Principles for risk management and internal control at Norges Bank
Adopted by the Executive Board on 24 June 2020. Last amended: 20 December 2022.
1 Authorisation and background
The principles for risk management and internal control at Norges Bank are based on requirements pursuant to the Act of 21 June 2019 No. 31 on Norges Bank and the monetary system etc. (Central Bank Act) and the Ministry of Finance’s instructions of 28 June 2022 No. 1223 on risk management and internal control at Norges Bank.
The purpose of the principles is to ensure a systematic approach to risk management and internal control at the Bank. Risk management shall address all types of risk that may affect the attainment of objectives and strategies laid down for the Bank’s areas of operation.
Risk management shall be adapted to the Bank’s mission and tasks, be applied in the adoption and implementation of strategies throughout the Bank and at all governance levels and be an integral part of the Bank’s operational activities. Risk management and compliance shall be an integral part of business processes and also include management of outsourced services.
Risk management and internal control shall contribute to creating a balance between objectives, risk and control measures. The Executive Board lays down separate principles and risk frameworks for each area of operation on the basis of the tasks, nature, scope and complexity of the area.
4 Roles and responsibilities
Risk management and internal control at Norges Bank shall be organised in line with the three-lines-of-defence principle, in keeping with recognised standards and good professional practice. The risk and compliance functions shall have sufficient qualified staff and resources.
The first-line functions are operational risk management and control activities performed by the business lines. They identify, assess, decide on and manage risks and are responsible for risk mitigating measures and for compliance with internal and external requirements. All managers are responsible for risk management in their areas of responsibility and under their authority and shall have the authority to implement risk mitigating measures.
The second-line functions have an advisory and monitoring role. They are responsible for developing and maintaining risk management and internal control frameworks; monitor, verify and report on risk and the effectiveness of controls and measures; facilitate implementation of internal control; and follow up compliance with external and internal rules. The Chief Compliance Officer (CCO) has the right and duty wherever it is deemed necessary to independently report material risks to the Executive Board.
Risk management shall be organised so that the necessary division of responsibilities is established between the first and second lines. The organisation of the first- and second-line functions shall be based on established standards and be adapted to each operational area.
The third-line function (internal audit) has an independent audit role. It shall support the Executive Board in its follow-up of Norges Bank’s activities by providing independent assessments and advice on the Bank’s risk management and internal control (cf. separate mandate from the Executive Board).
The external auditor performs independent control of financial reporting.
5.1 General principles
The aim of risk management is to contribute to ensuring attainment of objectives and compliance with regulatory requirements. It shall be based on relevant standards and sound professional practice and be tailored to the two areas of operation. Each area’s risk framework shall include material risk classes, in addition to operational risk.
Methods and procedures shall be defined for identifying, assessing, deciding on, managing and reporting risk. Risk management shall be integrated into processes at all levels and in all areas of the Bank. Risk assessments shall be a part of the decision basis for all material changes.
Internal control shall be put in place, including governance documents, processes, controls, routines and systems. Internal control shall be designed and implemented to provide reasonable assurance of achievement of objectives in operations/development, reporting and compliance. Control activities comprise regular controls and risk reducing measures.
The Executive Board and the individual areas of operation shall periodically evaluate risk management and internal control frameworks. Pursuant to the Instructions relating to risk management and internal control at Norges Bank, the Executive Board shall evaluate its work relating to the Bank’s risk management and internal control at least once a year.
5.2 Principles for operational risk
Operational risk is the risk of an unwanted operational event arising from insufficient or defective internal processes or systems, human factors or caused by third parties or other external factors. Among other things, operational risk includes compliance risk, fraud risk, legal and regulatory risk and security risk (including cyber risk).
Operational risk may be assessed qualitatively or quantitatively. For each individual risk, the probability that it will occur and its potential impact shall be assessed.
The areas of operation shall perform risk assessments regularly and in the event of all major changes to processes, technology functions or organisation.
Operational risk shall be reduced by implementing risk mitigating controls and measures, transferring risk to another party, accepting risk within limits laid down by the Executive Board for the two areas of operation and/or by avoiding the risk.
For risks with very high consequences, risk mitigating measures and controls must be implemented, and may include, but are not limited to, contingency and continuity plans.
Internal control shall be performed on an ongoing basis to ensure an acceptable risk level in accordance with limits laid down by the Executive Board, including compliance with principles, rules and guidelines. The risk level is controlled by establishing key controls, regular evaluations, tests and drills. Norges Bank’s security level shall be appropriate.
Unwanted operational incidents shall be registered and followed up. The objective of following up incidents, including security incidents, shall be to restore function, limit damage and prevent recurrence.
For each area of operation, routines for internal reporting and escalation of incidents and risk shall be established, and, if applicable, reporting to affected external parties and relevant authorities. Routines shall be established for coordination, response and external reporting of incidents that affect both operational areas.
Supplementary requirements shall be laid down for dealing with extraordinary incidents and unwanted events that can pose a threat to Norges Bank’s activities and the attainment of its objectives (crisis management).
5.3 Procurement and outsourcing
The principles for risk management and internal control also apply where development, administration and operation are outsourced. Outsourcing may not take place if proper risk management and internal control is impeded.
For contract personnel and service providers that perform work for Norges Bank, engagement contracts shall specify that regulatory requirements, defined standards and relevant internal rules must be complied with. Engagement contracts shall ensure the right of the Bank’s bodies and control functions to access and monitor outsourced operations, whether performed by subsidiaries or external service providers. The right to access shall enable sufficient implementation of, and reporting on, risk management and internal control measures according to the principles herein.
Operational risk, including security, shall be addressed during the entire lifetime of solutions and services. Routines shall be established for assessing and accepting risk associated with the choice of systems and subcontractors, including requirements, liability and the right to audit in contracts with suppliers/service providers, notification of incidents to Norges Bank and information to subcontractors about requirements.
Norges Bank shall have sufficient qualified staff and capacity to perform follow-up and control also where performance of services is fully or partially outsourced.
The Governor and CEO of Norges Bank Investment Management (NBIM) shall report on the risk situation to the Executive Board. The frequency and scope of reporting shall be adapted to the area of operation and be determined by the Executive Board.
An integrated systematic assessment of the risk situation at the Bank and of whether risk management and internal control have been implemented in a sound manner shall be conducted at least once per year (cf. Instructions relating to risk management and internal control at Norges Bank).
7 Entry into force
These principles, with recent amendments, enter into force immediately.