Risk management as an element of internal control
Internal control is a process that aims to ensure:
- the achievement of the goals and objectives set,
- economical and efficient use of resources,
- sufficient management of operations-related risks,
- reliability and correctness of financial and other management infor-mation,
- compliance with laws and regulations,
- compliance with the decisions of the Board and other bodies and with internal rules, regulations and practices,
- the safeguarding of operations, information and assets, and
- existence of sufficient and appropriately organised manual and IT systems in support of operations.
Risk management is an element of internal control and involves the identification, assessment, limitation and control of risks arising from and closely connected with the company’s business operations. Internal control is a management tool that helps the company to function efficiently, economically and reliably.
Varma is managed in a professional manner and in accordance with sound and cautious business principles. The company has established written procedures and quantitative and qualitative targets for its core functions. Varma’s risk management plan takes into account what the Board of Directors decides on the content and organisation of internal control, on implementation of the internal control sectors and principles and on the joint guidelines for the internal control of the Group.
The Board of Directors follows a charter, which defines its core tasks and operating principles. As part of the company’s internal control function, the Board deals with such matters as the company’s strategy, basic strategies connected with organisational development and management, risks, financial reporting, budgets, investments, pension insurance business, operational plans, and key development projects.
Risk management – organisation, responsibilities, supervision and reporting
The Supervisory Board’s task is to supervise the administration of Varma, which is entrusted to the Board of Directors and the President and CEO.
The Board of Directors annually outlines a risk management plan and a contingency plan that cover all operations and assesses whether the company’s internal control is appropriately arranged. The Board of Directors’ Audit Committee supervises financial and other reporting and the status of internal control, e.g. by tracking the work in progress of internal and external auditing and by reviewing a variety of audit reports. The President and CEO monitors the company’s risks in accordance with the principles laid down in the risk management, investment and contingency plans approved by the Board of Directors.
The Executive Group monitors the company’s internal control and risk management processes and maintains and develops guidelines for risk management and contingency planning.
Risks are reported to the Board of Directors quarterly.
The company’s supervisory auditor and the person in charge of the internal audit take part in the meetings of the Audit Committee.
Managers are responsible for organising internal control, risk management, the legal compliance function and good governance in their areas. This ensures that internal control is fully integrated into company operations. The detailed plans and guidelines of each business function supplement the plans and principles approved by the Board of Directors. Risk-taking limits and the indicators used are laid down and monitored separately by each function. Each function is responsible for implementing operational plans and budgets, and for operating efficiency, the supervision of outsourced operations and preparing for unsettled conditions. Information Management provides the expertise for the development, maintenance, project management, infrastructure and risk management of systems that are the responsibility of the business functions. The targets, responsibilities and means of data security management are defined in the data security policy approved by the IT Executive Group. Information Management maintains a separate recovery plan relating to IT disruption.
The function responsible for preparing and implementing investment decisions (Investment Operations) and the supervisory and reporting function (Financial Administration and Actuaries) have been separated. The decision-making powers and the maximum limits for investments are presented as separate risk limits in the investment plan. The risk control function, which is independent of the Investment Operations, is responsible for monitoring investment risks in accordance with the limits set by the Board of Directors, including a financial-theory- and risk-theory-based assessment of investment risks and the reporting of results. Financial Administration is involved in reviewing the changes in the investment plan and in the implementation process of new investment products, and controls mainly through random inspections the solvency classification of investments and instrument pricing.
The Chief Financial Officer is responsible for the independent monitoring of investment positions and risks. The Financial Administration reports monthly to the Board of Directors on observations relating to investment risk management. Major observations are reported to the management without delay.
Investment risks and the impacts their realisation would have on Varma’s risk-bearing ca-pacity are monitored in a monthly report by the officer responsible for investment risk management in the Actuaries function. The Actuaries function also reports to the Board of Directors on Varma’s risk level in relation to the risk level of the earnings-related pension system.
Investment management is responsible for arranging the handling of the investment portfolio and operative investment risk management. The risk management function of Investment Operations monitors the trends in the portfolio position vis-à-vis the risk limits defined in the investment plan and the basic allocation, and reports on them on a daily basis. Adherence to authorisations and allocation and investment assignments are monitored by the Investment Operations on a daily basis.
The Financial Administration coordinates the identification and management of operational risks in different functions. It also prepares a summary of the risk assessments drawn up by the functions. The Chief Financial Officer is in charge of monitoring operational risks.
The compliance officer reports to the Board of Directors on compliance with the insider guidelines. In order to manage the risks relating to malpractice, Varma emphasises the continuous observing of ethical operating principles and applies different control methods for protection against malpractice risks. Each function bears responsibility for managing risks relating to malpractice. Varma has specific guidelines in place to prevent money laundering and the financing of terrorism.
Varma complies with the Finnish Corporate Governance Code for listed companies where applicable.
Goals and general risk management principles
Risk management aims to secure the rights of pensioners and policyholders. Risks relating to the company’s operations are identified, assessed, limited and supervised, taking a long-term perspective. Risk management ensures that if risks are realised, they will not cause significant financial losses, or endanger Varma’s customer service and other services, the continuity of operations, the attainment of the company’s business targets, or affect trust in the company. Varma applies efficient and reliable processes both internally and when co-operating with its partners.
In order to ensure efficient risk management, the company relies on, among other things, the careful preparation of decisions, use of experts, risk insurance, detailed job descriptions, approval routines, decentralisation of functions and tasks, physical control, data protection and security, personnel training, planning process, maintenance of different backup arrangements, distribution of necessary information and limiting access to confidential information to those who need it. As tasks, power of decision and responsibility are divided, no one person is allowed to deal with a single matter throughout the handling chain, whereupon potentially dangerous combinations have been separated. Actions are subject to independent supervision and approval mechanisms. Personnel are not allowed to participate in the preparation of or decision-making on a matter concerning themselves, their family or friends. IT systems are assigned owners from the line organisation, and the functioning of the IT systems is monitored by the business functions and the IT Executive Group.
When agreeing on the terms of outsourcing, Varma’s responsibility for the outsourced functions, e.g. for conforming to regulations, continuous and disturbance-free business operations and contingency planning, are taken into account. The function in charge of outsourcing must take into consideration clear contracts and processes, supervision of the outsourced activities and risks relating to the outsourcing.
Varma also observes good insurance principles and treats all policyholders in a fair manner. All business transactions with policyholders are on market terms. Particular attention is paid to transactions covering the financing of a policyholder’s operations, real estate and other transactions, and leases.
The Corporate Governance Report drawn up by the Board and the Salary and Remuneration Statement are published on Varma’s website.
Varma’s preparation for unsettled and exceptional circumstances
Earnings-related pension institutions are under statutory obligation to ensure their tasks can be handled with minimum disruption, even under exceptional circumstances. According to the National Security Strategy, the pension and book entry systems, among others, are functions that must be secured.
Principal threat types and their concomitant special circumstances related to pension payments and funding include serious perturbations in the infrastructure required by the net-worked operating model, citizens’ health and income security, and society’s economic capacity. Due to the distributed management of pension cover, there is a lot of co-operation within the earnings-related pension system. This increases mutual dependency and vulnerability. The internationalisation of information technology services and bank services creates challenges for contingency operations.
Contingency operations secure critical activities in exceptional circumstances and in serious disturbances within normal circumstances. Also in exceptional circumstances or when threatened by them, Varma will fulfil its statutory and contractual obligations as comprehensively and for as long as possible. In co-operation with other operators, banks, authorities, and the emergency supply organisation, priority will be given to securing services connected with citizens' income security.
Varma has a recovery plan for situations where IT is disrupted and a contingency plan approved by the Board of Directors, which is supplemented by detailed plans prepared by different functions. A contingency unit, which the managers of core functions belong to, coordinates the activities in possible contingencies.
The contingency unit is responsible for preparing the contingency plan, for preparing for unsettled situations, for preparing and maintaining other plans (such as the recovery plan and the security and rescue plan) and instructions based on it, for managing unsettled situations, for contingency actions, for building, maintaining and testing contingency systems, and for taking into account the experiences gained from drills organised within the sector in the company’s operations. The members of the contingency unit, in their own area of responsibility, take care of emergency planning, construction and testing of contingency systems, providing timely information and securing data storage.
Significant risks in exceptional circumstances include
- the payment of pensions is jeopardised,
- the financing of pensions and liquidity management become more difficult,
- the implementation of processes during exceptional circumstances does not happen quickly enough,
- bank systems, investment trading systems or other societal infrastructures fail to work,
- the earnings-related pension systems, telecommunication lines or coordination within the sector fail to work,
- our own IT applications or networks fail to work, stoppage of services provision,
- counterparty risks and the invalidity of contracts under exceptional circumstances, and
- risks related to the availability of data at the onset of a crisis.
Varma participates in operational drills together with other pension insurance institutions, insurance companies, banks and financial players.
Internal auditing operates in accordance with the principles defined in the professional standards of internal auditing. It comprises independent and objective assessment, assurance and consulting activities whose purpose is to support the organisation in achieving its goals by producing assessments and development proposals concerning the status of risk management and other internal controls. The organisational status, tasks, responsibilities and powers of the internal audit are laid down in the instructions approved by the Board of Directors. The areas to be audited are set out in an annual audit plan, which is approved by the Board of Directors after it has been discussed by the Executive Group and the Audit Committee. The audit observations are reported to the company management, the Audit Committee and the Board of Directors. The internal audit is organised under the supervision of the CEO.
Control by authorities
In addition to laws and decrees, Varma’s operations are governed by the instructions and regulations of the Financial Supervisory Authority. Varma provides the Financial Supervisory Authority with information and reports on a regular basis or as required. The supervising authority carries out appropriate inspections related to administration, solvency, investment operations and operational risks, among other things.