Risk management and internal controls

Arion Bank faces many risks arising from its day-to-day operations as a financial institution. Managing risk and taking informed decisions is a crucial component of the Bank's activities and its responsibility towards society. Managing risk is therefore a core activity within the Bank. The key to effective risk management is a process of ongoing identification of significant risk, quantification of risk exposure, action to limit risk and constant monitoring of risk.

The Board of Directors is ultimately responsible for implementing risk management and approves risk policies which specify the risk framework, governance structure and appropriate monitoring systems among other things. The risk management of subsidiaries is the responsibility of the board of directors of the relevant subsidiary. The Board of Directors sets a risk appetite for the parent company (the Bank) which is translated into exposure limits and targets monitored by the Bank’s Risk Management division. It is ensured that the Bank’s strategy, business plan and limit frameworks are aligned with its risk appetite.

The CEO is responsible for sustaining an effective risk management framework, processes and controls as well as maintaining a strong risk culture, making risk the business of every employee. The Bank operates a three-line model in accordance with its internal control policy.

The Board Risk Committee (BRIC) performs an advisory and supervisory role to the Board with respect to the Bank’s risk management framework and risk appetite and ensures consistency with the Bank’s business plan, goals and values. The committee is also responsible for the internal capital adequacy assessment process (ICAAP) and the internal liquidity adequacy assessment process (ILAAP). The Board Credit Committee (BCC) decides on all major credit risk exposures, underwriting and investments which are outside the scope of the CEO’s credit authority, and it advises the Board on matters which constitute a risk beyond defined risk appetite.

The CEO has appointed five risk committees which address key risk factors in the Bank’s operations. The Asset and Liability Committee (ALCO) manages the asset-liability mismatch, liquidity risk, market risk, interest rate risk, and capital management. The committee also makes decisions on underwriting and investments. The role of the Operational Risk Committee (ORCO) is to ensure the effective management of operational risk at the Bank in accordance with risk appetite and legal requirements. The committee is responsible for managing non-financial risk, including information security and data risk, financial crime, business processes, outsourcing, model risk, compliance risk and conduct risk.

The Arion Credit Committee (ACC) takes decisions on lending exposures and is responsible for the Bank’s credit rules, and the Arion Composition and Debt Cancellation Committee (ADC) makes decisions on composition and debt cancellation. Both committees work within the limits set by the Board Credit Committee. The Bank’s Sustainability Committee ensures that the Bank’s strategy and decision-making are aligned with its ESG commitments. The committee’s tasks include overseeing the Bank’s green financing framework.

The Executive Risk Committee is responsible for implementing and following up on the strategy set out by the Board. It is designed to ensure that the executive committee has a comprehensive overview of the risk management framework and the numerous risk factors which the Bank faces at any given time.

The Bank's Internal Audit conducts independent and objective reviews of the Bank, its subsidiaries and pension funds administered by the Bank. Internal Audit communicates its results to management and reports its findings and recommendations to the Board Audit Committee and the Board of Directors.

Compliance, headed by the Compliance Officer, is an independent unit which reports directly to the CEO. Compliance manages the Bank's conduct and compliance risks, including those relating to data protection and financial crime.

The Bank’s Risk Management division is headed by the Chief Risk Officer. It is independent and centralized and reports directly to the CEO. Risk Management is divided into three departments: Risk Analysis, which is responsible for the quantification of risk on a portfolio level, including risk modelling and reporting; Risk Monitoring and Framework, which facilitates and monitors the management of risk and controls in the first line of defence; and Credit Analysis, which supports the Bank's credit transaction process and participates in credit decisions. The Bank’s Security Officer maintains and monitors the effectiveness of the Bank’s defences against risks associated with IT security and physical security. The Security Officer and the Pension Risk Officer are part of the Risk Management division.

Arion Bank is a small bank by international standards but is classified as systemically important in Iceland. The Group operates in a small economy with its own currency, which is subject to sectoral concentration, fluctuations in capital flows, and exchange rate volatility. The most significant risks to which the Bank is exposed are credit risk, concentration risk, liquidity risk, interest rate risk, cyber risk, business risk and sustainability risk. These risk factors are mainly encountered within the parent company. Through the Bank's subsidiaries, the Group bears risk arising from insurance activities and fund management, with operational risk the most material.

The Bank’s Pillar 3 Risk Disclosures 2023 report discusses risk factors and risk management in detail.