Executive Board's principles for risk management and internal control
Adopted by the Executive Board on 24 June 2020.
1 Formal basis and purpose
The principles for risk management and internal control at Norges Bank are based on requirements pursuant to the Act of 21 June 2019 No. 31 on Norges Bank and the monetary system etc. (Central Bank Act) and the Regulation on risk management and internal control at Norges Bank.
The purpose of the principles is to ensure a systematic approach to risk management and internal control at the Bank. Risk management shall address all types of risk that may affect the attainment of objectives and strategies laid down for the Bank’s areas of operation.
Risk management shall be adapted to the Bank’s mission and tasks, be applied in the adoption and implementation of strategies throughout the Bank and at all governance levels and be an integral part of the Bank’s operational activities. Risk management and compliance shall be an integral part of business processes and also include management of outsourced services.
Risk management and internal control shall contribute to creating a balance between objectives, risk and control measures. The Executive Board lays down separate principles and risk frameworks for each area of operation on the basis of the nature, scope and complexity of the area.
2 Roles and responsibilities
Risk management and internal control at Norges Bank shall be organised in line with the three-lines-of-defence principle, in keeping with recognised standards and good professional practice.
The first-line functions are operational risk management and control activities performed by the business lines. They identify, assess, decide on and manage risks and are responsible for risk mitigating measures and for compliance with internal and external requirements. All managers are responsible for risk management in their areas of responsibility and under their authority and shall have the authority to implement risk mitigating measures.
The second-line functions have an advisory and monitoring role. They are responsible for developing and maintaining risk management and internal control frameworks; monitor, verify and report on risk and the effectiveness of controls and measures; facilitate implementation of internal control; and follow up compliance with external and internal rules. The Chief Compliance Officer (CCO) has the right and duty wherever it is deemed necessary to independently report material risks to the Executive Board.
Risk management shall be organised so that the necessary division of responsibilities is established between the first and second lines. The organisation of the first- and second-line functions shall be based on established standards and be adapted to each operational area.
The third-line function (internal audit) has an independent audit role. It shall support the Executive Board in its follow-up of Norges Bank’s activities by providing independent assessments and advice on the Bank’s risk management and internal control (cf. separate mandate).
3.1 General principles
The aim of risk management is to contribute to ensuring attainment of objectives and compliance with regulatory requirements. It shall be based on relevant standards and sound professional practice and be tailored to the two areas of operation. Each area’s risk framework shall include material risk classes, in addition to operational risk.
Methods and procedures shall be defined for identifying, assessing, deciding on, managing and reporting risk. Risk management shall be integrated into processes at all levels and in all areas of the Bank. Risk assessments shall be a part of the decision basis for all material changes.
Internal control shall be put in place, including governance documents, processes, controls, routines and systems. Internal control shall be designed and implemented to provide reasonable assurance of achievement of objectives in operations/development, reporting and compliance. Control activities comprise regular controls and risk reducing measures.
The Executive Board and the individual areas of operation shall periodically evaluate risk management and internal control frameworks. Pursuant to the Regulation on risk management and internal control at Norges Bank, the Executive Board shall evaluate its work and qualifications relating to the Bank’s risk management and internal control once a year.
3.2 Principles for operational risk
Operational risk is the risk of an unwanted operational event arising from insufficient or defective internal processes or systems, from human factors, or from third parties or other external factors.
Operational risk may be assessed qualitatively or quantitatively. For each individual risk, the probability that it will occur and its potential impact shall be assessed.
The areas of operation shall perform risk assessments regularly and in the event of all major changes to processes, technology, functions or organisation.
Operational risk shall be reduced by implementing risk mitigating controls and measures, transferring risk to another party, accepting risk within limits laid down by the Executive Board for the two areas of operation and/or by avoiding the risk.
For risks with very serious consequences, risk mitigating controls and measures may include, but are not limited to, contingency and continuity plans.
Internal control shall be performed on an ongoing basis to ensure an acceptable risk level in accordance with limits laid down by the Executive Board, including compliance with principles, rules and guidelines. The risk level is controlled by establishing key controls, regular evaluations, tests and drills.
Unwanted operational incidents shall be registered and followed up. The objective of following up incidents, including security incidents, shall be to restore function, limit damage and prevent recurrence.
For each area of operation, routines for internal reporting and escalation of incidents and risk shall be established, and, if applicable, reporting to affected external parties and relevant authorities.
Supplementary requirements shall be laid down for dealing with extraordinary incidents and unwanted events that can pose a threat to Norges Bank’s activities and the attainment of its objectives (crisis management).
3.3 Procurement and outsourcing
The principles for risk management and internal control also apply where development, administration and operation are outsourced.
Engagement contracts shall state that temporary staff and subcontractors hired to perform work for Norges Bank shall comply with regulatory requirements, defined standards and relevant internal rules.
Operational risk, including security, shall be addressed during the entire lifetime of solutions and services. Routines shall be established for assessing and accepting risk associated with the choice of systems and subcontractors, including requirements, liability and the right to audit in contracts with suppliers/service providers, notification of incidents to Norges Bank and informing subcontractors about requirements.
Norges Bank shall have sufficient competency and capacity to perform follow-up and control also where performance of services is fully or partially outsourced.
The Governor and CEO of Norges Bank Investment Management (NBIM) shall report on the risk situation to the Executive Board. The frequency and scope of reporting shall be adapted to the area of operation and be determined by the Executive Board.
An assessment of internal control shall be reported in accordance with the Regulation on risk management and internal control at Norges Bank at least once a year.
5 Entry into force
These principles enter into force immediately, whereupon “Main principles for risk management at Norges Bank” of 16 December 2009 are repealed.