Risk management is part of the bank's business

Risk management is an integral part of the bank's business and internal control. OmaSp's risk management principles are determined by the risk management policy approved by the Board. At OmaSp, the task of risk management is to ensure that the company's significant risks are identified, assessed and measured, and that risks are monitored and managed as part of the day-to-day management of the business. The company's risks are assessed regularly and the Board of Directors regularly assesses the company's risk management strategy, risk-bearing capacity and approach to risk-taking. The aim is to manage risks through risk surveys and measures taken on the basis of the surveys, systematic monitoring and analysis of the operating environment and the market.

The bank has arranged for the following independent functions to ensure efficient and comprehensive risk management and internal monitoring:

  • Risk control function
  • Compliance function
  • Internal audit function
  • Credit risk assessment function

The Board's task is to ensure that the risk management assessment function, the compliance function and the internal audit have sufficient and professional human resources in relation to the quality, scope and diversity of the bank's operations. The aim of the risk management assessment function is to promote systematic and proactive risk management, through which the bank's business can be developed safely. Within the bank's organization, the risk management functions directly under the CEO Director and reports to the Board of Directors, the CEO, as well as other executive management.

We have three lines of defense in our risk management

OmaSp 's risk management framework is based on the principle of three lines of defense, which are

  • 1st line of defence: Personnel of the bank

In day-to-day work, the bank's operating instructions and risk management principles must be observed by all the bank's personnel, both those who operate the customer interface and those who perform other tasks.

  • 2nd line of defence: Risk management andcompliance

The risk management function monitors and ensures that the bank's operations comply with defined strategies and limits. The function performs continuous monitoring and ensures that operating methods evolve over time. The compliance function monitors compliance with regulations.

  • 3rd line of defence: Internal audit

Internal audit assesses and ensures the adequacy, functionality and efficiency of internal control in the bank's various units, operations and subsidiaries.

Principles of the risk management assessment function

By controlling risks and risk management, the risk management assessment function must ensure that the bank complies with the risk management principles and capital management strategy approved by the Board.

The task of the function is to identify the risks to the business. Risk management maintains, develops and prepares risk management principles for approval by the Board, and plans and develops procedures related to risk and risk management control. The function monitors that each identified risk remains within the established limits. In addition, it must ensure that the methods for measuring each risk are appropriate and reliable. These methods should also include assessment of the effects of exceptional situations (stress tests).

The risk management assessment function provides a comprehensive summary of its activities and findings at least annually. The summary or report shall indicate the measures taken to remedy any deficiencies. The summary shall be submitted to the Board of Directors and the executive management of the bank.

Risk identification and management

Credit risk

The function ensures that the bank has a credit risk strategy and credit risk management principles approved by the Board. The function monitors that, among other things, large customer exposures, risk concentrations and the structure of the loan portfolio are in line with the credit risk strategy. The task of the function is to ensure that the risks arising from lending are prevented, identified and controlled at an adequate level. The function reports its findings to business management as part of its day-to-day operations. The aim of the function is to promote proactive and systematic credit risk management. Credit risk management involves, among other things, attending meetings of the bank's credit groups, in which case decision-making related to the most significant loans is monitored. The function has the right to request additional information on pending credit applications and, if necessary, to suspend or block a decision. The function organizes the monitoring of problem customers on a quarterly basis and monitors the implementation of customer-specific action plans made by the branches.

Market risk

The bank's Board of Directors annually confirms the liquidity and market risk strategy. The function monitors and assesses whether the bank's market risk management is in accordance with the established principles and objectives, that there are no unexpected changes in net interest income and that the investments are within the limits approved by the bank's Board of Directors. The function checks at random that the counterparty limits for investment activities are not exceeded.

Interest rate risk management assessment

The bank aims to balance the interest rate bases of receivables and liabilities and reduce unforeseen fluctuations in net interest income. Pricing of lending and borrowing is a key issue for the development of the bank's net interest income.

Management of equity risk and other market risk

The function ensures that the bank makes investments within the established limits by asset class, counterparty limits and the total amount of market risk allowed.

Liquidity and financial risk

The function ensures that the bank constantly monitors its net financial position and its development and that liquidity is considered good in all situations. The function monitors that liquidity remains within the limits of the risk measures set by the Board of Directors and that the management of the payment account is in accordance with the guidelines. The function uses a liquidity risk report to monitor risk measures.

The function ensures that the bank's investment activities operate within the objectives and limits set by the Board. The assurance function is implemented by conducting spot checks to monitor the investment limits and by utilizing the reporting provided to the Board of Directors by the operating management.

The function ensures that the bank's liquidity maintenance and forecasting resources are sufficient. Access to the funds in the payment account must be properly restricted, while ensuring the smooth running of operations even during personnel absences. The function monitors intraday liquidity levels on a regular basis. Supervision and development work related to mortgage banking is also one of the regular tasks of the function.

Operational risk

The bank's Board of Directors annually confirms the principles of operational risk management. The Bank shall identify operational risks associated with all significant products, services, operations, processes and systems that may have a material effect on the achievement of the set operational objectives. The bank prepares a risk survey covering all functions and evaluates and updates the inventory annually. The risk management assessment function is responsible for compiling the inventory. The members of the management teams are responsible for the preparation of their own business areas. The bank's Management Team appoints a person responsible for the risks assessed as significant, whose task is to monitor and seek to limit the probability of such risk and its possible effects. The Board approves the risk assessment and its annual update.

The ongoing risk assessment must take into account the probability of the risks materializing and their effects in the event of damage. The risk management planning shall establish the necessary risk mitigation measures and other corrective measures required for the operation. The risk management assessment function maintains a continuous operational risk notification procedure and reports the most significant operational risks annually to the Financial Supervisory Authority (FIN-FSA).

Risk management organization, responsibilities and risk management process and reporting

The person responsible for the area of ​​responsibility of the risk management assessment function is the Chief Risk Officer, who is replaced by the Risk Officer. Risk management cooperates with the bank's compliance function.

The risk management assessment function utilizes the annual clock in its operations. The bank's Chief Risk Officer is responsible for scheduling and taking responsibility for regular tasks. Day-to-day operations also include consulting and training, as well as the development of one's own operations as an important area. The risk management assessment function must be able to respond to the development of the bank's business, regulatory changes and the change in the industry. Regular activities include monthly credit risk reporting and quarterly credit risk strategy monitoring.

The risk management assessment function reports annually to the Board of Directors on its operations and findings through an annual risk management report. The report shall indicate the measures taken to remedy any shortcomings.

The risk assessment is carried out twice a year. The first survey covers the bank's strategic and operational risks in its entirety, and the second focuses on a selected area of ​​the bank's business. The Chief Risk Officer also regularly attends Board meetings and reports current and significant findings related to credit, liquidity and market risks. The mapping of operational risks is reported to the Board once a year. In addition, the function implements other necessary or desired reporting by operating management, for example in relation to credit risk. The risk management assessment function meets weekly to review current issues.

The most significant risks

OmaSp's business results have been and will continue to be affected by many internal and external factors, many of which the bank cannot control. Risks affecting the bank's business results can be divided into three categories

Risks related to the operating environment, for example

  • economic and capital market uncertainty and unfavorable developments
  • the development of the Finnish housing and real estate market may be different in different parts of the country and the development may be unfavorable
  • OmaSp is exposed to systemic risk
  • there are risks associated with the monetary policy of central banks
  • there are risks associated with investment activities and market management

Business risks, for example

  • risks related to the implementation and adaptation of the strategy to changes in the operating environment
  • risks related to changes in the industry's regulations and legislation
  • risks related to regulatory compliance, customer and other stakeholder requirements
  • risks related to compliance with anti-money laundering and anti-terrorist financing requirements or procedural requirements for the provision of banking and investment services;
  • risks related to business development; and
  • operational risks and risks related to the development of business, services and distribution channels
  • risks related to the recruitment of key personnel
  • risks associated with the use of partners
  • risks related to IT systems and information and cyber security
  • risks of reputational damage
  • risks associated with strikes and other industrial action

Risks related to financial position and financing, for example

  • risks related to funding costs
  • interest rate and credit management risks
  • liquidity risk management risks; and
  • risks related to taxes and accounting standards
  • risks related to solvency regulations