Operational risk / non-financial risk
Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events, including legal risks, excluding strategic risks. This is the Basel definition of operational risk, which covers a wide range of non-financial risks and potential risk events, causes and impact.
FMO adopted the Operational Risk Data Exchange Association risk taxonomy to structure all non-financial risk types, such as people, data, model, technology, third party, information and cyber security, business continuity, statutory reporting, transaction execution, et cetera.
Risk appetite and governance
FMO is cautious with operational risks. We do not seek them, as they have no direct material reward in terms of return/income generation, yet they are inherent to our business. Safe options with low inherent risk are preferred, despite the consequence of limited rewards or higher costs. There is no appetite for high residual risk.
First and second-line functions work closely together to understand the full and varied spectrum of non-financial risks, and to focus their risk and control efforts on meaningful and material risks. Risk identification and assessment draws on multiple sources of data, such as internal loss data and root-cause analysis, audit/review results, supervisory findings, key risk indicators, and key control indicators. Policies and operating procedures clarify control standards, accountabilities, and mandate training on key risks.
Management of the first line is responsible for understanding risks and implementing and operating internal controls in the day-to-day business processes. The first line performs these responsibilities in line with the risk management framework using the methods and tools of the second-line Operational Risk function. The Operational Risk function challenges and advises the first line, performs oversight and maintains the Integrated Control Framework.
Despite the implementation of internal controls, operational risk events will occur. Risk events can result in losses, non-compliance, misstatements in the financial reports, and reputational damage. Risk events are registered in the governance, risk and compliance system and reviewed and classified by the Operational Risk team. Root cause analyses of high-concern risk events and remediating actions are reviewed by the Operational Risk Committee.
Risk metrics are reported on a quarterly basis. These metrics cover operational risks, such as the amount of loss per quarter, timely follow-up of management actions, and specific metrics for all non-financial risk subtypes. All departmental directors are required to evaluate operational risks in their area of responsibility and sign a departmental in-control statement at year-end.
The Internal Control project in 2022 has resulted in an Integrated Control Framework (ICF), an improved internal control cycle, supporting processes and a central governance, risk and compliance system. The current Integrated Control Framework consists of the controls mandated by FMO’s internal policies. Key controls are subject to first-line monitoring and second-line testing to provide assurance on their effectiveness and to identify improvements. The scope of the Integrated Control Framework will be expanded over the coming years.
Internal control champions have been appointed in each department to assist management with their responsibilities regarding internal control. The Operational Risk team has trained the internal control champions and facilitates monthly ‘Community of Practice’ meetings.
Regarding IT and Information Security risk, no significant IT disruptions or Security events occurred in 2022. Security monitoring of critical outsourcing arrangements was implemented in 2022 and FMO’s Security Incident Response capability was further improved. The ICT department commenced a review of the IT and Security control framework and its integration into FMO’s Integrated Control Framework, to ensure control effectiveness and compliance with regulatory expectations.
Compliance risk is the risk of failure to comply with laws, regulations, rules, related self-regulatory organization standards, and codes of conduct applicable to FMO’s services and activities.
Risk appetite and governance
FMO’s standards, policies and good business practices foster acting with integrity. FMO is committed to its employees, customers and counterparties, adhering to high ethical standards. FMO has a compliance framework that entails identifying risks, designing policies, monitoring, training and providing advice. FMO has policies on topics such as financial economic crime (including KYC, sanctions, anti-bribery and corruption, transaction monitoring and unusual transaction reporting), conflicts of interest, anti-fraud, private investments, protection of personal data and speak-up. FMO also regularly trains its employees to raise awareness through virtual classroom trainings and mandatory compliance-related e-learnings. Employees are also encouraged to speak up in case of suspected integrity violations conducted by an FMO employee. Management is informed periodically via the Compliance Committee, or on an ad-hoc basis when required, of integrity-related matters at customer or employee level. In case of signals of violations, e.g., money laundering, fraud or corruption, management will take appropriate actions.
The governance of compliance also entails the following key risks:
Financial economic crime, including sanctions
FMO’s financial economic crime (FEC) procedures include, amongst others, screening of customers on compliance with applicable anti-money laundering, counter financing of terrorism and international sanctions laws and regulations. Due diligence is performed on customers, which includes checks such as verifying the ultimate beneficial owners of the customer we finance, identifying politically exposed persons and screening against mandatory international sanction lists. These checks are also performed regularly during the relationship with existing customers.
There is always a risk that a customer is involved or alleged to be involved in illicit acts (e.g., money laundering, fraud, or corruption). If such an event occurs or is alleged, FMO will initiate a dialogue with the customer, if possible and appropriate given the circumstances, to understand the background and to be able to assess and investigate the severity of the event. When FMO is of the opinion that there is a breach of law that cannot be remedied, that no improvement by the customer will be achieved (e.g., awareness, implementing controls) or that the risk to FMO's reputation is unacceptably high, FMO may exercise certain remedies under the contract, such as the right to cancel a loan or suspend upcoming disbursements. FMO will report to regulatory authorities if deemed necessary.
In 2021, FMO completed its FEC enhancement project which included an extensive Know Your Customer (KYC) file remediation. An external validation, which was overall positive, identified several recommendations that FMO implemented in 2022. For certain compliance themes, such as anti-bribery and corruption, as well as sanctions and unusual transactions, awareness sessions (refreshers) were organized with targeted front-office departments.
FMO received the Dutch Central Bank's (DNB) findings and recommendations related to FEC and KYC. These resulted in a dedicated Systematic Integrity Risk Analysis (SIRA) and a risk appetite statement on private equity fund investments and fund portfolio companies. These documents include the action plan addressing the gaps identified during the SIRA. We are determined to continue to improve in the regulatory domain and to ensure that the changes we implement are tailored to the day-to-day realities and complexities of the markets we are active in.
As a result of the file remediation, we reported a limited number of incidents to DNB at the end of 2021 and the beginning of 2022. These involved late notifications of unusual transactions to the Financial Intelligence Unit (FIU). DNB initiated an investigation into these incidents and the related KYC files. We expect this investigation to result in enforcement measures by DNB.
General Data Protection Act (GDPR)
In 2021, FMO started a project to further develop a data privacy framework and raise privacy awareness within the organization. The project is almost completed and has delivered several essential privacy improvements. A GDPR e-learning for all employees was rolled out to ensure the necessary knowledge within the organization. In addition, privacy governance has been strengthened in the organization by appointing a Data Protection Officer (DPO). The DPO conducts privacy assessments in new projects and initiatives, gives advice on reducing privacy risks and monitors FMO's privacy compliance.
Several additional measures have been taken since the start of 2022 in relation to sanctions involving Russia, Belarus and Myanmar to ensure FMO’s funds are not directly or indirectly provided to sanctioned parties. These measures include setting up a Sanctions Working Group, increasing the frequency of adverse news screenings, and communicating with customers in the affected regions and industries. In August 2022, FMO received a request from DNB to participate in an industry-wide investigation into the effectiveness of its sanctions screening system (transaction screening and customer screening).