The Board of Directors is responsible for setting the Group’s risk appetite and approving the Corporate Risk Management Policy and Principles.
Risk management governance is based on the ‘three lines of defense’ model (see the Risk management governance illustration), which distinguishes between:
- business areas and common functions owning and managing risk
- risk management specialists responsible for controlling, consulting, and developing systems, and
- the Audit Committee, which provides independent assurance of the overall efficacy of the Company’s risk management.
Risk management line responsibility
As part of the first line of defense, the President & CEO, supported by the Neste Executive Board, has overall responsibility for the management of risks, particularly risks that threaten the Company’s strategy and performance plans, as well as investments and new business models. Management and personnel in Neste Oil’s business areas and common functions are responsible for assessing and managing risks related to planning, decision-making, and operational processes in their particular areas.
Risk management control and consultation
The second line of defense comprises the Risk Management Committee, which is steered by the Chief Financial Officer and provides a comprehensive understanding of the overall risks the organization faces. The Committee is supported by the risk management specialists in the Corporate Risk Management function and other common functions and business areas.
The Risk Management Committee steers the development of risk management principles, tools and processes.
The Committee assesses the state of risk management processes, control and compliance and reviews the efficacy of different risk management disciplines, especially in price, FX, proprietary trading, and counterparty risks.
Risk Management specialists are responsible for controlling special risk disciplines, consulting and facilitating risk management processes and developing risk management systems.
Risk management effectiveness assurance
The third line of defense, led by the Audit Committee, is designed to provide independent assurance on the efficacy of governance and risk management systems. Internal Audit plays a key role in the third line of defense and provides assurance to the Audit Committee.