internal Audit is required to conduct independent, recurring reviews of the management structure and the internal control system. The Board has decided to outsource the function to an external party and has appointed Deloitte Sweden as the internal auditor. The Risk Control function acts as the internal coordinator for internal audit work.
The Internal Audit regularly reports to the Board and the Risk and Audit Committee on the results of its reviews, including identified risks and suggestions for improvements. It also informs the CEO, management team, and relevant departments about issues related to internal audit. The Board establishes a plan for internal audit work annually.
Risk reporting
The Board and management receive regular reports from the various lines of defense to ensure they have a complete and up-to-date view of the bank’s risk profile. These reports include the identification of significant risks, monitoring of control measures, and any deficiencies that need to be addressed. This approach enables Northmill to continuously improve its risk management processes and ensure the organization remains resilient to evolving risks and challenges.
Anti-money laundering
Northmill operates in a few European countries and is committed to complying with the national anti-money laundering and counter-terrorist financing (AML/CFT) acts that implement Directive (EU) 2015/849. AML/CFT refers to the set of laws, regulations and procedures intended to prevent criminal activity.
To prevent such crime, financial institutions are required to perform customer due diligence measures and to monitor customers' transactions. Our procedures are intended to prevent individuals engaged in money laundering and other financial crimes from using Northmill's products and services.
Page last updated: 2024-01-17