Risk Management, Risk Reporting and Control Functions.
Risk is defined as the possibility of a negative deviation from an expected financial outcome. Through its business activities, Klarna is subject to a number of different risks, the main ones being credit risk, market risk, liquidity risk and operational risk. Other risks include concentration risk, business risk, strategic risk, reputational risk, remuneration risk and pension risk.
Klarna has a risk appetite framework in place, set by the Board, and supported by limits for specific risk areas.
The purpose of risk management is to safeguard Klarna’s long-term survival, manage volatility in financial performance, and increase value for the owners by ensuring efficient capital management.
The external framework requires good internal control and the identification and management of risks, and sets requirements for internal control functions. The Board has ultimate responsibility for Klarna’s risk organization and for ensuring satisfactory internal control. The Board and the CEO adopt policies and instructions for controlling all perceived risks, and these are supplemented by detailed routines and guidelines within the organization.
The Audit, Risk and Compliance Committee (ACRC) supports the Board in this work by discussing, steering and monitoring these issues and preparing for decisions by the full Board.
The CEO has overall responsibility for managing all of the Group’s risks in accordance with the Board’s policies and instructions. The CEO shall ensure that Klarna’s organization and administration are appropriate and that the Group’s operations are in compliance with the external and internal framework. In particular, the CEO shall ensure that the Board has all necessary information to make risk-related decisions.
As at all financial institutions, the basis for the risk management and internal control framework in Klarna is the three lines of defense model. This is laid down in Klarna’s Risk Policy.
The first line of defense refers to all risk management activities carried out by line management and staff. All managers are fully responsible for the risks, and the management of these, within their respective area of responsibility. Hence they are responsible for ensuring that the appropriate organization, procedures and support systems are implemented to ensure a sufficient system of internal controls.
The second line of defense refers to Klarna’s independent Risk Control and Compliance Functions, which report directly to the CEO and the Board. To ensure independence, these functions are not involved in business operations. These functions set the framework and principles for the work on risk management and compliance, and carry out independent follow-up. The second line of defense should also promote a sound culture of risk management and compliance by supporting and training managers and employees in different areas of the business.
The third line of defense refers to the Internal Audit Function, which performs independent periodic reviews of the governance structure and the system of internal controls.
Model for risk management and internal control with three lines of defense
In the Risk Policy, the Board has established how and when it shall receive information about Klarna’s risks and risk management. The periodic recurring risk reporting in Klarna is designed to provide reliable, current, complete and timely information to the recipients, reflecting the nature of different risk types as well as market developments. The Board, the ACRC, the CEO and the CXOs, as well as other functions that require such information, receive regular reports on the status of risks and risk management. Klarna’s Risk Control Function shall provide a quarterly risk report, which among other things includes a comprehensive and objective presentation of the major risks Klarna faces as well as a follow-up of risk appetite and the level of risk management, in order to enable the Board to ensure that Klarna’s risk management and control is satisfactory. The Compliance Function shall also provide a quarterly report to the Board, which among other things includes Klarna’s compliance risks. Any breach of the appetite limits requiring immediate escalation according to the Risk Policy or the Credit Policy shall be reported directly to the CEO, ACRC and the Chairman of the Board, or to the CEO and the Board, depending on the defined escalation process.
The Risk Control Function
The Risk Control Function is independent from the business. The Board has adopted a Policy on the Risk Control Function.
The Risk Control Function has the responsibility to monitor, control, analyze and report risks in Klarna’s business. This includes facilitating assessment of risks, performing testing of internal controls that have been implemented to reduce Klarna’s operational risk, and an evaluation of the appropriateness of the controls. Furthermore, the function is responsible for analyzing the different risk measures that are being used, and for proposing changes to these if deemed necessary.
The Chief Risk Officer (CRO) (head of the Risk Control Function), who is appointed by the CEO after approval of the Board, reports on the risks on an ongoing basis to the CEO, CXO Team, ACRC and the Board.
The Compliance Function
The Compliance Function is independent from the business. The Board has adopted a Policy on the Compliance Function.
The Compliance Function is responsible for supporting the business and management in compliance matters and for assisting in identifying, following up and reporting on compliance risks, which refers to the risk of Klarna not complying with external and internal rules. Furthermore, the Compliance Function is responsible for promoting a sound compliance culture across the business by helping to ensure quality, integrity and ethical practices within the business.
The Accountable Lead of Compliance (head of the Compliance Function), who is appointed by the CEO after approval of the Board, reports on an ongoing basis to the CEO, CXOs, ACRC and the Board regarding compliance risks and compliance matters.
The Internal Audit Function
Klarna’s Internal Audit Function is independent from the business, directly reporting to the Board. The Board has adopted a Policy on the Internal Audit Function.
The responsibility of Internal Audit is to provide reliable and objective assurance to the Board and the CEO regarding the effectiveness of controls, risk management and governance processes by performing independent periodic reviews of the governance structure and the system of internal controls.
The Board has decided to outsource Klarna’s Internal Audit Function to an external party and has appointed Deloitte as Internal Auditor. The Risk Control Function is the internal coordinator for the internal audit activities.
The Internal Audit Function reports regularly to the Board and ACRC on the results of its audits, including identified risks and suggestions for improvements. Internal Audit also informs the CEO, the CXO Team and the relevant departments on internal audit matters. The Board annually establishes a plan for the internal audit work.