Corporate Governance

Risk management and internal audit

The company’s organisational structure, clearly established responsibilities and authorisations, and its competent employees support the planning, execution, control, and monitoring of business operations in a manner that facilitates the achievement of set objectives.

Risk management refers to actions aimed at systematically surveying, identifying, analysing, and preventing risks. The objectives of risk management are to:

  • ensure the sufficiency of own assets in relation to risk positions
  • ensure that fluctuations in financial results and valuations remain within the confirmed objectives and limits
  • price risks correctly to achieve sustainable profitability
  • support the uninterrupted implementation of the Group’s strategy and income generation.
Evli defines risk as an event or series of events that jeopardise the company’s income generation over the short or long term. Evli’s Board of Directors is primarily responsible for Evli Group’s risk management. The Board of Directors confirms the risk management policies, responsibilities, the Group’s risk limits, and other general guidelines governing how risk management and internal control are to be organised. The Board has also set up a Risk Management Committee, which briefs the Audit and Risk Committee on risk-taking matters. In addition to the general risk management policies, Evli Group’s risk management is founded on the “three lines of defence” model.

Figure: Internal Audit's and Risk Management's lines of defence

First line of defence – the business units

Risk management is a part of internal control, and therefore the responsibility for executing risk management measures lies first with the business units, as the first line of defence. The managers of the business units are responsible for ensuring that risk management is at a sufficient level in each respective unit.

The task of business units is to:

  • build the processes and competence for risk management and internal audit
  • identify and analyse risks
  • make decisions on risk management by means of various protection measures.

Second line of defence – Risk Control and Compliance

The second line of defence comprises the independent Risk Control and Compliance functions, whose primary tasks are to develop, maintain and oversee the general principles and framework of risk management.

The Risk Control function oversees daily operations and compliance with the risk limits granted to the business units, as well as compliance with risk-taking policies and guidelines. Risk Control reports on Evli Group’s overall risk position to the Board and the Executive Group each month.

The Compliance function is responsible for ensuring that all of Evli Group's operations comply with the rules. It does this by supporting operating management and the business units in applying the provisions of the law, official regulations and internal guidelines, and in identifying, managing and reporting any risk of insufficient compliance, in accordance with the separate compliance policy and monitoring plan confirmed by Evli's Board of Directors. The Compliance function reports regularly via the Audit and Risk Committee to Evli's Board, and also to the operating management.

Third line of defence – Internal Audit

The third line of defence is Internal Audit. Internal Audit is a support function for the Board of Directors and senior management that is independent of the business functions. It is administratively subordinate to the CEO and reports to the CEO and, via the Audit and Risk Committee, to the Board of Evli. Internal Audit assesses the functioning of Evli Group's internal control system, the appropriateness and efficiency of the functions, and compliance with instructions. It does this by means of audits based on the internal audit action plan adopted annually by the Audit and Risk Committee of the Board of Evli.

Internal Audit follows not only the internal audit guidelines, but also the internationally acknowledged framework of professional practices (The Institute of Internal Auditors) and corresponding guidelines on information systems audit standards (The Information Systems Audit and Control Association).

Updated: February 21, 2023