Risk is defined as the possibility of a negative deviation from an expected financial result. Through its operations, Northmill is exposed to a number of different types of risks that must be managed; primarily credit risk, market risk (currency risk and interest rate risk), operational risks, liquidity and financing risk and business risks.
The purpose of risk management is to ensure Northmill’s long-term survival through stability in its operations and quality in customer offerings, manage profit volatility and increase the value for the owners by ensuring efficient capital management.
Northmill's ability to assess, manage and control risk is central to achieving a good, risk-adjusted return. The overall risk policy adopted by the board of directors regarding risk management and risk appetite framework, with limits for specific risk areas, aims to create a well-functioning risk management with a strong and transparent risk culture.
To ensure good risk management, Northmill has designed an operational structure based on three lines of defense. The purpose of such an organization is to clarify the roles and division of responsibilities regarding risk and regulatory compliance.
The model distinguishes between functions that own and manage risk and compliance (first line of defense), monitor and review the same (second line of defense) and functions that stand for independent review and supervision (third line of defense).
The external rules require good internal control, identification and management of risks as well as requirements for internal control functions (risk control, compliance and internal audit). The board has the ultimate responsibility for Northmill's risk organization and ensuring good internal control.
The first line of defense
The first line of defense concerns all types of risk management carried out by managers and staff in the business. All managers are fully responsible for the risks and management of these, within their respective responsibilities.
The second line of defense
The second line of defense consists of Northmill's independent risk control and compliance functions, which report directly to the CEO and the board. To guarantee independence, these functions are not involved in business operations. These functions set the framework and principles for the work on risk management and compliance and carry out independent follow-ups. The second line of defense will also promote a healthy culture for risk management and compliance by supporting and training managers and employees in various parts of the business.
The third line of defense
The third line of defense is the internal audit, which performs independent ongoing audits to ensure effective risk management of governance.
The board of directors and the CEO adopt policies and instructions for the control and management of all risks the operations are exposed to, and these are supplemented by detailed procedures and guidelines within the organization. The risk and audit committee (RRK) supports the board in this work by discussing, directing and monitoring these issues and preparing decisions for the board.
The CEO has overall responsibility for managing all the group's risks in accordance with the board's guidelines and instructions. The CEO must ensure that Northmill's organization and administration are appropriate and that the group's operations are in accordance with external and internal rules. In particular, the CEO must ensure that the board has all the necessary information to make risk-related decisions.
The risk control function is independent of the business operations and the functions responsibilities and duties is specified through the policy for the risk control function adopted by the board. The risk control function is responsible for monitoring, controlling, analyzing and reporting the risks in Northmill's operations.
This includes risk assessment and testing of internal controls that have been introduced to reduce Northmill's operational risk and an assessment of the appropriateness of controls. Furthermore, the function is responsible for analyzing the various risk measures used, and for proposing changes to these if deemed necessary. Chief Risk Officer, who is appointed by the CEO after an approval from the board, continuously reports on the risks to the CEO, management team, RKK and the board.
The compliance function is independent of the business operations. The function's responsibilities and duties are specified through the policy for the compliance function adopted by the board.
The compliance function is responsible for supporting the business operations and management in compliance issues, and for helping to identify, follow up and report compliance risks, i.e. the risk that operations does not comply with external and internal rules.
Responsible for the compliance function, which is appointed by the CEO, reports on an ongoing basis to the CEO, the management group, the RKK and the board on compliance risks and issues.
The internal audit function is independent of the business operations. The function's responsibilities and duties are specified through the policy for the internal audit function adopted by the board. The function reports directly to the board.
Internal audit function is primarily responsible for providing the board of directors and the CEO with reliable and objective evaluation of risk management as well as governance and control processes, in order to reduce the occurrence of risks and ensure an efficient control structure.
Internal audit function shall conduct independent recurring audits of the management structure and system for internal control. The board has decided to outsource the function to an external party and has appointed Grant Thornton as the internal auditor. The risk control function is the internal coordinator for the internal audit activities.
Internal audit function reports regularly to the board and RKK on the results of its audits, including identified risks and suggestions for improvement. Internal audit also informs the CEO, the management team and the relevant departments about issues regarding internal audits. The board annually establishes a plan for internal audit work.
In the risk policy, the board has determined how and when it should receive information about Northmill's risks and risk management. The periodic risk reporting is designed to provide reliable, up-to-date and complete information for different stakeholders reflecting the nature of various risk types and market developments. The board, RRK, the CEO, the management team, as well as other functions that need such information, receive regular reports on the status of risks and risk management.
The risk control function provides a quarterly risk report, which includes, among other things, a comprehensive and objective presentation of the risk profile to which Northmill is exposed. The report also includes a follow-up of the risk appetite and status of risk management to enable the board to ensure that there is an effective framework for risk management and control in place.
The compliance function also submit a quarterly report every to the board, including among other things, a risk profile regarding compliance risks. Any breach of the limits that requires immediate escalation under the risk or credit policy shall be reported directly to the CEO, RKK and the chairman of the board, or the CEO and the board, depending on the defined escalation process.Read the reports
Northmill is committed to comply with anti money laundering (AML) acts under the EU directive 2013/0025 (COD). Anti money laundering is referring to set of laws, regulations and procedures that intend to prevent criminal actions.
In order to prevent criminality, financial institutions are required to monitor customers' transactions. Our procedures are intended to prevent individuals engaged in money laundering and other financial crimes from using Northmill's products and services.