Risk Management, Risk Reporting and Control Functions.
Risk is defined as the possibility of a negative deviation from an expected outcome. Klarna is, through its business activities, subject to a number of different risks, the main ones being credit risk, market risk, liquidity risk and operational risk. Other risks include concentration risk, business risk, strategic risk, reputational risk and remuneration risk.
Klarna has a risk appetite framework in place, set by the Board, and supported by limits for specific risk areas.
The purpose of risk management is to safeguard Klarna’s long term survival, manage volatility in financial performance, and increase value for shareholders by ensuring efficient capital management.
The external regulatory framework requires sound internal control and the identification and management of risks, and sets requirements for the internal control functions. The Board has ultimate responsibility for Klarna’s risk organization and for ensuring satisfactory internal control. The Board and the CEO adopt policies and instructions for controlling all identified risks, and these are supplemented by detailed processes and guidelines within the organization.
The Audit, Risk and Compliance Committee (ACRC) supports the Board in this work by discussing, steering and monitoring these issues and preparing materials to support decisions by the full Board.
The CEO has overall responsibility for managing all of the Group’s risks in accordance with the Board’s policies and instructions. The CEO shall ensure that Klarna’s organization and administration are appropriate and that the Group’s operations are in compliance with the external and internal framework. In particular, the CEO shall ensure that the Board has all necessary information to make risk-related decisions.
As at all financial institutions, the basis for the risk management and internal control framework in Klarna is the three lines of defense model. This is laid down in Klarna’s Risk Policy.
The first line of defense refers to all risk management activities carried out by line management and staff. All managers are fully responsible for the risks, and the management of these, within their respective area of responsibility. They are responsible for ensuring that the appropriate organization, procedures and support systems are implemented to ensure a sufficient system of internal controls.
The second line of defense refers to Klarna’s independent Risk Control and Compliance Functions, as well as Engineering Assurance, which report directly to the CEO and the Board. To ensure independence, these functions are not involved in business operations. They set the framework and principles for the work on risk management and compliance, and carry out independent follow-up. The second line of defense should also promote a culture of sound risk management and compliance by supporting and training managers and employees in different areas of the business.
The third line of defense refers to the Internal Audit Function, which performs independent periodic reviews of the governance structure and the system of internal controls.
In the Risk Policy, the Board has established how and when it shall receive information about Klarna’s risks and risk management. The ongoing periodic risk reporting in Klarna is designed to provide reliable, current, complete and timely information to the recipients, reflecting the nature of the different risk types as well as market developments. The Board, the ACRC, the CEO and the CXOs, as well as other functions that require such information, receive regular reports on the status of risks and risk management. Klarna’s Risk Control Function shall provide a risk report quarterly which, among other things, includes a comprehensive and objective presentation of the major risks Klarna faces as well as a follow-up of risk appetite and the level of risk management, in order to enable the Board to ensure that Klarna’s risk management and control is satisfactory. The Compliance Function shall also provide a quarterly report to the Board which, among other things, covers Klarna’s compliance risks. Any breach of the risk appetite limits requiring immediate escalation according to the Risk Policy or the Credit Policy shall be reported directly to the CEO, the ACRC and the Chairman of the Board, or to the CEO and the Board, depending on the defined escalation process.
The Risk Control Function is independent from the business. The Board has adopted a Policy on Risk Control.
The Risk Control Function has the responsibility to monitor, control, analyze and report risks in Klarna’s business. This includes facilitating the assessment of risks, performing testing of the internal controls that have been implemented to reduce Klarna’s operational risk, and evaluating the appropriateness of those controls. Furthermore, the function is responsible for analyzing the different risk measures being used, and for proposing changes to these if deemed necessary.
The Chief Risk Officer (CRO), who heads the Risk Control Function and is appointed by the CEO after approval of the Board, reports on the risks on an ongoing basis to the CEO, the CXO-team, the ACRC and the Board.
The Compliance Function is independent from the business. The Board has adopted a Compliance Policy.
The Compliance Function is responsible for supporting the business and management in compliance matters and for assisting in identifying, following up and reporting on compliance risks, i.e. the risk of Klarna not complying with external and internal rules. Furthermore, the Compliance Function is responsible for promoting a sound compliance culture across the business by helping to ensure quality, integrity and ethical practices within the business.
The Chief Compliance Officer, who heads the Compliance Function and is appointed by the CEO after approval of the Board, reports on an ongoing basis to the CEO, the CXO-team, the ACRC and the Board regarding compliance risks and compliance matters.
The Engineering Assurance domain and the Chief Information Security Office (CISO) serve as a second line of defense and are responsible, as a control function, for managing and overseeing information and communication technology (ICT) and security risk. The independence and objectivity of a control function is ensured by maintaining appropriate segregation from the ICT operations processes it controls.
The Board has adopted a Policy on ICT & Security Risk Management. Engineering Assurance shall, via the Chief Information Security Officer, report to the CEO and the Board.
Klarna’s Internal Audit Function is independent from the business, directly reporting to the Board. The Board has adopted a Policy on Internal Audit.
The responsibility of Internal Audit is to provide reliable and objective assurance to the Board and the CEO regarding the effectiveness of controls, risk management and governance processes by performing independent periodic reviews of the governance structure and the system of internal controls.
The Board has decided to outsource Klarna’s Internal Audit Function to an external party and has appointed Deloitte as Internal Auditor. The Risk Control Function is the internal coordinator for the internal audit activities.
The Internal Audit Function reports regularly to the Board and the ACRC on the results of its audits, including identified risks and suggestions for improvements. Internal Audit also informs the CEO, the CXO-team and the relevant departments on internal audit matters. The Board annually establishes a plan for the internal audit work.