Regulation on risk management and internal control at Norges Bank
Laid down by the Ministry of Finance on 17 December 2009 pursuant to Section 30a, third paragraph, of Act no. 28 of 24 May 1985 on Norges Bank and the Monetary System etc.
Section 1 Scope
This regulation applies to all Norges Bank’s operations, including the operations of subsidiaries.
Section 2. Proportionality
Risk management and internal control shall be proportional to the type, scope and complexity of each element of Norges Bank’s or its subsidiaries’ operations.
Section 3. Responsibilities of the Executive Board
The Executive Board shall ensure that the Bank’s risk management and internal control systems are appropriate. To this end, the Executive Board shall:
- ensure that there is a clear division of responsibility between the Executive Board and the governor of Norges Bank in his capacity as general manager and that this is laid down in principles for the Executive Board and the governor of Norges Bank;
- ensure that Norges Bank has a clear organisational structure;
- determine the objectives and strategy of Norges Bank and principal guidelines for the Bank’s operations, including defining risk profiles for the Bank’s various areas of operations and determining the applicable risk limits where relevant;
- lay down principles for risk management and internal control for the Bank as a whole and within each area of operation;
- ensure that risk management and internal control systems are established in accordance with laws and regulations and with decisions made by Norges Bank’s bodies, for example through the processing of reports prepared in accordance with Sections 8 and 9;
- ensure compliance with and monitoring of risk management and internal control, for example through the processing of reports prepared in accordance with Sections 8 and 9;
- assess its own work and competence in relation to the Bank’s risk management and internal control at least once a year.
Section 4. Responsibilities of the governor of Norges Bank
The governor of Norges Bank shall:
- ensure the establishment of adequate risk management and internal control systems on the basis of an assessment of relevant risks in accordance with guidelines laid down by the Executive Board;
- conduct an ongoing review of changes in the Bank’s risks and ensure that the Bank’s risks are adequately managed in accordance with Executive Board guidelines;
- provide the Executive Board with timely information relevant to the Bank’s risk management and internal control, including information about new risks;
- ensure documentation of the Bank’s risk management and internal control;
- ensure that risk management and internal control are conducted and monitored in a sound manner.
Section 5. Outsourcing
Norges Bank also bears the responsibility for risk management and internal control in relation to outsourced operations. This responsibility shall be established in a written agreement. The agreement shall ensure that the Bank’s bodies are entitled to inspect and monitor outsourced operations.
Norges Bank shall ensure that there is adequate competence within the Bank’s organisation to manage the outsourcing agreement.
Section 6. Risk management
Norges Bank shall continuously assess which significant risks are related to Norges Bank’s operations. In the event of substantial changes in or establishment of new areas of responsibility or procedures, appropriate risk assessments shall be conducted before the activity commences.
Based on the Bank’s defined objectives and strategies, a review of significant risks for all the Bank’s areas of operation shall be undertaken at least once a year. A systematic evaluation to determine the adequacy of the Bank’s risk management and internal control systems in managing the Bank’s identified risks in a sound manner shall be conducted for all the Bank’s areas of operation.
Section 7. Implementation of internal control
Managers in all essential areas of operation shall continuously assess internal control implementation.
An overall assessment of the adequacy of internal control implementation shall be conducted at least once a year.
Section 8. Documentation and reporting
Records shall be kept of assessment reports made according to Section 6, second paragraph, and Section 7, second paragraph. A risk assessment summary including conclusions and an assessment of the need for further measures shall be submitted for each area of operation.
The governor of Norges Bank shall prepare an overall assessment of risk at least once a year. The assessment shall be submitted to the Executive Board for review. The executive director of Norges Bank Investment Management may submit a separate area assessment.
The Executive Board shall send a risk assessment report for Norges Bank’s operations to the Supervisory Council at least once a year.
Reports shall be kept on file for a minimum of three years.
Section 9. Internal audit
The director of Internal Audit shall be appointed and dismissed by the Executive Board, is entitled to attend Executive Board meetings and shall submit a report on risk management and internal control at least once a year. The Executive Board shall approve Internal Audit resources and plans on an annual basis.
Internal auditing shall be conducted in line with recognised standards and the Bank’s operations shall be kept under continuous review.
Section 10. Audit committee
Norges Bank’s Executive Board shall have an audit committee. The members shall be elected by and amongst the Executive Board’s external members.
The responsibilities of the audit committee shall include serving as a preparatory body for the Executive Board on matters relating to the Board’s supervisory functions and responsibility for risk management and internal control. The committee may inspect any activity or situation related to the Bank’s operations. Bank employees shall provide any information requested by the committee.
Section 11. Entry into force etc.
This regulation enters into force on 1 January 2010. The requirements laid down in the regulation shall be implemented by 31 December 2010.