Operational risk / non-financial risk
Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events, including legal risks, excluding strategic risks. This is the ‘Basel’ definition of operational risk.
The definition of operational risk above is very broad and covers a wide range of non-financial risks and potential risk events, causes and impacts. FMO adopted the ORX (Operational Risk data eXchange Association) risk taxonomy in to structure all non-financial risk types, such as people, data, model, technology, third party, information & cyber security, business continuity, statutory reporting, transaction execution, et cetera.
Risk appetite and governance
Operational risks are not actively sought and have no direct material upside in terms of return/income generation, yet operational risk events are inherent in operating a business. Operational risk events can result in non-compliance with applicable (internal and external) standards, losses, misstatements in the financial reports, and reputational damage.
Overall, FMO is cautious with operational risks. Safe options with low inherent risk are preferred, despite the consequence of limited rewards or higher costs. There is no appetite for high residual risk. Risk metrics are reported on a quarterly basis. These metrics cover operational risks in general, such as the amount of loss per quarter and timely follow-up of management actions, and metrics for all non-financial risk types.
Management of the first line of defense is primarily responsible for managing risks in the day-to-day business processes. The first line acts within the risk management framework and supporting guidelines defined by specialized risk functions that make up the second line of defense. Internal Audit in its role of the third line of defense provides independent assurance on the effectiveness of the first and second lines.
Departmental risk control self-assessments are conducted annually to identify and assess risks and related controls. The strategy and business objectives are also reviewed annually by the Directors from a risk perspective. Based on, among other things, these Risk and Control Self-Assessments, the Directors sign a departmental In Control Statement at the year-end, which provides the underpinning for the management declaration in the Annual Report. Despite all preventive measures, operational risk events will occur.
New policies have been introduced and are under development. A company-wide project has been initiated to increase the maturity of the control environment, the processes for risk management and internal control, and the central GRC tooling. The structure of the framework is improving, through alignment of risk types, policies, and responsibilities, in line with the principle of three lines of defense.
After finishing the KYC remediation project at the end of 2021, FMO focuses on remaining compliant with Wwft and Sanctions law and regulations by keeping abreast of relevant developments in the regulatory environment and implementing them in a timely manner within the KYC processes where necessary.
Compliance Risk is the risk of failure to comply with laws, regulations, rules, related self-regulatory organization standards, and codes of conduct applicable to FMO’s services and activities.
Risk appetite & governance
FMO’s standards and policies and good business practices foster acting with integrity. FMO is committed to its employees, customers, and counterparties, adhering to high ethical standards. FMO has a Compliance framework which entails identifying risks, designing policies, monitoring, training, and providing advice. FMO has policies on topics such as financial economic crime (including KYC, sanctions, anti-bribery, and corruption), conflicts of interest, anti-fraud, private investments, protection of personal data and speak-up. FMO also regularly trains its employees to raise awareness by means of, e.g., virtual classroom trainings and mandatory compliance-related e-learnings. Employees are also encouraged to speak up in case of suspected integrity violations conducted by an FMO employee.
Management is periodically informed via the Compliance Committee, or when required on an ad hoc basis, on integrity-related matters at customer or employee level. In case of signals of violations, e.g., money laundering, fraud or corruption, management will take appropriate actions, for example initiating a dialogue with the customer, if possible and appropriate given the circumstances, to understand the background to be able to assess and investigate the severity. When FMO is of the opinion that there is a breach of law that cannot be remedied or that no improvement by the customer will be achieved (e.g. awareness, implementing controls) or that the risk to FMO’s reputation is unacceptably high, FMO may be able to exercise certain remedies under the contract such as the right to cancel a loan or suspend upcoming disbursements and will report to regulatory authorities if deemed necessary.
The governance of compliance also entails the following key risks:
Financial Economic Crime, incl. sanctions
FMO’s financial economic crime procedures include, amongst others, screening of customers on compliance with applicable anti-money laundering, counter financing of terrorism and international sanctions laws and regulations. Due diligence is performed on customers, which includes checks such as verifying the ultimate beneficial owners of the customer we finance, identifying politically exposed persons and screening against mandatory international sanction lists. These checks are also performed regularly during the relationship with existing customers.
In 2021, FMO continued the FEC Enhancement program initiated in 2019 and met the agreed deadline with DNB to finalize the remediation project on December 31, 2021. All active KYC files are remediated, using a new KYC tool, and meet the standards of the renewed CDD-AML Policy and CDD-AML Manual. In the second half of 2021, the renewed KYC organization was implemented in the front office (first line) and business-as-usual processes were restarted, including, amongst others, periodic reviews of KYC files. Independent external validation confirmed that the remediation efforts and KYC files are demonstrably compliant with the relevant requirements, after which the Management Board provided a compliance statement to DNB at the end of 2021. The validation identified several recommendations that FMO will follow up on in 2022.
There is always a risk that a customer is involved or alleged to be involved in illicit acts (e.g. money laundering, fraud, or corruption). If such an event occurs, FMO will initiate a dialogue with the customer, if possible and appropriate given the circumstances, to understand the background to be able to assess and investigate the severity. When FMO is of the opinion that there is a breach of law that cannot be remedied or that no improvement by the customer will be achieved (e.g. awareness, implementing controls) or that the risk to FMO's reputation is unacceptably high, FMO may be able to exercise certain remedies under the contract such as the right to cancel a loan or suspend upcoming disbursements and will report to regulatory authorities if deemed necessary.
General Data Protection Act (GDPR)
In 2021, FMO started a project to further develop and enhance privacy data protection capabilities, including engaging a dedicated privacy officer and privacy champions within various departments. Specific trainings will be deployed to stimulate awareness. The project aims to finish in 2022. The privacy officer monitors FMO's privacy compliance periodically. The privacy officer is involved in, e.g., change management activities and new projects to advise on privacy risks and risk mitigation.
Corruption and Bribery is a global issue and challenge, requiring a global response. FMO is guided by the OECD Convention on Combating Bribery and the UN Convention against Corruption and is dedicated to fighting bribery and corruption not only to adhere to the law, but also because such acts undermine sustainable development and the achievement of higher levels of economic and social welfare. Good governance, fair business practices and public trust in the private sector are necessary to unlock the full potential of an economy and its citizens. Corruption can best be prevented collaboratively, and FMO actively supports Transparency International’s Netherlands branch and the International Chamber of Commerce to share best practices and stimulate the dialogue between Dutch corporates on best practices in doing business internationally. In 2021, all staff were obliged to complete an online training course explaining the key concepts of anti-bribery & corruption and providing examples of high-risk activities and ways to prevent bribery & corruption. These awareness activities will continue in 2022, amongst others through in-depth training sessions with targeted stakeholders and departments.