Non-financial risk
Operational risk
Definition
Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events, including legal risks, excluding strategic risks. This is the Basel definition of operational risk, which covers a wide range of non-financial risks.
FMO adopted the Operational Risk Data Exchange Association (ORX) risk taxonomy to structure all non-financial risk types, such as people, data, model, technology, third party, information and cyber security, business continuity, statutory reporting, and transaction execution. FMO uses the terms operational risk and non-financial risk interchangeably.
Risk appetite and governance
FMO is cautious about non-financial risks. We do not seek them as they have no direct material reward in terms of return/income generation, but they are inherent to our business. We prefer safe options, with low inherent risk, even if they limit rewards or lead to higher costs. There is no appetite for high residual risk.
First and second line functions work closely together to understand the full and varied spectrum of non-financial risks, and to focus their risk and control efforts on meaningful and material risks. Risk identification and assessment draws on multiple sources of data, such as topic-specific risk assessments, results of half-yearly control monitoring and testing rounds, internal loss data and root cause analysis, audit results, supervisory findings, and key risk indicators. Policies and operating procedures clarify control standards and accountabilities, and mandate training on key risks.
Management of the first line is responsible for understanding risks and implementing and operating internal controls in the day-to-day business processes. Key controls are monitored and tested twice a year. The first line performs these responsibilities in line with the risk management framework, using the methods and tools provided by the second-line Operational Risk function. The Operational Risk function challenges and advises the first line, performs oversight and maintains the Internal Control Framework.
Risk events will occur despite the implementation of internal controls. Risk events can result in losses, non-compliance, misstatements in the financial reports, and reputational damage. Risk events are centrally registered, then reviewed and classified by the Operational Risk team. Root cause analyses of high-concern risk events require approval by the Non-Financial Risk Committee, and follow-up of remediating actions is tracked and reported.
Non-financial risk metrics are reported on a quarterly basis. These metrics cover operational risks, such as the amount of loss per quarter, timely follow-up of remediating actions by management, and specific metrics for all non-financial risk subtypes. All departmental directors evaluate the operational risks in their area of responsibility and sign a departmental in-control statement at year end.
Developments
The scope and quality of the Internal Control Framework have been further improved in 2023 through two half-yearly rounds of control monitoring and testing. Special attention has been given to the review and improvement of IT, information security and cyber risk-related controls.
Financial economic crime risk
Definition
Financial economic crime risk is the risk that FMO, its subsidiaries, investments, customers and/or employees are involved in or used for any non-violent crime that has a financial component, even though at times such transactions may be hidden or not socially perceived as criminal.
During 2023, FMO continued to enhance the maturity of its financial economic crime (FEC) framework by building the team, strengthening our policies and procedures, and continuously monitoring performance.
Risk appetite and governance
FMO acknowledges that as a financial institution it has been entrusted with a gatekeeper role. FMO attaches great value to this role and will always strive for full and timely adherence to financial economic crime regulations. In addition, we are aware that, given FMO’s mandate, its operational working environment (countries with high(er) financial crime risks) and the risk maturity level of its clients, risks are present and incidents may happen within customer complexes (i.e. the customer and any associated and/or third parties).
Financial economic crime framework
FMO’s financial economic crime (FEC) procedures include, amongst others, screening of customers on compliance with applicable anti-money laundering, counter financing of terrorism and international sanctions laws and regulations. Due diligence is performed on customers, which includes checks such as verifying the ultimate beneficial owners of the customer we finance, identifying politically exposed persons and screening against mandatory international sanction lists. These checks are also performed regularly during the relationship with existing customers.
There is always a risk that a customer is involved or alleged to be involved in illicit acts (e.g., money laundering, fraud, or corruption). When FMO is of the opinion that there is a breach of law that cannot be remedied, that no improvement by the customer will be achieved (e.g., awareness, implementing controls) or that the risk to FMO's reputation is unacceptably high, FMO may exercise certain remedies under the contract, such as the right to cancel a loan or suspend upcoming disbursements. FMO will report to the regulatory authorities when necessary. Refer to the ‘Business integrity’ section in the ‘Performance against our strategy’ chapter for recent developments in this area.
In January, FMO received the results of DNB’s assessment of the effectiveness and efficiency of FMO’s sanctions screening systems. Based on the results of the examination, DNB assessed that the overall functioning of these screening systems is currently ‘sufficient’. FMO is also conducting training programs for its employees to raise awareness of sanctions. Further, FMO continues to remind its customers of the importance of sanctions compliance.
In 2023, FMO also reviewed its Systematic Integrity Risk Analysis (SIRA) framework based on lessons learned from past SIRAs. This review resulted in an adjusted approach for 2023 and 2024: the (companywide) SIRA will be data driven and will enable FMO to identify its top integrity risks, the level of risk mitigation, and the need for follow-up actions.
FMO continues to work on strengthening the risk culture and creating awareness of FEC, (intended) unusual transactions, and anti-bribery and corruption practices. In 2023, all new FMO employees were required to complete the compliance e-learning that addresses personal integrity topics, such as bribery and corruption. In addition, new investment staff were also required to complete the KYC e-learning as part of their onboarding. All new investment staff were also required to undertake additional training related to the FEC program and remediation project.
Regulatory compliance risk
Definition
Regulatory compliance risk is the risk that FMO does not operate in accordance with applicable rules and regulations, either by failing to identify applicable regulations (or not identifying them in time), or by not adequately implementing and adhering to applicable regulations and related internal policies and procedures.
Risk appetite and governance
FMO has a minimal appetite for regulatory compliance risk. FMO closely monitors and assesses future regulations that apply to FMO and strives for full and timely implementation of regulations.
To ensure compliance with the EU Banking Supervisory Regulations as implemented by the DNB and the ECB and other laws and regulations applicable to FMO, FMO closely monitors the regulatory developments including the supervisory authority’s guidance.
FMO has a risk committee structure, accompanied by a Regulatory Monitoring Policy that defines the internal requirements, processes, roles, and responsibilities to identify, assess and implement regulatory changes.
Developments
The new EU legislative package on the Capital Requirements Regulation (CRR) and Capital Requirements Directive (CRD) is aimed at implementing the Basel IV standards within the EU. The legislative procedures are in their final stages, and implementation is expected to follow a phase-in approach starting from 2025. In addition to implementing the Basel IV standards, the legislative package will introduce new rules requiring banks to systematically identify, disclose and manage sustainability risks (ESG risks), as well as stronger enforcement tools for the supervision of EU banks.
The two main proposals that are of particular relevance to FMO are the standardized approach for credit risk and the capital requirements for market risk. Other parts of the EU Banking Reforms, such as the standardized approach for operational risk and the new standardized approach for CVA (credit valuation adjustment), are expected to have a smaller impact on the capital position. Regarding credit risk, the main capital impact is expected on the treatment of equity exposures, with a 250% risk weight instead of the current 150%.
Regarding market risk, the proposed draft affects the capital requirements for FMO’s foreign exchange position in the banking book. Due to the size of the open position, FMO believes it will be subject to the new alternative standardized approach for market risk. As part of the CRR-2 reporting requirement, FMO has reported the results of the new methodology to DNB since September 2021. In addition to being sensitive to FMO’s market risk positions at any given moment, the methodology is significantly more sensitive to movements in the currency composition, and its results are therefore also more volatile.
FMO has taken all these changes into consideration for its internal capital adequacy assessment process in 2023.
ESG related regulatory requirements
The new EU legislative package includes several amendments in relation to ESG risk. It will require banks to systematically identify, disclose and manage ESG risks as part of their risk management including regular climate stress testing. The proposal also puts ESG risks in scope of the Supervisory Review and Evaluation Process (SREP). Furthermore, the proposal introduces amendments regarding the possible capitalization for ESG risks, and adjusted risk weights for assets with high levels of climate risk. Most notably, FMO is required to start disclosing ESG risks as part of its Pillar 3 disclosures on a semi-annual basis starting in 2025.
With respect to additional ESG-related reporting requirements, the Corporate Sustainability Reporting Directive (CSRD) amends and expands the Non-Financial Reporting Directive (NFRD), requiring undertakings to disclose information on environmental, social, and governance matters. FMO must report for the first time in 2025, in its 2024 annual report. Undertakings subject to the CSRD must adhere to the European Sustainability Reporting Standards (ESRS) when reporting on their material sustainability-related impacts, risks, and opportunities.
In line with the DNB’s expectations, FMO continued to align internal processes, disclosures, business strategy, and risk management with the ECB guidance on managing climate and environmental risks issued in 2020. This guide describes how the ECB expects institutions to consider climate-related and environmental risks – as drivers of existing categories of risk – when formulating and implementing their business strategy and governance and risk management frameworks. It further explains how the ECB expects institutions to become more transparent by enhancing their climate-related and environmental disclosures.
The Digital Operational Resilience Act (DORA)
DORA defines rules for the protection, detection, containment, recovery, and repair capabilities against ICT-related incidents. DORA sets rules on ICT risk management, incident reporting, operational resilience testing and ICT third-party risk monitoring. DORA came into force in 2023 and will apply from 17 January 2025.
General Data Protection Regulation (GDPR)
The follow-up GDPR project, which was initiated in January 2023, has been finalized. Additional technical and organizational controls have been implemented to further strengthen personal data security. To keep risk awareness top of mind, several training sessions were organized for departments across the three lines. This will continue in 2024. The outcome of the 2023 GDPR pillar reassessment by EY Belgium on behalf of the EC is positive: FMO fulfills the requirements with regard to the protection of personal data. Overseas representative offices are fully in scope.