Risk management and internal controls

Arion Bank faces numerous risks arising from its day-to-day operations as a financial institution. Managing risk and taking informed decisions are crucial components of the Bank's activities and its responsibility towards society. The key to effective risk management is a process of ongoing identification of significant risk, quantification of risk exposure, action to limit risk and active monitoring of risk.

The Board of Directors is ultimately responsible for implementing risk management and approves risk policies which specify, among other things, the risk framework, governance structure and appropriate monitoring systems. Risk management within each subsidiary is the responsibility of that subsidiary. For the parent company (the Bank) the Board sets the risk appetite, which is translated into exposure limits and targets monitored by the Bank’s Risk Management division. The Bank ensures that its strategy, business plan and limit frameworks are aligned with its risk appetite.

The CEO is responsible for sustaining an effective risk management framework, processes and controls, as well as for maintaining a high level of risk awareness among employees, making risk everyone’s business. The Bank operates a three-line model in accordance with its internal control policy.

The Bank operates several committees to manage risk. The Board Risk Committee (BRIC) is responsible for supervising the Bank’s risk management framework, risk appetite and internal capital adequacy assessment process (ICAAP) and internal liquidity adequacy assessment process (ILAAP). The Board Credit Committee (BCC) decides on all major credit risk exposures.

The CEO has appointed five risk committees. The Asset and Liability Committee (ALCO) manages risks that arise from asset-liability mismatches: liquidity risk, market risk, interest rate risk, and capital management. The committee also makes decisions on underwriting and investments. The role of the Operational Risk Committee (ORCO) is to ensure the effective management of operational risk at the Bank in accordance with risk appetite and legal requirements. The committee is responsible for managing non-financial risk, including information security and data risk, financial crime, business processes, outsourcing, model risk, compliance risk and conduct risk. The Arion Credit Committee (ACC) takes decisions on lending exposures and is responsible for the Bank’s credit rules, and the Arion Composition and Debt Cancellation Committee (ADC) makes decisions on composition and debt cancellation. The ACC and ADC operate within limits set by the BCC. The Sustainability Committee ensures that the Bank's strategy and decision making are aligned with the Bank's commitments in relation to the environmental, social and governance (ESG) agenda. The committee oversees the Bank's Green Financing Framework.

The Bank's Internal Audit conducts independent and objective reviews of the Bank and several subsidiaries to assess the governance, risk management and internal controls. Internal Audit communicates its results to management and reports its findings and recommendations to the Board Audit Committee.

Compliance, headed by the Compliance Officer, is an independent unit which reports directly to the CEO. Compliance manages the Bank's conduct and compliance risks, including those relating to data protection, and financial crime risk, including anti-money laundering and counter-terrorist financing measures.

The Bank's Risk Management division is headed by the Chief Risk Officer. It is independent and centralized and reports directly to the CEO. The division is divided into three units: Risk Analysis, which is responsible for the quantification of risk on a portfolio level, including risk modeling and reporting; Risk Monitoring and Framework, which facilitates and monitors the management of risk and controls in the first line of defense; and Credit Analysis, which supports the Bank's credit transaction process and participates in credit decisions. The Bank's Security Officer and the Bank's Pension Risk Officer are part of the Risk Management division.

Arion Bank is a small bank in an international context but classified as systemically important in Iceland. The Group operates in a small economy, which is subject to sectoral concentration, fluctuations in capital flows, and exchange rate volatility. The Group’s most significant risks are credit risk, concentration risk, liquidity risk, interest rate risk, cyber risk, third party risk and business risk. These risk factors are mainly encountered within the parent company. Through the Bank's subsidiaries, the Group bears risk arising from insurance activities, card payment solutions and fund management. Operational risk is the predominant risk for the latter two.

The Bank’s Pillar 3 Risk Disclosures 2021 discuss risk factors and risk management in detail.