The Group’s risks and risk control
Given the level of financial unease and the rapidly deteriorating economic trend in many of the markets in which the bank operates, Swedbank has intensified its efforts to mitigate the Group’s risks. During 2009, the bank’s risk management system was reinforced and a number of measures were implemented to manage credit risks, market risks, liquidity risks and operational risks.
The year 2009
During 2009, a key priority was the general strengthening of the bank’s system of risk control. The role of Chief Risk Officer (CRO) was introduced, focusing particularly on an integrated approach to risk and on ensuring that risk management is fully addressed in strategic and operational issues. Reorganisation was also carried out to clarify governance locally and to strengthen the mandate of the risk organisation by having the business areas’ credit and risk managers report directly to the Group Credit Officer (CRO) and the head of Group Risk Control respectively.
To counter the decline in economic activity in the Baltic countries and Ukraine, all of Swedbank’s special credit departments, Financial Restructuring and Recoveries (FR&R), were reinforced with both internal and external expertise. These deal with potential and actual problem credits. For each problem credit, a thorough analysis is performed and a plan of action is established.
The company Ektornet was set up during the year to manage and add value to repossessed collateral, primarily properties, in order to obtain as much value as possible over time for the bank’s shareholders.
The rights issue of SEK 15.1bn together with measures taken during the year that substantially reduced risk-weighted assets, resulted in Swedbank’s current capitalisation being competitive even in a very negative scenario according to stresstests.
The strengthening of the capital base and the explicit objective of gradually exiting the government guarantee programme also resulted in a reduction of the liquidity risk. The average maturity profile for market borrowing was extended to 22 months.
Risk is defined as a potentially negative impact on a company that can arise due to current internal processes or future internal or external events. The concept of risk comprises the likelihood that an event will occur and the impact it would have on the company. Shareholders have an interest in a high return on the capital they invest in the bank and thus in ensuring that shareholders’ equity is not unnecessary high. For creditors and society, on the other hand, it is important that the bank maintains a sufficient buffer, or risk capital, to cover potential losses. Society has therefore introduced laws and regulations that set minimum requirements on the size of the buffer based on how much risk the bank assumes, i.e., capital adequacy rules.
Swedbank’s risk and capital policy
Swedbank’s Board of Directors has ultimate responsibility for the Group’s risk-taking and capital requirements. Through a risk and capital policy, the Board provides guidelines for the CEO on risk management, risk control, risk and capital assessments, and capital management in Swedbank. The policy describes the connection between risk and capital and how risk and capital management support the business strategy. The aim of risk and capital management at Swedbank is to ensure a high return on equity and that the level of capital never falls below the legal minimum, while maintaining access to cost-effective financing even under unfavourable market conditions.
Risk and capital process
Swedbank continuously identifies the risks its operations generate and has designed a process to manage them. The process is described in the bank’s risk and capital policy. The risk process includes eight steps: prevent risks, identify risks, quantify risks, analyse risks, suggest measure, control and monitor, report risks, and, lastly, follow up. The process is general, encompassing all of the risk areas, at the same time that concrete activities are adapted to each risk area to protect the bank against unwanted risk-taking. The risk process also provides a clear description of Swedbank’s risk profile, which then serves as the basis of the internal capital adequacy assessment process. This process entails an evaluation of capital needs based on Swedbank’s overall risk level and business strategy. The aim is to ensure efficient use of capital and that Swedbank at the same time meets the minimum legal capital requirement and maintains access to domestic and international capital markets even under adverse market conditions.
Organisation and responsibility
Each of Swedbank’s business units and subsidiaries has full responsibility for the risks that its operations create. This means that those responsible must ensure that the risk process is implemented within each risk area and unit and that the standards set by the Board and CEO are followed. The head of operations is also responsible for fostering a sound and informed risk culture within the unit and ensuring that employees understand Swedbank’s risk tolerance and operational risk rules. Their responsibility includes ensuring that all employees act ethically in accordance with Swedbank’s values, policies and regulations as well as applicable legislation.
Each business unit and subsidiary has the resources to identify and control risks. All risks are evaluated on the basis of the likelihood that an event will occur and of its economic consequences. The local risk control functions are subordinated to the Management of Group Risk Control and are responsible for coordinating activities within their unit as well as independently monitoring, and reporting the units risks.
In addition to the control and monitoring performed by the business units, there is a Group risk control function independent from operations. In Swedbank it is consolidated in a single organisation, Group Risk Control, which directly reports to the CRO.
Group Risk Control reports all risks on a consolidated basis to the CEO and the Board of Directors. Group Risk Control is responsible for developing the risk process and providing methods for risk identification, risk quantification, analysis and reporting of the most common risks, i.e., credit, market, liquidity and operational risks. Group Risk Control regularly conducts analyses of recent events in the market and economy and their impact on the Group’s risks. Stress tests complement these periodic assessments to calculate the effect of potentially dramatic changes. Changes over time in risk profiles within various credit portfolios are analysed as well.
Similar to the risk control functions all larger business units have local functions for overseeing and reporting on compliance risks. The local compliance functions also provide support to management to identify, monitor and handle those risks. The local compliance function reports directly to Group Compliance, and local management in parallel. In turn, Group Compliance coordinates the local compliance functions’ operations and reports to the Board of Directors and CEO.
Internal Capital Adequacy Assessment Process (ICAAP) - the second pillar
The internal capital adequacy assessment process is the process by which Swedbank ensures that it is adequately capitalised to cover its risks and to conduct and develop its operations. Internal capital adequacy assessment therefore takes into account all relevant risks that arise within Swedbank.
Since the ICAAP 2008 the models and the calculations have been further elaborated, notably regarding concentration risks and further involvement of senior management and business units. The Swedbank ICAAP is an extensive process involving the business units in measuring the risks and incorporating the results in business strategies. Given the turmoil and the great uncertainty in the global economy the ICAAP 2009 has been based on exceptionally negative scenarios. The results shown in the sections below indicate that Swedbank is adequately capitalised as of 31 December 2008. The ICAAP 2009 was approved by Swedbank´s Board of Directors in June 2009.
In August 2009 Swedbank’s Board of Directors decided to further increase the Tier 1 capital ratio by means of a rights issue. The major motives are outlined under the heading Total capital requirement below.
Swedbank’s internal capital adequacy assessment is based on two different methods: the Building Block model and the Scenario model. The building block model is a static model with an evaluation horizon of one year, while the Scenario model is a dynamic model with a multi-year horizon. Since the capital adequacy assessment represents the bank’s own estimation of its requirement according to Pillar 2, the assessment may deviate, upwards or downwards, from the corresponding capital requirement according to Pillar 1.
Types of risk
Risks that have been identified and for which Swedbank has allocated mitigating capital are:
- Credit risk (incl. concentration risk)
- Market risk (incl. interest rate risk outside trading activities)
- Operational risk
- Earnings volatility risk
- Insurance risk
- Pension risk
- Strategic risk
Other forms of strategic risk and reputational risk usually are not dealt with in capital adequacy simulations, even though the capital buffer also implicitly protects against such risks. However these risks remain an important part of Swedbank’s potential exposure, which is why they are carefully monitored and managed. Liquidity constraints may arise as a result of an imbalance between risks and capital. The internal capital adequacy assessment process is designed to ensure that such imbalances do not arise. Consequently, a conservative view of liquidity risks is crucial to the capital process.
Total capital requirement
The ultimate capital need for the bank according to the internal capital adequacy assessment is given through a combination of the Building Block model, the Scenario model and qualitative aspects.
As of 31 December 2008 the total capital requirement according to Building Block and scenario model calculations amounted to SEK 104.8bn. Total capital supply as per the same date amounted to SEK 106bn. Capital Supply then included SEK 3bn of non paid-in capital from the 2008 rights issue. As long as Swedbank maintains a larger capital supply than the Pillar 2 requirement, all risks are covered including the negative effects that an adverse scenario may have on capital supply. An important conclusion of the 2009 capital adequacy assessment was that the capital buffer held at 31 December 2008 was adequate to prevent Swedbank’s Tier 1 capital ratio from falling below the minimum capital requirements even in the event of an unlikely but possible adverse macroeconomic development that was extremely unfavourable to Swedbank.
To estimate the ultimate capital need of Swedbank these quantitative calculations are then included in a general assessment and discussion, which consider analyses of the market’s expectations, comparisons with competitors and other factors.
The economic conditions continued to be highly uncertain during the first half of 2009 and perceptions of investors and other stakeholders regarding capitalization for banks continuously changed in the direction of higher capitalisation. In August 2009, Swedbank’s Board of Directors decided to further increase the Tier 1 capital by means of a rights issue, the major motives being to;
- Strengthen the bank’s ability to implement its strategy and to create flexibility, even under adverse conditions.
- Accelerate the bank’s return to non-state guaranteed funding on competitive terms.
- Establish Swedbank as a well capitalised, strong and independent bank in control of its future.
Credit risk is defined as the risk that a counterparty, or obligor, fails to meet contractual obligations to Swedbank and the risk that collateral will not cover the claim.
Credit Risk arises also when dealing in financial instruments, but this is often called counterparty risk. The counterparty risk arises as an effect of the possible failure by the counterparty in a financial transaction to meet its obligations. This risk is often expressed as the current market value of the contract adjusted with an add-on for future potential movements in the underlying risk factors.
Credit risk also includes concentration risk, which refers, for example, to large exposures or concentrations in the credit portfolio to certain regions or industries.
Many of the countries in which the bank operates have been hit hard by the deep global downturn. In the Baltic countries, domestic demand, which had accounted for the lion’s share of growth for several years, fell sharply in 2009. The deep recession in the Ukrainian economy levelled off somewhat in the latter part of 2009 although the economic situation in the country is still considered very serious. The Russian economy was also impacted heavily by the international crisis, bringing a considerable decline in industrial production.
The Group’s total lending declined by SEK 33bn, or 2 per cent, to SEK 1 383bn during the year. In particular, the share of the Group’s net lending in the Baltic countries, Ukraine and Russia has decreased. Lending to the public (net, excluding exchange rate effects), fell by 18 per cent in the Baltic States and by 45 per cent in Ukraine, causing the share of the Group’s total lending in the Baltic States, Ukraine and Russia to fall to 14.1 per cent (17.4), 0.7 per cent (1.5) and 0.8 per cent (1.1) respectively.
This decline in lending is a consequence of active efforts to cut back lending, as well as a general decline in demand for credit. Lending also declined as a result of provisions for credit impairments of SEK 21.8bn and exchange rate effects of SEK 14.7bn. Impaired loans grew substantially early in the year, although the rate of increase abated in the second half of the year.
In Sweden, Swedbank adopted a more conservative stance regarding new housing mortgages. This is because low interest rate levels have resulted in increased real estate prices, which could increase repayment risk when interest rates rise. This caused Swedbank’s share of new lending to decline.
Measures to improve the quality of credit and thereby decrease credit risks were undertaken primarily within three areas: the establishment of units working on restructuring efforts regarding problem credits and collateral taken over, greater focus on risk-adjusted return and measures to decrease risk-weighted assets.
The units within the bank that work with restructuring, Financial Reconstruction & Recovery (FR&R), are now working at full capacity. As of 31 December 2009, all exposures in the Baltic countries, Ukraine and Russia, judged to be problem cases, had been reviewed, with plans of action adopted and initiated.
As far as it is defensible from a financial point of view, Swedbank avoids taking over collateral, although in a large number of these cases, the bank will be forced to assume ownership of the pledged assets. During the year, Ektornet AB was established to manage and improve collateral assets taken over, mainly properties, in order to safeguard long-term shareholder value. By the end of the year, this company was fully operational in the Nordic region, the Baltic countries and the US. At that time, the first sales to Ektornet of assets in these markets had been made.
A further measure to improve credit quality has been an increased focus on risk-adjusted return on capital (RAROC). Work on re-pricing the credit portfolio to better reflect international risk levels is progressing as planned. The changes are having a more rapid effect among major companies than among smaller businesses and is proceeding faster in Sweden than in the Baltic countries.
Over the year, the Group’s risk-weighted assets decreased substantially through active management and control. Risk-weighted assets were decreased by SEK 93bn or 13 per cent from the start of the year to SEK 603bn.
Measurement of credit risks
The vast majority of Swedbank’s lending to the public has been rated according to Swedbank’s internal rating system. The rating aims at forecasting the probability of default within a 12-month period.
Swedbank has received approval from the Swedish Financial Supervisory Authority for the so-called IRB approach, and it is consequently the method used to calculate most of the capital requirement for credit risk. The IRB approach is used for the absolute majority of credit exposures, with sovereign credit exposures and the credit portfolios in Ukraine and Russia being the main exception.
Swedbank’s internal rating system serves as a basis for:
- risk assessments and credit decisions
- monitoring and management of credit risk
- estimating risk adjusted profitability
- analysing the risk profile of Swedbank’s credit portfolios
- developing the credit strategy and subsequent risk management activities
- reporting credit risks to the Board of Directors, the CEO and senior management
- estimating capital requirements and capital allocation
- In the Basel 2 regulations credit risks are to be measured as exposure or EAD (Exposure at default). EAD is based on the credit risk exposures, instead of loans on-balance as in the balance sheet. The main differences are that EAD includes off-balance items (such as guarantees and unutilised amounts of credit facilities), securities financing (reversed repurchase agreements, net) and derivative contracts.
With the goal of achieving adequate precision in the risk calculations leading to a more professional treatment of customers, a number of different models have been developed for the rating of counterparties, customers or contracts. The tests conducted to date have shown that the models are reliable.
Using the risk rating system and models, the bank assigns each customer or exposure a value on a risk scale, a so-called risk class. With the help of the risk scale, customers or exposures are ranked from those with the highest risk to those with the lowest. The risk has also been quantified for each risk step. The classification of the risk that a customer will default is expressed on a scale of 23 risk grades, where 0 represents the greatest risk and 21 represents the lowest risk, and one default grade.
Of the total exposures 70 per cent can be found in the risk grades 13-21, i.e. “investment grade”, where the probability of default is considered to be low. More than a fourth of exposures are assigned a grade of 19 or higher, corresponding to an AAA rating from the major rating agencies. See diagrams on page 52.
Management of credit risks
Swedbank’s risk rating system is a central component in the credit process and comprises working methods and decisionmaking processes for lending operations, credit monitoring and quantification of credit risk. The system, which consists of methods and models, aims to measure, as accurately as possible, the risk that a customer or a contract will default and thereby estimate the losses that the Group could face.
Lending to both private individuals and businesses is governed by credit processes that contain systematised decision-making support, a key component of which is the counterparty’s rating. Hence, Swedbank’s internal risk rating system is primarily a business-support tool that facilitates an efficient credit process where counterparties with high risk are automatically denied or analysed more thoroughly. Low-risk transactions can be approved in a simplified, quicker credit process. The system also plays a central role in monitoring individual credit exposures. It regulates the monitoring process in various ways whereby, for example, a weaker rating requires a special evaluation followed by a proposal of adequate measures if necessary.
The risk classification system is safeguarded by governance documents. The overarching rules have been established by the Board of Directors. These principles are complemented by more detailed regulations issued by the CEO or the CRO or the CCO or the head of Group Risk Control. These regulations contain rules as to how models shall be structured and validated in connection with development and regular quality controls. The efficiency and reliability of the system is maintained by means of annual quantitative and qualitative validations.
Market risks refers to the risk that changes in interest rates, exchange rates and equity prices will lead to a decline in the value of Swedbank’s net assets, including derivatives.
Following a highly turbulent year for the financial markets in 2008, 2009 progressed more calmly as a consequence of central banks worldwide implementing large-scale measures to guarantee the stability of the financial system.
Swedbank’s trading operations generated favourable results due to continued successful risk management, good analysis and a favourable trend in credit spreads, as well as solid earnings in customer trade.
The turbulent market trend in the Baltic countries, Ukraine and Russia, with recurrent rumours of devaluation, highlighted focus on the bank’s structural exchange rate risk linked to lending and borrowing in different currencies. In addition to the structural risk, there was also a strategic risk associated with the holdings in the foreign operations. These exchange rate risks were continuously monitored, stress tested and actively managed.
Measurement of market risks
Swedbank measures market risks - those of a structural nature and those that arise in trading operations - with a Value-at-Risk (VaR) model. VaR expresses a possible loss level for the current portfolio which is so high there is little likelihood it can be exceeded during a specific time horizon. Swedbank uses a 99-per cent probability and a time horizon of one day. This means that the potential loss for the portfolio statistically will exceed the VaR amount one day out of 100.
Occasionally, the historical correlations on which the VaR calculation is based do not apply, e.g, in stressful situations in the financial markets. For the individual types of risk, interest rate, equity price and currency risks, complementary risk measures and limits are therefore used based on sensitivity to changes in various market prices. Market risks are also measured with stress tests, where the loss is calculated in a number of scenarios where interest rates, equity prices, exchange rates and corresponding volatilities are shifted.
Management of market risks
The primary objective of Swedbank’s activity in various financial markets is the desire to satisfy customers’ long-term needs and facilitate Swedbank’s own financing. The secondary objective is to create additional income by taking positions. Risk taking is always weighed against expected return. Market risks arise in Swedbank’s trading operations (in conjunction with trading on financial markets) as well as structurally in its other operations. Consequently, the management of market risks can be divided into these two main areas.
Swedbank’s total risk-taking is governed by limits set by the Board on the nature and size of financial risk-taking. Only so called risk-taking units, i.e, units assigned a risk mandate by the CEO, are permitted to take financial risks. Risks in these units are measured, monitored and reported daily to the CEO and senior executives in Swedbank. Every risk-taking unit has limits for various types of risks, which are monitored systematically using a daily routine.
The dominant market risks within Swedbank are of a structural or strategic nature and are managed centrally by Group Treasury, which is responsible for minimising possible negative impacts on Swedbank’s net income and equity. One example of structural risks include interest rate risks, which arise when the interest fixing periods in Swedbank’s lending operations do not precisely correspond with the interest fixing periods in its financing. Another example is currency risks which arise when deposits and lending are conducted in different currencies. Strategic risks mainly comprise currency risks associated with holdings in foreign operations where it is not possible to hedge these risks. Swedbank’s international expansion in recent years has resulted in an increase in currency risk, including strategic currency risk. Although the exposure to strategic currency risk has substantially decreased during the year, currency risk is still the largest single market risk within Swedbank, followed by interest rate risk.
Market risks in Swedbank’s trading operations are low in relation to Swedbank’s total risks as illustrated by the fact that their share of the total risk-weighted amount in the calculation of capital adequacy is about 4 per cent as of 31 December 2009.
The diagram below shows Swedbank’s market risks, expressed in Value-at-Risk (VaR). Here, VaR excludes market risks in Swedbank Ukraine and strategic currency risks. In the case of Swedbank Ukraine, VaR is misleading due to the illiquid and undeveloped financial markets in Ukraine. For strategic currency risks, a VaR measure that is based on a one-day horizon is not a relevant measure. The figure confirms that Swedbank’s market risks are largely of a structural nature and are concentrated in Group Treasury.
Swedbank’s VaR during 2009 was slightly lower than it was for the corresponding period in 2008 which is illustrated in the table below.
The reported risks include positions that are not marked-to-market and consequently have no direct impact on Swedbank’s net gains and losses on financial items at fair value.
Liquidity risks arise when the maturities of the Group’s assets and liabilities, including derivatives, do not coincide. Swedbank defines liquidity risk as the risk that Swedbank cannot fulfil its payment commitments on any given due date without significantly raising the cost of obtaining means of payment.
Swedbank significantly strengthened its liquidity in 2009. The possibility of using liquid securities as collateral as well as of issuing debt instruments under the state guarantee programme contributed to the bank’s improved liquidity. At the same time, the market recovered and with it a gradually increasing risk appetite. Swedbank made significant efforts to improve its liquidity during the year, of which the right issue in September is one example. During the year, covered bonds worth SEK 160bn were issued. The bank’s borrowing maturity was extended from 14 months to 22 months at the end of the year. In addition, liquidity reserves were also increased. At year-end, Swedbank’s liquidity reserve was large enough to allow the bank, in an emergency, without access to funding from the financial markets, to meet two year’s cash flow needs.
Measurement of liquidity risks
Swedbank’s liquidity risks are measured and reported daily through analyses of the Group’s future cash flows and the volume of assets eligible for refinancing. At Group level Swedbank uses liquidity limits based on survival periods level. The survival period is defined as the period with positive cash flows, without access to funding from the financial markets. Limits also define the negative cash flows allowed during a specific day or other predetermined time periods for individual currencies. Measurement of liquidity risks and limiting is done at an overall Group level and broken down by individual currencies.
Management of liquidity risks
Managing liquidity risks is an integral part of Swedbank’s banking operations. Thus, liquidity risk is continually measured, monitored, limited and forecasted. Swedbank’s liquidity risk taking is governed by survival period limits on group level.
Liquidity management is centralised in a few units, which improves efficiency and facilitates the monitoring and control of Swedbank’s liquidity risks. Liquidity risks are monitored and analysed continuously to ensure that excessive short-term payment obligations do not arise. Special continuity plans to manage serious disruptions to the liquidity situation have been prepared at the Group level and locally in the countries where Swedbank conducts significant operations. Swedbank also frequently conducts liquidity stress tests with the purpose of enhancing preparedness and to ensure that the bank will be able to cope with situations where for example, various funding sources do not function.
Swedbank’s funding is structured in such a way that a long-term, stable and well diversified investor base is built up and maintained. Borrowing is conducted with the objective of establishing and maintaining a satisfactory balance between long-term assets and long-term liabilities such that adequate liquidity reserves are accumulated.
Liquidity risks are reduced through Swedbank’s active efforts to ensure stable sources of funding, e.g. deposits and borrowings from the public and diversified funding from a large number of capital markets. Swedbank employs a number of different funding programmes for its short and long-term funding, including European Commercial Papers, US Commercial Papers, Global Medium Term Notes, certificates and covered bonds. Swedbank makes active efforts to retain and develop its already well diversified funding base. In 2007 the Swedish Financial Supervisory Authority gave Swedbank Mortgage permission to issue covered bonds. This has improved the Group’s liquidity substantially. The programme has broadened the funding base further and offers increased opportunities to maintain liquidity reserves.
As a consequence of the financial crisis Swedbank has participated in the loan facilities offered by the central banks. One important element in the management of liquidity risks are the liquidity reserves held in both Swedish and international operations in the form of cash and securities pledged to central banks. At the end of 2008, an opportunity was created for banks in Sweden to issue debt instruments guaranteed by the government. For Swedbank’s part, this opportunity was considered to offer a valuable complement to the bank’s other borrowing instruments and Swedbank therefore decided to sign an agreement allowing it to utilise the guarantee. However, the guarantee has not been utilised since September 2009.
Operational risk refers to the risk of losses resulting from inadequate or failed internal processes or routines, human error, incorrect systems or external events.
Compliance risk is the risk that laws, regulations and policies (external and internal) will be breached.
Money laundering refers to activities including the conversion or transfer of assets in the knowledge that this derives from criminal activities or complicity in such activities and with the purpose of concealing the illegal origins of the assets, or assisting anyone involved in such activities in avoiding the legal repercussions of their actions. Money laundering also encompasses terrorist financing. Swedbank adheres to the definitions of money laundering and terrorist financing stated in EU legislation.
Security and Continuity comprises the analyses, planning and mitigating actions that are made throughout the organisation to control and manage risk. Continuity planning aims at preparing the organisation for unlikely but possible events such as disruptions in e.g. processes and systems. Continuity planning is governed within the framework of a regulated process which is initiated regularly by the business impact analysis. Security work aims at having relevant protective measures in place to protect assets against different kinds of threats. Swedbank’s security management model is derived from the international standard ISO/IEC 27002:2005 Code of Practice for Information Security Management.
The aggregated level of operational risk in the Group was higher than normal in 2009 due to unease in the financial markets. One specific risk is the reputational risk arising during periods of intense media attention. Due to the raised level of risk, both the monitoring of the Group’s business areas and the reporting from the business areas to the Group’s central risk control functions were intensified during the year.
Several measures to mitigate the operational risks were undertaken as a consequence of the raised level of risk: a new management structure was introduced, competence in Compliance, Risk Control and Internal Audit has been upgraded and the committee structure at both the management and Board levels was improved and strengthened.
The Group has witnessed an increase in both external and internal risks and a number of major incidents occurred. During the year, approximately SEK 540m was charged against earnings by Swedbank Robur for compensation to customers following inaccurately stated fees for mutual funds. The error occurred in connection with the re-authorisation of the funds in accordance with new legislation that came into effect in 2004. The error was discovered in February 2009. During the year, Swedbank also compensated the owners of holdings in an investment fund in Estonia because internal rules to prevent internal conflicts of interest were not sufficiently clear, resulting in a cost of SEK 88m. Since then, Swedbank has conducted a thorough review, identifying areas for improvement in order to strengthen control, processes and systems support. Changes were also made in Swedbank Robur’s Board and management.
Swedbank works proactively on security measures and continuity planning to enhance its level of protection and capacity to deal with unusual events. During 2009, several of Swedbank’s crisis groups received training in crisis management.
Measurement of operational risks
The Board’s operational risk policy requires that a low operational risk level is maintained. Risk-taking should be limited within the framework of what is economically feasible. Operational risks that can damage Swedbank’s reputation and brands should be limited and given special consideration. Measures are implemented to reduce all risks not considered acceptable.
Based on the Board of Directors’ established definition of operational risk, a standardised risk structure has been created whereby personnel, process, IT and system risk, and external risk have been divided into areas that are defined and exemplified by actual risks. Personnel risk may for example arise due to human errors or internal crime, and IT- and system risk may arise due to deficiencies in traceability or reliability.
Due to the economic crisis the Group has seen an increase in both external and internal risks. However, the macroeconomic situation varies significantly from country to country. In Swedbank the level of personnel risk, process risk, IT- and system risk, and external risk were all assessed as higher than normal at the end of 2009 and consequently the aggregated operational risk level in Swedbank Group was assessed as higher than normal. The reputational risk is still high and it affects all business areas in Swedbank Group. The reason for the increased risk levels in Swedbank depends largely on the risks associated with the international financial crisis and its effects on e.g. the bank’s brand.
Management of operational risks
Swedbank has internal regulations for operational risk management. The central components of these regulations consist of the Board’s risk and capital policy, its operational risk policy and the CEO’s instructions for operational risk management. Since operational risk is an extensive discipline, operational risks and their management are also addressed in other disciplines’ instructions and policies such as security, continuity, crisis management, antimoney laundering and compliance.
Among other things, the operational risk regulations include:
- Basic principles
- Swedbank’s risk tolerance
- Description of organisation and responsibilities
- Reporting requirements
- Operational risk management methods and techniques.
Group Risk Control is responsible for a uniform Group-wide operational risk reporting to the Board of Directors, the CEO and Group Executive Management. An analysis of the risk level in all large business units is performed quarterly and reported to each local management as well as to the Board of Directors, the CEO and Group Executive Committee.
Swedbanks internal regulation comprises principles for managing compliance risk. The central component of the internal regulation is the Board’s compliance policy. The aim of internal policies is to ensure that the Group always meets the standards and behaviour expected (whether prescribed or otherwise) by customers and financial services’ regulators.
Swedbank has successfully established a Group-wide AML framework, based on EU’s and Swedish legislation and perceived international best practise. The Swedbank Group is using a centralised, pan-Group risk control approach to ensure that the bank’s operations in all locations are compliant with the respective local legislation, perceived best practice and the Group’s AML framework. Swedbank Group has implemented a Risk Based Approach to ensure that used safeguards and tools assure the best possible protection against AML risks.
Swedbank works actively with protective security work within physical security, information security and personnel security. Swedbank Group also coordinates efforts to prevent and manage serious events - such as IT disruptions, natural disasters, financial disturbances and pandemics - that may affect the bank’s ability to maintain services and offerings. The Board of Directors has established a security policy as well as a crisis policy, where, among other things, the principles for security, continuity, incident, and crisis management are defined. A Group level crisis management team is available for Group level coordination and communication internally and externally. In addition, continuity plans are in place for business-critical operations and services that are critical for society. The plans describe how the bank would operate in the event of a serious disruption. The group also has insurance protection, with an emphasis on catastrophe protection, for significant parts of its operations. The goal of continuous security and risk reduction work within the Group is to maintain and reinforce the Group’s trust and reputation by, among other things, protecting life, health, value and information.
Principal assumptions: no access to capital markets, no refinancing of loans to credit institutes, issued bonds or subordinated debt.