Non-financial risk
Operational risk
Definition
Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people or systems, or from external events, including legal risks, excluding strategic risks. This is the Basel definition of operational risk, which covers a wide range of non-financial risks.
FMO adopted the Operational Risk Data Exchange Association (ORX) risk taxonomy to structure all non-financial risk types, such as people, data, model, technology, third party, information and cyber security, business continuity, statutory reporting, and transaction execution. FMO uses the terms operational risk and non-financial risk interchangeably.
Risk appetite and governance
FMO is in general cautious about non-financial risks. We do not seek them as they have no direct material reward in terms of return/income generation, but they are inherent to our business. We prefer safe options, with low inherent risk, even if they limit rewards or lead to higher costs. There is no appetite for high residual risk.
First and second line functions work closely together to understand the full and varied spectrum of non-financial risks, and to focus their risk and control efforts on meaningful and material risks. Risk identification and assessment draws on multiple sources of data, such as topic-specific risk assessments, results of half-yearly control monitoring and testing rounds, internal loss data and root cause analysis, audit results, supervisory findings, and key risk indicators. Policies and operating procedures clarify control standards and accountabilities, and require training on key risks.
Management of the first line is responsible for understanding risks and implementing and operating internal controls in the day-to-day business processes. Key controls are monitored and tested twice a year. The first line performs these responsibilities in line with the risk management framework, using the methods and tools provided by the second-line Operational Risk function. The Operational Risk function challenges and advises the first line, performs oversight and maintains the Internal Control Framework.
Risk events will occur, despite the implementation of internal controls. Risk events can result in losses, non-compliance, misstatements in the financial reports, and reputational damage. Risk events are centrally registered and reviewed and classified by the Operational Risk team. Root cause analyses of high-concern risk events require approval by the Non-Financial Risk Committee and follow-up of remediating actions is tracked and reported.
Non-financial risk metrics are reported on a monthly and quarterly basis. These metrics cover operational risks, such as the amount of loss per quarter, timely follow-up of remediating actions by management, and specific metrics for all non-financial risk subtypes. All departmental directors evaluate the operational risks in their area of responsibility and sign a departmental in control statement at year end.
Developments
The scope and quality of the Internal Control Framework has been further improved in 2024 through two half-yearly rounds of control monitoring and testing. Special attention has been given to the review and improvement of General IT controls and accounting controls.
Financial economic crime risk
Definition
Financial economic crime (FEC) risk is the risk that FMO, its subsidiaries, investments, customers and/or employees are involved in or used for any crime that has a financial component, even though at times such transactions may be hidden or not socially perceived as criminal. This includes (but is not limited to): money laundering, terrorism financing, bribery and corruption, sanction breaches or any other predicate offence as defined by the Dutch Penal Code or any other rules or regulations related to financial crime that are applicable to FMO.
Risk appetite and governance
FMO acknowledges that as a financial institution it has been entrusted with a gatekeeper role. FMO attaches great value to this role and will always strive for full and timely adherence to FEC regulations. We are aware that, in line with FMO’s mandate, the operational working environment (countries with high(er) financial crime risks) as well as the risk maturity level of its customers mean that risks are present and that incidents within customer complexes (i.e. the customer and any associated and/or third parties) may happen.
Financial economic crime framework
FMO’s FEC procedures include measures to ensure compliance with applicable anti-money laundering, counter financing of terrorism and international sanctions laws and regulations and mitigate risks of FMO being involved in FEC. Due diligence is performed on customers, which includes checks such as verifying the ultimate beneficial owners of the customer we finance, identifying politically exposed persons and screening against mandatory international sanction lists. These checks are also performed regularly during the relationship with existing customers.
In our continued efforts to implement learnings, FMO’s Compliance department reviews its FEC framework in cooperation with the Know Your Customer (KYC) department on an ongoing basis, taking into account any monitoring results, risk analysis, incidents and updates in regulations and industry best practices. In addition, continuous risk-based quality monitoring takes place in both the first- and second line including sample-based and thematic monitoring. In 2024, the sample-based monitoring consisted of at least 10 percent of all finalized KYC files in every quarter. FMO also conducts ongoing training programs for its employees to raise awareness on topics related to FEC. In addition, FMO continues to remind its customers of the importance of integrity in business operations, including sanctions compliance.
FMO continues to work on strengthening its risk culture and creating awareness of FEC, potential unusual transactions and anti-bribery and corruption practices. In 2024, all FMO employees were required to complete the Compliance ‘Annual Integrity refresher e-learning' course that addresses customer and personal integrity topics, such as bribery and corruption.
There is always a risk that a customer is involved or alleged to be involved in illicit acts (e.g., money laundering, fraud, or corruption). When FMO is of the opinion that there is a breach of law that cannot be remedied, that no improvement by the customer will be achieved (e.g., awareness, implementing controls) or that the risk to FMO's reputation is unacceptably high, FMO may exercise certain remedies under the contract, such as the right to cancel a loan or suspend upcoming disbursements. FMO will report to the regulatory authorities when necessary. Refer to the sub-chapter 'G1 Business conduct’ for recent developments in this area.
Developments
In 2024, FMO conducted its periodic company-wide Systematic Integrity Risk Analysis (SIRA). Its purpose was to gain insights into the inherent risks facing the organization, including FEC risks, and to determine whether the control measures FMO implements are sufficiently effective. The outcomes of the SIRA were discussed by the Management Board and Supervisory Board of FMO. The outcome of the SIRA shows that FMO is acting within risk appetite with respect to FEC risks. To ensure ongoing compliance, various follow-up actions are taken to ensure continued insight into (emerging) risks and further strengthen the management of those risks.
Regulatory compliance risk
Definition
Regulatory compliance risk is the risk that FMO does not operate in accordance with applicable rules and regulations, either by not or not timely identifying applicable regulations or not adequately implementing and adhering to applicable regulations and related internal policies and procedures.
Risk appetite and governance
FMO has a minimal appetite for regulatory compliance risk. It closely monitors and assesses future regulations that apply to FMO and strives for full and timely implementation of regulations.
To ensure compliance with the EU Banking Supervisory Regulations as implemented by the DNB and the ECB and other laws and regulations applicable to FMO, FMO closely monitors regulatory developments, including the supervisory authority’s guidance.
FMO has a risk committee structure, accompanied by a Regulatory Monitoring Policy that defines the internal requirements, processes, roles, and responsibilities of identifying, assessing and implementing regulatory changes.
Developments
Basel IV implementation in the EU
The new EU legislative package on the Capital Requirements Regulation (CRR3) and Capital Requirements Directive (CRD6) implementing the Basel IV standards within EU was published on 19 June 2024. The CRR3 will largely apply to FMO starting from 1 January 2025 with a phase-in approach. The CRD6 will enter into force following its transposition in January 2026. The market risk framework under the new legislative package will also enter into force on 1 January 2026. In addition to the implementation of Basel IV standards, the legislative package introduced new rules requiring banks to systematically identify, disclose and manage sustainability risks (ESG risks), and stronger enforcement tools for supervision of the EU banks.
FMO has set up a bank-wide project for the timely and compliant implementation of the CRR3/CRD6 amendments, which require changes in FMO’s internal policies, systems and processes. To date, the project is on track in line with the regulatory timelines. Full implementation of the CRR3/CRD6 is still subject to the finalization and publication of supporting regulatory and implementing technical standards and guidelines.
The package contains a number of items which will impact FMO’s capital position following implementation in January 2025, particularly the regulatory changes regarding the standardized approach for credit risk and the new alternative standardized approach for market risk. Regarding credit risk, the main capital impact is expected to come from the phasing in of the treatment of equity exposures at a 250 percent risk weight instead of the current 150 percent. Regarding market risk, FMO will be subject to the new alternative standardized approach for market risk (A-SA). The methodology is significantly more sensitive to movements in currency composition and its results are therefore also more volatile.
FMO has taken all these changes into consideration for its internal capital adequacy assessment process in 2024.
ESG related regulatory requirements
The new EU legislative package includes several amendments in relation to ESG risks. ESG risks are considered (external) factors to existing risk categories and banks are required to systematically identify, disclose and manage ESG risks as part of their risk management including regular climate stress testing. This provides an additional lens for addressing ESG risks to the existing (predominant) practice within FMO, whereby ESG risks are regarded as the risk that our investments will realize adverse impacts on people or the environment, and/or contribute to corporate governance practices, that are inconsistent with FMO policy commitments. Furthermore, the proposal introduces amendments regarding the possible capitalization for ESG risks, and adjusted risk weights for assets with high levels of climate risk. Most notably, FMO is required to start disclosing ESG risks as part of its Pillar 3 disclosures on an annual basis starting in 2026.
In line with the DNB’s expectations, FMO continued to align internal processes, disclosures, business strategy and risk management with the ECB guidance on managing C&E risks, issued in 2020. This guide describes how the ECB expects institutions to consider climate-related and environmental risks – as drivers of existing categories of risk – when formulating and implementing their business strategy and governance and risk management frameworks. It further explains how the ECB expects institutions to become more transparent by enhancing their C&E disclosures.
With respect to additional ESG-related reporting requirements, the CSRD revises and expands the requirements of the current NFRD for undertakings to disclose information on ESG matters, including sustainability-related impacts, risks and opportunities. Companies subject to the CSRD have to report according to the European Sustainability Reporting Standards (ESRS). This is the first year that FMO is publishing a report that is in accordance with the ESRS.
In addition, in 2020, the EC introduced a taxonomy for sustainable activities. This is a classification system that defines criteria for economic activities that are aligned with a Net-Zero trajectory by 2050, and with broader environmental goals beyond climate alone. Since 2023, banks have been required to report their level of taxonomy alignment with the first two environmental objectives (climate change mitigation and climate change adaptation), and their taxonomy eligibility on all six environmental objectives (the two objectives above, plus sustainable use and protection of water and marine resources; transition to a circular economy; pollution prevention and control; and protection and restoration of biodiversity and ecosystems). FMO reported against these rules in its 2023 Annual Report and plans to continue reporting each year against the framework as it evolves.
The Digital Operational Resilience Act (DORA)
The Digital Operational Resilience Act (DORA) is a European regulation aimed at establishing a uniform and comprehensive framework for digital operational resilience across the EU financial sector. DORA provides a single set of rules for the use of ICT systems by financial institutions, focusing on governance and board responsibilities, ICT risk management, security and business continuity, resilience testing, and third-party risk management. DORA applies from 17 January 2025. While FMO has progressed significantly on DORA implementation, it is currently in the process of outsourcing its data center. This is envisaged for April 2025, from which time the related key controls will be updated in accordance with DORA.