The company’s organisational structure, clearly established responsibilities and authorisations, and its competent employees support the planning, execution, control, and monitoring of business operations in a manner that facilitates the achievement of set objectives.
Risk management refers to actions aimed at systematically surveying, identifying, analysing, and preventing risks. The objectives of risk management are to:
Risk management is a part of internal control, and therefore the responsibility for executing risk management measures lies first with the business units, as the first line of defence. The managers of the business units are responsible for ensuring that risk management is at a sufficient level in each respective unit.
The task of business units is to:
The second line of defence comprises the independent Risk Control and Compliance functions, whose primary tasks are to develop, maintain and oversee the general principles and framework of risk management.
The Risk Control function oversees daily operations and compliance with the risk limits granted to the business units, as well as compliance with risk-taking policies and guidelines. Risk Control reports on Evli Group’s overall risk position to the Board and the Executive Group each month.
The Compliance function is responsible for ensuring compliance with the rules in all of Evli Group’s operations by supporting operating management and the business units in applying the provisions of the law, the official regulations and internal guidelines, and in identifying, managing and reporting on any risks of insufficient compliance with the rules in accordance with the separate compliance policy and monitoring plan confirmed by Evli’s Board of Directors. The Compliance function reports regularly via the Audit and Risk Committee to Evli’s Board and also to the operating management.
The third line of defence is Internal Audit. The Internal Audit is a support function for the Board of Directors and senior management that is independent of the business functions. It is administratively subordinate to the CEO and reports to the CEO and, via the Audit and Risk Committee, to the Board of Evli. The Internal Audit assesses the functioning of Evli Group’s internal control system, the appropriateness and efficiency of the functions and the compliance with instructions. It does this by means of inspections that are based on the internal audit action plan adopted annually by the Audit and Risk Committee of the Board of Evli.
Internal Audit follows not only the internal audit guidelines, but also the internationally acknowledged framework of professional practices (The Institute of Internal Auditors) and corresponding guidelines on information systems audit standards (The Information Systems Audit and Control Association).